EPIC Privacy 2010 Election Campaign Comments
Wednesday October 13, 2010; 8:30 – 10:00 AM
The Mott House, 122 Maryland Avenue NE
Thank you for having me here today. My name is Aaron Titus. I am an attorney and the Privacy Director for the Liberty Coalition. The Liberty Coalition works with more than 80 partner organizations from across the political spectrum on transpartisan issues to preserve the Bill of Rights, personal autonomy and individual privacy. The Liberty Coalition works with, but does not speak on behalf of our partners.
We have heard about several substantial policy issues today. I would like to focus on some of the underlying reasons that Privacy has an uphill battle. The Four Most Fundamental Challenges to Privacy in 2010 are:
- The False Notion that one can “Own” Personal Information
- The Failed Notice and Consent Legal Regime
- Erosion of the Definition of Privacy
- The Two Mortal Enemies of Privacy: Convenience and Fear
Who Owns My Data?
The cultural notion that you can “own” personal information is the single biggest threat to privacy because if you can own my personal information, you can own me. In a very real sense, I am Data. And if I am Data, and Data is Property, then I may become Property.
We are Data
As Daniel Solove wrote, you are not much more than “an electronic collage of bits of information, a digital person composed in the collective computer networks of the world.” This collage is our “Data Self:” A digital alter-ego capable of entering contracts, committing crimes, and going into debt. It’s more than a copy or digital shadow, because you are responsible for the actions of your Data Self.
You are bound by contracts your Data Self signs; you will to jail for crimes your Data Self commits. If someone forces your Data Self to take out a loan, you must repay it. If your Data Self has an operation, you may no longer qualify for medical insurance.
Data is Property
Intellectual Property Law treats data like property because 1. Data has value, like property. 2. Data is fungible, like property, and 3. Data is alienable, like property. Most types of information (ie, trade secrets, copyrightable or patentable information, etc) are valuable, fungible, and alienable.
If personal information really were property, then I should be able to permanently sell, or “alienate,” it. But unfortunately, I can’t sell personal information like a car. If I sell my car and the new owner runs it into a tree, it’s not my problem. But we all know that if I “sell” my personal information and the new owner “crashes” my identity, I suffer. Unlike all forms of property, personal information is inherently inalienable. You can’t get rid of it. But because personal information is valuable and fungible, it is often treated like property as a practical matter.
But intellectual property rights in personal information have little basis in law. Most personal information, such as names, addresses, phone numbers, and social security numbers are facts. Facts are not copyrightable.2 You can’t patent personal information,3 and it certainly isn’t a trade secret.4 In short, nobody “owns” my name, including myself.
Even if we could invent an imaginary intellectual property right to one’s personal information, in most cases the most logical owner would be third parties who created it. My parents would most likely “own” my name and DNA, since they made it up. My mother and her doctor had much more to do with my date of birth than I did. Credit card companies would “own” my credit card number. The government would “own” my Social Security Number, and the Post Office would “own” my address.
Personal information cannot be property.
We are Property
But as long as we treat personal information as property, we are faced with an unavoidable dilemma: If We are Data and Data is Property, then We may become Property. Just yesterday Security Expert Bruce Schneider underlined this fact when he said, “We’re not Facebook customers, we’re Facebook’s product it sells to its customers [the advertisers].”
The now popular crime of Identity Theft is the most visible consequence of this trend. In fact, the term “Identity Theft” epitomizes the problem with treating personal information as property: The very term recognizes that you have an alter-ego “identity” or Data Self. And it acknowledges that your Data Self can be stolen and abused, like property.
If we are data and data is property, then we may become property.
Facing the possibility of a new class of crimes, we cannot afford to allow personal information to be treated as government or corporate property. I must have control over my personal information, because I am my personal information.
Replacement of the Notice and Consent Legal Regime
The second most fundamental Privacy issue of 2010 is the failed Notice and Consent Legal Regime. At its core, Notice and Consent allows almost all privacy protections to be waived with proper notice and implied consent. In most cases, Notice and Consent provides no baseline protections, and as Marc Rotenberg has said many times, the Notice and Consent legal regime stands in opposition to Fair Information Practice Principles (FIPPs). Notice and Consent has failed to protect consumers because the market does not value privacy.
As Fred Cate of the Center for Applied Cybersecurity Research explained, the Notice and Consent model is flawed because some activities should not be consentable. Just like one may not “consent” to be served fraudulent or misleading advertising, some uses of personal information should be prohibited and non-consentable.
Eroding Definition of Privacy
The third most fundamental Privacy issue of 2010 is an Eroding Definition of Privacy. As an attorney, I have learned the importance of definitions. I can promise you the world, but if I define the term “world” as “pocket lint,” you can guess who wins.
I fear that the public doesn’t really know what privacy is. And elected officials have done little to advance the public discourse. Instead, the public discussion has been dominated by DHS, the TSA, Google, Facebook, and others. These entities have drastically narrowed the definition of privacy, often attempting to narrow it to nothing more than “security.” We are losing the world and ending up with pocket lint.
With a narrow or ambiguous definition of privacy, promises to “protect civil rights, civil liberties, and privacy” become either superfluous or illusory. The reason is simple: Without knowing what exactly we’re protecting, it’s impossible to know whether or when we’ve succeeded. It’s almost like saying “We’re going to make the world a better place:” Fluffy goodness that means nothing.
Elected officials must insist on a risk-assessment approach when developing strategies to mitigate the risks to civil liberties, civil rights, and privacy. The first step in that process is to enumerate all of those liberties and rights. We need to talk more about privacy, Anonymity, Freedom of speech, and Rights against searches and seizures, for example.
Next, define each of those liberties. Third, identify the risks to those liberties. Fourth, identify strategies to mitigate those risks. And finally, weigh the cost of implementing the strategies against the benefits. When we do not evaluate what civil rights and liberties are threatened, we are at greater peril of losing them.
We cannot expect the public to stand up for privacy when they do not understand what they’re fighting for. We need public officials who will remind the public what their civil liberties and civil rights are.
The Two Mortal Enemies of Privacy: Convenient Technology and Fear of Insecurity
Private Sector: Convenience
In the private sector, within the context of the Notice and Consent Legal regime, Convenience and Technology continue to be the mortal enemies of Privacy.
It turns out that much of the privacy we have enjoyed for generations did not have roots in constitutional law, but convention reinforced by high transaction costs. As technology has reduced transaction costs, practical privacy protections have diminished or disappeared altogether.
Take Identity Theft, for example. Identity Theft is when someone pretends to be you, does something bad, and you get blamed. Identity theft has always existed. But 15 years ago, you had to drive down to the county courthouse, walk up to the third floor, get a copy of a birth certificate, then walk up to the 5th floor, then drive over to the DMV… The transactional costs for stealing an identity were very high.
Medical records were far more confidential when they were written on paper. It’s not that the legal privacy protections were any greater than they are now, but the cost of sharing the information was prohibitive. Technology universally increases efficiency and decreases transactional costs. Medical information is more efficiently shared with researchers, leading to better treatments. Detailed profile information is efficiently, instantly and cheaply shared with a three dozen affiliate companies. Breaches of enormous proportion and identity theft have never been cheaper or more efficient.
Government: Fear of Insecurity
Counterterrorism in this country is more about mitigating terror, or fear, than saving lives. We hold to a false notion in this country that perfection is somehow attainable, and that when something goes wrong it was because someone failed, and someone is to blame.
As Americans we are very bad at weighing risk, which is why we demand to feel secure. And our lawmakers deliver: The American people now (arguably) demand to be digitally strip searched and groped every time they walk onto an airplane. We take off our shoes. We’re all pretty sure that someone over at the NSA could read our emails if they wanted to. We are all familiar with the term, “warrantless wiretapping,” “National Security Letters,” and “Warantless GPS tracking.” But we are mollified by telling ourselves either we have “nothing to hide,” or “I’m too boring for anyone to pay attention to.” After all, most antelope in the herd never get eaten.
We are terrorizing ourselves.
When people say, “I have nothing to hide,” they really mean, “I am not ashamed of anything.” The truth is, we all have a lot to hide, and shame is just one of many reasons to keep information private or confidential. Having something to hide is not an admission of guilt, and it doesn’t mean you have anything to be ashamed of.
We keep Social Security Numbers private not because we’re ashamed of the number, but because we fear identity theft. Sometimes medical conditions remain confidential because others may react irrationally to them. The Census now zealously guards its information because during World War II, the Federal government acted irresponsibly with truthful census data about the location of Japanese-American citizens.
The need for privacy is the recognition that individuals and institutions act unreasonably and irresponsibly, to the detriment of individuals and society, when in possession of certain truthful facts. In short, humans aren’t always equipped to handle the truth. We are biased.
Conclusion
Again the Four Most Fundamental Challenges to Privacy of 2010 are:
- The False Notion that one can “Own” Personal Information
- The Failed Notice and Consent Legal Regime
- Erosion of the Definition of Privacy
- The Two Mortal Enemies of Privacy: Convenience and Fear
Thank you for having me.