America Faces the World On Privacy: Four Years After 9/11 Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Keynote: Edinburgh Privacy ... – PowerPoint PPT presentation


Transcript and Presenter's Notes


1
America Faces the World On Privacy: Four Years
After 9/11
  • Peter P. Swire
  • Ohio State University
  • Consultant, Morrison & Foerster, LLP
  • Keynote: Edinburgh Privacy Conference
  • September 5, 2005

2
Overview
  • Background
  • The public sector: the Bush Doctrine of
    information sharing
  • The private sector: challenges to fair
    information practices
  • Ways to build trans-Atlantic understanding on
    privacy

3
I. Before 9/11
  • The 1998 baseline
  • The E.U. Directive went into effect fall, 1998
  • My book was keyed to that date
  • Extensive interviews with EU and US experts
  • EU perspective
  • Human rights based
  • Need for harmonization in common market
  • US perspective
  • Cost/benefit based
  • Concerns about under- and over-regulation

4
Chief Counselor for Privacy
  • My role in U.S. Executive Office of the
    President, 1999-early 2001
  • Trying to build privacy in for policies/laws
  • HIPAA medical privacy
  • Gramm-Leach financial privacy
  • FTC enforcement of privacy promises
  • Especially for the Internet
  • Safe Harbor
  • Federal agency web policies & privacy impact
    assessments
  • Bipartisan interest in Congress to make email
    wiretap laws stricter

5
My Normative Baseline
  • My own views are roughly those reflected by the
    Clinton Administration, 1999-2000
  • Achieve progress in building privacy into public
    and private systems
  • Fair information practices as the baseline
  • Be realistic about how laws are actually
    implemented in practice, avoiding over- and
    under-regulation

6
II. The Public Sector
  • Moral view of the precautionary principle: if
    the consequences of an action are unknown but
    judged to have a high risk of being ethically
    negative, it is better to not carry out the
    action rather than risk the uncertain but
    possibly negative consequences
  • Principle best known for protecting the
    environment
  • Long run potential harm from action
  • Precaution (inaction) less likely to cause
    long-run harm

7
Precautionary Privacy
  • Instinct for privacy scholars is that protecting
    privacy is like protecting the environment
  • Precautionary principle
  • Err on the side of human rights
  • When in doubt, be cautious about the use of data
    and the dangers caused by that use
  • Precaution against use of data: the long term
    effects of revealing private information

8
Precautionary Security
  • Consider a contrary view
  • Precautionary principle
  • Err on the side of protecting society from attack
  • When in doubt, share data to avoid the dangers of
    attack
  • Precautions are against the long-term damage from
    the attacks

9
Precautionary and Privacy
  • In the privacy debate, we are used to balancing
    privacy & security
  • Balancing is a term of utilitarian calculus
  • Use of the precautionary principle helps show
    that moral fervor is on both sides
  • Privacy protects human rights (no attacks by
    commercial or state interests)
  • Information sharing protects human rights (right
    to bodily integrity, not to be attacked)

10
The Bush Doctrine of Information Sharing
  • Disclaimer: I often critique the Bush
    Administration on privacy & information sharing
  • It is important to understand the logic of the
    position
  • Axiom 1: The threat has changed
  • Was threat of Soviet tank or missile attack
  • Now is asymmetric threat: a few individuals with
    boxcutters or home-made explosives

11
Bush Doctrine
  • Axiom 2: The threat is significant
  • The intellectual importance of WMDs
  • One nuke can ruin your whole day
  • Measures that are not justified by small attacks
    may be justified for asymmetric, large attacks

12
Bush Doctrine
  • Axiom 3: Progress in IT dwarfs progress in
    defensive physical security
  • Price of sensors, storage, and sharing down
    sharply
  • Useful knowledge patterns extracted from data
  • The efficient mix of security measures has a
    large ongoing shift to information-intensive
    strategies

13
Bush Doctrine
  • (1) The threat has changed
  • (2) The threat is significant
  • (3) Progress in IT shifts the best response
  • For privacy advocates, which of these assertions
    seems incorrect?
  • There is a powerful logic to this approach
  • Now we turn to possible responses

14
Has the Threat Changed?
  • Yes.
  • Conventional threat, typified by satellite
    reconnaissance of military targets, is clearly
    less than before 1989
  • Enemy mobilization often graduated and visible
    (levels of military alert)
  • Current threats from asymmetric attacks
  • No visibility of imminent attacks unless get
    information about the individual attackers

15
How Significant is the Threat?
  • This topic is controversial
  • I address this in 2004 article on foreign
    intelligence surveillance
  • No WMDs in Iraq
  • Nation states as havens likely much more
    dangerous than isolated individuals
  • Exception, in my view: nuclear proliferation

16
Significance of the Threat
  • Within the U.S., extremely difficult politically
    to question the threat
  • Republicans are loyal to Pres. Bush
  • Democrats can't appear weak
  • Within U.S., privacy and civil liberties
    advocates can question the threat but are not
    likely to succeed much
  • European resistance can slow hasty actions by
    U.S. where threat is exaggerated

17
Is the Shift to IT & Prevention Efficient?
  • Here is the battleground for privacy
  • (1) Ends/means rationality: does the proposed
    surveillance actually improve security?
  • Does security measure work? Cost effectively?
  • E.g., carry-ons over-broad (nail cutters) and
    under-broad (ingenious attackers can attack)
  • E.g., data mining may create so many false
    positives that the noise swamps the signal

18
Shift to IT and Prevention?
  • (2) Security theater (Bruce Schneier)
  • Perceive, and critique, measures that are taken
    for the sake of doing something
  • E.g., show ID to get into office buildings: this
    is worthless in a world of pervasive fake IDs
  • Important to have credible and effective
    technical critiques of proposed surveillance
  • U.S. State Dept. RFIDs on passports as terrorist
    beacons readable at 10 meters

19
Shift to IT & Prevention
  • (3) Point out unprecedented nature of proposed
    surveillance
  • E.g., library records and chilling the right to
    read
  • Gag rule on foreign intelligence orders to get
    library and other databases
  • Some greater due process in Patriot Act revisions
  • E.g., national ID cards and build coalition of
    libertarians on left and right

20
Shift to IT and Prevention
  • (4) Invoke historical abuses: ask for checks and
    balances
  • Prevention was tried by Hoover & the FBI
  • Prevention led, over time, to vast expansion of
    surveillance but little proven prevention
  • Political and other abuses from that expansion
  • Therefore, oversight and limits on new
    surveillance because human nature hasn't changed

21
Shift to IT and Prevention
  • (5) Fairness, discrimination, and effectiveness
  • If single out groups, such as young Arab males,
    then that can backfire
  • Is unfair, and perceived as unfair by many
  • Risk of creating resentment by communities whose
    cooperation is needed: better to build bridges
    to communities than to treat everyone as a suspect

22
Shift to IT and Prevention
  • (6) Show how proposed measures make the problem
    worse
  • E.g., trusted traveler programs will give greater
    powers for harm to the terrorists who get the
    credential
  • E.g., racial profiling that undermines assistance
    from the well-informed

23
Shift to IT and Prevention
  • (7) International opposition to U.S. measures
  • Return to this below
  • Concerns from outside the U.S. do require a more
    fully developed policy process within U.S.

24
Summary on Bush Doctrine
  • Significant moral & political logic to: new
    threat; threat is large; IT will help
  • Possible answers include
  • Does proposal work?
  • It may be security theater
  • Unprecedented surveillance and not needed
  • Historical abuses show need for checks
  • Fairness and non-discrimination
  • Proposed measures make the problem worse
  • International realpolitik

25
III. The Private Sector
  • Security as the source of new privacy
    protections
  • Compliance American style
  • Challenge to the FIPs
  • Government use of commercial data

26
Security Helps Privacy
  • Recent U.S. privacy protections created in the
    name of security
  • American style of politics
  • Death tax and estate tax
  • Security is a winning word after 9/11
  • Privacy sounds like one is not committed to
    winning the War on Terrorism

27
New Security Measures
  • Security notifications for breach
  • At least 15 states with laws, 14 this year
  • Cybercrime measures
  • DOJ supports anti-wiretap law (Councilman)
  • Spyware as security threat
  • State, maybe federal, legislation
  • Spam as threat to availability and integrity of
    systems
  • CAN-SPAM and other laws

28
Compliance American Style
  • 3 modes of compliance
  • Aspirational: the law expresses an ideal, but
    detailed compliance is not expected (E.U.?)
  • Gamesmanship: organizations minimize the effect
    of the law with compliance tricks (cynical view
    of U.S.?)
  • Defensive or risk averse: organizations avoid
    even the risk of enforcement by over-complying
    (actual U.S. practice under medical privacy rule)

29
Consequences of Compliance American Style
  • Policymakers learn that over-regulation is a
    major risk
  • For privacy, sensible data flows don't happen
  • The family member picking up the prescription at
    the pharmacy
  • The historical researcher of the 18th C. poet
  • U.S. Ambassador David Aaron's 1999 offer
  • "We'll take E.U. privacy laws if you'll take our
    plaintiffs' lawyers"

30
Compliance: EU & US
  • In the 1998 book, we asked EU Commission if it
    was legal to carry a laptop on the plane to a
    country that lacked an adequacy determination
  • Answer from a Commission official: "It depends"
  • Practice within EU: of course the laptops are
    carried onto planes
  • Have had increase in enforcement actions in E.U.
    since then
  • I welcome your thoughts on how close E.U. is to
    full compliance with the law as written

31
Compliance in U.S.
  • Major U.S. growth in CPOs and institutionalized
    privacy
  • CPO term not used until 1999
  • In U.S., my experience since 2000 is that there
    is more risk-averse compliance than I anticipated
    -- sensible behavior is more chilled by rules
    than I expected
  • Policymakers learn to be cautious about
    aspirational or over-broad privacy laws

32
More on Compliance
  • One thought on why compliance is so different
  • Belgium & the Netherlands: all the key actors in
    an industry gather in a room with officials
  • Ombudsman role of D.P. authorities
  • U.S.: major players are 5,000 km away from
    regulators
  • Formal/legal role of FTC and other regulators
  • Over 1 million HIPAA covered entities

33
Fair Information Practices Under Challenge
  • E.U. Dir. Art. 6(e): data not kept in identified
    form longer than is necessary for purposes for
    which was collected
  • Technology challenge
  • Storage much, much cheaper
  • Forensics much better, and is hard to delete
  • U.S. has HIPAA & many contracts that say "take
    practicable measures," but deletion will often
    not take place

34
FIPs Secondary Use
  • The major battleground is secondary use
  • U.S. is less sure it agrees with this FIP
  • Many public records, used widely
  • First Amendment, and data is generally
    publishable unless under a contract
  • Business & government belief that information
    sharing is often progress, not rights violation
  • Scope of data protection laws as shown in Swedish
    Lindqvist case would be most surprising to U.S.
    intuitions

35
Secondary Use & Govt Access
  • Growing issues on rules for government access to
    private-sector data
  • Government purchases (e.g., subscriptions to do
    background checks)
  • Government asks or requires for law enforcement
    or intelligence

36
Commercial Data & Govt.
  • U.S. rules for purchase are not well developed
  • Great interest from government as part of
    information sharing growth
  • Little legal framework for how that purchased
    data is handled by federal government
  • Answers to this will mirror answers to broader
    wish by agencies for information sharing in
    anti-terrorism efforts

37
IV. Looking Ahead
  • Within the U.S., and I think globally, security
    will be an increasingly important way that new
    privacy protections will be implemented
  • Political and policy alliances to build both
    security and privacy into information systems

38
Looking Ahead
  • Politically, the Bush Administration has
    sometimes been willing to go along with privacy
    initiatives
  • CPO for Homeland Security
  • Privacy Impact Assessments in 2002 law
  • It didn't cancel HIPAA
  • The Administration has had no significant data
    privacy initiatives of its own
  • No distractions from the War on Terror

39
Looking Ahead
  • Better privacy policy must then come from
    elsewhere
  • U.S. state legislation: spyware, breach, etc.
  • Privacy advocates Congress CPOs, PIAs
  • International realities that require the U.S.
    Administration to stop, look, and listen

40
Looking Ahead
  • Europe: the role of the Directive
  • Educated U.S. policy & business leaders
  • Required the process that led to the Safe Harbor
  • Significant convergence, not harmonization
  • Similar effects on passenger name records
  • Mandates in non-U.S. law do create a possibility
    of negotiation and partial convergence

41
Looking Ahead
  • The ebb & flow of politics
  • 2000: Clinton wiretap/privacy bill criticized for
    not being protective enough of privacy
  • 2001: Patriot Act much further toward surveillance
  • With time, the politics of 2001 will shift to
    something else
  • Perhaps the much-feared next big attack
  • Perhaps closer to new normalcy & calm
  • I am hopeful of the latter

42
Looking Ahead
  • As U.S. politics shift, U.S. policy likely to
    become more open to international practices and
    norms
  • The European rights approach will face continuing
    U.S. objections on secondary use
  • But the overall framework of checks against data
    abuse can have solid U.S. support
  • Especially if what is asked of the U.S. is a
    reasonable fit with the U.S. compliance realities

43
In Closing
  • The Atlantic seems wider today than it did five
    years ago, on privacy, global warming, and other
    issues
  • Continuing, implementable privacy protections can
    grow over time in the U.S.
  • Better understanding across the Atlantic, such as
    this conference, will help that to occur

44
Contact Information
  • Professor Peter P. Swire
  • Phone: (240) 994-4142
  • Email: peter_at_peterswire.net
  • Web: www.peterswire.net