---------- Forwarded message ---------- Date: Fri, 22 Aug 1997 14:12:25 -0700 (PDT) From: Declan McCullagh <declan@well.com> To: fight-censorship@vorlon.mit.edu Subject: Marc Rotenberg on Time cover story on privacy [My comments on privacy that I forwarded yesterday under the Subject: line "Response to Time cover on privacy" were in response to Marc's criticism, attached below. -Declan] ---------- Forwarded message ---------- Date: Thu, 21 Aug 1997 11:49:13 -0400 From: Marc Rotenberg <rotenberg@epic.org> To: declan@well.com Subject: Re: FC: Response to Time cover on privacy ---- Josh - I appreciate the excellent coverage of privacy issues in this week's Time Magazine and at the Pathfinder site, but I am concerned about three particular points made in your article and the general tenor of your reporting. First, much of your discussion of the privacy issue assumes that there is a necessary trade-off between privacy and social benefit. Give up some data, get a good parking space. I think this is a very shallow view of privacy rights. A person who lives in a prison has very little privacy and very little benefit. An affluent person in a democratic society, however, may have both. Clearly, there is something more going on than a zero-sum game. Many of the current efforts to promote genuine privacy enhancing techniques, such as anonymous cash, are based on the belief that we can obtain many of the same benefits of customized service without giving up personally indentifiable information. In this context, the discussion of cookies is critical -- a non-actual user identified cookie is very good for service and privacy, but a user-identified cookie can be good for service but bad for privacy. But your discussion of cookies glosses over this critical point. These questions come up all the time. Should intelligent highways capture actual IDs? Can medical services be delivered psuedo-anonymously? What about communication services? Web access? You substituted an old privacy cliche ("in the modern world we give up some privacy for some benefit") for coverage of the interesting, cutting edge policy issues that the net and the debate about identity has raised. Second, following Alan Westin's line, you suggest that we have generally avoided privacy legislation in the private sector. This is simply not true. We have federal privacy legislation for credit record (1970), school records (1974), bank records (1978), cable subscriber records (1984), stored email (1986), video rental records (1988), junk faxes and auto dialers (1991), and dozens more at the state level for everything from insurance and health records to library records. You can say that these laws are at times ineffective or incoherent -- why federal privacy for video records but nor medical records? -- but it is just wrong to start tearing pages from the history books and the US code to support a bias against privacy laws. Alan should know better; you should as well. Finally, you and Kevin K. take a big swing at my call for privacy legislation and a privacy agency. I appreciate that it is a cardinal rule of some to oppose any government anything, but at least understand the argument for the privacy agency "We need new legal protections to enforce the privacy act, . . ." The Privacy Act was established in 1974 to restrict the ability of government to collect information on citizens and to give citizens the right to get access to their own files. But since '74, federal agencies have shown little interest in upholding the law and privacy concerns *across the federal government* have mushroomed. Do I take from Kevin's criticism that he would prefer that there was no effort to improve enforcment of the Privacy Act, limit record sharing in the government, and ensure people get access to their own files? Is that right? Can we at least agree that the Privacy Act plays an important role in protecting citizen rights and that efforts to strengthen it should be supported? " . . . to keep federal agencies in line, . . .' So that, for example, when law enforcement agencies in the federal government press the White House and the OMB for new law enforcement authority there is a counterveiling agency in the government that requires that privacy concerns are addressed before the proposal reaches the President's desk. And if they aren't adequately addressed, maybe the proposal doesn't get to the President's desk. It is obvious after both the Clipper episode and the OECD Crypto Guidelines that governments with privacy agencys have done a better job resisting these calls for extended government surveillance. The problem is that the one-dimensional critique of government provided in the article (and Wired and Netly) simply doesn't allow for the possibility that one of the best ways to constrain government power is through checks and balances. That, btw, was the key to controlling government authority in the US Constitution. In the absence of a federal privacy agency, you can almost be guaranteed that administration proposals will always tip in favor of surveillance. And the irony of the opposition by some to a federal privacy agency is that it has made it easier over the last few years for NSA/FBI to push forward crypto standards and roll the Department of Commerce. What in the federal government should stop them? Absent an office to push back, they have a clear course to the President's desk. " . . . to act as a spokesperson for the Federal Government . . ." This is for the fairly obvious reason that privacy is one of the biggest issues today in the US and there is no office in government that can even say authoritatively what the position of the US is. (Note that this problem doesn't exist over on the surveillance side or with copyright protection. The government values both. So David Aaron was given the title and the authority to promote the Administration position on key escrow/key recovery, and Bruce Lehman did the same at WIPO for copyrights interests. Do you understand now what's going on?). The result is that there is not even a basis for trade discussion or government negotiation. . . . and to act on behalf of privacy interests." So that when SSA is putting PEBES on line there is some privacy evaluation. Or, to take a recent European example, the new German communications law encourages the development of anonymous payment schemes to promote on-line commerce and to protect privacy. Where did the idea come from? The privacy agency. So, I have to ask, what is it exactly in my proposal that you/Kevin/Declan object to? Is it the fact that there will be a government <something>? I can't argue against that. You're entitled to your religious beliefs, but it has nothing to do with reporting or policy. Is it the fact that Trustee, OPS will do all of this better? If you have been following my point, you'll realize now that doesn't make any sense. Or what if it costs taxpayer dollars? In 1993 I backed creation of a federal privacy agency. Total cost: $5 m. The industry balked. "Too expensive. We have to trim the federal budget." The following year they backed Digital Telephony and a $500 m authorization to make the phone system easy to wiretap. I am also getting a little tired of the myth of the small town where everyone knew everything about everyone else and that there was no privacy. First off, this myth runs directly contrary to another, better description of American society -- the unexplored frontier. Where exactly did all those frontiersmen come from? The answer is the small town. People were constantly picking up and moving, building new homes, and establishing new identities. Many people born in these small towns left and went to school, joined the military, started businesses, moved to the city. Mobility, more than any other characteristic, is central to the American experience. Read Tocqueville. Civic association was and is constantly formed and reformed. Finally, I do agree with Kevin that privacy is very much about social relations. In fact the tag line for the book that Phil Agre and I edited for MIT Press, "Technology and Privacy: The New Landscape" http://www-mitpress.mit.edu/book-home.tcl?isbn=026201162X begins "Privacy is the capacity to negotiate social relationships by controlling access to personal information." Privacy rules essentially establish the base lines for negotiating social relations between individuals and organizations. If you collect personal information, you take on some responsibilities. If you give up some information, you get some rights. You'll find those principles in just about every privacy law and policy in the world. Not only is this commonsense, but it has some nice benefits for an era when technology allows us to shape new forms of social relations -- we can design techniques that allow organizations and inviduals to interact without disclosure of personal information. Indeed, the web and the Net provided all of this to us, but now it could be quickly lost. I don't know what it will take to persuade some of the opinion leaders in the on-line world that law will play a critical role in protecting individual privacy in the coming years, but I'm willing to listen and learn.And I hope, whatever form this dialogue takes, we can all move beyond ideology, myth, and charicature. Marc Rotenberg. EPIC. ================================================================== Marc Rotenberg, director * +1 202 544 9240 (tel) Electronic Privacy Information Center * +1 202 547 5482 (fax) 666 Pennsylvania Ave., SE Suite 301 * rotenberg@epic.org Washington, DC 20003 USA + http://www.epic.org ==================================================================