The Hidden Cost of Privacy

R.A. Hettinga rah at shipwright.com
Tue Jun 16 06:27:36 PDT 2009


Whit Diffie once said that only business, not government, can protect
itself from on-line attacks.


Just as there are no collective rights, there is no such thing as
collective responsibility.

And, more than anything else, privacy, like self defense, is an
individual responsibility.

Sooner or later everyone becomes a cypherpunk.


More opinion, comment, at Schneier's blog:
<http://www.schneier.com/blog/archives/2009/06/the_hidden_cost.html>

Cheers,
RAH
--------
"If we could just pass a few more laws, we could all be criminals." --
Vinnie Moscaritolo

---------

<http://www.forbes.com/forbes/2009/0608/034-privacy-research-hidden-cost-of-privacy_print.html>

Forbes.com

Technology
The Hidden Cost of Privacy
Lee Gomes, 06.08.09, 12:00 AM ET
Special interest groups and lawyers claim they are defenders of
individual privacy. But all that red tape is causing more harm to
consumers than good.

In a world of tight budgets and sacrificed programs, one sector has
continued to grow with the speed and choking effectiveness of kudzu:
regulations around privacy.

More than 300 privacy-related laws are on the books, in both
Washington, D.C. and state capitals. Privacy-related consulting
services provided by law and accounting firms are a $500-million-a-
year business and have been growing at double digits.

Expenses inside companies for privacy compliance easily run into the
billions; a growing number of firms, for instance, now have their own
"chief privacy officer." The International Association of Privacy
Professionals, less than ten years old, has 6,200 members, and
membership has grown as much as 40% a year for the last five years. "I
don't think many professions can say that," says J. Trevor Hughes, its
executive director.

So what, besides a gravy train of regulators, consultants and
activists, are we getting for all this effort? Unfortunately, not much
privacy protection.

On the one hand, laws designed to keep consumers apprised of privacy
issues have resulted in a deluge of privacy notices, consent forms and
security alerts into mailboxes, both real and electronic. You can't
see a doctor, sign up for a bank account or visit a Web site without
collecting your share of this paperwork. Rather than making people
more private, though, the torrent of notifications leaves most of them
so desensitized that they stop caring.

In other instances, the American approach to privacy occasionally
produces too much of it, notably when it comes to medical research.
Federal privacy laws involving health records are often so stringently
interpreted by bureaucrats that studies involving life-threatening
diseases have had to be scaled back or canceled. A pioneering, decades-
long study of strokes and heart attacks shut down this year when
researchers weren't able to get the necessary patient-consent forms
signed.

A recent report from the Institute of Medicine says privacy laws have
created a crisis for U.S. researchers. Lawrence O. Gostin, the
Georgetown University law professor who presided over the study,
complains that the consent forms that are a centerpiece of many laws
don't even do a good job in protecting medical privacy. "Patients
don't understand what they are signing," he says.

No one in this age of hackers and identity theft questions whether
privacy and data security should be a priority. No one would want
government agencies or companies to be sloppy when encrypting their
databases and restricting access to personal information.

But many privacy efforts are proving counterproductive. Security
"breach notices" are an example. First required by the state of
California in 2003 but now widespread, these are the letters sent by
companies to their customers letting them know about problems
connected with their personal data. The worst case would be a hacker
breaking in and stealing credit card information.

In principle it makes sense to force companies to fess up to their
data glitches and give consumers the ability to fix any resulting
problems. In practice, though, companies are increasingly sending out
the notices at the slightest provocation, leaving recipients confused
about what, if anything, they need to do. It's a classic case of
information overload.

Late last year, for example, there was a hiccup in the Web site
software used by the International Cake Exploration Societé to collect
members' $60 dues. Some of the personal information of the 3,500
hobbyist bakers who belong to the group may have been exposed online
for a few weeks. The bug was fixed as soon as it was discovered, and
there was no reason to think that any private information had been
accessed.

Nonetheless, Glenda Galvez, a Wichita Falls, Tex. wedding cake baker
who is the group's president, found she had a legal obligation to
notify her members. She was referred to Amir Azaran, with the Chicago
law firm of Neal, Gerber & Eisenberg, who helped prepare the breach
notices that were sent to every member in the group. Considering the
minor nature of the problem, the blanket notification "didn't make
much sense," says Azaran. But still, for him to have suggested any
other course of action "would have amounted to telling a client to
willfully ignore the law."

The legal bill will be a few thousand dollars. The bakers got off
cheap. The Ponemon Institute, which studies privacy, estimates that
lost or stolen laptops typically cost a company $50,000, much of it in
the form of legal notifications.

Since many states put these notices on their Web sites, it's easy to
track their frequency. Over the last 12 months, for example, Maryland
residents have received 224 of them, from firms such as AT&T, Goldman
Sachs, HP, Google, Facebook, 3M, Verizon Wireless, Kraft Foods,
Continental Airlines and Starbucks. A quarter of those notifications
were triggered by lost or stolen laptops. But sometimes the incident
is trivial: One small Wall Street accounting firm bothered its
customers with the news that an employee had seen a file he wasn't
supposed to have.

Because of this overdisclosure, consumers seem to be caring less, not
more, about privacy threats. Big companies sometimes provide a year's
worth of free credit monitoring in connection with breach notices as a
way of mollifying customers. Jay Cline, a consultant in Minneapolis
who tracks privacy issues, says that in the early days of the notices,
up to a third of recipients would take up such offers. Now, he says,
the figure is below 5%.

Lawyers who spend their workdays preparing privacy-related notices
freely admit that scarcely anyone reads them. The yearly privacy
updates from banks required by the 1999 Gramm-Leach-Bliley Act are
commonly cited as especially useless; no less an authority than Ralph
Nader says the mailings are among the biggest wastes of paper in human
history.

"Whenever I am speaking, I ask the audience if anyone has ever made
use of one of those forms," says Kirk J. Nahra, an attorney with Wiley
Rein in Washington, D.C. "If even one person raises their hand, I am
amazed."

This legalistic, paperwork-based privacy can be privacy-hostile.
Sleazy companies exploit the fact that no one reads privacy notices.
This explains the profusion of Web gimmicks like "real age" tests,
opinion surveys and IQ exams. Their real purpose is to extract
personal information from bored Web surfers, data that can later be
sold for marketing purposes. "If a company wants to play fast and
loose, all it has to do is bury something in 40 pages of legal mumbo
jumbo," says Douglas Farry, with the law firm of McKenna Long &
Aldridge.

If this emerging Everest of new privacy paperwork sometimes ends up
creating too little privacy, other parts of the modern privacy
industrial complex make for too much.

Medicine offers heartbreaking examples. The federal Health Insurance
Portability & Accountability Act, or Hipaa, places so many new privacy
restrictions on medical data that dozens of studies for life-
threatening ailments--heart attacks, strokes, cancer--are being
delayed or canceled outright because researchers are unable to jump
through all the privacy hoops regulators are demanding.

Every five years, starting in 1979, doctors connected with the
Minnesota Heart Study would look at the charts for every cardiac-
related emergency room admission in the Twin Cities--45,000 charts in
all. It's one of the world's most important ongoing heart studies and
has led to numerous lifesaving breakthroughs in treatment, including
documenting how many lives get saved by quickly giving thrombolytics
to stroke patients.

Enter Hipaa and its requirement that patients give consent for their
records to be examined. That can be nearly impossible to obtain when
someone is having a heart attack. The study lacked the staffing
resources needed to track down patients afterward. So the researchers
folded up the operation.

"We had lots of useful clinical data, and we never had any sort of
security breach," says an exasperated Russell V. Luepker, a University
of Minnesota cardiovascular expert who ran the study. "Now the lawyers
say that giving us the data would be risking a felony. It stinks."

Stanford University oncologist Sandra Horning has a three-year grant
to study cancer tumors; her goal is to look at 450 tissue samples
situated at a few dozen research centers around the country. Even
though she doesn't need to know the names of any patients, Horning's
team has spent two years dealing with Hipaa consent forms. In all that
time no science has been done. "We are two years behind where we
should be," she laments.

Sometimes bureaucrats end up protecting privacy rights that medical
patients may not even know they have. Roberta B. Ness, now the dean of
the University of Texas School of Public Health, was once researching
risky pregnancies in a maternity clinic. Briefly peeking at medical
records to find patients with telltale signs like hypertension was out
of the question. But clinic regulators also said it was a privacy
invasion to simply ask pregnant women waiting in the lobby if they'd
like to volunteer for a study.

As a result, Ness said, enrollment in the study was reduced by half.
Worse, researchers say the results they get from these reduced studies
are methodologically suspect, since the sorts of people who consent to
privacy forms are often not representative in income, race and
education levels of the population as a whole.

Why haven't researchers spoken out? One reason involves the oversize
role played in policy debates by privacy protest groups. Elaine R.
Rubin, vice president for policy of the Association of Academic Health
Centers, says that many scientists are reluctant to suggest rethinking
the laws because they "worry about being accused by privacy
absolutists of not favoring privacy at all."

Privacy advocates have become a staple in these debates. Many of them
work hard at finding a reasonable balance between privacy and other
social goods. Others, though, get attention with absolutist positions
motivated by fringe personal beliefs. One argument advanced against
radio-frequency ids--the electronic tags that handle toll passes and
inventory control--is that the chips resemble the "Mark of the Beast"
prophesied in the New Testament.

Some complainers are obsessed with anonymity and appear bothered by
any data sharing at all, even when entirely voluntary. It's
reminiscent of the Navajo belief that letting someone take your
picture is letting them steal a piece of your soul.

This preoccupation with keeping data anonymous can lead to surreal
outcomes. Fred H. Cate, director of the Center for Applied
Cybersecurity at the Indiana University School of Law at Bloomington,
notes that privacy advocates helped block a federal proposal to
require air travelers to give their addresses and birth dates when
buying tickets. While labeling the effort an invasion of privacy, they
seemed unconcerned about the vastly more invasive alternative: federal
agents performing body searches and rummaging through luggage.

RFIDs are a good case study of the peculiar public relations dynamics
of privacy, and show that technology vendors are terrorized by
suggestions that they aren't sensitive to privacy concerns. When
probed by special scanners a few feet away, the chips report back a
few dozen characters of manufacturer information, akin to what's found
on a bar code. RFID tags are typically both readily visible and easily
removable.

But some privacy advocates tell dark tales of RFIDs being part of an
Orwellian nightmare in which citizens, by simply walking down the
street, reveal everything about themselves to a network of ubiquitous
scanners. Not only are the risks of the chips comically exaggerated,
but the benefits--more effective counterfeiting controls, better
monitoring of product safety and reliability--are never mentioned.

In the name of privacy, there have been campaigns against the RFID
tagging of pets in Texas, while some New Hampshire citizens have
argued about whether tagging a body inhibits the soul's progress to
heaven. In California legislators briefly considered a proposal that
the state publish a map showing the location of every RFID reader, as
if they were toxic waste dumps.

Many companies have become reluctant to talk about RFIDs, even as they
explore using them. One consumer products company, after describing in
an interview its plans to eventually use the chip in its widely known
household products, called back and asked that the products not be
mentioned, lest it create p.r. headaches before the company was ready
for them.

Is there a way out of the current, overly legalized approach to
privacy, which seems to make no one happy?

Hints are emerging on different fronts. The Federal Trade Commission
is beginning to nudge companies into being less wordy and thus more
useful in describing their Web privacy policies.

Another approach involves realizing that "privacy" might be the wrong
way of thinking about some issues. For example, many privacy advocates
usually lobby to keep sensitive information out of medical records in
order to prevent discrimination against people with stigmatized
diseases. But this can make the records so sanitized as to be useless,
which in fact is emerging as a concern as the country moves to a
system of electronic medical records.

A better approach might be to make records as complete as possible but
to crack down hard on anyone making improper use of them.

Protecting absolute privacy usually has a cost. Turning off cookies in
Web browsers makes the Internet vastly less convenient. Similarly,
assuring emergency room heart attack patients that no one besides
their doctor will ever see their records may also result in their
future care not being as good because important studies have to get
canceled.

"Privacy is obviously a very important value," says attorney Cate, of
Indiana University. "But sometimes it competes with other values. And
that's something that many people don't seem to understand. We should
be able to have frank discussions about social policies without the
privacy card always automatically trumping everything."