This post is the last in a series about privacy. They are all drawn from my book. The full discussion is available, free for distribution, here.

I’ve devoted several posts to failed solutions to the problem of privacy in a data-filled world. In the end, I think these approaches all fail because they’re all reactionary — they try to stop the accumulation and analysis of data, as though technology were not making it cheaper and easier every day to accumulate and analyze data. They’re like bailing the Titanic with a bucket.

So what might work? In my view, we shouldn’t fight information technology. We should work with it — use its capabilities to protect against abuse of the data that will inevitably be gathered by governments and companies.

The best way to understand this idea is to begin with Barack Obama’s passport records—and with Joe the Plumber. These were two minor flaps that punctuated the 2008 presidential campaign. But both tell us something about how privacy really is protected these days.

In March of 2008, Barack Obama and Hillary Clinton were dueling across the country in weekly primary showdowns. Suddenly, the campaign took an odd turn. The Bush administration’s State Department announced that it had fired or disciplined several contractors for examining Obama’s passport records.

Democrats erupted. They remembered when Bill Clinton’s files had been examined during the 1992 campaign, and Obama’s lengthy stays outside the United States as a child had become a simmering underground issue in this campaign. It wasn’t hard to jump to the conclusion that the candidate’s files had been searched for partisan purposes. An Obama campaign spokesman called the records search “outrageous . . . This is a serious matter that merits a complete investigation, and we demand to know who looked at Senator Obama’s passport file, for what purpose, and why it took so long for them to reveal this security breach.”

After an investigation, the flap slowly deflated. It soon emerged that all three of the main presidential candidates’ passport files had been improperly accessed. Investigators reported that the State Department was able to quickly identify who had examined the files by using its computer audit system. This system flagged any unusual requests for access to the files of prominent Americans. The fired contractors did not deny the computer record. Several of them were charged with crimes and pleaded guilty. All, it turned out, had acted purely out of “curiosity.”

Six months later, it was the Republicans’ turn to howl about privacy violations in the campaign. “Joe” Wurzelbacher, a plumber, became an overnight hero to Republicans in October 2008. After all, he was practically the only person who laid a glove on Barack Obama during the campaign. The candidate made an impromptu stop in Wurzelbacher’s Ohio neighborhood and was surprised when the plumber forced him into a detailed on-camera defense of his tax plan. Three days later, “Joe the Plumber” and his taxes were invoked dozens of times in the presidential debates.

The price of fame was high. A media frenzy quickly stripped Joe Wurzelbacher of anonymity. Scouring the public record, reporters found that the plumber had been hit with a tax lien; they also found government data that raised doubts about the status of his plumbing license.

Reporters weren’t the only ones digging. Ohio state employees also queried confidential state records about Wurzelbacher. In all, they conducted eighteen state records checks on Wurzelbacher. They asked whether the plumber owed child support, whether he’d ever received welfare or unemployment benefits, and whether he was in any Ohio law enforcement databases. Some of these searches were proper responses to media requests under Ohio open records laws; others looked more like an effort to dig dirt on the man.

Ohio’s inspector general launched an investigation and in less than a month was able to classify all but one of the eighteen records searches as either legitimate or improper. (One search could not be traced because it came from an agency outside the jurisdiction of the inspector general.)

Thirteen searches were traced and deemed proper. But three particularly intrusive searches were found improper; they had been carried out at the request of a high-ranking state employee who was also a strong Obama supporter. She was suspended from her job and soon stepped down. A fourth search was traced to a former information technology contractor who had not been authorized to search the system he accessed; he was placed under criminal investigation.

What do these two flaps have in common? They were investigated within weeks of the improper access, and practically everyone involved was caught immediately.

That’s important.

Information technology isn’t just taking away your privacy or mine. It’s taking away the privacy of government workers even faster. So it isn’t hard to identify every official who accessed a particular file on a particular day. That’s what happened here. Government access to personal data need not be restricted by speed bumps or walls. Instead, it can be protected by rules, so long as the rules are enforced.

What’s new is that network security and audit tools now make it easy to enforce the rules. That’s important because it takes the profit motive out of misuse of government data. No profit-motivated official is going to take the risk of stealing personal data if it’s obvious that he’ll be caught as soon as people start to complain about identity theft. Systematic misuse of government databases is a lot harder and more dangerous if good auditing is in place.

Call it the auditor’s solution. It’s the only privacy solution that will get more effective as information technology advances. And we’re going to need more solutions that allow flexible, easy access to sensitive databases while still protecting privacy.

If the plight of government investigators trying to prevent terrorist attacks doesn’t move you, think about the plight of medical technicians trying to keep you alive after a bad traffic accident.

The Obama administration has launched a long-overdue effort to bring electronic medical records into common use. But the privacy problem in this area is severe. Few of us want our medical records to be available to casual browsers. At the same time, we can’t personally verify the bona fides of the people accessing our records, especially if we’re lying by the side of the road suffering from what looks like brain or spine damage.

The electronic record system won’t work if it can’t tell the first responders that you have unusual allergies or a pacemaker. It has to do that quickly and without a lot of formalities. The side of the road is no place for emergency medical staff to be told that they can’t access your records until they change their passwords or send their medical credentials to a new hospital.

No one wants to be the punch line in an updated surgeon’s joke: “The privacy system was a success; unfortunately it killed the patient.”

Auditing access after the fact is likely to be our best answer to this problem, as it is to the very similar problem of how to let law enforcement and intelligence agencies share information smoothly and quickly in response to changing and urgent circumstances. The Markle Foundation has done pioneering work in this area, and its path-breaking 2003 report on privacy and security in the war on terror recommends embracing technologies that watch the watchers. A unique mix of security, privacy, and technology experts managed to reach agreement in that report; they found that one key to protecting privacy without sacrificing security was a network that included “access control, authentication, and full auditing capability.”

These technologies can be very flexible. This makes them especially suitable for cases where outright denial of data access could have fatal results. The tools can be set to give some people immediate access, or to open the databases in certain situations, with an audit to follow. They can monitor each person with access to the data and learn that person’s access patterns—what kinds of data, at what time, for how long, with or without copying, and the like. Deviations from the established pattern can have many consequences. Perhaps access will be granted but the person will be alerted that an explanation must be offered within twenty-four hours. Or access could be granted while a silent alarm sounds, allowing systems administrators to begin a real-time investigation.
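The two mechanisms just described, a flag on any access to the files of listed prominent subjects (as in the passport case above) and a per-user access pattern that is learned and then watched for deviations, can be shown in a few dozen lines. This is an added example, not code from the post or from the State Department or Ohio systems it describes; the log layout, subject ids, thresholds and the two graded responses are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log, one access per line:
# timestamp | user | subject_id | record_type | seconds_open | copied(Y/N)
SAMPLE_LOG = """\
2008-03-10T09:12:00|clerk_a|SUBJ-2001|passport|40|N
2008-03-10T10:05:00|clerk_a|SUBJ-2002|passport|35|N
2008-03-11T11:30:00|clerk_a|SUBJ-2003|passport|50|N
2008-03-12T09:45:00|clerk_a|SUBJ-2004|passport|45|N
2008-03-14T23:40:00|clerk_a|SUBJ-1001|passport|600|Y
2008-03-10T08:00:00|clerk_b|SUBJ-3001|welfare|30|N
2008-03-10T08:30:00|clerk_b|SUBJ-3002|welfare|25|N
2008-03-11T09:00:00|clerk_b|SUBJ-3003|welfare|35|N
2008-03-13T10:00:00|clerk_b|SUBJ-3004|child_support|30|N
"""

# Constructed ids standing in for prominent subjects whose files are flagged
# on any access, the way the post says the passport audit system worked.
WATCHLIST = {"SUBJ-1001"}

WORK_HOURS = range(7, 19)   # hours considered normal for this (constructed) office
DURATION_FACTOR = 4.0       # flag when a record is open 4x the user's usual time
MIN_HISTORY = 3             # accesses needed before a pattern is trusted


def parse_log(text):
    """Turn the pipe-separated audit lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, subject, rtype, secs, copied = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "subject": subject,
            "type": rtype,
            "secs": int(secs),
            "copied": copied == "Y",
        })
    return events


def review(events):
    """Replay the log in time order, learning each user's pattern from their
    earlier accesses and checking every new access against it.

    Returns a list of findings. The response mirrors the post's two options:
    'explain_within_24h' for a mild deviation, 'silent_alarm' when a listed
    subject's file is touched or data is copied by someone who never copies.
    """
    history = defaultdict(list)   # user -> accesses already replayed
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        past = history[ev["user"]]
        reasons = []
        if ev["subject"] in WATCHLIST:
            reasons.append("watchlisted subject")
        if len(past) >= MIN_HISTORY:
            # What kinds of data does this user normally touch?
            if ev["type"] not in {p["type"] for p in past}:
                reasons.append(f"new record type {ev['type']}")
            # At what time? Off-hours only matters if the user never works them.
            if (ev["time"].hour not in WORK_HOURS
                    and all(p["time"].hour in WORK_HOURS for p in past)):
                reasons.append("off-hours access")
            # For how long? Compare against the user's median so far.
            usual = sorted(p["secs"] for p in past)[len(past) // 2]
            if ev["secs"] > DURATION_FACTOR * usual:
                reasons.append(f"open {ev['secs']}s vs usual {usual}s")
            # With or without copying?
            if ev["copied"] and not any(p["copied"] for p in past):
                reasons.append("copied data, never copied before")
        if reasons:
            severe = any(r.startswith(("watchlisted", "copied")) for r in reasons)
            findings.append({
                "user": ev["user"],
                "subject": ev["subject"],
                "time": ev["time"].isoformat(),
                "reasons": reasons,
                "response": "silent_alarm" if severe else "explain_within_24h",
            })
        history[ev["user"]].append(ev)
    return findings


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f["response"], f["user"], f["subject"], f["time"], "; ".join(f["reasons"]))
```

The replay reports clerk_a's late-night, unusually long, copied access to the listed subject as a silent alarm, and clerk_b's first look at a new record type as a request for an explanation; routine accesses produce nothing.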

There’s a kind of paradox at the heart of this solution. We can protect people from misuse of their data, but only by stripping network users of any privacy or anonymity when they look at the data. The privacy campaigners aren’t likely to complain, though. In my experience, their interest in preserving the privacy of intelligence and law enforcement officers is pretty limited.

When I was general counsel of the National Security Agency, a well-known privacy group headed by Marc Rotenberg filed a Freedom of Information Act request asking the NSA to assemble all documents and emails sent “to or from Stewart Baker.” Then as now, the NSA was forbidden to assemble files on American citizens who were not agents of a foreign power. Even so, Rotenberg was asking NSA to assemble a dossier on me. Since NSA and I were locked in a battle with Rotenberg over encryption policy at the time, the purpose of the dossier was almost certainly to look for embarrassing information that might help Rotenberg in his political fight. Indeed, Rotenberg claimed when I confronted him that he was planning to scrutinize my dossier for evidence of misconduct.

Had the FBI or NSA assembled a dossier on their political opponents, it would have been a violation of law. In fact it would have caused a massive privacy scandal. But Rotenberg could demand that NSA assemble a dossier on his adversary without even appreciating the irony. It wasn’t a privacy problem to him, because in his view, government officials deserved no privacy.

I still think Rotenberg’s tactics were reprehensible; he had singled me out for a selective loss of privacy because he didn’t like my views. But I’ve come to appreciate that there’s a core of truth to his view of government. Anyone who has access to government files containing personal data has special responsibilities. He should not expect the same privacy when he searches that data as he has while he’s surfing the net at home. And now that technology makes it easy to authenticate and track every person, every device, and every action on a network, perhaps it’s time to use that technology to preserve everyone else’s privacy.

In the end, that’s the difference between a privacy policy that makes sense and one that doesn’t. We can’t lock up data that is getting cheaper every day. Pretending that it’s property won’t work. Putting “predicates” between government and the data it needs won’t work. And neither will insisting that the data may only be used for purposes foreseen when it was collected.

What we can do is use new information technology tools to deter government officials from misusing their access to that data.

As you know by now, I think that some technology poses extraordinary risks. But we can avoid the worst risks if we take action early. We shouldn’t try to stop the trajectory of new technology. But we can bend it just a little. Call it a course correction on an exponential curve.

That’s also true for privacy. The future is coming, like it or not. Our data will be everywhere. But we can bend the curve of technology to make those who hold the data more accountable.

Bending the exponential curve a bit. That’s a privacy policy that could work.


    22 Comments

    1. PersonFromPorlock says:

      So we can depend on government officials enforcing the rules to protect us from government officials breaking the rules? Don’t you think there might be a slight problem here?

    2. Richard Lyon says:

      You know, I have really, really enjoyed these series of articles, and I’ve deeply enjoyed reading Skating on Stilts. They are all quite thought provoking.

      BUT, the attitude you have scares the hell out of me. It ignores so much, and clings to the fallacy that laws (i.e., rules) will be enforced. When they aren’t.

      Look at the situation in Arizona, where they pass a state law which is basically identical to federal immigration law, then start enforcing it. And the feds scream bloody murder.

      Look at the last election in Texas – neither the Republicans, nor the democrats met the filing deadline to be on the ballot in the presidential election. Yet, when the libertarians filed suit, the Texas Supreme Court chose to ignore the law, and allow the Republicans and Democrats on the ballot.

      Laws and/or Rules will NOT be enforced.

      Don’t collect the information to begin with. If it’s not collected, it can’t be misused.

    3. PersonFromPorlock says:

      If Mr. Baker’s proposals ever become law, though, literature suggests a dandy name for it: The Blanche Dubois Act.

    4. Duracomm says:

      I wonder if Stewart Baker would care to revise his comments on the internet kill switch disagreement.

      One of his main arguments was that the bp spill supported the need for more government involvement in IT security because private companies were not competent to respond.

      It has now become painfully obvious that government action is hindering spill recovery efforts and increasing the overall level of damage caused by the bp oil spill.

      Looking at federal response to the bp spill comprehensively wrecks Stewart Baker’s argument that increasing government involvement in IT security will result in increased security.

      In fact, as illustrated by government response to the bp spill, the most likely result will be a reduced ability to respond to cyber attacks and more damage from them.

      Avertible catastrophe

      The U.S. government responded with “Thanks but no thanks,” remarked Visser, despite BP’s desire to bring in the Dutch equipment and despite the no-lose nature of the Dutch offer – the Dutch government offered the use of its equipment at no charge.

      Even after the U.S. refused, the Dutch kept their vessels on standby, hoping the Americans would come round. By May 5, the U.S. had not come round. To the contrary, the U.S. had also turned down offers of help from 12 other governments, most of them with superior expertise and equipment – unlike the U.S., Europe has robust fleets of Oil Spill Response Vessels that sail circles around their make-shift U.S. counterparts.

      Ironically, the superior European technology runs afoul of U.S. environmental rules. The voracious Dutch vessels, for example, continuously suck up vast quantities of oily water, extract most of the oil and then spit overboard vast quantities of nearly oil-free water.

      Nearly oil-free isn’t good enough for the U.S. regulators, who have a standard of 15 parts per million — if water isn’t at least 99.9985% pure, it may not be returned to the Gulf of Mexico.

    5. guest890 says:

      While I mostly agree with the by-the-letter content of this post, I still disagree with the ultimate point of view.

      I used to work on what is known as AAA software–authentication, authorization, and audit. Audit of access to records is absolutely necessary–as you rightly point out, certain people need access to sensitive information in order to do their jobs, and an audit trail can help make sure that they don’t abuse that access (and are punished when they do).

      But audit alone doesn’t mean that we shouldn’t care about the government taking and sharing our data, for a host of reasons you ignore (many of which are the same reasons you’ve ignored throughout this series, and have been pointed out by commenters).
      1) Audit helps make sure that people with access don’t abuse that access. If there’s *no* need for legitimate access, it’s better to simply not have the data there to begin with. If certain people might need access but not others, that should be dealt with through authn/authz policies, not audit.
      2) There’s no guarantee that the audit software will be implemented properly.
      3a) If the audit software is used to automatically identify patterns of abuse, there’s no guarantee that it will catch every improper access even if it is implemented properly.
      3b) If the audit software simply records a log of accesses, then in order to identify every improper access, every access will have to be manually reviewed (likely prohibitively expensive).
      3c) If the audit software simply records a log of accesses, and not every access is reviewed, then some improper accesses will slip through the cracks. (Sure, maybe there’s a flag on public figures like Obama and even Wurzelbacher–but does that help the rest of us?)
      4) There’s no guarantee that the auditors will be honest and not corrupt.
      5) There’s no guarantee that the auditors, even if honest, will be well-funded enough (and free from other, non-funding pressure from above) to keep up with all allegations of abuse. (This interacts with 3b–and possibly with 3a/3c, if the volume of complaints/flagged accesses is high.)

      And that’s just off the top of my head. I’m sure there’s more; read the comments to this and your other posts.

      As I said, I agree with most of the factual details you mention, but disagree with the way they’re presented. Audit is a critical part of any solution to protect sensitive data–but it can’t be the whole of the solution.

    6. Bookworm says:

      I have one major problem with the assumption that auditing works, and with your examples. They were all cases where there was clear motive to illegally access files and exploit the information therein, and hence a clear need to audit the files. This is good for those having their 15-seconds of fame, but bad for everyone else. If a government agent decided to look at the files of 99% of Americans no one would notice, because those would not be the files audited.

      Additionally, you will only ever catch people after the fact, leaving open major possibilities for abuse in the meantime.

    7. Fub says:

      PersonFromPorlock: So we can depend on government officials enforcing the rules to protect us from government officials breaking the rules? Don’t you think there might be a slight problem here?

      Whether intentional or not, Prof. Baker does present facts that demonstrate one such problem. From his recitation of facts in the events surrounding Joe the Plumber:

      Thirteen searches were traced and deemed proper. But three particularly intrusive searches were found improper; they had been carried out at the request of a high-ranking state employee who was also a strong Obama supporter. She was suspended from her job and soon stepped down. A fourth search was traced to a former information technology contractor who had not been authorized to search the system he accessed; he was placed under criminal investigation.

      Only the “civilian” was criminally investigated. The high ranking government employee was not prosecuted or otherwise punished, but allowed to “step down” free as a lark.

      Since malfeasing government employees can, and do, ordinarily cause far greater harm to far more citizens than other citizens can ordinarily do, there is no good reason that the government employees should not be punished far more harshly for their violations.

      But there are bad reasons. They are called entitlement, privilege and unaccountability for government officials. They were among the reasons America’s founders fought the war against oppressive government that we celebrate today. Too bad we’ve forgotten those reasons.

    8. Gaunilo says:

      Since I have been pontificating on the firearms issues today, your post brought to mind a comparison between your position and a recurring disagreement on firearms policy and law.

      One side says that addressing the issue of criminals is best left to the police and the courts. We as individuals should not possess deadly weapons to defend ourselves. These weapons should be left to the police, and if we are attacked, we should call the police and wait for them to come and protect us.

      The other position is that we are responsible for our own protection. This side claims that the police job is to come and draw the chalk line around our body, and then catch the criminals. It is our job to protect ourselves until the police arrive.

      Your proposed solution reminds me a lot of the first position. We trust the government with our data, and if they abuse it, we trust the government to punish them. They cannot fix the loss of privacy, but they can be fired or prosecuted or told they are naughty boys, or some other appropriate sanction. Our loss from the data abuse is just collateral damage, and we should be happy that justice is being served.

      I tend to take the second route as it regards data protection. I know you are in a better position than I am to know whether anything I might do will really protect me, but I try all I can. There are many things we can do to both limit data collection, and to make what is collected hard to analyze and of dubious accuracy.

      And I am not predisposed to trust the government to be an honest protector of data. Government has its own interests, and the interest of its citizens is generally very far down the list of its priorities.

    9. DG says:

      Does anyone fail to see the irony of a lawyer pontificating on computer networking and security policies? I guess this warrants a question to Mr. Baker – what are the technical qualifications that enable you to understand the incredibly complex areas that you are commenting on in your book?

      I have the feeling that you are the kind of guy who would – reasonably so – object to non-lawyers offering comments about complex areas of the law. And yes, you feel capable of offering – nay, charging for – your layman’s opinion on cryptography, security, and Internetworking – all highly complex areas that require years of study.

      Perhaps I wasted my time with that master’s degree in engineering….

      (BTW, see Eugene Volokh, as an example of someone with both an academic and practical expertise in both computer science and the law – someone well qualified to comment on both.)

    10. Patty Shundynide says:

      DG: Does anyone fail to see the irony of a lawyer pontificating on computer networking and security policies? I guess this warrants a question to Mr. Baker — what are the technical qualifications that enable you to understand the incredibly complex areas that you are commenting on in your book? 
      I have the feeling that you are the kind of guy who would — reasonably so — object to non-lawyers offering comments about complex areas of the law. And yes, you feel capable of offering — nay, charging for — your layman’s opinion on cryptography, security, and Internetworking — all highly complex areas that require years of study. 

      He was general counsel at the NSA.

      Were you general counsel at the NSA?

    11. OrenWithAnE says:

      Ironically, the superior European technology runs afoul of U.S. environmental rules. The voracious Dutch vessels, for example, continuously suck up vast quantities of oily water, extract most of the oil and then spit overboard vast quantities of nearly oil-free water.

      This is ridiculous. Congress should have immediately passed a waiver to the normal rules for extraordinary circumstances, to expire in 12 months or so.

    12. Duracomm says:

      Stewart does not realize or consistently fails to acknowledge that government databases that are misused or contain incorrect information provide a significant additional risk not seen in private databases.

      Government databases are used for law enforcement purposes and mistakes in that particular area can have lethal consequences.

      If you’re keeping score at home, that’s “wrong address” and “wrong man.” Shot four times.

      The magnitude of the problem can be seen by looking at the search results for wrong address at the link below

      wrong address raided by swat team

      One point to note is that those responsible for wrong address swat raids are rarely if ever punished for their error.

      Stewart’s assertion that accretion of personal information in government databases is ok because government officials will punish other government officials who misuse the database certainly is not supported in these cases.

    13. Duracomm says:

      OrenWithAnE said,

      This is ridiculous. Congress should have immediately passed a waiver to the normal rules for extraordinary circumstances, to expire in 12 months or so.

      Agreed, and that is a big problem for Stewart’s arguments.

      The competent, effective, trustworthy, government bureaucracy in Stewart’s head has no relation to the often depressingly counterproductive government that we get to watch in action.

    14. Stewart Baker says:

      Guest890 and Bookworm make reasonable points about audit and similar safeguards. They don’t always work because the technology isn’t sufficiently developed to catch, say, browsers who are looking for obscure people’s data, or because the technology isn’t always deployed right. I suppose that’s true, although I’m not sure that simple browsing of obscure people’s data is a big problem. Stalking or identity theft, yes, but browsing? But let’s accept the premise. Surely it’s easy to see how the relentless march of Moore’s law is going to make it easier to solve that problem over time. We can use more sophisticated algorithms to ever more effectively monitor abusive access of databases. My point was that this is the only privacy policy that works with technology’s natural growth curve, rather than trying to stop it, or deny its benefits to government.

      The people who think that the BP spill demonstrates the relative incompetence of government strike me as not having proven their case. They mostly point to the Jones Act and EPA oil-skimming rules, both of which have kept European technology out of the Gulf. Let’s assume that’s true, and that the European technology is a better solution than US systems. The problem then is a preexisting set of laws that have not been sufficiently adapted to meet this emergency, at least in the view of some. But the private sector can’t waive those laws either, so it would not be “more competent” to solve the Jones Act or EPA problem, it would be less competent. Unless you want to make the remarkable argument that there are no environmental market failures justifying government intervention, this all boils down to an argument about how quickly and when certain laws should be revised to deal with an unforeseen emergency.

      The argument that government databases should be restricted because errors in those databases can lead to deaths, I think, fails on two grounds. Medical databases in private hands are surely even more likely to cause death if the data is wrong. And in any event, the way to make databases more accurate is almost always to include more data, not less.

      Finally, I admit that I don’t have much enthusiasm for arguments that the only way to keep governments from abusing data is to deny governments the data. On that theory, we wouldn’t issue weapons, or ammunition, to police or the military. Sometimes we have to grant the power and then watch for misuse.

      PS For Patty: At NSA I often got legal advice from engineers and upon investigation I often found that the legal advice was right. They had treated the law as a complex system that could be diagrammed, and in many cases it could be. That tends to undermine any tendency to credentialism.

    15. Fub says:

      Stewart Baker: Finally, I admit that I don’t have much enthusiasm for arguments that the only way to keep governments from abusing data is to deny governments the data. On that theory, we wouldn’t issue weapons, or ammunition, to police or the military. Sometimes we have to grant the power and then watch for misuse.

      If one takes that as true arguendo, then the question remains — what dissuades government officials or employees from misuse?

      As your own original post pointed out, the government official who abused authority to access Joe the Plumber’s government records was subject to very minor sanction: she was allowed to resign the position. Yet the non-government actor who did the same thing was subjected to “criminal investigation”.

      Losing a sinecure but keeping retirement funds, or even accumulated vacation pay acquired in that position, scarcely rates as punishment. It is comparable to the now well known consequence for police who abuse citizens: they are suspended with pay and subject to an “internal investigation” that always clears them of wrongdoing. Their “punishment” is a paid vacation.

      If no significant punishment is ever meted out to officials who have been found to abuse their access to citizens’ data, then “watching for misuse” is a pointless exercise even if the watching reveals malfeasance.

    16. Mark Jones says:

      Finally, I admit that I don’t have much enthusiasm for arguments that the only way to keep governments from abusing data is to deny governments the data. On that theory, we wouldn’t issue weapons, or ammunition, to police or the military. Sometimes we have to grant the power and then watch for misuse.

      I think it’s pretty clear that if we weren’t equipping the police like military SpecOps units, in body armor and helmets, with SMGs, grenades, and the like, and training them to ACT like storm troopers, we’d have a lot fewer incidents of doors being kicked in at 3 a.m. to serve warrants which could just as easily be served with less drama at more reasonable hours. And fewer innocents terrorized (or killed, when they react the way free men with clear consciences should be expected to act when their homes are violated by armed thugs).

      “…and watch for misuse” doesn’t mean a damn thing when it’s pretty clear from a never-ending stream of news reports that even when caught red-handed, most government employees don’t face any consequences. How many of the tax-evaders in the Obama administration got fined or imprisoned instead of landing cushy government jobs? How many SWAT cops who’ve gunned down innocent people in mistaken raids lost their jobs? How many of their bosses, or the judges who signed the warrants?

      The more I see of this sort of thing, the more I come to believe that “obeying the law, like paying taxes, is for the little people.”

      When I see evidence that government employees are being policed (and actually, you know, PUNISHED for their crimes) more thoroughly than the average citizen, then maybe I’ll buy into your theory. But not until then. If they can’t be trusted to do the right thing, and I don’t think they can be, the best defense is not to let them HAVE the data.

    17. Duracomm says:

      Regarding his failed argument that the bp spill was a good example for more government control in IT infrastructure security Stewart Baker said,

      The problem then is a preexisting set of laws that have not been sufficiently adapted to meet this emergency, at least in the view of some.

      That is not a view that is the facts on the ground.

      But the private sector can’t waive those laws either, so it would not be “more competent” to solve the Jones Act or EPA problem, it would be less competent.

      I have seen some nonsensical arguments in the past but this one takes the cake.

      A problem (hindered spill cleanup) has been caused by government law. Current government officials won’t modify the law making the problem (environmental damage from the spill) worse.

      The private sector can’t change the law.

      Therefore Stewart concludes that, because private business can’t fix problems caused by government policy, private business is less competent than the government.

      The mind boggles.

    18. Gaunilo says:

      After more reflection, our only recourse over the next decades may be to find a way to subvert data collection systems by finding ways to feed them large amounts of erroneous data until they cannot be trusted for any useful purposes. As an alternative, we may be also able to feed them true but irrelevant data until the needed data is just too much trouble to find. This is unfortunate, since in my earlier analysis, I was discussing defending ourselves against criminals, not our government. But in the real world, it may be a distinction without a difference, at least as far as how both groups affect our lives.

    19. Duracomm says:

      Stewart Baker said,

      Unless you want to make the remarkable argument that there are no environmental market failures justifying government intervention,

      Nice strawman there, particularly since no one has made that argument. The interesting thing is the Jones Act is a labor law that has nothing to do with environmental regulations.

      this all boils down to an argument about how quickly and when certain laws should be revised to deal with an unforeseen emergency.

      An emergency so unforeseen that the MMS requires a spill response plan for all wells drilled in the Gulf of Mexico.

      The BP spill shows government bureaucracies are brittle points of failure that don’t respond well to planned-for threats, let alone novel ones.

      Giving government bureaucracies a greater regulatory role in internet security will inevitably decrease internet security.

    20. Externality says:

      One of the problems with Mr. Baker’s approach is that it is very difficult to prove that a specific breach of data security caused the victim harm, i.e., proving that X’s legal (or illegal) data access is the cause-in-fact and proximate cause of Y’s stigmatized medical condition becoming widespread knowledge. Even where one can prove that a specific bureaucrat breached data security regulations by accessing records, one would still need a confession or other evidence to show that that specific bureaucrat then passed the data on to others, causing harm.

      In Mr. Baker’s example, the paramedic might be held accountable for improperly _accessing_ someone’s records. The paramedic will almost certainly not be held further accountable when, a few weeks later, the improperly accessed information winds up on the Internet. Showing that the paramedic accessed the information is one thing; proving the paramedic disseminated the information is much more difficult. If the paramedic denies disseminating the information, blames the other people who also accessed the medical record around that time, and has avoided leaving an obvious trail, proving civil damages is almost impossible.

      Unfortunately, the above scenario actually occurs in real life.

      During the 1980s and 1990s, people with HIV/AIDS were frequently fired, harassed, or encouraged to go on disability when co-workers heard of their illness. People in, for example, human resources, who had legitimate access to the PWHA’s file, would gossip with someone who would gossip with someone else. Eventually, the PWHA’s co-workers learned that they were working with an “AIDS Patient.” A lot of PWHAs experienced job problems because co-workers “just heard” about the PWHA’s condition from someone whose identity the co-worker “forgot.”

      Proving where the information originated from was very, very difficult. Showing that someone in HR accessed the file was not enough; they may have had legitimate access to the file. Whether the HR clerk accessed the file properly or improperly, they were not about to admit to illegally sharing confidential information. The PWHA’s co-workers could never seem to remember who told them. The PWHA was therefore unable to show, even with a list of people with access to their file, who had improperly disseminated their information.

      Because these problems frequently began shortly after an employee filed their first insurance claim related to HIV, AIDS, or a related illness, AIDS organizations actually had seminars on preventing or delaying your employer and health insurer from learning your condition.

      Similar problems erupted in the educational setting. Staff and students who were employed at say, the student health clinic, would gossip about a PWHA’s illness, leading to the information getting around and the PWHA getting harassed and encouraged to leave.

    21. Grover Gardner says:

      The U.S. government responded with “Thanks but no thanks,” remarked Visser, despite BP’s desire to bring in the Dutch equipment and despite the no-lose nature of the Dutch offer – the Dutch government offered the use of its equipment at no charge.

      Not to drag things too far off-topic, but it appears that someone on the internet is wrong.

    22. Duracomm says:

      Grover Gardner,

      The article you linked to does not appear to be very credible.

      The article relied heavily on Obama administration sources to argue that the Obama administration’s inaction was not harming the oil spill response.

      After delays, U.S. begins to tap foreign aid for gulf oil spill

      Four weeks after the nation’s worst environmental disaster, the Obama administration saw no need to accept offers of state-of-the-art skimmers, miles of boom or technical assistance from nations around the globe with experience fighting oil spills.

      On May 5, Crowley announced that 13 international offers had been received and that decisions on what to accept would be made “in the next day or two.”

      Two weeks later, the State Department said the government saw no reason to accept any of the offers.

      “The coordination on this side of the ocean was not completely clear,” said Floris van Hovell, press counselor for the Dutch Embassy in Washington, adding that when a Dutch official was seeking to broker an aid agreement last month, “it was for a long time unclear on where he should go to and who should take the decision.”

      According to government sources who spoke on the condition of anonymity because they are not authorized to discuss the matter, Secretary of State Hillary Rodham Clinton appealed to the White House several weeks ago, suggesting that it needed some foreign aid for practical and diplomatic reasons.