America Faces the World On Privacy: Four Years After 9/11 Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Keynote: Edinburgh

““America Faces the World On America Faces the World On Privacy: Four Years After 9/11”Privacy: Four Years After 9/11”

Peter P. SwirePeter P. SwireOhio State UniversityOhio State University

Consultant, Morrison & Foerster, LLPConsultant, Morrison & Foerster, LLPKeynote: Edinburgh Privacy ConferenceKeynote: Edinburgh Privacy Conference

September 5, 2005September 5, 2005

OverviewOverview

BackgroundBackground The public sector & the Bush Doctrine of The public sector & the Bush Doctrine of

information sharinginformation sharing The private sector & challenges to fair The private sector & challenges to fair

information practicesinformation practices Ways to build trans-Atlantic understanding Ways to build trans-Atlantic understanding

on privacyon privacy

I. Before 9/11I. Before 9/11

The 1998 baselineThe 1998 baseline The E.U. Directive went into effect fall, 1998The E.U. Directive went into effect fall, 1998 My book was keyed to that dateMy book was keyed to that date

• Extensive interviews with EU and US expertsExtensive interviews with EU and US experts• EU perspectiveEU perspective

Human rights basedHuman rights based Need for harmonization in common marketNeed for harmonization in common market

• US perspectiveUS perspective Cost/benefit basedCost/benefit based Concerns about under- Concerns about under- andand over-regulation over-regulation

Chief Counselor for PrivacyChief Counselor for Privacy My role in U.S. Executive Office of the President, 1999-early My role in U.S. Executive Office of the President, 1999-early

20012001 Trying to “build privacy in” for policies/lawsTrying to “build privacy in” for policies/laws

HIPAA: medical privacyHIPAA: medical privacy Gramm-Leach: financial privacyGramm-Leach: financial privacy FTC enforcement of privacy promisesFTC enforcement of privacy promises

• Especially for the InternetEspecially for the Internet Safe HarborSafe Harbor Federal agency web policies & privacy impact assessmentsFederal agency web policies & privacy impact assessments Bipartisan interest in Congress to make email & wiretap Bipartisan interest in Congress to make email & wiretap

laws stricterlaws stricter

My Normative BaselineMy Normative Baseline

My own views are roughly those reflected by the My own views are roughly those reflected by the Clinton Administration, 1999-2000Clinton Administration, 1999-2000 Achieve progress in building privacy into Achieve progress in building privacy into

public and private systemspublic and private systems Fair information practices as the baselineFair information practices as the baseline Be realistic about how laws are actually Be realistic about how laws are actually

implemented in practice, avoiding over- and implemented in practice, avoiding over- and under-regulationunder-regulation

II. The Public SectorII. The Public Sector Moral view of the “precautionary principle”: if the Moral view of the “precautionary principle”: if the

consequences of an action are unknown but consequences of an action are unknown but judged to have a high risk of being ethically judged to have a high risk of being ethically negative, it is better to not carry out the action negative, it is better to not carry out the action rather than risk the uncertain but possibly rather than risk the uncertain but possibly negative consequencesnegative consequences

Principle best known for protecting the Principle best known for protecting the environmentenvironment Long run potential harm from actionLong run potential harm from action Precaution (inaction) less likely to cause long-Precaution (inaction) less likely to cause long-

run harmrun harm

Precautionary & PrivacyPrecautionary & Privacy

Instinct for privacy scholars is that protecting Instinct for privacy scholars is that protecting privacy is like protecting the environmentprivacy is like protecting the environment

Precautionary principle:Precautionary principle: Err on the side of human rightsErr on the side of human rights When in doubt, be cautious about the use of When in doubt, be cautious about the use of

data and the dangers caused by that usedata and the dangers caused by that use Precaution against use of data & the long Precaution against use of data & the long

term effects of revealing private informationterm effects of revealing private information

Precautionary & SecurityPrecautionary & Security

Consider a contrary viewConsider a contrary view Precautionary principle:Precautionary principle:

Err on the side of protecting society from Err on the side of protecting society from attackattack

When in doubt, share data to avoid the When in doubt, share data to avoid the dangers of attackdangers of attack

Precautions are against the long-term Precautions are against the long-term damage from the attacksdamage from the attacks

Precautionary and PrivacyPrecautionary and Privacy

In the privacy debate, we are used to “balancing” In the privacy debate, we are used to “balancing” privacy & securityprivacy & security ““Balancing” is a term of utilitarian calculusBalancing” is a term of utilitarian calculus

Use of the precautionary principle helps show Use of the precautionary principle helps show that that moralmoral fervor is on both sides fervor is on both sides Privacy protects human rights (no attacks by Privacy protects human rights (no attacks by

commercial or state interests)commercial or state interests) Information sharing protects human rights Information sharing protects human rights

(right to bodily integrity, not to be attacked)(right to bodily integrity, not to be attacked)

The Bush Doctrine ofThe Bush Doctrine of Information Sharing Information Sharing

Disclaimer – I often critique the Bush Disclaimer – I often critique the Bush Administration on privacy & information sharingAdministration on privacy & information sharing It is important to understand the logic of the It is important to understand the logic of the

positionposition Axiom 1: The threat has changedAxiom 1: The threat has changed

Was threat of Soviet tank or missile attackWas threat of Soviet tank or missile attack Now is asymmetric threat – a few individuals Now is asymmetric threat – a few individuals

with boxcutters or home-made explosives with boxcutters or home-made explosives

Bush DoctrineBush Doctrine

Axiom 2: The threat is significantAxiom 2: The threat is significant The intellectual importance of WMDsThe intellectual importance of WMDs ““One nuke can ruin your whole day”One nuke can ruin your whole day” Measures that are not justified by small Measures that are not justified by small

attacks may be justified for asymmetric, large attacks may be justified for asymmetric, large attacksattacks


Axiom 3: Progress in IT dwarfs progress in Axiom 3: Progress in IT dwarfs progress in defensive physical securitydefensive physical security Price of sensors, storage, and sharing down Price of sensors, storage, and sharing down

sharplysharply Useful knowledge & patterns extracted from Useful knowledge & patterns extracted from

datadata The efficient mix of security measures has a The efficient mix of security measures has a

large & ongoing shift to information-intensive large & ongoing shift to information-intensive strategiesstrategies


(1) The threat has changed(1) The threat has changed (2) The threat is significant (2) The threat is significant (3) Progress in IT shifts the best response(3) Progress in IT shifts the best response For privacy advocates, which of these For privacy advocates, which of these

assertions seems incorrect?assertions seems incorrect? There is a powerful logic to this approachThere is a powerful logic to this approach Now we turn to possible responsesNow we turn to possible responses

Has the Threat Changed?Has the Threat Changed?

Yes.Yes. Conventional threat, typified by satellite Conventional threat, typified by satellite

reconnaisance of military targets, is clearly less reconnaisance of military targets, is clearly less than before 1989than before 1989 Enemy mobilization often graduated and Enemy mobilization often graduated and

visible (levels of military alert)visible (levels of military alert) Current threats from asymmetric attacksCurrent threats from asymmetric attacks

No visibility of imminent attacks unless get No visibility of imminent attacks unless get information about the individual attackersinformation about the individual attackers

How Significant is the Threat?How Significant is the Threat?

This topic is controversialThis topic is controversial I address this in 2004 article on foreign I address this in 2004 article on foreign

intelligence & surveillanceintelligence & surveillance No WMDs in IraqNo WMDs in Iraq Nation states as havens likely Nation states as havens likely muchmuch more more

dangerous than isolated individualsdangerous than isolated individuals Exception in my view – nuclear proliferationException in my view – nuclear proliferation

Significance of the ThreatSignificance of the Threat

Within the U.S., extremely difficult politically to Within the U.S., extremely difficult politically to question the threatquestion the threat Republicans are loyal to Pres. BushRepublicans are loyal to Pres. Bush Democrats can’t appear weakDemocrats can’t appear weak

Within U.S., privacy and civil liberties advocates Within U.S., privacy and civil liberties advocates can question the threat but are not likely to can question the threat but are not likely to succeed muchsucceed much

European resistance can slow hasty actions by European resistance can slow hasty actions by U.S. where threat is exaggeratedU.S. where threat is exaggerated

Is the Shift to IT &Is the Shift to IT & Prevention Efficient? Prevention Efficient?

Here is the battleground for privacyHere is the battleground for privacy (1) Ends/means rationality – does the proposed (1) Ends/means rationality – does the proposed

surveillance actually improve security?surveillance actually improve security? Does security measure work? Cost Does security measure work? Cost

effectively?effectively? E.g., carry-ons over-broad (nail cutters) and E.g., carry-ons over-broad (nail cutters) and

under-broad (ingenious attackers can attack)under-broad (ingenious attackers can attack) E.g., data mining may create so many false E.g., data mining may create so many false

positives that the noise swamps the signalpositives that the noise swamps the signal

Shift to IT and Prevention?Shift to IT and Prevention?

(2) “Security theater” & Bruce Schneier(2) “Security theater” & Bruce Schneier Perceive, and critique, measures that are Perceive, and critique, measures that are

taken for the sake of “doing something”taken for the sake of “doing something” E.g., show ID to get into office buildings; this E.g., show ID to get into office buildings; this

is worthless in a world of pervasive fake IDsis worthless in a world of pervasive fake IDs Important to have credible and effective Important to have credible and effective

technical critiques of proposed surveillancetechnical critiques of proposed surveillance• U.S. State Dept. RFIDs on passports as U.S. State Dept. RFIDs on passports as

“terrorist beacons” readable at 10 meters“terrorist beacons” readable at 10 meters

Shift to IT & PreventionShift to IT & Prevention

(3) Point out unprecedented nature of proposed (3) Point out unprecedented nature of proposed surveillancesurveillance E.g., library records and chilling the right to E.g., library records and chilling the right to

readread ““Gag rule” on foreign intelligence orders to get Gag rule” on foreign intelligence orders to get

library and other databaseslibrary and other databases• Some greater due process in Patriot Act Some greater due process in Patriot Act

revisionsrevisions E.g., national ID cards and build coalition of E.g., national ID cards and build coalition of

libertarians on left and rightlibertarians on left and right

Shift to IT and PreventionShift to IT and Prevention

(4) Invoke historical abuses & ask for checks (4) Invoke historical abuses & ask for checks and balancesand balances Prevention was tried by Hoover & the FBIPrevention was tried by Hoover & the FBI Prevention led, over time, to vast expansion Prevention led, over time, to vast expansion

of surveillance but little proven preventionof surveillance but little proven prevention Political and other abuses from that Political and other abuses from that

expansionexpansion Therefore, oversight and limits on new Therefore, oversight and limits on new

surveillance because human nature hasn’t surveillance because human nature hasn’t changedchanged


(5) Fairness, discrimination, and effectiveness(5) Fairness, discrimination, and effectiveness If single out groups, such as young Arab If single out groups, such as young Arab

males, then that can backfiremales, then that can backfire Is unfair, and perceived as unfair by manyIs unfair, and perceived as unfair by many Risk of creating resentment by communities Risk of creating resentment by communities

who cooperation is needed – better to build who cooperation is needed – better to build bridges to communities than to treat everyone bridges to communities than to treat everyone as a suspectas a suspect


(6) Show how proposed measures make the (6) Show how proposed measures make the problem worseproblem worse E.g., trusted traveler programs will give E.g., trusted traveler programs will give

greater powers for harm to the terrorists who greater powers for harm to the terrorists who get the credentialget the credential

E.g., racial profiling that undermines E.g., racial profiling that undermines assistance from the well-informedassistance from the well-informed


(7) International opposition to U.S. measures(7) International opposition to U.S. measures Return to this belowReturn to this below Concerns from outside the U.S. do require a Concerns from outside the U.S. do require a

more fully developed policy process within more fully developed policy process within U.S.U.S.

Summary on Bush DoctrineSummary on Bush Doctrine Significant moral & political logic to: new threat; threat Significant moral & political logic to: new threat; threat

is large; IT will helpis large; IT will help Possible answers include:Possible answers include:

Does proposal work?Does proposal work? It may be “security theater”It may be “security theater” Unprecedented surveillance and not neededUnprecedented surveillance and not needed Historical abuses show need for checksHistorical abuses show need for checks Fairness and non-discriminationFairness and non-discrimination Proposed measures make the problem worseProposed measures make the problem worse International realpolitikInternational realpolitik

III. The Private SectorIII. The Private Sector

““Security” as the source of new privacy Security” as the source of new privacy protectionsprotections

Compliance American styleCompliance American style Challenge to the FIPsChallenge to the FIPs

Government use of commercial dataGovernment use of commercial data

““Security” Helps PrivacySecurity” Helps Privacy

Recent U.S. privacy protections created in the Recent U.S. privacy protections created in the name of “security”name of “security” American style of politicsAmerican style of politics ““Death” tax and “estate” taxDeath” tax and “estate” tax

““Security” is a winning word after 9/11Security” is a winning word after 9/11 ““Privacy” sounds like one is not committed to Privacy” sounds like one is not committed to

winning the War on Terrorismwinning the War on Terrorism

New “Security” MeasuresNew “Security” Measures

Security notifications for breachSecurity notifications for breach At least 15 states with laws, 14 this yearAt least 15 states with laws, 14 this year

Cybercrime measuresCybercrime measures DOJ supports anti-wiretap law (Councilman)DOJ supports anti-wiretap law (Councilman)

Spyware as security threatSpyware as security threat State, maybe federal, legislationState, maybe federal, legislation

Spam as threat to availability and integrity of Spam as threat to availability and integrity of systemssystems CAN-SPAM and other lawsCAN-SPAM and other laws

Compliance American StyleCompliance American Style

3 modes of compliance3 modes of compliance Aspirational – the law expresses an ideal, but Aspirational – the law expresses an ideal, but

detailed compliance is not expected (E.U.?)detailed compliance is not expected (E.U.?) Gamesmanship – organizations minimize the Gamesmanship – organizations minimize the

effect of the law with compliance tricks effect of the law with compliance tricks (cynical view of U.S.?)(cynical view of U.S.?)

Defensive or Risk averse – organizations Defensive or Risk averse – organizations avoid even the risk of enforcement by over-avoid even the risk of enforcement by over-complying (actual U.S. practice under medical complying (actual U.S. practice under medical privacy rule)privacy rule)

Consequences of Compliance Consequences of Compliance American StyleAmerican Style

Policymakers learn that over-regulation is a Policymakers learn that over-regulation is a major riskmajor risk For privacy, sensible data flows don’t happenFor privacy, sensible data flows don’t happen The family member picking up the prescription The family member picking up the prescription

at the pharmacyat the pharmacy The historical researcher of the 18The historical researcher of the 18 thth C. poet C. poet

U.S. Ambassador David Aaron’s 1999 offer:U.S. Ambassador David Aaron’s 1999 offer: We’ll take E.U. privacy laws if you’ll take our We’ll take E.U. privacy laws if you’ll take our

plaintiffs’ lawyersplaintiffs’ lawyers

Compliance: EU & USCompliance: EU & US In the 1998 book, we asked EU Commission if it In the 1998 book, we asked EU Commission if it

was legal to carry a laptop on the plane to a was legal to carry a laptop on the plane to a country that lacked an adequacy determinationcountry that lacked an adequacy determination Answer from a Commission official: “It depends”Answer from a Commission official: “It depends” Practice within EU – of course the laptops are Practice within EU – of course the laptops are

carried onto planescarried onto planes Have had increase in enforcement actions in E.U. Have had increase in enforcement actions in E.U.

since thensince then I welcome your thoughts on how close E.U. is to I welcome your thoughts on how close E.U. is to

full compliance with the law as writtenfull compliance with the law as written

Compliance in U.S.Compliance in U.S.

Major U.S. growth in CPOs and institutionalized Major U.S. growth in CPOs and institutionalized privacyprivacy CPO term not used until 1999CPO term not used until 1999

In U.S., my experience since 2000 is that there In U.S., my experience since 2000 is that there is more risk-averse compliance than I is more risk-averse compliance than I anticipated -- sensible behavior is more chilled anticipated -- sensible behavior is more chilled by rules than I expectedby rules than I expected

Policymakers learn to be cautious about Policymakers learn to be cautious about aspirational or over-broad privacy lawsaspirational or over-broad privacy laws

More on ComplianceMore on Compliance

One thought on why compliance is so differentOne thought on why compliance is so different Belgium & the Netherlands – all the key actors Belgium & the Netherlands – all the key actors

in an industry gather in a room with officialsin an industry gather in a room with officials• Ombudsman role of D.P. authoritiesOmbudsman role of D.P. authorities

U.S. – major players are 5,000 km away from U.S. – major players are 5,000 km away from regulatorsregulators• Formal/legal role of FTC and other Formal/legal role of FTC and other

regulatorsregulators• Over 1 million HIPAA covered entitiesOver 1 million HIPAA covered entities

Fair Information Practices Fair Information Practices Under ChallengeUnder Challenge

E.U. Dir. Art. 6(e): data not kept in identified form E.U. Dir. Art. 6(e): data not kept in identified form “longer than is necessary” for purposes for which “longer than is necessary” for purposes for which was collectedwas collected

Technology challengeTechnology challenge Storage much, much cheaperStorage much, much cheaper Forensics much better, and is Forensics much better, and is hardhard to delete to delete

U.S. has HIPAA & many contracts that say “take U.S. has HIPAA & many contracts that say “take practicable measures”, but deletion will often not practicable measures”, but deletion will often not take placetake place

FIPs: Secondary UseFIPs: Secondary Use

The major battleground is secondary useThe major battleground is secondary use U.S. is less sure it agrees with this FIPU.S. is less sure it agrees with this FIP

Many public records, used widelyMany public records, used widely First Amendment, and data is generally First Amendment, and data is generally

publishable unless under a contractpublishable unless under a contract Business & government belief that information Business & government belief that information

sharing is often progress, not rights violationsharing is often progress, not rights violation Scope of data protection laws as shown in Scope of data protection laws as shown in

Swedish Lindqvist case would be most Swedish Lindqvist case would be most surprising to U.S. intuitionssurprising to U.S. intuitions

Secondary Use & Govt AccessSecondary Use & Govt Access

Growing issues on rules for government access Growing issues on rules for government access to private-sector datato private-sector data Government purchases (e.g., subscriptions to Government purchases (e.g., subscriptions to

do background checks)do background checks) Government asks or requires for law Government asks or requires for law

enforcement or intelligenceenforcement or intelligence

Commercial Data & Govt.Commercial Data & Govt.

U.S. rules for purchase are not well developedU.S. rules for purchase are not well developed Great interest from government as part of Great interest from government as part of

information sharing growthinformation sharing growth Little legal framework for how that purchased Little legal framework for how that purchased

data is handled by federal governmentdata is handled by federal government Answers to this will mirror answers to broader Answers to this will mirror answers to broader

wish by agencies for information sharing in anti-wish by agencies for information sharing in anti-terrorism effortsterrorism efforts

IV. Looking AheadIV. Looking Ahead

Within the U.S., and I think globally, “security” Within the U.S., and I think globally, “security” will be an increasingly important way that new will be an increasingly important way that new privacy protections will be implementedprivacy protections will be implemented Political and policy alliances to build Political and policy alliances to build bothboth

security and privacy into information systemssecurity and privacy into information systems

Looking AheadLooking Ahead

Politically, the Bush Administration has Politically, the Bush Administration has sometimes been willing to go along with privacy sometimes been willing to go along with privacy initiativesinitiatives CPO for Homeland SecurityCPO for Homeland Security Privacy Impact Assessments in 2002 lawPrivacy Impact Assessments in 2002 law It didn’t cancel HIPAAIt didn’t cancel HIPAA

The Administration has had The Administration has had nono significant data significant data privacy initiatives of its ownprivacy initiatives of its own No distractions from the War on TerrorNo distractions from the War on Terror


Better privacy policy must then come from Better privacy policy must then come from elsewhereelsewhere U.S. state legislation – spyware, breach, etc.U.S. state legislation – spyware, breach, etc. Privacy advocates & Congress – CPOs, PIAsPrivacy advocates & Congress – CPOs, PIAs International realities that require the U.S. International realities that require the U.S.

Administration to stop, look, and listenAdministration to stop, look, and listen


Europe & the role of the DirectiveEurope & the role of the Directive Educated U.S. policy & business leadersEducated U.S. policy & business leaders Required the process that led to the Safe Required the process that led to the Safe

HarborHarbor Significant convergence; not harmonizationSignificant convergence; not harmonization

Similar effects on passenger name recordsSimilar effects on passenger name records Mandates in non-U.S. law do create a possibility Mandates in non-U.S. law do create a possibility

of negotiation and partial convergenceof negotiation and partial convergence


The ebb & flow of politicsThe ebb & flow of politics 2000 Clinton wiretap/privacy bill criticized for 2000 Clinton wiretap/privacy bill criticized for

not being protective enough of privacynot being protective enough of privacy 2001 Patriot Act much further toward 2001 Patriot Act much further toward

surveillancesurveillance With time, the politics of 2001 will shift to With time, the politics of 2001 will shift to

something elsesomething else Perhaps the much-feared “next big attack’Perhaps the much-feared “next big attack’ Perhaps closer to new normalcy & calmPerhaps closer to new normalcy & calm I am hopeful of the latterI am hopeful of the latter


As U.S. politics shift, U.S. policy likely to become As U.S. politics shift, U.S. policy likely to become more open to international practices and normsmore open to international practices and norms The European rights approach will face The European rights approach will face

continuing U.S. objections on secondary usecontinuing U.S. objections on secondary use But the overall framework of checks against But the overall framework of checks against

data abuse can have solid U.S. supportdata abuse can have solid U.S. support EspeciallyEspecially if what is asked of the U.S. is a if what is asked of the U.S. is a

reasonable fit with the U.S. compliance reasonable fit with the U.S. compliance realities realities

In ClosingIn Closing

The Atlantic seems wider today than it did five The Atlantic seems wider today than it did five years ago, on privacy, global warming, and other years ago, on privacy, global warming, and other issuesissues

Continuing, implementable privacy protections Continuing, implementable privacy protections can grow over time in the U.S.can grow over time in the U.S.

Better understanding across the Atlantic, such Better understanding across the Atlantic, such as this conference, will help that to occuras this conference, will help that to occur

Contact InformationContact Information

Professor Peter P. SwireProfessor Peter P. Swire Phone: (240) 994-4142Phone: (240) 994-4142 Email: Email: [email protected]@peterswire.net Web: Web: www.peterswire.netwww.peterswire.net

Documents

America Faces the World On Privacy: Four Years After 9/11 Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Keynote: Edinburgh