It’s always a pleasure to speak here at ALEC. For those of you who do not know me from prior events, I am Jim Harper, and I edit a Web-based think-tank called Privacilla.org. Privacilla collects information and arguments about privacy as a public policy issue, including online privacy, medical privacy, financial privacy, and privacy from government.
A wide variety of issues are described in common speech using the word “privacy.” This makes it a tough area for you to work on. When people say “privacy,” they may mean security, they may mean fairness, they may mean freedom from annoyance, or a host of other things. So I am always challenged in my work on privacy to parse out the issues and address them thoughtfully.
I’m happy to bat clean-up for you here today. The speakers before me have articulated well how outsourcing of services overseas is equivalent in terms of economic well-being to free trade in goods. The overall benefits of offshore outsourcing are greater than the harms, though I do understand that someone who loses their job is suffering a 100% unemployment rate, which is very distressing.
After you’ve dispensed with the economics, one of the few remaining arguments against outsourcing is the privacy concerns. There has been, to this point, one anecdotal case where privacy has been threatened by outsourcing, and I’ll get to that in a minute. But I have three main points I want to make to you.
First, people should understand that obligations entered into here in the U.S. go wherever data goes. If a credit card company has promised you confidentiality and they ship data offshore to be processed, they must ensure that the confidentiality promise they made here is enforced. Along with contractual rights, they are subject to bad press and consumer retaliation through loss of business if they violate privacy, and it is no excuse that the data was offshore.
Legal obligations like the privacy torts apply no matter where the data moves. It wouldn’t matter if data collected here by a company is revealed through a breach in a foreign country. In almost every state in the U.S., consumers have a cause of action if highly sensitive private facts are revealed about them. The basis of the action is the offense it causes to the victim wherever he or she is. It doesn’t turn on where the data was first revealed. So the privacy obligations attach to the data no matter where it goes.
Of course, various regulatory requirements in state law, and in federal law – things like HIPAA for medical information, Gramm-Leach-Bliley for financial information – those obligations go wherever the data goes. They do not cut out when data moves offshore to be processed.
My second point is this: Good practices protect privacy well, wherever the data goes. The point is not where data moves, but how it is moved and how it is protected. The good outsourcing companies take a number of steps to ensure the security of data in transit and where it is processed.
They investigate the outside service provider carefully. They make sure that there is proper training of employees. They monitor the sites where work is done. And they require best practices. For example: The computers on which data is processed should not have direct connections to the Internet or extraneous programs like e-mail or Instant Messaging. The rooms where the processing is done can be kept free of pencils or paper, printers and copy machines, so that employees can’t abscond with data. They ensure that data is not stored at the remote location any longer than necessary. And, of course, they must use encryption when transferring data.
So, good practices protect data wherever it moves. The offshore part of the equation doesn’t have all that much importance.
My third point, related to the second, is that bad practices fail to protect privacy, onshore or off. To illustrate, I’ll tell the one story I know of where offshore outsourcing has threatened a privacy breach.
It starts at the UCSF medical center in San Francisco, California. They outsourced their medical transcription work to a firm in Marin called Transcription Stat. Transcription Stat, in turn, outsourced the work to a woman in Florida, and they believed that she did the work. In fact, she was outsourcing the work yet another step, to a man named “Tom Spires” in Texas. Then, believe it or not, this Tom Spires outsourced the work yet again to a woman in Pakistan.
The woman in Pakistan was an English speaker with some medical training who had begun her own transcription business. When she got in touch with Tom Spires, she was very excited because he promised her a lot of work at good pay. He was an uncertain business partner because he was hard to reach sometimes and wouldn’t give a phone number, but what is a hungry small businesswoman supposed to do?
After a period of time, Tom Spires fell behind on his payments and reached $500 in arrears to the Pakistani transcriber. This is more than a month’s wages and our Pakistani friend had bills to pay herself. When she was unable to reach Tom Spires for some weeks, she took matters into her own hands and contacted the UCSF Medical Center saying that she would put patient medical records online if she were not paid. Needless to say, she got paid right away.
The story of this privacy threat was big, and it circulates today as the reason why offshore outsourcing threatens privacy.
A reporter for the San Francisco Chronicle has researched the incident carefully, and what he found shows that it is bad practices and mendacity right here in the United States that caused this threat to privacy.
“Tom Spires,” it turns out, is probably a name invented by the Florida woman. The Florida house she lives in is owned by people named “Spires” and the payments to Pakistan came from Florida, not Texas. The transcription service in Marin did not know that work was being outsourced further, much less outsourced offshore. In short, this long chain of careless outsourcing, and some fishy business in Florida, created the threat to privacy.
I don’t endorse the Pakistani woman’s method of collecting, but I find it hard to blame her either. I imagine that, right now while we’re worrying about the privacy threat in Pakistan, there’s a meeting happening over there about whether Americans can be trusted to pay their bills!
So, the point is that bad practices anywhere lead to privacy threats anywhere, onshore or off. The offshore aspect is not terribly significant.
There is one threat from offshore outsourcing that I feel is legitimate. It’s called the “foreign subpoena problem.” Obviously, other countries do not have the same Fourth Amendment protections that we do. There is a possibility that data moved offshore could be collected by the local government there. For example, a country trying to get tax information from local citizens who invest in the United States might seek to get that through U.S. financial records processed in-country.
This is one reason why it’s important not to leave data resident at an offshore outsourcer. But the first answer to the foreign subpoena problem is that it would probably be economic suicide. The instant a country started to do that, companies would pull their business from that country. I don’t think a country would attack its own economic base in this way, but I guess stranger things have happened.
Ultimately, this problem should probably be resolved through country-to-country agreements that ensure outsourced data will not be collected by the local governments.
And, I should note to you that the foreign subpoena problem, just like outsourcing, cuts both ways. Canada has recently expressed concern about data transferred to the United States and whether it will be made available to the government here under the USA-PATRIOT Act.
It is always important to be vigilant about privacy. Beyond this narrow foreign subpoena possibility, though, I think the privacy problem from outsourcing is pretty overstated. We can reap the economic benefits of offshore outsourcing without significantly threatening privacy.
©2000-2004 Privacilla.org. All content subject to the Privacilla Public License.