Computers, Privacy & the Constitution

A Privacy Framework that Changes Little

-- By AaronChan - 28 Feb 2012


The Obama administration recently released its Consumer Data Privacy Framework advocating for new legislation to comprehensively define consumer data protection rights. Unlike many European countries, the United States does not have a law regarding privacy for all aspects of personal data collection on the Internet. Outside of several sectors, such as health care and credit reporting, the Federal government does not have laws protecting consumers from commercial exploitation of personal data. While the Electronic Communications Privacy Act does set up some marginal protection from government intrusion into electronic communications, it does not protect people from third parties. Since third parties are so proficient at collecting personal data, the government does not want to excessively curtail this activity. The Framework, while high in rhetoric, is empty in substance precisely because the government does not truly care about individual privacy.

The government benefits from continuing to perpetuate the idea that technology works for its users while allowing man-in-the-middle attacks to circumvent that model. It can monitor the public while also restraining the power of the data miners in exploiting their trade. By pitting the users against the companies, the government can manipulate both sides to perpetuate itself.

What the government says it cares about

In the Framework, the administration claims that the current world lacks “a clear statement of basic privacy principles that apply to the commercial world.” It is true that there is no definitive statement of privacy principles on the books. The Federal Trade Commission has broad powers under 5 of the FTC Act to prosecute “unfair or deceptive acts” and it has used this power to go after perceived privacy problems with some Internet companies. However, because technology evolves so quickly, it is necessary that the law be based on standards rather than rules. As ECPA demonstrates, clearly defining privacy rules based on contemporary technological practices becomes archaic and pointless. Instead, the Framework embraces setting standards about personal data collection and use based on Fair Information Practice Principles: individual control, transparency, respect for context, security, access and accuracy, focused collection, and accountability. This is certainly the better path to take to ensure that technology does not outpace legal protection.

The administration claims that consumers need some protection in order to maintain consumer trust in networked technologies and that the Framework will provide such protection. While it may be true that consumers need to trust Internet companies for them to use online services, it is questionable as to what it would take for consumers to lose that trust as almost every new Facebook “feature” was eventually adopted by users. Yet, despite Mark Zuckerberg’s efforts to shift the privacy paradigm into sharing is good, privacy as a concept still sounds desirable to most Americans. This allows the Obama administration to claim that it is looking out for the public interest in promoting privacy.

What the government actually cares about

Despite its public relations side espousing principles of personal data autonomy, the government has an interest in encouraging the public to disregard privacy. There is no need for the government to do its own spying when people voluntarily give up every detail of their lives and their friends’ lives to online companies. The government can rely on these companies to collect the information and freely reach into their databases whenever it needs something that it may otherwise be prohibited from acquiring itself. Hence there is a dichotomy between protecting the public from voracious companies out to ravage personal data while making sure that the government has access when it wants. In other words, it is bad when private companies do gather and sell personal data, but not when it is for the government. For example, under the principle of "Focused Collection," “[c]ompanies should securely dispose of or de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise.” This “legal obligation” can be broadly read, but it illustrates what the government wants.

The government can’t be too persuasive in its rhetoric. It still needs its backdoor. By portraying the data miners as the villains, it also repositions itself in the eyes of the public. Uncritical Americans may believe that the government actually has their individual interests at heart, rather than the true goal of the government—maintaining social order. This keeps the users from banding together with the data companies against the government. In theory, there could be a market for privacy, but attacks on data miners by the government keep the coalition from forming. Additionally these companies already are at the mercy of the government; there is little they can do to resist the force of a government demand when the laws are extremely favorable for intelligence agencies. All they can do is seek immunity from private suits, a condition the government is more than willing to provide. This further alienates the public and the companies, while deflecting criticism away from the government’s practices.

Why the government can say one thing but mean another

Because the government has an interest in people continuing to voluntarily give away all their information to companies, it can draw a distinction between wrongful collection of personal data and wrongful use. Under collection, the administration can say all it wants about data autonomy and informed consumers, but it knows that consumers do not care enough about their data autonomy for informed consent to mean anything. People do not realize why it is problematic for them to expose their lives and the lives of others to third parties and the government. It does not matter how much is explained to them when convenience trumps privacy.

Although this may describe some consumer behavior towards commercial privacy now, this does not mean that user privacy preferences do not evolve. As demonstrated by the outrage over Facebook’s purchase of Instagram, there is a vocal minority that actively reject Facebook’s intrusion into other Net activity. These protests indicate that there is some user resistance to centralizing Net activity. These Instagram users were already sharing their personal pictures, but they drew the line at allowing that data to be assimilated into the Facebook complex. This disaggregation instinct can be directed against the government’s efforts to consolidate all personal data. But as long as the government can hold the threat of terrorism over its citizens, it would be politically arduous, and even potentially treacherous, to roll back the intelligence machine.

A very good draft. A few points I would add to your thinking:

First, it will help to consider "the government" a complex entity with many moving parts. The language you quote and on which your political analysis depends should be read as the boundary established in the policy coordination process by the intelligence and internal security entities. As you will have seen over course of the term, DoJ, Homeland Security and the DNI form a coalition that can efffectively resist anything on the "commercial" side. The commercial parties (network operators, Goog, FB, other data miners) have realized that the intelligence and security services are strong enough to demand impunity, and so the commercial parties are insisting on complete immunity from rule of law for all their "good faith" cooperation with the intelligence and security services. FTC, as an "independent" agency, is bucking the WH-DoJ position and going after Google where it can. The privacy guidelines represent the overall WH coordination of the FTC and Commerce Department positions on commercial privacy, minus any animus with Google, which has cemented its relationship with the WH in defeating SOPA/PIPA, and with all the carve-outs demanded by the intelligence and security services, represented for these purposes primarily by the DNI.

Second, we are not very far along in the analysis when we have discovered that formal government policy is speaking out of both sides of its mouth. Thurman Arnold would no doubt say that in politics, any creed embodying only a proposition and its opposite is not yet fully fleshed out. The real strength of your thinking lies in the insight that commercial collection and commercial use implicate different elements of the overall play of governmental interest. You haven't fully considered why the problem is "getting code in" to commercial mining operations, rather than "getting data out," or why the US government has a specific advantage in dealing with the miners on this subject.

Third, your point about collection and convenience as the individual user sees the situation is observationally verified, but it is only guaranteed to be true in the short term. Over the next several decades, people will grow up whose relationship to the Net will be quite different. Depending on the educational effects of our efforts, they will either be completely uninterested in privacy, in which case the Net will become the Matrix, or they will come to identify freedom with changing the behavior of the Net so that it controls them less and assists them more. That's where the work we are doing touches the fundamental nature of human destiny.


Webs Webs

r5 - 11 Jan 2013 - 21:48:47 - IanSullivan
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM