Whit Diffie once said that only business, not government, can protect itself from on-line attacks. Just as there are no collective rights, there is no such thing as collective responsibility. And, more than anything else, privacy, like self defense, is an individual responsibility. Sooner or later everyone becomes a cypherpunk. More opinion, comment, at Schneier's blog: <http://www.schneier.com/blog/archives/2009/06/the_hidden_cost.html
Cheers, RAH -------- "If we could just pass a few more laws, we could all be criminals." -- Vinnie Moscaritolo --------- <http://www.forbes.com/forbes/2009/0608/034-privacy-research-hidden-cost-of-p rivacy_print.html
Forbes.com Technology The Hidden Cost of Privacy Lee Gomes, 06.08.09, 12:00 AM ET Special interest groups and lawyers claim they are defenders of individual privacy. But all that red tape is causing more harm to consumers than good. In a world of tight budgets and sacrificed programs, one sector has continued to grow with the speed and choking effectiveness of kudzu: regulations around privacy. More than 300 privacy-related laws are on the books, in both Washington, D.C. and state capitals. Privacy-related consulting services provided by law and accounting firms are a $500-million-a- year business and have been growing at double digits. Expenses inside companies for privacy compliance easily run into the billions; a growing number of firms, for instance, now have their own "chief privacy officer." The International Association of Privacy Professionals, less than ten years old, has 6,200 members, and membership has grown as much as 40% a year for the last five years. "I don't think many professions can say that," says J. Trevor Hughes, its executive director. So what, besides a gravy train of regulators, consultants and activists, are we getting for all this effort? Unfortunately, not much privacy protection. On the one hand, laws designed to keep consumers apprised of privacy issues have resulted in a deluge of privacy notices, consent forms and security alerts into mailboxes, both real and electronic. You can't see a doctor, sign up for a bank account or visit a Web site without collecting your share of this paperwork. Rather than making people more private, though, the torrent of notifications leaves most of them so desensitized that they stop caring. In other instances, the American approach to privacy occasionally produces too much of it, notably when it comes to medical research. Federal privacy laws involving health records are often so stringently interpreted by bureaucrats that studies involving life-threatening diseases have had to be scaled back or canceled. A pioneering, decades- long study of strokes and heart attacks shut down this year when researchers weren't able to get the necessary patient-consent forms signed. A recent report from the Institute of Medicine says privacy laws have created a crisis for U.S. researchers. Lawrence O. Gostin, the Georgetown University law professor who presided over the study, complains that the consent forms that are a centerpiece of many laws don't even do a good job in protecting medical privacy. "Patients don't understand what they are signing," he says. No one in this age of hackers and identity theft questions whether privacy and data security should be a priority. No one would want government agencies or companies to be sloppy when encrypting their databases and restricting access to personal information. But many privacy efforts are proving counterproductive. Security "breach notices" are an example. First required by the state of California in 2003 but now widespread, these are the letters sent by companies to their customers letting them know about problems connected with their personal data. The worst case would be a hacker breaking in and stealing credit card information. In principle it makes sense to force companies to fess up to their data glitches and give consumers the ability to fix any resulting problems. In practice, though, companies are increasingly sending out the notices at the slightest provocation, leaving recipients confused about what, if anything, they need to do. It's a classic case of information overload. Late last year, for example, there was a hiccup in the Web site software used by the International Cake Exploration Societi to collect members' $60 dues. Some of the personal information of the 3,500 hobbyist bakers who belong to the group may have been exposed online for a few weeks. The bug was fixed as soon it was discovered, and there was no reason to think that any private information had been accessed. Nonetheless, Glenda Galvez, a Wichita Falls, Tex. wedding cake baker who is the group's president, found she had a legal obligation to notify her members. She was referred to Amir Azaran, with the Chicago law firm of Neal, Gerber & Eisenberg, who helped prepare the breach notices that were sent to every member in the group. Considering the minor nature of the problem, the blanket notification "didn't make much sense," says Azaran. But still, for him to have suggested any other course of action "would have amounted to telling a client to willfully ignore the law." The legal bill will be a few thousand dollars. The bakers got off cheap. The Ponemon Institute, which studies privacy, estimates that lost or stolen laptops typically cost a company $50,000, much of it in the form of legal notifications. Since many states put these notices on their Web sites, it's easy to track their frequency. Over the last 12 months, for example, Maryland residents have received 224 of them, from firms such as AT&T, Goldman Sachs, hp, Google, Facebook, 3m, Verizon Wireless, Kraft Foods, Continental Airlines and Starbucks. A quarter of those notifications were triggered by lost or stolen laptops. But sometimes the incident is trivial: One small Wall Street accounting firm bothered its customers with the news that an employee had seen a file he wasn't supposed to have. Because of this overdisclosure, consumers seem to be caring less, not more, about privacy threats. Big companies sometimes provide a year's worth of free credit monitoring in connection with breach notices as a way of mollifying customers. Jay Cline, a consultant in Minneapolis who tracks privacy issues, says that in the early days of the notices, up to a third of recipients would take up such offers. Now, he says, the figure is below 5%. Lawyers who spend their workdays preparing privacy-related notices freely admit that scarcely anyone reads them. The yearly privacy updates from banks required by the 1999 Gramm-Leach-Bliley Act are commonly cited as especially useless; no less an authority than Ralph Nader says the mailings are among the biggest wastes of paper in human history. "Whenever I am speaking, I ask the audience if anyone has ever made use of one of those forms," says Kirk J. Nahra, an attorney with Wiley Rein in Washington, D.C. "If even one person raises their hand, I am amazed." This legalistic, paperwork-based privacy can be privacy-hostile. Sleazy companies exploit the fact that no one reads privacy notices. This explains the profusion of Web gimmicks like "real age" tests, opinion surveys and iq exams. Their real purpose is to extract personal information from bored Web surfers, data that can later be sold for marketing purposes. "If a company wants to play fast and loose, all it has to do is bury something in 40 pages of legal mumbo jumbo," says Douglas Farry, with the law firm of McKenna Long & Aldridge. If this emerging Everest of new privacy paperwork sometimes ends up creating too little privacy, other parts of the modern privacy industrial complex make for too much. Medicine offers heartbreaking examples. The federal Health Insurance Portability & Accountability Act, or Hipaa, places so many new privacy restrictions on medical data that dozens of studies for life- threatening ailments--heart attacks, strokes, cancer--are being delayed or canceled outright because researchers are unable to jump through all the privacy hoops regulators are demanding. Every five years, starting in 1979, doctors connected with the Minnesota Heart Study would look at the charts for every cardiac- related emergency room admission in the Twin Cities--45,000 charts in all. It's one of the world's most important ongoing heart studies and has led to numerous lifesaving breakthroughs in treatment, including documenting how many lives get saved by quickly giving thrombolytics to stroke patients. Enter Hipaa and its requirement that patients give consent for their records to be examined. That can be nearly impossible to obtain when someone is having a heart attack. The study lacked the staffing resources needed to track down patients afterward. So the researchers folded up the operation. "We had lots of useful clinical data, and we never had any sort of security breach," says an exasperated Russell V. Luepker, a University of Minnesota cardiovascular expert who ran the study. "Now the lawyers say that giving us the data would be risking a felony. It stinks." Stanford University oncologist Sandra Horning has a three-year grant to study cancer tumors; her goal is to look at 450 tissue samples situated at a few dozen research centers around the country. Even though she doesn't need to know the names of any patients, Horning's team has spent two years dealing with Hipaa consent forms. In all that time no science has been done. "We are two years behind where we should be," she laments. Sometimes bureaucrats end up protecting privacy rights that medical patients may not even know they have. Roberta B. Ness, now the dean of the University of Texas School of Public Health, was once researching risky pregnancies in a maternity clinic. Briefly peeking at medical records to find patients with telltale signs like hypertension was out of the question. But clinic regulators also said it was a privacy invasion to simply ask pregnant women waiting in the lobby if they'd like to volunteer for a study. As a result, Ness said, enrollment in the study was reduced by half. Worse, researchers say the results they get from these reduced studies are methodologically suspect, since the sorts of people who consent to privacy forms are often not representative in income, race and education levels of the population as a whole. Why haven't researchers spoken out? One reason involves the oversize role played in policy debates by privacy protest groups. Elaine R. Rubin, vice president for policy of the Association of Academic Health Centers, says that many scientists are reluctant to suggest rethinking the laws because they "worry about being accused by privacy absolutists of not favoring privacy at all." Privacy advocates have become a staple in these debates. Many of them work hard at finding a reasonable balance between privacy and other social goods. Others, though, get attention with absolutist positions motivated by fringe personal beliefs. One argument advanced against radio-frequency ids--the electronic tags that handle toll passes and inventory control--is that the chips resemble the "Mark of the Beast" prophesied in the New Testament. Some complainers are obsessed with anonymity and appear bothered by any data sharing at all, even when entirely voluntary. It's reminiscent of the Navajo belief that letting someone take your picture is letting them steal a piece of your soul. This preoccupation with keeping data anonymous can lead to surreal outcomes. Fred H. Cate, director of the Center for Applied Cybersecurity at the Indiana University School of Law at Bloomington, notes that privacy advocates helped block a federal proposal to require air travelers to give their addresses and birth dates when buying tickets. While labeling the effort an invasion of privacy, they seemed unconcerned about the vastly more invasive alternative: federal agents performing body searches and rummaging through luggage. RFIDs are a good case study of the peculiar public relations dynamics of privacy, and show that technology vendors are terrorized by suggestions that they aren't sensitive to privacy concerns. When probed by special scanners a few feet away, the chips report back a few dozen characters of manufacturer information, akin to what's found on a bar code. RFID tags are typically both readily visible and easily removable. But some privacy advocates tell dark tales of RFIDs being part of an Orwellian nightmare in which citizens, by simply walking down the street, reveal everything about themselves to a network of ubiquitous scanners. Not only are the risks of the chips comically exaggerated, but the benefits--more effective counterfeiting controls, better monitoring of product safety and reliability--are never mentioned. In the name of privacy, there have been campaigns against the RFID tagging of pets in Texas, while some New Hampshire citizens have argued about whether tagging a body inhibits the soul's progress to heaven. In California legislators briefly considered a proposal that the state publish a map showing the location of every RFID reader, as if they were toxic waste dumps. Many companies have become reluctant to talk about RFIDs, even as they explore using them. One consumer products company, after describing in an interview its plans to eventually use the chip in its widely known household products, called back and asked that the products not be mentioned, lest it create p.r. headaches before the company was ready for them. Is there a way out of the current, overly legalized approach to privacy, which seems to make no one happy? Hints are emerging on different fronts. The Federal Trade Commission is beginning to nudge companies into being less wordy and thus more useful in describing their Web privacy policies. Another approach involves realizing that "privacy" might be the wrong way of thinking about some issues. For example, many privacy advocates usually lobby to keep sensitive information out of medical records in order to prevent discrimination against people with stigmatized diseases. But this can make the records so sanitized as to be useless, which in fact is emerging as a concern as the country moves to a system of electronic medical records. A better approach might be to make records as complete as possible but to crack down hard on anyone making improper use of them. Protecting absolute privacy usually has a cost. Turning off cookies in Web browsers makes the Internet vastly less convenient. Similarly, assuring emergency room heart attack patients that no one besides their doctor will ever see their records may also result in their future care not being as good because important studies have to get canceled. "Privacy is obviously a very important value," says attorney Cate, of Indiana University. "But sometimes it competes with other values. And that's something that many people don't seem to understand. We should be able to have frank discussions about social policies without the privacy card always automatically trumping everything."