(This post is the last in a series about privacy. They are all drawn from my book. The full discussion is available, free for distribution, here.)
I've devoted several posts to failed solutions to the problem of privacy in a data-filled world. In the end, I think these approaches all fail because they're all reactionary -- they try to stop the accumulation and analysis of data, as though technology were not making it cheaper and easier every day to accumulate and analyze data. They're like bailing the Titanic with a bucket.
So what might work? In my view, we shouldn't fight information technology. We should work with it -- use its capabilities to protect against abuse of the data that will inevitably be gathered by governments and companies.
The best way to understand this idea is to begin with Barack Obama’s passport records—and with Joe the Plumber. These were two minor flaps that punctuated the 2008 presidential campaign. But both tell us something about how privacy really is protected these days.
In March of 2008, Barack Obama and Hillary Clinton were dueling across the country in weekly primary showdowns. Suddenly, the campaign took an odd turn. The Bush administration’s State Department announced that it had fired or disciplined several contractors for examining Obama’s passport records.
Democrats erupted. They remembered when Bill Clinton’s files had been examined during the 1992 campaign, and Obama’s lengthy stays outside the United States as a child had become a simmering underground issue in this campaign. It wasn’t hard to jump to the conclusion that the candidate’s files had been searched for partisan purposes. An Obama campaign spokesman called the records search “outrageous . . . This is a serious matter that merits a complete investigation, and we demand to know who looked at Senator Obama’s passport file, for what purpose, and why it took so long for them to reveal this security breach.”
After an investigation, the flap slowly deflated. It soon emerged that all three of the main presidential candidates’ passport files had been improperly accessed. Investigators reported that the State Department was able to quickly identify who had examined the files by using its computer audit system. This system flagged any unusual requests for access to the files of prominent Americans. The fired contractors did not deny the computer record. Several of them were charged with crimes and pleaded guilty. All, it turned out, had acted purely out of “curiosity.”
Six months later, it was the Republicans’ turn to howl about privacy violations in the campaign. “Joe” Wurzelbacher, a plumber, became an overnight hero to Republicans in October 2008. After all, he was practically the only person who laid a glove on Barack Obama during the campaign. The candidate made an impromptu stop in Wurzelbacher’s Ohio neighborhood and was surprised when the plumber forced him into a detailed on-camera defense of his tax plan. Three days later, “Joe the Plumber” and his taxes were invoked dozens of times in the presidential debates.
The price of fame was high. A media frenzy quickly stripped Joe Wurzelbacher of anonymity. Scouring the public record, reporters found that the plumber had been hit with a tax lien; they also found government data that raised doubts about the status of his plumbing license.
Reporters weren’t the only ones digging. Ohio state employees also queried confidential state records about Wurzelbacher. In all, they conducted eighteen state records checks on Wurzelbacher. They asked whether the plumber owed child support, whether he’d ever received welfare or unemployment benefits, and whether he was in any Ohio law enforcement databases. Some of these searches were proper responses to media requests under Ohio open records laws; others looked more like an effort to dig dirt on the man.
Ohio’s inspector general launched an investigation and in less than a month was able to classify all but one of the eighteen records searches as either legitimate or improper. (One search could not be traced because it came from an agency outside the jurisdiction of the inspector general.)
Thirteen searches were traced and deemed proper. But three particularly intrusive searches were found improper; they had been carried out at the request of a high-ranking state employee who was also a strong Obama supporter. She was suspended from her job and soon stepped down. A fourth search was traced to a former information technology contractor who had not been authorized to search the system he accessed; he was placed under criminal investigation.
What do these two flaps have in common? They were investigated within weeks of the improper access, and practically everyone involved was caught immediately.
That’s important.
Information technology isn’t just taking away your privacy or mine. It’s taking away the privacy of government workers even faster.
So it isn’t hard to identify every official who accessed a particular file on a particular day. That’s what happened here. Government access to personal data need not be restricted by speed bumps or walls. Instead, it can be protected by rules, so long as the rules are enforced.
What’s new is that network security and audit tools now make it easy to enforce the rules. That’s important because it takes the profit motive out of misuse of government data. No profit-motivated official is going to take the risk of stealing personal data if it’s obvious that he’ll be caught as soon as people start to complain about identity theft. Systematic misuse of government databases is a lot harder and more dangerous if good auditing is in place.
Call it the auditor’s solution. It's the only privacy solution that will get more effective as information technology advances. And we’re going to need more solutions that allow flexible, easy access to sensitive databases while still protecting privacy.
If the plight of government investigators trying to prevent terrorist attacks doesn’t move you, think about the plight of medical technicians trying to keep you alive after a bad traffic accident.
The Obama administration has launched a long-overdue effort to bring electronic medical records into common use. But the privacy problem in this area is severe. Few of us want our medical records to be available to casual browsers. At the same time, we can’t personally verify the bona fides of the people accessing our records, especially if we’re lying by the side of the road suffering from what looks like brain or spine damage.
The electronic record system won’t work if it can’t tell the first responders that you have unusual allergies or a pacemaker. It has to do that quickly and without a lot of formalities. The side of the road is no place for emergency medical staff to be told that they can’t access your records until they change their passwords or send their medical credentials to a new hospital.
No one wants to be the punch line in an updated surgeon’s joke: “The privacy system was a success; unfortunately it killed the patient.”
Auditing access after the fact is likely to be our best answer to this problem, as it is to the very similar problem of how to let law enforcement and intelligence agencies share information smoothly and quickly in response to changing and urgent circumstances. The Markle Foundation has done pioneering work in this area, and its path-breaking 2003 report on privacy and security in the war on terror recommends embracing technologies that watch the watchers. A unique mix of security, privacy, and technology experts managed to reach agreement in that report; they found that one key to protecting privacy without sacrificing security was a network that included “access control, authentication, and full auditing capability.”
These technologies can be very flexible. This makes them especially suitable for cases where outright denial of data access could have fatal results. The tools can be set to give some people immediate access, or to open the databases in certain situations, with an audit to follow. They can monitor each person with access to the data and learn that person’s access patterns—what kinds of data, at what time, for how long, with or without copying, and the like. Deviations from the established pattern can have many consequences. Perhaps access will be granted but the person will be alerted that an explanation must be offered within twenty-four hours. Or access could be granted while a silent alarm sounds, allowing systems administrators to begin a real-time investigation.
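To make the auditor's solution concrete, here is a small worked example of the two mechanisms this post describes: the State Department-style flag on any access to a prominent person's file, and the learned per-user access pattern (what kinds of data, at what hour, with or without copying) whose deviations trigger either a demand for an explanation or a silent alarm. This is an illustration added to this post, not code from the State Department, Ohio, or the Markle Foundation; the log format, the user names, the subject ids, and the watchlist are all constructed for the example. Note that the audit never denies access; it only decides what follow-up each access earns.

```python
"""After-the-fact audit of data access: every request is granted, then each
access is checked against a watchlist of prominent subjects and against the
user's own established pattern. Added example with a constructed log format;
it is not the code of any agency mentioned in the post."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    user: str          # official who ran the query
    record_type: str   # kind of data, e.g. "passport" or "welfare"
    subject_id: str    # whose record was touched (opaque id)
    when: datetime
    copied: bool       # True if the record was exported or printed


@dataclass
class Finding:
    event: AccessEvent
    consequence: str   # "silent_alarm" or "explanation_required"
    reasons: list[str]


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the constructed format: '<iso-time> <user> <type> <subject> view|copy'."""
    events = []
    for line in text.strip().splitlines():
        ts, user, rtype, subject, action = line.split()
        events.append(AccessEvent(user, rtype, subject,
                                  datetime.fromisoformat(ts), action == "copy"))
    return events


def build_baseline(history: list[AccessEvent]) -> dict[str, dict]:
    """Learn each user's established pattern: record types, hours of day, copying."""
    base: dict[str, dict] = defaultdict(
        lambda: {"types": set(), "hours": set(), "copies": False})
    for e in history:
        b = base[e.user]
        b["types"].add(e.record_type)
        b["hours"].add(e.when.hour)
        b["copies"] = b["copies"] or e.copied
    return dict(base)


def audit(events: list[AccessEvent], baseline: dict[str, dict],
          watchlist: set[str]) -> list[Finding]:
    """Decide the follow-up for each access; access itself was already granted."""
    findings: list[Finding] = []
    for e in events:
        if e.subject_id in watchlist:
            # Prominent subject: real-time investigation regardless of pattern.
            findings.append(Finding(e, "silent_alarm", ["access to watchlisted subject"]))
            continue
        b = baseline.get(e.user)
        if b is None:
            # No history at all (e.g. a contractor account): treat as an alarm.
            findings.append(Finding(e, "silent_alarm", ["no established pattern for user"]))
            continue
        reasons = []
        if e.record_type not in b["types"]:
            reasons.append(f"record type {e.record_type!r} outside pattern")
        if e.when.hour not in b["hours"]:
            reasons.append(f"hour {e.when.hour:02d} outside pattern")
        if e.copied and not b["copies"]:
            reasons.append("copied a record; user never copied before")
        if reasons:
            # Milder deviation: access stands, but an explanation is due.
            findings.append(Finding(e, "explanation_required", reasons))
    return findings


# Constructed sample logs (fictional users and subject ids).
HISTORY = """
2008-03-03T09:05:00 clerk_a passport P-0001 view
2008-03-03T10:40:00 clerk_a passport P-0002 view
2008-03-04T11:15:00 clerk_a passport P-0003 view
2008-03-03T13:20:00 clerk_b welfare P-0010 view
2008-03-04T15:45:00 clerk_b child_support P-0011 view
"""
REVIEW = """
2008-03-10T10:00:00 clerk_a passport P-0007 view
2008-03-10T10:30:00 clerk_a passport CAND-01 view
2008-03-10T13:00:00 clerk_b welfare P-0042 copy
2008-03-11T02:15:00 clerk_b law_enforcement P-0042 view
2008-03-11T10:00:00 contractor_x passport P-0099 view
"""
WATCHLIST = {"CAND-01"}   # ids of prominent subjects whose files get extra scrutiny


def run_review() -> list[Finding]:
    return audit(parse_log(REVIEW), build_baseline(parse_log(HISTORY)), WATCHLIST)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.consequence:21} {f.event.user:12} {f.event.subject_id:8} "
              f"{'; '.join(f.reasons)}")
```

Run as a script, the routine passes over clerk_a's ordinary lookup in silence, raises a silent alarm on the watchlisted file and on the contractor with no history, and asks clerk_b for an explanation twice: once for copying a record she had only ever viewed, and once for a 2 a.m. query against a database she had never touched. The point is the one made above: nothing was blocked, yet every deviation is already attributed to a named account before anyone complains.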
There’s a kind of paradox at the heart of this solution. We can protect people from misuse of their data, but only by stripping network users of any privacy or anonymity when they look at the data. The privacy campaigners aren’t likely to complain, though. In my experience, their interest in preserving the privacy of intelligence and law enforcement officers is pretty limited.
When I was general counsel of the National Security Agency, a well-known privacy group headed by Marc Rotenberg filed a Freedom of Information Act request asking the NSA to assemble all documents and emails sent “to or from Stewart Baker.” Then as now, the NSA was forbidden to assemble files on American citizens who were not agents of a foreign power. Even so, Rotenberg was asking NSA to assemble a dossier on me. Since NSA and I were locked in a battle with Rotenberg over encryption policy at the time, the purpose of the dossier was almost certainly to look for embarrassing information that might help Rotenberg in his political fight. Indeed, Rotenberg claimed when I confronted him that he was planning to scrutinize my dossier for evidence of misconduct.
Had the FBI or NSA assembled a dossier on their political adversaries, it would have been a violation of law. In fact, it would have caused a privacy scandal. But Rotenberg saw no irony in his request. It wasn’t a privacy problem, in his view, because government officials deserve no privacy.
I still think Rotenberg’s tactics were reprehensible; he had singled me out for a selective loss of privacy because he didn’t like my views. But I’ve come to appreciate that there’s a core of truth to his view of government. Anyone who has access to government files containing personal data has special responsibilities. He should not expect the same privacy when he searches that data as he has while he’s surfing the net at home. And now that technology makes it easy to authenticate and track every person, every device, and every action on a network, perhaps it’s time to use that technology to preserve everyone else’s privacy.
In the end, that’s the difference between a privacy policy that makes sense and one that doesn’t. We can’t lock up data that is getting cheaper every day. Pretending that it’s property won’t work. Putting “predicates” between government and the data it needs won’t work. And neither will insisting that the data may only be used for purposes foreseen when it was collected.
What we can do is use new information technology tools to deter government officials from misusing their access to that data.
As you know by now, I think that some technology poses extraordinary risks. But we can avoid the worst risks if we take action early. We shouldn’t try to stop the trajectory of new technology. But we can bend it just a little. Call it a course correction on an exponential curve.
That’s also true for privacy. The future is coming, like it or not. Our data will be everywhere. But we can bend the curve of technology to make those who hold the data more accountable.
Bending the exponential curve a bit. That’s a privacy policy that could work.