Prepared Remarks of Jim Harper, Editor of, to the American Society of Access Professionals Panel Entitled “Privacy: It’s Not Just an Act”

September 11, 2002

Today is obviously a difficult day for many people because it is the one-year anniversary of the attacks on the World Trade Center and the Pentagon. It has been a difficult year to be a privacy advocate because values like privacy are often in tension with security. It is alleged and widely believed that having less privacy will give us more security. I do not believe that to be true, but those of us who cherish privacy have been in the position of seeming, at times, to be anti-security.

I was asked the day after the attacks by a reporter whether laws would be passed that negatively impacted privacy. And, like a babe in the woods, I said No. The terrorist attacks were not a result of Americans being able to keep information about themselves from government. Despite my experience, I was optimistic and forgot about the absence of need for correlation between cause and effect in the making of our public policy. Only now are we discussing the failure of intelligence agencies to effectively use already available information.

Similarly, there have been moves to close off access to government information in the name of security. I know less about this area, but I am also skeptical of the claim that these measures are particularly effective, much less consistent with our values and interest in American democracy.

Our collective knee-jerk reaction seemed to be that civil liberties should take a back seat in the war on terrorism. But I think it has been clear from the start that the best way to prevent terrorism is having better human intelligence. That is, infiltrating terrorist organizations abroad and eliminating the threats against us there. I do not think that the ritual shedding of civil liberties we undertook post-September 11th was terribly proximate to the effort to end terrorism.

September 11th certainly puts these issues in high relief, so there is no better time than today to discuss privacy and access to information in the hands of government.

Let me introduce myself briefly and then make a few remarks on the Privacy Act and the fascinating tension between the Privacy Act and open government laws like the Freedom of Information Act.

As you are aware, I am the Editor of, which is a Web-based think-tank devoted to privacy. I am also an Adjunct Fellow at The Progress & Freedom Foundation. In addition, I have a lobbying and consulting firm called PolicyCounsel.Com. None of my clients has specific privacy issues, but privacy touches nearly every public policy issue in one way or another. None of the material on Privacilla and none of what I say to you represents the views of any client, but be aware of my potential for bias, as you would be with any privacy advocate.

At Privacilla, we try to sort out the issues that, in public debate, go under the name of “privacy.” We have put forward a definition of privacy so that policymakers can better address the issue directly and determine what interests they are pursuing with various proposals.

The word “privacy” has come to be used to describe just about every concern with the modern world. That’s fine for regular people, but when we as policymakers address these concerns, we need to be a little more precise.

At Privacilla, we have developed a working definition of privacy that we believe should form the basis of policy discussions on the topic: Privacy is a subjective condition that individuals enjoy when two factors are in place — legal ability to control information about oneself, and exercise of that control consistent with one's interests and values.

Most importantly, privacy is a personal, subjective condition. That means that my sense of privacy is my own, and yours is yours. Legislators and regulators can’t pass laws to tell us we have privacy when we think we don’t. Those laws can only represent guesses about what privacy might look like.

The first factor I mentioned is the legal power to control information. This essentially asks whether people have been deprived of power to control information in some way. There are thousands of laws and regulations that deprive people of power over information about themselves. Let there be no mistake about the good intentions of these laws. Much of what we are dealing with in the Privacy Act has to do with what becomes of information after people have been deprived of control, though, and that's important to remember.

The second factor I mentioned is exercise of control consistent with our interests and values. Ultimately, the only thing that can deliver privacy on the terms consumers want it is consumer awareness and education. If you don’t know how information moves in the Information Economy, you can’t reject practices that you disapprove of. It is the actions of educated and aware consumers in the marketplace that determine whether the uses made of information are acceptable.

I like the topic we have today: “Privacy is Not Just an Act.” I will add to that, if I may: The Privacy Act is More Than Just Privacy.

Of course, privacy is more than just an Act. It’s unfortunate but true that Americans don’t have privacy just because the agencies of the federal government are in compliance with the strictures of the Privacy Act. There are a lot of protections of various kinds in the Privacy Act, but I am more inclined to identify a loss of privacy as happening when the government demands information from people by law. We have no opportunity to decide as individuals whether information will be shared or not.

In that sense, the Privacy Act is somewhat misnamed. Restrictions on subsequent use or sharing of information are important. But in the absence of any opportunity for choice, it’s not really privacy we’re talking about.

At Privacilla, we note, without suggesting malice on anyone’s part, that loss of privacy is a cost of government. Nearly all government programs require the use of information about citizens at one point or another. Indeed, there is a fairly direct correlation between how helpful a government program is intended to be in the lives of citizens and how invasive of their privacy it must be. Want to help people with health care? It really helps to know their medical condition. And many programs operate on precisely those terms.

So, where the Privacy Act attempts to tell people that they still have privacy in information, I would prefer the government to come clean and say “We have determined that you will enjoy less privacy in order to have this program.” That would be the more accurate and honest statement of the case.

But that is a bigger argument than you folks here today regularly deal with. Lucky for you.

I also want to talk about how the Privacy Act is much more than privacy. It involves a number of different information policies. I hope it will help you in your work to understand and distinguish among them.

In particular, I want to note that the right to access and correct information under the Privacy Act has almost nothing to do with privacy at all. Access and correction have much more to do with an equally important value, which is fairness.

Consider this example: Let’s say I have your diary. Lots of juicy information about you in there, no? And I take it and I encase it in a 50-gallon drum of cement. Then I take the 50-gallon drum and I drop it in the deep ocean. At this point, the privacy of the contents of your diary is very well protected. Very well, indeed. But you have no access to it whatsoever. You have no ability to correct the information that’s in there.

So, you see, privacy and access are very different concepts. You can have privacy without access, and you certainly can have access without privacy. Indeed, access rights tend to present security risks that can lead to loss of privacy. Access and privacy are, in a sense, conflicting values. They are certainly not the same thing.

I think access goes to a different value from privacy — a very important value: fairness. It is incredibly important that we should be treated fairly by our government. There is a high likelihood that incorrect information in the hands of government will be the basis for unfair treatment. Because of the coercive powers of government, inaccurate or unfair treatment can be very harmful indeed. The Privacy Act addresses the fairness question as much as it addresses privacy.

So, you see, just as privacy is more than just an Act, the Privacy Act is more than just privacy. That’s a happy little tongue-twister, isn’t it?

I’ll note that the Federal Agency Protection of Privacy Act, which passed the House Judiciary Committee yesterday, similarly deals with many more information policies than just privacy. The bill would represent progress in making the public aware of the privacy impacts of federal regulation, but it would not help clarify our minds about when we are dealing with privacy and when we are dealing with other important information policies. In my testimony to the Committee and in subsequent follow-up, I pointed this out.

Finally, let me move to a more general discussion of the tension between privacy and public records.

Public records threaten privacy and related interests in a variety of ways. They may permit law enforcement snooping. They prevent anonymity and pseudonymity, which are important and appropriate social customs. They can be improperly used by bureaucrats or released indiscriminately to the public. And, when criminals have access to them, they can be used to further fraud and violent crimes.

But they have many beneficial uses, too. Public records enable the press and community leaders to investigate and thwart wrongdoing. Motor vehicle records have been used to contact people whose cars are observed cruising neighborhoods in search of drugs or prostitutes. Such records have been used by Mothers Against Drunk Drivers to uncover alcohol abuse by residents of local communities and by reporters to uncover alcohol abuse by airline pilots and school bus drivers.

I understand that about 3 million people change their last names each year due to marriage and divorce, and 42 million consumers move every year. Credit reporting agencies and others use public records to track these changes and preserve the good credit records of many people, while protecting us from people who would hide their bad credit histories or other negative background.

Public access to government records also plays a large part in ensuring open government. Access to public records allows citizens to monitor the functions of their government directly, and it allows the press to fully exercise its watchdog role.

So, even in the post-9/11 environment, blanketing public records with secrecy is not a satisfactory solution. This would compromise important open-government values and prevent beneficial uses. Governments should not be able to keep records on citizens hidden from view.

Redaction or editing of records is also not a satisfactory solution. This leaves fallible government officials and bureaucracies in control of citizens' personal information — and unanswerable for their conduct.

Instead, as I said before, loss of privacy must be recognized as a cost of government programs that require citizens to be counted, catalogued, measured, tested, and watched. The only satisfactory protection for privacy in the case of public records is to reduce the need for public records in the first place, by reducing the role of government in intimate details of citizens’ lives.

To the extent records are collected, they should generally be available to the public in order to prevent secret government databases from becoming common practice. Information in public records should be kept secret only if that will have a substantial role in preventing identified and discrete harms to the public.

There is much more to do to reconcile the tension between public records, privacy, and other interests. The Progress & Freedom Foundation has published a book on the topic called Privacy and the Digital State: Balancing Public Information and Personal Privacy by PFF Senior Fellow Alan Charles Raul. This is a beginning, and I hope much more analysis is done.

My own belief is that the Privacy Act is due for revision. Technology has changed quite a bit since the Act was passed and — just as important — our understanding of privacy and government has changed since the Act was passed.

Perhaps you and I can work together on re-examining and rationalizing the Privacy Act once more. Maybe we could shorten it a bit. If we can cut down its length by, say, 10%, I think that will be an achievement. That will make it a little more likely that regular Americans like me will understand what is happening with information about us when we deal with our government.

