It's a pleasure to be here at ACLI. I'm here to speak to you today as the Editor of Privacilla.org. I'll get back to what on earth that is in a moment. I am also the founder of what I call an Information Age lobbying and consulting firm called PolicyCounsel.Com. My firm focuses on e-commerce, technology, and telecommunications. I'm also an Adjunct Fellow with the Progress and Freedom Foundation. I'm delighted by my association with PFF because they do a lot of excellent work. You should look for what PFF has to say in a variety of fields. They recently released an important economic study on privacy.
By way of further background, I'm a California lawyer and was a counsel with the House Judiciary Committee prior to starting PolicyCounsel.Com and Privacilla.
While I was working on the Hill, I found myself personally dissatisfied with how "privacy" was evolving as a public policy issue. I watched privacy law and regulation being passed and promulgated without ever feeling satisfied that Congress or the regulators had identified what interests they were actually pursuing.
Well, if something troubles you, I think you ought to do something about it. So here I am, talking to you. I have developed quite a little avocation out of dispensing what I think is some clear thinking on privacy. Privacilla is how I do that.
Privacilla is a Web-based think-tank devoted exclusively to privacy. It attempts to capture privacy as a public policy issue from top to bottom. We divide privacy from government and privacy in the private sector, a very important distinction that few privacy advocates ever make. Within the private sector, we break it down into financial privacy, medical privacy, and online privacy. Within those categories, we talk about the issues, what the law should be, what proposals are out there, and so on. Importantly, we attempt to define what "privacy" is and set aside the non-privacy issues that masquerade by the name "privacy."
Let me encourage you to visit the site at www.privacilla.org and get an idea of the material that is there. The site invites you to send information and links for inclusion. It also invites you to sign up to be on an e-mail list that we do. With a few e-mails a month, you can keep up on what we're putting on the site, where I'll be speaking next, and stuff like that.
Another caveat that's in order is that I am a mile wide and an inch deep on privacy. It is a huge issue and it's a lot to cover. I can't claim to know all the intricacies of Gramm-Leach-Bliley or the HIPAA regulations, for example. My study focuses on privacy as a sociological and legal issue from a public policy standpoint, as opposed to a compliance issue. I really do look at things from 30,000 feet. I study how the issue moves in public debate and how the actual condition known as privacy can be delivered.
I happen to think that GLB, HIPAA, or other new regulations won't do it - and that's not beside the point - but I believe that Robbie Meyer may spend some time on the more detailed legal nuances and specific proposals that are out there.
I've been asked to address privacy in the wake of September 11th. In some sense, we're probably all sick of looking at life through the lens of the terrorist attacks, but as yesterday's airplane crash showed us too vividly, there's no way not to look at things without September 11th in mind. I think that date is fast becoming the 21st century's equivalent of December 7th - a date that confirms to us with each mention the strength of our country and our institutions.
A lot has changed with September 11th, and a lot remains the same. I'd like to hit on both. After I talk, I hope there might be some time to engage in questions and answers, because I'm much more interested in what you want to hear than in what I want to say.
I want to start with what has changed with privacy as an issue after the September 11 attacks.
First, I'll make a practical observation: the attacks moved any more legislative and regulatory action on privacy back on the schedule for most policy-makers. Congress and the states have found other priorities for now.
Second, our new, supercharged national concern with security has changed the way privacy is looked at. Privacy used to be subject to absolute claims, like "I own my information" or "You have a right to information privacy." In the wake of the September 11 attacks, privacy has been placed on a continuum with national security, which is where it properly should be. With intelligent work, you can illustrate that privacy is also on a continuum with convenience, with low prices, and so on.
Next, I'll talk about the things that have stayed the same since September 11th. There are some basics I want you to lay out for you that were true before the attacks and that remain true today.
First of all, privacy is still the same concept that it was before September 11th. Few people understood what privacy was before the attacks and few people do today. I have a working definition of privacy that I would like to share with you. If you can adopt it as your own and share it with the politicians, the regulators, and your customers, we'll all be a lot better off.
Second, I want to talk about identity fraud - one of the hottest 'privacy' issues - that was and still is a group of crimes that are already illegal. You all know that already, but I want to convince you to work on this issue with me. I have one simple prescription for straightening out identity fraud and this is a dose of medicine I want you to take.
I'll wrap up with a few observations and suggestions going forward. So let me get right in.
The first September 11th-related observation I have is very practical - it's almost mundane - but it has a lot of importance.
September 11th moved privacy back on the schedule for legislators and regulators. At the federal level, which I'm most familiar with, there were going to be discussions and debates this Fall that are not happening. They may be put off until next Fall or even until the following Spring because of the priorities that have been put ahead of it in the queue. It all depends on how quickly we get back to normal life. The politicians who thought regulation in the name of privacy was popular before are going to think that it's something they should do again.
The delay is generally good for the privacy issue because of the way I think that issue moves in public debate.
I had an interesting conversation a few months back with some PR professionals in New York who do privacy-related communications. We each told the story of how we had gotten into the issue, and learned it - how we had each been shocked to learn how information about us moves in the economy - and then came to understand it, and found ourselves able to advocate for it.
Basically, starting around 1995, the Internet put a very public face on information practices that had been evolving for decades. There has been information trading and information sharing going on for years, and no one is hurt by it. As you know, people are helped by it. But it's still understandable that, as people discover the Information Economy and the fact that they're a part of it, they get a little bit outraged.
"My information is being used?!"
Let me share with you a similar kind of fact - that's shocking, until you think about it. In your next breath, you're going to take in carbon dioxide molecules that somebody else breathed out earlier today. Isn't that disgusting? Tell your kids about that. Watch them go "Eeeeuuuuuwww!!!"
Well, I guess it is disgusting. If we had a perfect world, we would each have our atoms to ourselves. But this air sharing has been going on all our lives.
The thing to focus on is whether people are being harmed. Sure enough, breathing other people's air is occasionally harmful, just like shared information is sometimes used in harmful ways. But the alternatives are much, much worse. If there weren't air-sharing, we'd be a lot worse of than we are today. And if there weren't information sharing, we'd be a lot worse off than we are today. The idea is to separate harmful uses of information from good ones. Sharing itself is not harmful.
Now, to be clear, I think that consumers should be able to get out of that system if they want to. For both information sharing and air-sharing, the answer is pretty much to go live in the forest. And there's nothing wrong with that. It's a beautiful place. But I question people who want to live in cities, or enjoy the benefits of the Information Economy, and not be involved in air-sharing, or information-sharing.
As people address their outrage, and learn more about the Information Economy and the fact that they are not being harmed - that they are actually being helped - they start to lose that outrage. Their temperature goes down and they start to accept and even advocate for the processes that deliver the goods and services they want at lower prices and with less obtrusive advertising.
We are at or near the peak of public concern with information practices. I tend to think that people in the media and people in Washington have moved through the heights of concern so you will see the push for new regulation abate over the coming several years.
So time is on the side of sensibility in the privacy issue. The delay caused by September 11th helps.
But it will not come quickly enough. I do believe that there will be a serious run at new federal legislation in the next couple of years. There certainly is state legislation out there that is not going away. In early December, there will be a workshop at the Federal Trade Commission on Gramm-Leach-Bliley privacy notices. The HIPAA regulations are going to be addressed by the Administration. Lots more to come in the future. Any of these things could act as a catalyst for new adventures.
My second thought about September 11th is a little subtler.
The federal anti-terrorism legislation - the USA-Patriot Act - basically set privacy back quite a bit. The Internet had already increased the ability of law enforcement to monitor our communications. Now we have new and expanded wiretapping powers, new access to personal information by government.
I'm a privacy advocate, but I've been unable to say that this legislation was wrong because none of us really knows to this day what the correlation is between domestic surveillance and preventing terrorism. We'll find out over the course of years. I was pleased to see that the House insisted on a sunset to the wiretapping provisions so that we can reconsider them at a time when cooler heads may prevail.
What the terrorist attacks and the USA-Patriot Act did with the privacy issue that I think is good is that it took privacy out of the realm of absolutes and put it onto a continuum.
Before September 11th, people could say "I have a fundamental right to information privacy," or "I own my information," and that would be taken pretty seriously. These things sound nice, and they sound true to some people, but if you drill down, you find that they don't jibe with the way our society and economy are structured.
The terrorist attacks made clear what has always been true: there is a trade-off between privacy and national security. In a country where everyone has an unrestricted right to keep information private, we're not safe. I still think we should err on the side of privacy, but we now recognize that privacy is on a continuum with things like national security and safety.
Because it's so obviously true, the idea of a privacy-national security tradeoff has been adopted by the people and the media almost instantly. There are trade-offs between privacy and other important interests.
This puts you as an industry in a better position to talk about other areas where privacy is on a continuum. In the marketplace, privacy is subject to tradeoffs in terms of price and convenience, for example. You can have a lot of financial privacy if you are willing to pay a higher price for financial services and endure a lot of inconvenience. If you want low prices and convenience, you may give up a little privacy. These are decisions consumers are capable of making.
Pro-regulation privacy advocates and some of the bureaucrats in Washington have wanted to make these decisions for consumers, and the results are what we have seen so far in the Gramm-Leach-Bliley Act and the HIPAA regulations. A lot of burden and cost that gets passed to consumers, and not much more privacy.
There is a silver lining in the cloud of the September 11th attacks and the loss of privacy we have all suffered at the hands of government after the attacks. We are in a position to discuss privacy much more intelligently - if you are ready to take that conversation to the right people.
Like I mentioned before, there is more time to improve the quality of the debate on privacy, because the terrorist attacks delayed the next round of legislating on privacy.
There are a couple of observations about privacy I would like to make that don't really hinge on September 11th.
First, privacy as a concept did not change with the September 11th attacks. It was widely misunderstood before the terrorist attacks, and it remains widely misunderstood today. I said that I started Privacilla out of my own dissatisfaction with how the privacy issue was moving in Washington. A friend of mine there observed correctly that "privacy" is the word they give to just about every concern with the modern age.
People use the word "privacy" to talk about spam or junk mail, to talk about identity fraud, to talk about telemarketing, to talk about revealing private information, and to talk about many kinds of discrimination. With all these ideas falling under the privacy umbrella, it's no wonder that just about any legislation with privacy in the title has gotten a political free pass.
Part of my role is to define the privacy issue, and redefine the non-privacy issues as what they really are. So I have drilled down and tried to come up with a definition of privacy. I figure if we want to protect privacy, we want to know what it is first.
My take on privacy is that it is a subjective condition - a state of being like happiness or piety. Each of us pursue it for ourselves. That means that I can't tell you what gives you your sense of privacy, just like I can't tell you what makes you happy, and you can't tell me what gives me my sense of privacy. We each have our own ideas of privacy which are defined by our own upbringing, culture, and experiences.
To illustrate how diverse people's approaches to privacy can be, I remember when the HIPAA regulations came out, saying how important it was to protect medical information. That seems to make sense. Then I was flipping through the TV channels and I saw a show in which a patient agreed to have his heart surgery televised. This man, who was identified my name, had his beating heart shown on national television.
The lesson is that if you think you know what information other people want to keep private, you've missed something. The "Get Well" card exists precisely because we sometimes need to share highly personal medical information and have other people acknowledge our medical conditions quite publicly.
Privacy is a subjective condition. People should get to decide based on all their circumstances when they want to share information and when they don't. This doesn't mean arbitrary, government-mandated "notices" either. There are billions of transactions every day in the United States alone that convey personal information. Mandatory notices can't possibly account for all the circumstances that arise every day. Rules and regulations that purport to deliver privacy will only deliver the guesses of bureaucrats and regulators about what privacy should look like, and I think the Gramm-Leach-Bliley notices are a great example of those guesses being wrong.
What we need to do is distribute decisions about privacy to the people who are affected by them. Privacy is a product of personal responsibility. And consumers empowered by education about how information moves will deliver privacy on precisely the terms they want it.
I've said what privacy is - a subjective condition - and I'd also like to tell you how you get it. I believe people have privacy when two conditions are satisfied.
First, people have privacy when they have the power to control personal information about themselves. In a simple example, I mean that I have the power to put on clothes and protect privacy in the appearance of my body. Thank goodness. We all get dressed pretty confident in the idea that our bodies will remain covered until we decide otherwise.
In an example closer to home for this discussion, people can choose what financial information they reveal in the private sector by how they structure their financial relationships. For the ultimate in financial privacy, keep your cash in a mattress. You start to give up a lot of privacy quickly by using financial products, but we all have the power to buy things nearly anonymously using cash and we have the power to choose what we reveal, even if it can be inconvenient at times.
Compare the situation in the insurance marketplace with the income tax. Do any of us have the power to withhold earnings information from the federal or state governments? No. The only withholding happening there is the government withholding my money - and taking my personal financial information.
In our dealings with governments we don't usually have the first piece of what delivers privacy: the power to control information about ourselves. It's collected by law. And I'll note, as an aside, that the local, state, and federal governments are much more aggressive collectors, users, and sometime abusers of personal information than the private sector.
The second piece of the privacy puzzle is actually exercising the power to control information about ourselves consistent with our interests and values. You've got all the power in the world to put on pants, but if you haven't zipped up your fly, you don't have quite the privacy you wanted. Or that we want you to have!
Likewise, if you don't know that the operators of Web sites collect information about how people use their sites, you won't know to visit their site anonymously if you want to collect information from them anonymously.
This illustrates how privacy is a product of educated consumerism. If consumers are ignorant of how information moves in the economy, they may be walking through the financial world with their flies down. The solution is education of them - not regulation of you.
I mentioned before that privacy lies on a continuum, and a lot of people say, at least, that they are not happy with the privacy they must give up to participate in our financial marketplaces. I agree, based on what I know, that the markets are too monolithic. They evolved for decades without garnering much attention and, as I said before, the Internet began a national conversation about information practices that caught your industry by surprise.
People do have the power to control information about themselves. They can refuse to do business with you all if you aren't offering them privacy protections that they like. You should look for opportunities to give them options. I suspect that, in the end, a lot of people will take the deal that you're currently offering, which is low-cost, high-convenience, and high-information-sharing. But there may be a worthwhile market to serve in people with different privacy preferences. Go after that market and you will not only make money, but solve a political problem too.
When consumers know that they're exercising choices about how information is used, they will feel like they have privacy.
So, I've tried to give privacy a definition. It is a personal condition that exists when someone has the power to control information about themselves and when they use that power consistent with their values and interests. This definition was true before September 11th and it remains true after September 11th.
The second "yesterday, today, and tomorrow" issue has to do with identity fraud, and it's really a bit of a pet peeve of mine. So indulge me here, will ya'?
I think identity fraud is one of the biggest drivers of the privacy debate. I would say that 75% of the privacy debate exists because of concerns with identity fraud. Using a false identity to defraud someone is already a crime in all states, as far as I know, and at the national level. In fact, on Privacilla, I characterize it as a crime problem and not a privacy problem at all. I mean, getting punched in the face may technically be a privacy violation, but it makes a lot more sense to treat it as assault and battery and lock the bad guy up.
Now, has anyone noticed that I'm calling it "identity fraud" and not "identity theft"? There's a good reason for that, and I'd like you to join me in using the phrase "identity fraud."
The reason why is because how you talk about an issue affects how it is dealt with by the press and by the politicians. The phrase "identity fraud" points people to the real problem - people using false identities to commit fraud.
"Identity theft" brings in a whole host of other issues. "Theft" - in legal terms - is taking someone's property with the intent to permanently deprive them of that property. So a theft of your book means that you never get that book back. An identity theft would mean that you lose your identity for good! Friends don't recognize you on the street. Your mother, your spouse, or your children don't know how to reach you by telephone. Do you remember how Hannibal Lecter escaped at the end of Silence of the Lambs? He tore a guard's face off and put it on his own head. That's identity theft!
When we're using that phrase, it's no wonder that the law and regulation keeps coming. It's the bogey-man, Invasion of the Body Snatchers, and Hannibal Lecter all wrapped into one.
Calling identity fraud by its proper name will help everyone recognize the exact nature of the problem. It will calm the public slightly, because being victimized by identity fraud means lots of hassle, not the end of your identity. Using the words "identity fraud" will help policy-makers and the press work toward rational and intelligent solutions - like some real crime control.
I have had a little success so far with getting "identity fraud" to be the phrase we use to talk about this problem in Washington. I would love it if you folks could go out and use the phrase "identity fraud" from now on rather than "identity theft." You don't have to stop conversations to correct people the way I would. But if you just use the phrase, other people will pick it up, and before long we'll have a movement on our hands.
So, those are two of the definitive issues that predate and outlast the terrorist attacks of September 11th. I'm working to instill a better sense of what privacy actually is for regulators and legislators by defining privacy and by trying to move us away from confusing phrases like "identity theft."
As I said before, the terrorist attacks moved back the schedule for the next round of privacy legislation, and it showed in one case how privacy lies on a continuum as part of a trade-off, in the case national security. There is potential for this issue to get straightened out before more damage is done to the economy in the name of privacy without delivering the real thing.
Finally, I'll make a few observations and recommendations going forward.
The idea of putting more regulation on the private sector in the name of privacy is coming back.
The Gramm-Leach-Bliley notices will be at the top of the agenda in the beginning of December. The consumer response to these notices was dismal, and I see a very good likelihood that the pro-regulation privacy advocates will now take the step that they wanted to take in the first place. They will move for putting direct limits on information sharing because they couldn't get consumers to ask for it directly through the notices.
The failure of the GLB notices was a failure on the part of Congress and the regulators to divine what matters to consumers. Whether the notices were phrased just right or not, the GLB notices were a massive survey and it found that the sharing of truthful financial information among financial services companies - even for the purpose of marketing - does not rate as an action item for consumers. And I don't think you should stand for activists who try to spin the issue any other way.
You all have an ongoing obligation to educate your consumers about identity fraud. They need to know what it is, they need to know that it's already against the law, they need to know how to prevent it, and they need to know what to do about it if it happens to them. I'm sure you've been working to demystify the issue of identity fraud for them. Do it some more.
Finally, I want to encourage you to offer more information options to your customers. Give them choices and make them know that they are making choices. There may be products already that offer privacy protection options. But I watch a lot of TV. If I don't know 'em yet, your industry is not pushing them hard enough.
The best illustration I've seen of how the markets are going to deliver privacy is an ad that Earthlink has been running on TV. A guy and a gal are in a bar. She gives him her number and he immediately turns to the bartender and says "You want this? Five bucks." This is a company going after its competitors based on what it does with customer information. I'd like to see companies in the financial services sector going after each other like this. That will prove to me that consumers are being put in a position to protect privacy on the terms they want.
I hope these observations have been interesting and perhaps helpful. Once again, I want to encourage you to visit, use, and get involved with Privacilla.org. I'm pleased to have the opportunity to address you. As you know, ACLI is a powerhouse in Washington, and I appreciate the work you do there. I'm happy for the opportunity to contribute to your thinking in a small way.