Realistic Privacy Protection in the Information Age

This post is the last in a series about privacy. They are all drawn from my book. The full discussion is available, free for distribution, here.

I’ve devoted several posts to failed solutions to the problem of privacy in a data-filled world. In the end, I think these approaches all fail because they’re all reactionary — they try to stop the accumulation and analysis of data, as though technology were not making it cheaper and easier every day to accumulate and analyze data. They’re like bailing the Titanic with a bucket.

So what might work? In my view, we shouldn’t fight information technology. We should work with it — use its capabilities to protect against abuse of the data that will inevitably be gathered by governments and companies.

The best way to understand this idea is to begin with Barack Obama’s passport records—and with Joe the Plumber. These were two minor flaps that punctuated the 2008 presidential campaign. But both tell us something about how privacy really is protected these days.

In March of 2008, Barack Obama and Hillary Clinton were dueling across the country in weekly primary showdowns. Suddenly, the campaign took an odd turn. The Bush administration’s State Department announced that it had fired or disciplined several contractors for examining Obama’s passport records.

Democrats erupted. They remembered when Bill Clinton’s files had been examined during the 1992 campaign, and Obama’s lengthy stays outside the United States as a child had become a simmering underground issue in this campaign. It wasn’t hard to jump to the conclusion that the candidate’s files had been searched for partisan purposes. An Obama campaign spokesman called the records search “outrageous . . . This is a serious matter that merits a complete investigation, and we demand to know who looked at Senator Obama’s passport file, for what purpose, and why it took so long for them to reveal this security breach.”

After an investigation, the flap slowly deflated. It soon emerged that all three of the main presidential candidates’ passport files had been improperly accessed. Investigators reported that the State Department was able to quickly identify who had examined the files by using its computer audit system. This system flagged any unusual requests for access to the files of prominent Americans. The fired contractors did not deny the computer record. Several of them were charged with crimes and pleaded guilty. All, it turned out, had acted purely out of “curiosity.”

Six months later, it was the Republicans’ turn to howl about privacy violations in the campaign. “Joe” Wurzelbacher, a plumber, became an overnight hero to Republicans in October 2008. After all, he was practically the only person who laid a glove on Barack Obama during the campaign. The candidate made an impromptu stop in Wurzelbacher’s Ohio neighborhood and was surprised when the plumber forced him into a detailed on-camera defense of his tax plan. Three days later, “Joe the Plumber” and his taxes were invoked dozens of times in the presidential debates.

The price of fame was high. A media frenzy quickly stripped Joe Wurzelbacher of anonymity. Scouring the public record, reporters found that the plumber had been hit with a tax lien; they also found government data that raised doubts about the status of his plumbing license.

Reporters weren’t the only ones digging. Ohio state employees also queried confidential state records about Wurzelbacher. In all, they conducted eighteen state records checks on Wurzelbacher. They asked whether the plumber owed child support, whether he’d ever received welfare or unemployment benefits, and whether he was in any Ohio law enforcement databases. Some of these searches were proper responses to media requests under Ohio open records laws; others looked more like an effort to dig dirt on the man.

Ohio’s inspector general launched an investigation and in less than a month was able to classify all but one of the eighteen records searches as either legitimate or improper. (One search could not be traced because it came from an agency outside the jurisdiction of the inspector general.)

Thirteen searches were traced and deemed proper. But three particularly intrusive searches were found improper; they had been carried out at the request of a high-ranking state employee who was also a strong Obama supporter. She was suspended from her job and soon stepped down. A fourth search was traced to a former information technology contractor who had not been authorized to search the system he accessed; he was placed under criminal investigation.

What do these two flaps have in common? They were investigated within weeks of the improper access, and practically everyone involved was caught immediately.

That’s important.

Information technology isn’t just taking away your privacy or mine. It’s taking away the privacy of government workers even faster. So it isn’t hard to identify every official who accessed a particular file on a particular day. That’s what happened here. Government access to personal data need not be restricted by speed bumps or walls. Instead, it can be protected by rules, so long as the rules are enforced.

What’s new is that network security and audit tools now make it easy to enforce the rules. That’s important because it takes the profit motive out of misuse of government data. No profit-motivated official is going to take the risk of stealing personal data if it’s obvious that he’ll be caught as soon as people start to complain about identity theft. Systematic misuse of government databases is a lot harder and more dangerous if good auditing is in place.

Call it the auditor’s solution. It’s the only privacy solution that will get more effective as information technology advances. And we’re going to need more solutions that allow flexible, easy access to sensitive databases while still protecting privacy.

If the plight of government investigators trying to prevent terrorist attacks doesn’t move you, think about the plight of medical technicians trying to keep you alive after a bad traffic accident.

The Obama administration has launched a long-overdue effort to bring electronic medical records into common use. But the privacy problem in this area is severe. Few of us want our medical records to be available to casual browsers. At the same time, we can’t personally verify the bona fides of the people accessing our records, especially if we’re lying by the side of the road suffering from what looks like brain or spine damage.

The electronic record system won’t work if it can’t tell the first responders that you have unusual allergies or a pacemaker. It has to do that quickly and without a lot of formalities. The side of the road is no place for emergency medical staff to be told that they can’t access your records until they change their passwords or send their medical credentials to a new hospital.

No one wants to be the punch line in an updated surgeon’s joke: “The privacy system was a success; unfortunately it killed the patient.”

Auditing access after the fact is likely to be our best answer to this problem, as it is to the very similar problem of how to let law enforcement and intelligence agencies share information smoothly and quickly in response to changing and urgent circumstances. The Markle Foundation has done pioneering work in this area, and its path-breaking 2003 report on privacy and security in the war on terror recommends embracing technologies that watch the watchers. A unique mix of security, privacy, and technology experts managed to reach agreement in that report; they found that one key to protecting privacy without sacrificing security was a network that included “access control, authentication, and full auditing capability.”

These technologies can be very flexible. This makes them especially suitable for cases where outright denial of data access could have fatal results. The tools can be set to give some people immediate access, or to open the databases in certain situations, with an audit to follow. They can monitor each person with access to the data and learn that person’s access patterns—what kinds of data, at what time, for how long, with or without copying, and the like. Deviations from the established pattern can have many consequences. Perhaps access will be granted but the person will be alerted that an explanation must be offered within twenty-four hours. Or access could be granted while a silent alarm sounds, allowing systems administrators to begin a real-time investigation.
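The pattern described above (grant the access, learn each user’s normal behaviour, attach a consequence only when a request deviates) is easy to show in code. What follows is an added illustration, not code from the book or from any of the government systems mentioned in this post; the access-record fields, the sample log lines and the thresholds are all constructed assumptions. Nothing is ever denied: routine requests are simply logged, an unusual request is granted but the user owes an explanation within twenty-four hours, and a request that touches a flagged prominent subject, copies data the user never copies, or comes from an account with no history is granted while a silent alarm starts an investigation.

```python
"""Break-glass access with after-the-fact auditing (illustrative example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Access:
    user: str
    subject: str            # whose record was opened
    record_type: str        # e.g. "passport", "child_support", "benefits"
    at: datetime
    seconds: int            # how long the record stayed open
    copied: bool            # was the record exported or copied
    prominent: bool = False  # assumed flag: subject is a high-profile person


@dataclass
class Decision:
    access: Access
    granted: bool            # always True: auditing never blocks access
    consequence: str         # "log", "explain" or "alarm"
    reasons: tuple
    explain_by: Optional[datetime] = None  # deadline when consequence is "explain"


class Baseline:
    """Per-user profile learned from prior, assumed-legitimate accesses."""

    def __init__(self):
        self.record_types = set()
        self.first_hour, self.last_hour = 24, -1
        self.max_seconds = 0
        self.copied_before = False

    def learn(self, a: Access):
        self.record_types.add(a.record_type)
        self.first_hour = min(self.first_hour, a.at.hour)
        self.last_hour = max(self.last_hour, a.at.hour)
        self.max_seconds = max(self.max_seconds, a.seconds)
        self.copied_before |= a.copied


def build_baselines(history):
    baselines = {}
    for a in history:
        baselines.setdefault(a.user, Baseline()).learn(a)
    return baselines


def evaluate(a: Access, baselines) -> Decision:
    """Grant the access, then decide what the audit trail triggers."""
    base = baselines.get(a.user)          # None for an account with no history
    alarm, explain = [], []
    if a.prominent:
        alarm.append("subject is flagged as a prominent person")
    if base is None:
        alarm.append("account has no access history")
    else:
        if a.record_type not in base.record_types:
            explain.append(f"first access to '{a.record_type}' records")
        if not (base.first_hour <= a.at.hour <= base.last_hour):
            explain.append(f"outside usual hours ({a.at.hour:02d}:00)")
        if a.seconds > 3 * base.max_seconds:   # assumed threshold: 3x the usual
            explain.append("record held open far longer than usual")
        if a.copied and not base.copied_before:
            alarm.append("copied a record; this user never copies")
    reasons = tuple(alarm + explain)
    if alarm:
        return Decision(a, True, "alarm", reasons)
    if explain:
        return Decision(a, True, "explain", reasons, a.at + timedelta(hours=24))
    return Decision(a, True, "log", ())


def audit(history, requests):
    """Learn baselines from history, then evaluate each request in order."""
    baselines = build_baselines(history)
    return [evaluate(a, baselines) for a in requests]


def H(day, hour, minute=0):
    return datetime(2024, 3, day, hour, minute)


# Constructed sample log, not real records: routine work by two clerks.
HISTORY = [
    Access("ana", "citizen1", "passport", H(4, 9), 45, False),
    Access("ana", "citizen2", "passport", H(4, 13), 90, False),
    Access("ana", "citizen3", "passport", H(5, 16), 120, False),
    Access("ben", "citizen4", "child_support", H(4, 10), 60, False),
    Access("ben", "citizen5", "child_support", H(5, 14), 75, False),
]
# Constructed requests: one routine, one on a flagged subject, one off-hours
# lookup of an unfamiliar record type, one from an unknown contractor account,
# and one that copies data.
REQUESTS = [
    Access("ana", "citizen6", "passport", H(11, 10), 60, False),
    Access("ana", "senator", "passport", H(11, 11), 60, False, prominent=True),
    Access("ben", "plumber", "benefits", H(11, 22, 30), 60, False),
    Access("zed", "plumber", "law_enforcement", H(11, 23), 30, False),
    Access("ana", "citizen7", "passport", H(12, 14), 400, True),
]

if __name__ == "__main__":
    for d in audit(HISTORY, REQUESTS):
        print(f"{d.access.user:4} {d.access.record_type:16} -> {d.consequence:8}",
              "; ".join(d.reasons) or "matches baseline")
```

The design choice worth noting is that `evaluate` never returns `granted=False`: the deterrent is the certainty of attribution and follow-up, not a wall in front of the data, which is exactly why the same logic suits a roadside medical lookup and an investigator’s urgent query alike.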

There’s a kind of paradox at the heart of this solution. We can protect people from misuse of their data, but only by stripping network users of any privacy or anonymity when they look at the data. The privacy campaigners aren’t likely to complain, though. In my experience, their interest in preserving the privacy of intelligence and law enforcement officers is pretty limited.

When I was general counsel of the National Security Agency, a well-known privacy group headed by Marc Rotenberg filed a Freedom of Information Act request asking the NSA to assemble all documents and emails sent “to or from Stewart Baker.” Then as now, the NSA was forbidden to assemble files on American citizens who were not agents of a foreign power. Even so, Rotenberg was asking NSA to assemble a dossier on me. Since NSA and I were locked in a battle with Rotenberg over encryption policy at the time, the purpose of the dossier was almost certainly to look for embarrassing information that might help Rotenberg in his political fight. Indeed, Rotenberg claimed when I confronted him that he was planning to scrutinize my dossier for evidence of misconduct.

Had the FBI or NSA assembled a dossier on their political opponents, it would have been a violation of law. In fact it would have caused a massive privacy scandal. But Rotenberg could demand that NSA assemble a dossier on his adversary without even appreciating the irony. It wasn’t a privacy problem to him, because in his view, government officials deserved no privacy.

I still think Rotenberg’s tactics were reprehensible; he had singled me out for a selective loss of privacy because he didn’t like my views. But I’ve come to appreciate that there’s a core of truth to his view of government. Anyone who has access to government files containing personal data has special responsibilities. He should not expect the same privacy when he searches that data as he has while he’s surfing the net at home. And now that technology makes it easy to authenticate and track every person, every device, and every action on a network, perhaps it’s time to use that technology to preserve everyone else’s privacy.

In the end, that’s the difference between a privacy policy that makes sense and one that doesn’t. We can’t lock up data that is getting cheaper every day. Pretending that it’s property won’t work. Putting “predicates” between government and the data it needs won’t work. And neither will insisting that the data may only be used for purposes foreseen when it was collected.

What we can do is use new information technology tools to deter government officials from misusing their access to that data.

As you know by now, I think that some technology poses extraordinary risks. But we can avoid the worst risks if we take action early. We shouldn’t try to stop the trajectory of new technology. But we can bend it just a little. Call it a course correction on an exponential curve.

That’s also true for privacy. The future is coming, like it or not. Our data will be everywhere. But we can bend the curve of technology to make those who hold the data more accountable.

Bending the exponential curve a bit. That’s a privacy policy that could work.