I am delighted to be here today to join in this “privacy perspectives” panel. And I’m happy to confirm that I do have a perspective. I hope you’ll recognize it pretty quickly here.
Many of you may know me as the outspoken Editor of Privacilla.org. Since the last time I was before you, I have gotten some institutional backing of which I am very proud. I am now the Director of Information Policy Studies at The Cato Institute. You’ll be happy to know that I plan to continue being outspoken.
Cato is a think-tank here in D.C. that advances individual liberty, limited government, free markets, and peace. We’re generally in favor of national security, but not at the cost of basic liberties. And many programs instituted in the name of national security come at too high a cost in privacy and other values, or they need revision with these values in mind. The Fourth Amendment was not repealed by the September 11 attacks.
I want to address a single issue that I think is very important: that is the use of commercial data in national security and law enforcement missions. I’ve long believed that commercial use of consumer data (within bounds set by consumers in the marketplace) ultimately redounds to the benefit of consumers. It does not upset their privacy expectations.
This thesis is tested, to be sure, as people have discovered our entry into the Information Age. Some people have been caught unawares by modern business processes and some businesses have been caught unawares by consumer concern. That’s why you’re here.
As I said, even uses of data that consumers have not been aware of have benefited them, through lower prices, better-targeted marketing, well-tailored products, and faster customer service.
Consumers are not benefited, though, when information about them is deployed in government surveillance. My firm belief is that companies should make part of their information policies their obligation to defend the privacy of their customers from government, sticking to tried-and-true rules for transferring data to the government, like doing so based only on particularized subpoenas.
All of you probably have known someone in your life who lacks a sense of boundaries. Perhaps you’ve had a boss who thought it was appropriate to ask you about your marital life. Perhaps you have a parent who thought that he or she should talk to your doctor long after you were making your own health decisions. I guess the classic example is the mother-in-law who believes that she is the final authority on child-rearing for everyone in her lineage. These are people who lack a sense of boundaries.
Let’s translate the concept of boundaries into the corporate mission. What do you do? Sell widgets. Why do you do it? To make money. Why do you collect or buy data about widget users? To make more money. I’m fine with all of those.
If you were to participate in a government-sponsored data mining project, why would you do that? Out of patriotism, of course. Well, that is essentially a distraction from your corporate mission. And let me suggest that your highest loyalty should be to some founding ideals: The state can only investigate people with probable cause. General warrants shall not issue.
Time and again since September 11, various branches of the government have been assembling programs that are premised essentially on a general warrant to search through privately held consumer data. Total Information Awareness and CAPPS II were both premised on suspicionless rummaging through private data. Thankfully, they were slapped down, or fell apart.
Or so we thought. New versions of these programs appear to be re-emerging in a couple of places.
For example, legislation in the Senate to implement the recommendations of the 9/11 Commission would create a ‘trusted’ information sharing network, whatever that means. Though I know the good intentions of its proponents, I also know about mission creep. An information sharing network of the type described is just groundwork for a surveillance program.
If there’s to be a network, the mission should define the network, rather than the network defining the mission. Let there be networked service of subpoenas and networked responses to subpoenas. There’s no problem with using technology consistent with the Constitution, but any technology that promises something “better” than constitutional national security and law enforcement, well, that’s just not better.
Likewise, the Secure Flight program at the Transportation Security Administration has hallmarks of CAPPS II, including the use of private data in various ways. As you probably know, the TSA will soon issue a directive to the airlines requiring them to turn over passenger travel data from June 2004. Not cool.
The silence from the airlines has been deafening, of course, and it’s fairly obvious that their official position would be “Don’t do this,” while they’re winking at the TSA like Inspector Dreyfus in the Pink Panther movies. I, for one, traveled in June and so am considering how to deal with the prospect of being involuntarily conscripted into this surveillance program.
Which brings me to my final point. Some data aggregators are actively pursuing the government as a market for privately collected data. The Privacy Act is in need of reform to keep up with this development, and has been for several years now. If trends continue, it will become necessary to starve the suppliers of data to government surveillance programs. To be clear: that means boycotting businesses that have any part in feeding data into the government maw.
If it comes to that, some of my colleagues who advocate for heavy regulation on the information economy will be able to turn to me and say, “I told you so.” One of their stronger premises is the danger of private data being merged into government investigation and surveillance. And I will have to admit being wrong. I don’t mind doing that. Believe me – I shed dignity every day.
But, if not for my reputation, then for your bottom line, you should resist participating in anything other than fully constitutional sharing of consumer data with government. That means responding fully to proper subpoenas, and it means reporting genuine suspicions of crime. It does not mean turning over, or making available, information about innocent people on a mere request.
So I hope you get a clear sense of perspective from this. And I hope you recognize that your corporate obligations – mostly to the bottom line, but also to the society – point in one direction: Just say “No” when the government asks to tap into your files.
©2000-2004 Privacilla.org. All content subject to the Privacilla Public License.