The Wall Street Journal recently published a round-robin dialogue on privacy featuring Jeff Jarvis, danah boyd, Chris Soghoian, and me. Our vibrant discussion was quite heavily compressed for publication, so two of the other participants have now published their contributions in full. Jeff Jarvis's is here, and danah boyd's is here. Publishing the full version on the web seems like good practice generally, so I'm following suit, with a few edits to avoid cross-referencing material that hasn't been put on the web. The Wall Street Journal's questions are in bold italics.
How much should people care about privacy?
That’s like asking how much they should care about the weather. Some, for sure. If we don’t, we’re liable to end up deeply uncomfortable from time to time.
But let’s not kid ourselves. Privacy is like the weather in another way, too. For all the complaining, no one is going to do much about it.
They can’t. The price of storing and analyzing data is dropping exponentially; and keeping that data hidden is a hopeless task.
So, in the end, we will adjust. Privacy is the most adaptable of rights.
Sometimes our sense of what is private shrinks. The man who invented the right to privacy, Louis Brandeis, was appalled that ordinary newsmen could snap his picture and print it in the paper without so much as a by-your-leave. And most of us can sympathize, if we remember the shock of seeing ourselves in a photo, looking quite different than we imagined. But no one today thinks that photography is a privacy violation. We’ve adjusted to the new technology.
And sometimes our sense of privacy grows. Most of us would be deeply uncomfortable at the idea of having strangers sleeping in our homes, listening to our family conversations, and gossiping about us over the back fence. But Brandeis never gave the privacy risk posed by his servants a second thought.
It's tempting, in that first uncomfortable moment when new technology starts to shrink our old sense of privacy, to ask for new laws to protect us from change.
They won’t. Sooner or later, the laws on the books will yield to Moore’s law. But in the meantime, bad laws can do a lot of damage.
Maybe it made sense to tell the FBI in Hoover’s day that its agents couldn’t compile clippings files on Americans who weren't suspected of acting improperly. But by the time of 9/11, when any coed could assemble clips files on her blind dates -- in seconds, for free, with the help of Google -- did it really make sense for FBI agents to be the only people in the country barred from printing out name searches?
So, sure, we should care about privacy. But we should also care about dumb privacy laws whose cost we won’t appreciate until it’s too late.
What is the harm that can be inflicted by bad privacy laws? Will it prevent us from catching terrorists or drug cartels?
Bad privacy laws abound, but the harm they do is too often downplayed in the media.
Take the story of September 11 itself. As the attacks loomed, the secret court that approves national security wiretaps had plunged the FBI into turmoil -- but over privacy, not terrorism. Perhaps reacting to charges that it was merely a rubber stamp, the secret court had begun aggressively protecting Americans’ privacy -- by imposing harsh, career-killing sanctions on an FBI agent who failed to observe the Wall between law enforcement and intelligence.
As described in Skating on Stilts, the court’s harsh punishment was still reverberating when the FBI learned that two al Qaeda operatives had entered the US. Members of its massive Cole bombing task force begged for a chance to track them down. But no one was willing to risk the secret court’s wrath by using a criminal task force to pursue intelligence leads.
And so we missed our last, best chance to stop the 9/11 attacks -- thanks to the secret court’s misplaced enthusiasm for a dubious privacy doctrine. That’s what turned me from a moderate privacy supporter into a profound skeptic.
Worse, because the secret court has never been held to account for its fecklessness, it is reportedly still following the same path -- imposing new and secret privacy restrictions on our intelligence agencies. And leaving us all at risk of becoming the next privacy victims.
You've said that privacy advocates have helped turn our computers into surveillance machines; what privacy laws are you referring to? And how should it have been prevented?
There are indeed privacy laws that make computer defense much more difficult. European laws protecting employee privacy make it harder to secure corporate networks, and U.S. privacy rules make it hard for the government to identify and warn Americans whose computers have been taken over by botnets. But the real problem is the way privacy groups have prevented the government from making policy changes in response to the growing danger of network attacks.
Take intrusion detection. Many corporate networks use technology that monitors networks to detect intrusions and alert administrators to threats. As long ago as the 1990s, the Clinton Administration proposed creating a Federal Intrusion Detection network, or FIDNet, that would do the same thing for civilian government networks. It didn't happen. FIDNet was condemned by privacy groups as "a monitoring system that threatens privacy and other civil liberties.” Along with their allies in the press, privacy advocates made FIDNet so controversial that Congress killed it. When George W. Bush revisited the idea, it made even less progress. Only now, after a third President has raised the alarm about network attacks, are we beginning to roll out coordinated intrusion detection for the civilian arms of government. Of course we're a decade late; foreign governments have had ten years to steal all the information the privacy advocates now say they’re worried about – delays caused in large part by the privacy advocates themselves.
If secret court orders protecting privacy led to 9/11, as you contend - isn't the answer to not have secret courts? Not that privacy is terrible?
Secrecy may well be cloaking dubious rulings by the secret court, just as it cloaked the court's enforcement of the Wall. But we can't expose those rulings without also exposing the highly classified intelligence operations the court is overseeing. To solve this kind of dilemma, the Congress's intelligence committees sometimes conduct classified investigations and release an unclassified summary of their findings. Maybe the value of such an investigation is one thing that privacy advocates and I (and the Wall Street Journal) can all agree on.
But the problem at its heart is not secrecy. It's the court's willingness to create novel privacy and civil liberties protections. That may sound like a good thing, but it cost us dearly in August 2001. We should consider that cost before we impose new privacy rules.