America Faces the World On Privacy: Four Years After 9/11 Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Keynote: Edinburgh.


1 America Faces the World On Privacy: Four Years After 9/11 Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Keynote: Edinburgh Privacy Conference September 5, 2005

2 Overview
- Background
- The public sector & the Bush Doctrine of information sharing
- The private sector & challenges to fair information practices
- Ways to build trans-Atlantic understanding on privacy

3 I. Before 9/11
- The 1998 baseline
- The E.U. Directive went into effect fall, 1998
- My book was keyed to that date
- Extensive interviews with EU and US experts
- EU perspective
- Human rights based
- Need for harmonization in common market
- US perspective
- Cost/benefit based
- Concerns about under- and over-regulation

4 Chief Counselor for Privacy
- My role in U.S. Executive Office of the President, early 2001
- Trying to build privacy in for policies/laws
- HIPAA: medical privacy
- Gramm-Leach: financial privacy
- FTC enforcement of privacy promises
- Especially for the Internet
- Safe Harbor
- Federal agency web policies & privacy impact assessments
- Bipartisan interest in Congress to make & wiretap laws stricter

5 My Normative Baseline
- My own views are roughly those reflected by the Clinton Administration,
- Achieve progress in building privacy into public and private systems
- Fair information practices as the baseline
- Be realistic about how laws are actually implemented in practice, avoiding over- and under-regulation

6 II. The Public Sector
- Moral view of the precautionary principle: if the consequences of an action are unknown but judged to have a high risk of being ethically negative, it is better to not carry out the action rather than risk the uncertain but possibly negative consequences
- Principle best known for protecting the environment
- Long run potential harm from action
- Precaution (inaction) less likely to cause long-run harm

7 Precautionary & Privacy
- Instinct for privacy scholars is that protecting privacy is like protecting the environment
- Precautionary principle:
- Err on the side of human rights
- When in doubt, be cautious about the use of data and the dangers caused by that use
- Precaution against use of data & the long term effects of revealing private information

8 Precautionary & Security
- Consider a contrary view
- Precautionary principle:
- Err on the side of protecting society from attack
- When in doubt, share data to avoid the dangers of attack
- Precautions are against the long-term damage from the attacks

9 Precautionary and Privacy
- In the privacy debate, we are used to balancing privacy & security
- Balancing is a term of utilitarian calculus
- Use of the precautionary principle helps show that moral fervor is on both sides
- Privacy protects human rights (no attacks by commercial or state interests)
- Information sharing protects human rights (right to bodily integrity, not to be attacked)

10 The Bush Doctrine of Information Sharing
- Disclaimer – I often critique the Bush Administration on privacy & information sharing
- It is important to understand the logic of the position
- Axiom 1: The threat has changed
- Was threat of Soviet tank or missile attack
- Now is asymmetric threat – a few individuals with boxcutters or home-made explosives

11 Bush Doctrine
- Axiom 2: The threat is significant
- The intellectual importance of WMDs
- One nuke can ruin your whole day
- Measures that are not justified by small attacks may be justified for asymmetric, large attacks

12 Bush Doctrine
- Axiom 3: Progress in IT dwarfs progress in defensive physical security
- Price of sensors, storage, and sharing down sharply
- Useful knowledge & patterns extracted from data
- The efficient mix of security measures has a large & ongoing shift to information-intensive strategies

13 Bush Doctrine
- (1) The threat has changed
- (2) The threat is significant
- (3) Progress in IT shifts the best response
- For privacy advocates, which of these assertions seems incorrect?
- There is a powerful logic to this approach
- Now we turn to possible responses

14 Has the Threat Changed?
- Yes.
- Conventional threat, typified by satellite reconnaissance of military targets, is clearly less than before 1989
- Enemy mobilization often graduated and visible (levels of military alert)
- Current threats from asymmetric attacks
- No visibility of imminent attacks unless get information about the individual attackers

15 How Significant is the Threat?
- This topic is controversial
- I address this in 2004 article on foreign intelligence & surveillance
- No WMDs in Iraq
- Nation states as havens likely much more dangerous than isolated individuals
- Exception in my view – nuclear proliferation

16 Significance of the Threat
- Within the U.S., extremely difficult politically to question the threat
- Republicans are loyal to Pres. Bush
- Democrats can't appear weak
- Within U.S., privacy and civil liberties advocates can question the threat but are not likely to succeed much
- European resistance can slow hasty actions by U.S. where threat is exaggerated

17 Is the Shift to IT & Prevention Efficient?
- Here is the battleground for privacy
- (1) Ends/means rationality – does the proposed surveillance actually improve security?
- Does security measure work? Cost effectively?
- E.g., carry-ons over-broad (nail cutters) and under-broad (ingenious attackers can attack)
- E.g., data mining may create so many false positives that the noise swamps the signal

18 Shift to IT and Prevention?
- (2) Security theater & Bruce Schneier
- Perceive, and critique, measures that are taken for the sake of doing something
- E.g., show ID to get into office buildings; this is worthless in a world of pervasive fake IDs
- Important to have credible and effective technical critiques of proposed surveillance
- U.S. State Dept. RFIDs on passports as terrorist beacons readable at 10 meters

19 Shift to IT & Prevention
- (3) Point out unprecedented nature of proposed surveillance
- E.g., library records and chilling the right to read
- Gag rule on foreign intelligence orders to get library and other databases
- Some greater due process in Patriot Act revisions
- E.g., national ID cards and build coalition of libertarians on left and right

20 Shift to IT and Prevention
- (4) Invoke historical abuses & ask for checks and balances
- Prevention was tried by Hoover & the FBI
- Prevention led, over time, to vast expansion of surveillance but little proven prevention
- Political and other abuses from that expansion
- Therefore, oversight and limits on new surveillance because human nature hasn't changed

21 Shift to IT and Prevention
- (5) Fairness, discrimination, and effectiveness
- If single out groups, such as young Arab males, then that can backfire
- Is unfair, and perceived as unfair by many
- Risk of creating resentment by communities whose cooperation is needed – better to build bridges to communities than to treat everyone as a suspect

22 Shift to IT and Prevention
- (6) Show how proposed measures make the problem worse
- E.g., trusted traveler programs will give greater powers for harm to the terrorists who get the credential
- E.g., racial profiling that undermines assistance from the well-informed

23 Shift to IT and Prevention
- (7) International opposition to U.S. measures
- Return to this below
- Concerns from outside the U.S. do require a more fully developed policy process within U.S.

24 Summary on Bush Doctrine
- Significant moral & political logic to: new threat; threat is large; IT will help
- Possible answers include:
- Does proposal work?
- It may be security theater
- Unprecedented surveillance and not needed
- Historical abuses show need for checks
- Fairness and non-discrimination
- Proposed measures make the problem worse
- International realpolitik

25 III. The Private Sector
- Security as the source of new privacy protections
- Compliance American style
- Challenge to the FIPs
- Government use of commercial data

26 Security Helps Privacy
- Recent U.S. privacy protections created in the name of security
- American style of politics
- Death tax and estate tax
- Security is a winning word after 9/11
- Privacy sounds like one is not committed to winning the War on Terrorism

27 New Security Measures
- Security notifications for breach
- At least 15 states with laws, 14 this year
- Cybercrime measures
- DOJ supports anti-wiretap law (Councilman)
- Spyware as security threat
- State, maybe federal, legislation
- Spam as threat to availability and integrity of systems
- CAN-SPAM and other laws

28 Compliance American Style
- 3 modes of compliance
- Aspirational – the law expresses an ideal, but detailed compliance is not expected (E.U.?)
- Gamesmanship – organizations minimize the effect of the law with compliance tricks (cynical view of U.S.?)
- Defensive or Risk averse – organizations avoid even the risk of enforcement by over-complying (actual U.S. practice under medical privacy rule)

29 Consequences of Compliance American Style
- Policymakers learn that over-regulation is a major risk
- For privacy, sensible data flows don't happen
- The family member picking up the prescription at the pharmacy
- The historical researcher of the 18th C. poet
- U.S. Ambassador David Aaron's 1999 offer:
- We'll take E.U. privacy laws if you'll take our plaintiffs' lawyers

30 Compliance: EU & US
- In the 1998 book, we asked EU Commission if it was legal to carry a laptop on the plane to a country that lacked an adequacy determination
- Answer from a Commission official: It depends
- Practice within EU – of course the laptops are carried onto planes
- Have had increase in enforcement actions in E.U. since then
- I welcome your thoughts on how close E.U. is to full compliance with the law as written

31 Compliance in U.S.
- Major U.S. growth in CPOs and institutionalized privacy
- CPO term not used until 1999
- In U.S., my experience since 2000 is that there is more risk-averse compliance than I anticipated -- sensible behavior is more chilled by rules than I expected
- Policymakers learn to be cautious about aspirational or over-broad privacy laws

32 More on Compliance
- One thought on why compliance is so different
- Belgium & the Netherlands – all the key actors in an industry gather in a room with officials
- Ombudsman role of D.P. authorities
- U.S. – major players are 5,000 km away from regulators
- Formal/legal role of FTC and other regulators
- Over 1 million HIPAA covered entities

33 Fair Information Practices Under Challenge
- E.U. Dir. Art. 6(e): data not kept in identified form longer than is necessary for purposes for which was collected
- Technology challenge
- Storage much, much cheaper
- Forensics much better, and is hard to delete
- U.S. has HIPAA & many contracts that say take practicable measures, but deletion will often not take place

34 FIPs: Secondary Use
- The major battleground is secondary use
- U.S. is less sure it agrees with this FIP
- Many public records, used widely
- First Amendment, and data is generally publishable unless under a contract
- Business & government belief that information sharing is often progress, not rights violation
- Scope of data protection laws as shown in Swedish Lindqvist case would be most surprising to U.S. intuitions

35 Secondary Use & Govt Access
- Growing issues on rules for government access to private-sector data
- Government purchases (e.g., subscriptions to do background checks)
- Government asks or requires for law enforcement or intelligence

36 Commercial Data & Govt.
- U.S. rules for purchase are not well developed
- Great interest from government as part of information sharing growth
- Little legal framework for how that purchased data is handled by federal government
- Answers to this will mirror answers to broader wish by agencies for information sharing in anti-terrorism efforts

37 IV. Looking Ahead
- Within the U.S., and I think globally, security will be an increasingly important way that new privacy protections will be implemented
- Political and policy alliances to build both security and privacy into information systems

38 Looking Ahead
- Politically, the Bush Administration has sometimes been willing to go along with privacy initiatives
- CPO for Homeland Security
- Privacy Impact Assessments in 2002 law
- It didn't cancel HIPAA
- The Administration has had no significant data privacy initiatives of its own
- No distractions from the War on Terror

39 Looking Ahead
- Better privacy policy must then come from elsewhere
- U.S. state legislation – spyware, breach, etc.
- Privacy advocates & Congress – CPOs, PIAs
- International realities that require the U.S. Administration to stop, look, and listen

40 Looking Ahead
- Europe & the role of the Directive
- Educated U.S. policy & business leaders
- Required the process that led to the Safe Harbor
- Significant convergence; not harmonization
- Similar effects on passenger name records
- Mandates in non-U.S. law do create a possibility of negotiation and partial convergence

41 Looking Ahead
- The ebb & flow of politics
- 2000 Clinton wiretap/privacy bill criticized for not being protective enough of privacy
- 2001 Patriot Act much further toward surveillance
- With time, the politics of 2001 will shift to something else
- Perhaps the much-feared next big attack
- Perhaps closer to new normalcy & calm
- I am hopeful of the latter

42 Looking Ahead
- As U.S. politics shift, U.S. policy likely to become more open to international practices and norms
- The European rights approach will face continuing U.S. objections on secondary use
- But the overall framework of checks against data abuse can have solid U.S. support
- Especially if what is asked of the U.S. is a reasonable fit with the U.S. compliance realities

43 In Closing
- The Atlantic seems wider today than it did five years ago, on privacy, global warming, and other issues
- Continuing, implementable privacy protections can grow over time in the U.S.
- Better understanding across the Atlantic, such as this conference, will help that to occur

44 Contact Information
- Professor Peter P. Swire
- Phone: (240)
- Web:

