It's a pleasure to be here and give you my brief thoughts on privacy in the wake of the September 11th attacks.
I'm here as Editor of Privacilla.org. Privacilla is a Web-based think-tank devoted exclusively to privacy. It attempts to capture privacy as a public policy issue from top to bottom.
We divide privacy from government and privacy in the private sector. Within the private sector, we break it down into financial privacy, medical privacy, and online privacy. Within those categories, we talk about the issues, what the policies should be, what proposals are out there, and so on. Importantly, we attempt to define what "privacy" is and set aside the non-privacy issues that are often confused with "privacy."
The title of this entire conference is ". . . Privacy and Data Security . . ." which gives us an opportunity to separate privacy from other issues. Doing so makes it more likely that we are going to deal with each issue effectively. I hope everyone here realizes that things like privacy, security, telemarketing, identity fraud, and spam are each vastly different, if related, subjects.
Let me make a brief disclaimer that I try to give it whenever I speak. I do represent and advise clients as a lobbyist and consultant here in Washington. None of my clients has specific privacy concerns, but privacy touches just about every public policy issue, so I always encourage people to watch for bias in what I have to say, as you should with any privacy advocate. My remarks do not represent the views of any client.
I will be brief so we can get to discussion and Q&A. There is a lot of thinking on privacy on the Web site at www.privacilla.org, so let me encourage people to visit the site for more information.
In the wake of the terrorist attacks, all right-minded citizens have been searching for ways to help improve homeland security and protect against future terrorism. Companies that hold consumer data are no exception. So I want to discuss one trend that I see emerging.
With the best of intentions, some companies appear to be considering offering up their data to federal authorities for law enforcement and intelligence purposes.
As I said, Privacilla discusses privacy from government and privacy in the private sector as the very different things that they are. Between the two, governments are, and have always been, the greater threat to privacy - to say nothing of civil liberties. Governments can take personal information by force of law and, once they have it, use it against citizens in ways that no company can.
So we need to be very careful about proposals to share information among business and government or to integrate private-sector and government databases. There are ways to do it right and ways to do it wrong.
Doing it right means that a great deal of security is handled by private companies using private-sector data. I have no problem, for example, with airlines learning my background, rating me as a security threat, and giving me a card with a biometric identifier that I can use at their security checkpoints. I'm fairly confident that they would rate me as a low risk and I would be able to spend less time in the airport. If I chose to travel anonymously, I could plan on taking my shoes off at security. If airlines then used information about me in a way that harmed or offended me, I might sue them, switch airlines, or enlist consumer groups to join me in a boycott.
If the government handles the security and the investigation, I doubt I would be any safer in terms of my air travel, but I would be at far greater risk that information about me would be used against me, and that I would have far less recourse. In the private sector, individual consumers have far more choice and power than they do in their dealings with the government sector.
Interestingly, the aftermath of the September 11th attacks showed us what the proper relationship between private data and law enforcement should be. The investigation that immediately followed the terrorist attacks gave us a model for crime-control and security that minimized the threat to citizens' privacy, targeted suspects effectively, and, by the way, placed a relatively low burden on data-intensive businesses.
When it became clear that an elaborate system of money exchange had supported the September 11th terrorists, the FBI and the bank regulatory agencies issued urgent requests to financial services providers that they search out and submit information on the terrorists, their aliases, and their supporters. Rightly, companies brought forth information they had on particular, identified suspects.
This is a model for the future: investigators querying the private sector about real suspects. Routine data sharing, integration of databases, and other inventions do no better and pose too great a threat to privacy.
In the exigency and, literally, terror of the times, it can be forgiven if some suspects were investigated in the absence of a warrant. The 19 terrorists had killed off their Fourth Amendment rights along with themselves. But a program modeled on the September 11th suspect-query system should require the appropriate level of legal suspicion before individualized personal information is handed over to the government.
In the absence of individualized suspicion, consumers do have an expectation that information about them held by private companies will not be handed over to the government. This is for the protection of both privacy and civil liberties. Private and public data-sharing evades the Privacy Act, a law that badly needs revision.
Even in the post-September 11th era, you, as leaders of data-intensive companies, should guard the line between the private and public sectors. In your efforts to assist with homeland security, you should not deputize your data or support companies who do.