Freedom even without data privacy
To reiterate and expand on some points that I keep making:
- Governments are driving to build and integrate vast databanks of information about us. We can’t stop this.
- However, we can and should slow it and shape it.
- Since we can’t ultimately stop the collection of information, we also need to establish a whole new set of legal limits on the use of information.
- This is an urgent matter. What unfolds over the next few decades will largely be shaped over the next few years.
True, we’re talking about the largest data integration projects in world history – government projects at that. The implementation time frame may be better measured in decades than years. But implementation will happen eventually.
I want us to discuss specific design elements of our legal and technical defenses against privacy threats. (And I really mean “us”; I want to start a discussion here among knowledgeable people, that can be refined to the point it seriously affects actual policy-making.) I’ll start by outlining some of the specific threats themselves. In no particular order, these include:
- Censorship of reading, censorship of writing. Certain subjects could simply become taboo, by force of law. Frankly, as a lifelong US citizen I find this to be the least of my concerns, as it’s a straightforward First Amendment issue of the sort many people have long concerned themselves with. (However, I think it’s a huge problem in countries such as China, Iran, et al., calling for direct action on our part in the West to combat it.)
- Evidence in court. Here the problem gets more serious. People’s Google searches, for example, are being used as evidence of intent to commit murder. While the appeal of that to prosecutors, and the occasional benefit, is obvious, I find it deeply troubling, because of the slippery slope it starts. Should a search for gangsta rap lyrics be evidence of criminal intent? Should my investigations around a new car purchase be admissible as proof of intent to recklessly drive?
- Criminal and civil investigations. Even if something is not admissible in court, there’s a risk it will inform civil and criminal investigations. That can apply to anything from terrorism to conventional murder to tax evasion, with consequences ranging from incarceration to airport hassles. And what about confirmation hearings for government appointees? Should they be held up to public scrutiny for every porn site they visit? (Clarence Thomas says hello.) Actually, the same problem could theoretically arise in government hiring of any sort, especially in security-sensitive areas.
- General chilling of SaaS, electronic health records, online email, and worthy technologies that involve public data storage. This may be perception rather than reality — but are you really comfortable keeping your email around forever, if you know the government can always look at it later?
- Information leaks, leading to problems other than with the government. The more the government knows about you, the more it can leak via stupid or corrupt employees.
How then should we advise policy makers, so that they may meet legitimate needs for data collection and integration, yet minimize these grave threats to freedom? My ideas start as follows:
- There should be absolute freedom from restriction on reading and writing, with only the narrowest of exceptions – direct exhortations to commit crimes, violations of live underage porn models, etc.
- “State of mind” evidence derived from reading, web surfing, etc. should be inadmissible in court and even in investigations. If national security mandates its use in an investigation, no other kind of offense found as a byproduct of the investigation should be prosecuted.
- Such evidence should also be inadmissible in government hiring decisions, preferably even for the most sensitive of security positions.
- (Here’s where the technology starts.) There need to be audit trails or other controls that enable the government to prove it obeyed the rules in Point #2 (and for that matter Point #3 as well). Without proof there will be no reliable obedience. Compliance is not just for the private sector. This can’t realistically be “negative” proof, of the sort “Show me all queries that turned up this person’s information as a hit,” because that would surely compromise other investigations. Hence, it needs to be a positive trail, documenting each step of the process of gathering clues pointing to a specific person. Making that work without being ridiculously cumbersome will be extremely hard, but I think it also is necessary. Any ideas on how to design it would be much appreciated. Any ideas that substitute technology for intrusive business processes would be particularly welcome.
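A sketch of the “positive trail” this point asks for, added here as an example and not taken from the original post: each investigative step is appended to a hash-chained log that names the analyst, the authority relied on, the data source consulted and the subject it pointed to, so an overseer can prove the log was not edited or thinned and can list every step on a given subject that drew on reading or web-surfing data (Point #2). Analyst names, order ids and the sample steps are constructed placeholders.

```python
import hashlib
import json

GENESIS = "0" * 64
# Evidence categories the wish list wants kept out of investigations (Point #2).
STATE_OF_MIND_SOURCES = {"web-search", "reading-history", "browsing-log"}

def _digest(prev_hash, body):
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

class AuditTrail:
    """Append-only, hash-chained record of investigative steps.

    Each entry's hash covers the previous entry's hash, so editing, reordering
    or dropping a step breaks the chain and is caught by verify()."""

    def __init__(self):
        self.entries = []

    def record(self, ts, analyst, authority, source, action, subject):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "analyst": analyst,
                "authority": authority, "source": source,
                "action": action, "subject": subject}
        entry = dict(body, prev=prev, hash=_digest(prev, body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every link. Returns (True, None) or (False, first bad index)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or e["hash"] != _digest(prev, body):
                return False, i
            prev = e["hash"]
        return True, None

    def state_of_mind_steps(self, subject):
        """Steps on this subject that drew on reading/surfing data, for an overseer."""
        return [e for e in self.entries
                if e["subject"] == subject and e["source"] in STATE_OF_MIND_SOURCES]

def build_sample_trail():
    # Constructed sample: two steps on one subject, the second using a search log.
    t = AuditTrail()
    t.record("2024-01-10T09:00:00Z", "analyst-17", "ORDER-PLACEHOLDER-1",
             "financial-records", "queried wire transfers", "subject-A")
    t.record("2024-01-10T09:30:00Z", "analyst-17", "ORDER-PLACEHOLDER-1",
             "web-search", "pulled search history", "subject-A")
    return t
```

Because the trail is positive (it lists only the steps actually taken), an overseer can check a specific investigation without running the “show me every query that hit this person” search the text warns would expose unrelated investigations.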
- Security technology around this data should be superb. Beyond that, there needs to be a culture of confidentiality running throughout any government operation. An analogy would be the way health care providers have learned to act. Obviously, some specific exceptions would need to be carved out, but that’s OK. What’s important is that confidentiality is presumed to be absolute — backed up by draconian penalties — unless there’s a specific rule/regulation/process allowing an information flow.
- All uses of data that are not explicitly permitted to government must be forbidden. Unlike many of my more conservative friends, I do not believe in the general form of this dictum. But government needs a strict, comprehensive privacy policy, with the force of law. Just as consumers are (or should be) reluctant to give data to organizations that lack clear privacy assurances, individuals and businesses will become reluctant to leave their databases off-premises unless they have assurance of government non-interference. The crippling effects of this could be awful. That doesn’t mean government can’t pass new laws, giving it more data access rights. But the lawmaking process would leave time for data owners to either pull it in-house, or else to conclude that there’s no good alternative to leaving it within government’s reach.
- For exactly the same reasons, all government programs (with only the narrowest of security exceptions) that use data should be disclosed. Even the narrow security exceptions should be subject to separation-of-powers oversight.
That’s a long list of “musts” and “really shoulds” I’ve offered. A number of them will be hard to implement, politically and/or technically. That’s why we need to get started right away.
Comments
10 Responses to “Freedom even without data privacy”
“Governments are driving to build and integrate vast databanks of information about us. We can’t stop this.
However, we can and should slow it and shape it.
Since we can’t ultimately stop the collection of information, we also need to establish a whole new set of legal limits on the use of information”
hmmm scary. Big brother?
Governments are driving to build and integrate vast databanks of information about us. We can’t stop this.
However, we can and should slow it and shape it.
Since we can’t ultimately stop the collection of information, we also need to establish a whole new set of legal limits on the use of information
kinda scary…
Yes, potentially Big Brother.
The good news is that we have the power to resist. Look at how horrific the Bush Administration is, in principle, on liberty. Look at how little actual harm they’ve done to liberty on the actual soil of the 50 states. These things take time to REALLY go bad, at least in the US.
CAM
Man, do not be so paranoid. So what if they know about you? It can be useful to fight terrorism and crime.
I think we disagree about who the real paranoids are.
CAM
[…] Freedom even without data privacy (a public policy wish list) […]
[…] US writer Curt Monash has written about this topic many times over the years, arguing that since we clearly cannot halt the move […]
[…] *I also spoke with a couple of Mark’s Yahoo colleagues, on his introduction, who are being less helpful than he is about clarifying what I am or am not allowed to say for publication. But I will say that I was heartened by the degree of concern they showed for doing the right thing with regard to privacy. I was not as heartened by the concrete ideas — or lack thereof — for making it happen. But frankly, I don’t think it’s a solvable technical problem. Rather, it should be a huge priority on the legal/political front. […]
[…] be fingered later for pornography consumption or illegal file sharing. I deplore some of the ways web-surfing data can be and is being used, and want laws passed to rein them in. But the retention will […]