Marc Rotenberg on Time cover story on privacy (fwd)

Declan McCullagh declan at
Fri Aug 22 14:31:21 PDT 1997

---------- Forwarded message ----------
Date: Fri, 22 Aug 1997 14:12:25 -0700 (PDT)
From: Declan McCullagh <declan at>
To: fight-censorship at
Subject: Marc Rotenberg on Time cover story on privacy

[My comments on privacy that I forwarded yesterday under the Subject: line
"Response to Time cover on privacy" were in response to Marc's criticism,
attached below. -Declan]

---------- Forwarded message ----------
Date: Thu, 21 Aug 1997 11:49:13 -0400
From: Marc Rotenberg <rotenberg at>
To: declan at
Subject: Re: FC: Response to Time cover on privacy


Josh -

I appreciate the excellent coverage of privacy issues in this
week's Time Magazine and at the Pathfinder site, but I am
concerned about three particular points made in your
article and the general tenor of your reporting.

First, much of your discussion of the privacy issue assumes
that there is a necessary trade-off between privacy and
social benefit. Give up some data, get a good parking space.
I think this is a very shallow view of privacy rights. A
person who lives in a prison has very little privacy and
very little benefit. An affluent person in a democratic
society, however, may have both. Clearly, there is something
more going on than a zero-sum game.

Many of the current efforts to promote genuine privacy
enhancing techniques, such as anonymous cash, are based on
the belief that we can obtain many of the same benefits
of customized service without giving up personally
indentifiable information. In this context, the
discussion of cookies is critical -- a non-actual
user identified cookie is very good for service and
privacy, but a user-identified cookie can be good
for service but bad for privacy. But your discussion
of cookies glosses over this critical point.

These questions come up all the time. Should intelligent
highways capture actual IDs? Can medical services be
delivered psuedo-anonymously? What about communication
services? Web access? You substituted an old privacy
cliche ("in the modern world we give up some privacy
for some benefit") for coverage of the interesting,
cutting edge policy issues that the net and the
debate about identity has raised.

Second, following Alan Westin's line, you suggest that
we have generally avoided privacy legislation in the private
sector. This is simply not true. We have federal privacy
legislation for credit record (1970), school records
(1974), bank records (1978), cable subscriber records
(1984), stored email (1986), video rental records (1988),
junk faxes and auto dialers (1991), and dozens more at
the state level for everything from insurance and health
records to library records.

You can say that these laws are at times ineffective or
incoherent -- why federal privacy for video records
but nor medical records? -- but it is just wrong to start
tearing pages from the history books and the US code
to support a bias against privacy laws. Alan should know
better; you should as well.

Finally, you and Kevin K. take a big swing at my call for
privacy legislation and a privacy agency. I appreciate that
it is a cardinal rule of some to oppose any government
anything, but at least understand the argument for the
privacy agency

  "We need new legal protections to enforce the privacy act, . . ."

The Privacy Act was established in 1974 to restrict the
ability of government to collect information on citizens
and to give citizens the right to get access to their
own files. But since '74, federal agencies have shown
little interest in upholding the law and privacy
concerns *across the federal government* have

Do I take from Kevin's criticism that he would prefer
that there was no effort to improve enforcment of the
Privacy Act, limit record sharing in the government,
and ensure people get access to their own files? Is
that right?

Can we at least agree that the Privacy Act plays
an important role in protecting citizen rights and
that efforts to strengthen it should be supported?

  " . . . to keep federal agencies in line, . . .'

So that, for example, when law enforcement agencies in
the federal government press the White House and the
OMB for new law enforcement authority there is a
counterveiling agency in the government that requires
that privacy concerns are addressed before the proposal
reaches the President's desk. And if they aren't
adequately addressed, maybe the proposal doesn't
get to the President's desk.

It is obvious after both the Clipper episode and the OECD
Crypto Guidelines that governments with privacy agencys
have done a better job resisting these calls for
extended government surveillance. The problem is that
the one-dimensional critique of government provided in the
article (and Wired and Netly) simply doesn't allow for the
possibility that one of the best ways to constrain government
power is through checks and balances. That, btw, was the key to
controlling government authority in the US Constitution.

In the absence of a federal privacy agency, you can
almost be guaranteed that administration proposals
will always tip in favor of surveillance. And
the irony of the opposition by some to a federal
privacy agency is that it has made it easier over the
last few years for NSA/FBI to push forward crypto
standards and roll the Department of Commerce. What in
the federal government should stop them? Absent an
office to push back, they have a clear course to the
President's desk.

  " . . . to act as a spokesperson for the Federal Government . . ."

This is for the fairly obvious reason that privacy is one
of the biggest issues today in the US and there is no
office in government that can even say authoritatively
what the position of the US is. (Note that this problem
doesn't exist over on the surveillance side or with
copyright protection. The government values both. So David
Aaron was given the title and the authority to promote
the Administration position on key escrow/key recovery,
and Bruce Lehman did the same at WIPO for copyrights
interests. Do you understand now what's going on?).
The result is that there is not even a basis for
trade discussion or government negotiation.

 . . . and to act on behalf of privacy interests."

So that when SSA is putting PEBES on line there is
some privacy evaluation.

Or, to take a recent European example, the new German
communications law encourages the development of
anonymous payment schemes to promote on-line commerce
and to protect privacy. Where did the idea come
from? The privacy agency.

So, I have to ask, what is it exactly in my proposal that
you/Kevin/Declan object to? Is it the fact that there
will be a government <something>? I can't argue against
that. You're entitled to your religious beliefs, but it
has nothing to do with reporting or policy. Is it
the fact that Trustee, OPS will do all of this better?
If you have been following my point, you'll realize now
that doesn't make any sense. Or what if it costs taxpayer
dollars? In 1993 I backed creation of a federal privacy
agency. Total cost: $5 m.  The industry balked. "Too expensive.
We have to trim the federal budget." The following year they
backed Digital Telephony and a $500 m authorization
to make the phone system easy to wiretap.

I am also getting a little tired of the myth of the small
town where everyone knew everything about everyone else and
that there was no privacy. First off, this myth runs directly
contrary to another, better description of American society
-- the unexplored frontier. Where exactly did all those frontiersmen
come from? The answer is the small town. People were constantly
picking up and moving, building new homes, and establishing
new identities. Many people born in these small towns left and
went to school, joined the military, started businesses, moved to
the city. Mobility, more than any other characteristic, is central
to the American experience. Read Tocqueville. Civic association
was and is constantly formed and reformed.

Finally, I do agree with Kevin that privacy is very much about
social relations. In fact the tag line for the book that Phil Agre
and I edited for MIT Press, "Technology and Privacy: The New Landscape"
begins "Privacy is the capacity to negotiate social
relationships by controlling access to personal information."

Privacy rules essentially establish the base lines for
negotiating social relations between individuals and
organizations. If you collect personal information, you
take on some responsibilities. If you give up some
information, you get some rights. You'll find those
principles in just about every privacy law and policy
in the world. Not only is this commonsense, but it
has some nice benefits for an era when technology allows
us to shape new forms of social relations -- we can
design techniques that allow organizations and inviduals
to interact without disclosure of personal information.
Indeed, the web and the Net provided all of this to
us, but now it could be quickly lost.

I don't know what it will take to persuade some of the
opinion leaders in the on-line world that law will play
a critical role in protecting individual privacy in the
coming years, but I'm willing to listen and learn.And I
hope, whatever form this dialogue takes, we can all move
beyond ideology, myth, and charicature.

Marc Rotenberg.

Marc Rotenberg, director                *   +1 202 544 9240 (tel)
Electronic Privacy Information Center   *   +1 202 547 5482 (fax)
666 Pennsylvania Ave., SE Suite 301     *   rotenberg at
Washington, DC 20003   USA              +

More information about the cypherpunks-legacy mailing list