250 likes | 434 Views
Privacy and Information Sharing in the War on Terror. Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Fellow, Center for American Progress IAPP Summit, March 9, 2006. Overview. My background in privacy The lack of information sharing as a cause of 9/11 attacks
E N D
Privacy and Information Sharing in the War on Terror Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Fellow, Center for American Progress IAPP Summit, March 9, 2006
Overview • My background in privacy • The lack of information sharing as a cause of 9/11 attacks • The Bush Doctrine of information sharing • A due diligence checklist for when proposed information sharing makes sense
Chief Counselor for Privacy • U.S. Office of Management & Budget, 1999-early 2001 • Trying to “build privacy in” for policies/laws • HIPAA: medical privacy • Gramm-Leach: financial privacy • FTC enforcement of privacy promises • Especially for the Internet • Safe Harbor with Europe • Federal agency web policies & privacy impact assessments • Chaired WH Working Group on how to update surveillance law for the Internet age
My Normative Baseline • My own views are roughly those reflected by the Clinton Administration during that period • Achieve progress in building privacy into public and private systems • Fair information practices as the baseline • Be realistic about how laws are actually implemented in practice, avoiding over- and under-regulation • No reason that should be a partisan position
Information Sharing • The failure of intelligence to prevent the 9/11 attacks • Belief that did not have enough information sharing • Between FBI and CIA • Between federal and first responders • Among all the “good guys” to get the “bad guys”
Encouraging Information Sharing • Several Executive Orders to encourage it • Intelligence Reform Act of 2004 & National Director of Intelligence • Markle Task Force on National Security in the Information Age • Intellectual rationale for information sharing • Says privacy, data security, and civil liberties should be built in as well
The Bush Doctrine of Information Sharing • Disclaimer – I have often critiqued the Bush Administration on privacy & information sharing • First explain the logic of the position • Axiom 1: The threat has changed • Was threat of Soviet tank or missile attack • Now is asymmetric threat – a few individuals with boxcutters or home-made explosives
Bush Doctrine • Axiom 2: The threat is significant • The intellectual importance of WMDs • “One nuke can ruin your whole day” • Measures that are not justified by small attacks may be justified for asymmetric, large attacks
Bush Doctrine • Axiom 3: Progress in IT dwarfs progress in defensive physical security • Price of sensors, storage, and sharing down sharply • Useful knowledge & patterns extracted from data • The efficient mix of security measures has a large & ongoing shift to information-intensive strategies
Bush Doctrine • (1) The threat has changed • (2) The threat is significant • (3) Progress in IT shifts the best response • For privacy advocates, which of these assertions seems incorrect? • There is a powerful logic to this approach • Now we turn to possible responses
Has the Threat Changed? • Yes. • Conventional threat, typified by satellite reconnaisance of military targets, is clearly less than before 1989 • Enemy mobilization was often graduated and visible (levels of military alert) • Current threats from asymmetric attacks • No visibility of imminent attacks unless get information about the individual attackers
How Significant is the Threat? • This topic is controversial • I address this in 2004 article on foreign intelligence & surveillance • No WMDs in Iraq • Nation states as havens likely much more dangerous than isolated individuals • Exceptions in my view – nuclear proliferation, tailored viruses
Significance of the Threat • Within the U.S., has been extremely difficult politically to question the threat • Republicans have been loyal to Pres. Bush • Democrats can’t appear weak • Within U.S., privacy and civil liberties advocates question the threat but have not been likely to succeed much • The debate since 9/11 has been what to do assuming a large threat: “The War on Terrorism”
Due Diligence List for Whether Shift to Information Sharing is Efficient • Here is the battleground for each proposal • (1) Ends/means rationality – does the proposed surveillance actually improve security? • Does security measure work? Cost effectively? • E.g., carry-ons over-broad (nail cutters) and under-broad (ingenious attackers can attack) • E.g., data mining may create so many false positives that the noise swamps the signal
Due Diligence List • (2) Security experts’ concern about information sharing: • Imagine you are GC for the CIA • Will sharing compromise our “sources and methods”? • When should we abandon “need to know”? • How often will “bad guys” infiltrate the information sharing that is intended to inform only the “good guys”? To all first responders? • Swire research on disclosure & security
Due Diligence List • (3) “Security theater” & Bruce Schneier • Perceive, and critique, measures that are taken for the sake of “doing something” • E.g., show ID to get into office buildings; this is worthless in a world of pervasive fake IDs • Important to have credible and effective technical critiques of proposed surveillance • U.S. State Dept. RFIDs on passports as “terrorist beacons” readable at 10 meters
Due Diligence List • (4) Point out unprecedented nature of proposed surveillance – a Burkean, conservative point • E.g., library records and chilling the right to read • “Gag rule” on foreign intelligence orders to get library and other databases • Some greater due process in Patriot Act revisions • E.g., national ID cards and coalition of libertarians on left and right
Due Diligence List • (5) Invoke historical abuses & ask for checks and balances • Prevention was tried by Hoover & the FBI • The theory of “just a bit more data” • Prevention led, over time, to vast expansion of surveillance but little proven prevention • Political and other abuses from that expansion • Therefore, oversight and limits on new surveillance because human nature hasn’t changed
Due Diligence List • (6) Fairness, discrimination, and effectiveness • If single out groups, such as young Arab males, then that can backfire • Is unfair, and perceived as unfair by many • Risk of creating resentment by communities who cooperation is needed – better to build bridges to communities than to treat everyone as a suspect
Due Diligence List • (7) Show how proposed measures make the problem worse • E.g., trusted traveler programs will give greater powers for harm to the terrorists who get the credential • E.g., racial profiling that undermines assistance from the well-informed
Due Diligence List • (8) International reaction to U.S. measures • E.U. & other countries are more regulatory on many privacy issues • Not politically popular in U.S. to do it just because, say, the French want it • Having allies, though, is actually a good thing • Concerns from outside the U.S. may require a more fully developed policy process within U.S.
Conclusion:Summary on Bush Doctrine • Significant moral & political logic to: • New threat • The threat is large • IT and information sharing will help • More IT and information sharing is often a logical response to changing conditions
The Due Diligence List • Issues to consider include: • Does proposal work? Cost-effectively? • Risk to sources & methods and other security • It may be “security theater” • Unprecedented surveillance and not needed • Historical abuses show need for checks • Fairness and non-discrimination • Proposed measures may make the problem worse • International ramifications
What Have We Learned? • Description: the types of arguments used in information sharing debates • Prescription: • Do the due diligence • Empirical assessment of each item on the list • Institutions to screen proposals for sharing • Institutions for oversight of the programs that go forward • In that way, use new IT if, but only if, that actually makes sense
Contact Information • Professor Peter P. Swire • Phone: (240) 994-4142 • Email: peter@peterswire.net • Web: www.peterswire.net