The following document is from the PRIVACY Forum Archive at Vortex Technology, Woodland Hills, California, U.S.A. For direct web access to the PRIVACY Forum and PRIVACY Forum Radio, including detailed information, archives, keyword searching, and related facilities, please visit the PRIVACY Forum via the web URL: http://www.vortex.com

-----------------------------------------------------------------------

Date: Wed, 23 Sep 92 12:43:28 PDT
From: redell@src.dec.com (David Redell)
Subject: Draft ACM whitepaper on computers and privacy

*** DRAFT ACM Whitepaper *** Wed Sep 23 1992 ***

Information Technology and the Privacy of the Individual

Dave Redell

The Role of Privacy in Modern Society

Information technology and personal privacy appear to be on a collision course in our society. Facilities allowing the collection, storage, retrieval, processing and communication of vast volumes of data are transforming society in many beneficial ways, but there is a darker side to this picture -- the continuing erosion of the privacy of the individual. It is sadly ironic that the United States, which assumed a short-lived leadership role in privacy protection twenty years ago, is today playing a half-hearted game of catch-up with the European Community. How did this situation develop? What is likely to happen to personal privacy during the next twenty years? And what can we as computer professionals do about it?

In any such discussion, it is important to recognize the central role that personal privacy plays in our society. It is all too easy for us to take privacy for granted, regarding it as a pleasant but inessential luxury, to be casually traded away for minor efficiencies and conveniences. Many people even regard privacy as a concern primarily of those who are suspected of wrongdoing -- as something dispensable if you "have nothing to hide".
Aside from the obvious problem that privacy invasion can involve information that is inaccurate or out of context, this view ignores a deeper point: personal privacy is the foundation of personal freedom. In both history and literature, the first step taken by totalitarian states to assure a docile population is the elimination of personal privacy. But one need not assume a tyrannical conspiracy to see the danger in devaluing privacy as a cornerstone of our society's respect for the individual. Our traditional model of a nation bound together by voluntary ties of home, family and community is fundamentally undermined when the individual is stripped of the power to control private personal information -- the basic coin of individual autonomy and intimate relationships through which such bonds are forged.

Privacy does not, of course, imply absolute secrecy. Such secrecy would require the individual's total withdrawal from the larger society. The concept of privacy inherently implies an appropriate balance between the benefit of revealing each item of personal information and the desire to withhold it. It is vital, however, that this tradeoff be made with a full and explicit acknowledgment of whose benefit is being served. When people voluntarily trade their own privacy for some direct benefit to them, it is a personal decision that each individual can make on a case-by-case basis. Too often, however, the privacy of the individual is sacrificed for a "greater good" of some other person or -- more typically -- some organization. If this is not based on a voluntary, informed decision by the individual involved, then strong arguments are required to justify it. There are certainly cases in which such involuntary compromise is deemed necessary and appropriate -- for example in the tax system or the criminal justice system.
But each such compromise requires a carefully considered foundation in mandated social policy, and appropriate safeguards to protect the required personal information from misuse.

Of course, all these fundamental issues predate the advent of modern information technologies -- computers, databases, and networks -- but these technologies provide the ability to disseminate personal information on a scale that was inconceivable until the middle of the 20th Century. Not only is access to this enormous volume of personal data now possible, it is rapidly becoming so inexpensive that virtually anyone can afford it. Moreover, one cannot reasonably conclude that computers are simply making old practices more efficient; a quantitative change of several orders of magnitude is effectively qualitative, requiring a thorough reexamination of the legal protections and social conventions surrounding personal privacy in our society. This qualitative impact is typical of most important new technologies: initially motivated by simple efficiency considerations, they in fact turn out to trigger sweeping changes in the way we conduct business, govern ourselves and live our lives.

Current Threats to Privacy -- Some Examples

Threats from government

Although governments have been gathering data on citizens since long before the development of computers, the advent of information technology marks a giant leap in the ability of those in power to monitor the lives of the citizenry. In the U.S., as in most industrialized nations, the result is a vast collection of databases whose combined records would provide startlingly complete dossiers for every man, woman and child in the country. Agencies at all levels of government cite strong arguments to justify their ever-increasing thirst for data. Often the proposed use ends up being only the first of many to which the data will be put.
The information is utilized for purposes of taxation, social security, law enforcement, health care, motor vehicles, national security, the census, and innumerable other government functions.

Congress has found it necessary to deter repeated attempts by the executive branch to aggregate data into a unified federal government database, providing each agency access to the information gathered by all the others. Although such partitioning is a key tool for preventing abuses in our democratic system, the agencies involved generally decry it as inefficient and wasteful, and the federal government is currently considering new proposals to encourage the transfer of personal information between federal agencies. Database matching across agencies often succeeds in circumventing the intent of partitioning. Modern techniques of "federated" databases can blur the boundaries between separate databases.

The various states provide totally inconsistent rules for privacy of personal data. Moreover, the quantity and quality of the data gathered by state and local governments vary widely, as does its usage.

Discrete items of personal information become more sensitive as they are computerized. Even data that was originally in the public record can become sensitive when made available via a powerful database. Various bodies, including the U.S. Supreme Court, have upheld the principle that the aggregation of personal information in electronic form creates a heightened privacy interest.

Threats from commercial organizations

From its beginnings, our democratic system has regarded intrusive government as the key threat to individual liberty, and a central thrust of the U.S. Constitution has always been protection against this threat. As computers have magnified the risks, the effort to adapt existing legal protections and Constitutional guarantees to the new situation has often lagged behind, but at least it has had a solid basis to build upon. The U.S.
has no corresponding legal traditions, however, with respect to the commercial sector. For this reason, commercial databases in this country function in a largely unconstrained environment, lacking many of the constraints and safeguards that are required in other nations, such as the European Community.

Credit bureaus maintain detailed records on virtually every adult citizen of the United States. These records, typically found to contain an alarming number of erroneous entries, are used in approving or disapproving millions of financial transactions each day.

Health insurance claims generate a detailed record of each citizen's medical history. Patients have little or no knowledge of or control over the gathering, retention and transmission of this data.

Employee records contain information that is sensitive and often quite subjective. Proper protection of such data is often left to the employer's discretion, yielding inconsistent and inadequate standards and practices.

Electronic monitoring of the workplace has led in many cases to what has been called "the electronic sweatshop." While employers have a legitimate right to assess employee performance, the use of intrusive, detailed monitoring and logging of an employee's every move is becoming widely recognized as both intrusive and counterproductive. Protests over these practices have led to federal legislation currently pending in Congress.

Direct-mail marketing databases contain lists of people grouped into a wide range of detailed categories, leading to a rising tide of junk mail. This flood is more than just a nuisance; it is a symptom of the vast amount of information about the lifestyles of individual citizens that is being collected and widely disseminated by commercial firms.

Credit card lenders have, as a matter of course, gathered consumer purchase data for many years. More recently, merchants have begun compiling such data as well, often through "frequent shopper" and other incentive programs.
Such information, captured through point-of-sale equipment and logged in a database, records and characterizes the purchasing behavior of individual customers. Inducements such as prizes and personalized discounts are readily apparent, but much of the real motivation for these programs is obscured. In the future, as consumer purchase profiles become a valuable commodity, these programs will more than pay for themselves by allowing the gathering and resale of data from all types of transactions -- not just those handled via credit card.

Telephone companies propose to offer "Caller ID" services that require all phone customers to disclose their telephone numbers when they place calls. Though proponents claim that the service would reduce harassing calls, in fact other services are better suited for this purpose. In practice, the main effect of Caller ID would be increased collection of personal information for direct marketing purposes.

Threats from individuals

Much of the public concern about data privacy has focused on "hackers" making unauthorized access to systems. It is important to note that, sensational media stories notwithstanding, the threat of such information vandalism is only a small part of the threat to privacy from malevolent individuals. Illegally breaking into a computer system is a serious offense, but as a practical privacy risk, it pales into insignificance when considered in the broader context of the everyday activities of the modern information infrastructure.

There are at least two ways in which computers play a role in the compromising of one individual's privacy by another individual. The first is that government and commercial computers can, accidentally or by design, disclose information against the wishes of the record subject.
The second is that the rapidly falling cost of personal computers allows individuals to perform many of the privacy-invasive actions that only a few years ago were practical only for government and commercial organizations.

Credit bureaus -- especially the smaller resale "superbureaus" -- have repeatedly been found lax in their standards for releasing personal credit information. In some cases, a simple request via telephone has proven sufficient to obtain another person's financial data without any legitimate authorization.

Sensitive data from law enforcement databases, such as criminal history files, have found their way into the wrong hands, usually via malfeasance of some authorized user.

Information brokers of marginal legitimacy offer a broad range of services to private investigators and others who are willing to pay their prices. By knowing how to use (and misuse) a broad range of existing databases, these brokers can assemble wide-ranging dossiers on private citizens without their knowledge.

Personal computer databases are often used to store and disseminate detrimental information about individuals -- for example, alleged "bad tenant" status. The total lack of any standards, controls, or even disclosures of such systems raises hard questions about meaningful distinctions between commercial and private databases.

It is important to note that the dividing lines between government, commercial and individual threats to privacy are not always as clear as one might expect. For example, law enforcement access to telephone calling records is not constrained by the laws governing wiretaps. Similarly, the FBI has sought to obtain mailing lists that they felt might generate investigative leads -- a chilling prospect for anyone who has ever wondered "How did I get on that list, anyway?".
The FBI has also discussed even more ambitious goals for linking their databases with those of commercial organizations such as airlines, credit card companies, and car rental agencies. The Social Security Administration received considerable attention a few years ago for arranging to provide bulk verification of social security numbers in a major credit bureau's database.

Such examples point out that while the provision of adequate security firewalls between systems is an important issue, it does not address the deeper question of which personal information should be allowed to flow among institutions.

Emerging Threats to Privacy

The explosive improvement in cost/performance of computers and networks shows no sign of stopping, or even slowing. As this trend enables more and more uses of computer technology, we can expect to see an accompanying growth in threats to privacy.

One example of an appealing and beneficial new technology with accompanying privacy risks is wireless digital communication. The obvious risks involve eavesdropping on private communication. More subtle risks arise involving authentication and masquerading. In both cases, the use of wireless communication simply exacerbates problems that already exist in wired networks.

There are additional issues, however, that are unique to wireless communication. For example, projections for future wireless digital communication include microcellular data networks with cells as small as 100 meters. This, combined with the notion of a unique, permanent personal ID used as a mobile phone number, suggests a network infrastructure capable of monitoring and logging the movements of any citizen in considerable detail. So far, very little attention has been paid to this issue by the designers of such networks.

Similar to tracking via the wireless infrastructure is the idea of tracking for its own sake.
Technology such as infrared "active badges" can help office workers locate each other, forward telephone calls, and so on. However, this technology's potential for privacy invasion must be recognized and dealt with if it is not to outweigh any benefits gained. Analogous proposals for tracking of automobiles by "smart highways" are also in advanced planning stages at numerous industrial and academic laboratories.

As electronic communication media become commonplace in the business world, workers' expectations of privacy are often at odds with employer monitoring and control of electronic mail, voice mail, computer discussion groups and so on. What the employer regards as simply prudent control of valuable resources is often experienced by the employee as intrusive and depersonalizing. At the very least, a clearer setting of mutual expectations is needed.

As described above, consumer purchase histories are currently gathered in a somewhat fragmented manner. Over the next decade, a growing market is projected in bulk purchase and reuse of purchase history data, largely through national clearinghouses similar to today's credit bureaus. By aggregating data from many sources, such clearinghouses will be able to develop extensive lifestyle profiles on individual consumers, which can then be sold for targeted marketing use.

Future risks will also include some that have been discussed for many years. For example, as technology continues to improve, falling costs and the lure of "efficiency" may threaten to tilt the balance against the arguments that have so far held in check such proposals as universal ID cards and monolithic government dossier systems.

History of Privacy Protection in the United States

Threats like those outlined above must be considered in the context of recent history. So far, policymakers have been only partially successful in addressing the privacy concerns that new information technologies have raised.
The first groundswell of concern over the technological erosion of privacy began in the 1960s when a proposal for a centralized collection of personal data was considered by the federal government. Although the proposal was rejected, it was clear that new safeguards for personal information stored in computer databases would be necessary; the ACM was among the groups that began playing an active role in studying the privacy issue.

A special task force was convened by the Department of Health, Education and Welfare to study privacy protection. In 1973 the task force released "Records, Computers, and the Rights of Citizens" and set out a group of principles, known as the Code of Fair Information Practices, that made clear the obligations of organizations that collect personal information. The basic principles of the Code are:

- There must be no personal data record-keeping systems whose very existence is secret.

- There must be a way for a person to find out what information about the person is in a record and how it is used.

- There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person's consent.

- There must be a way for a person to correct or amend a record of identifiable information about the person.

- Any organization creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuses of the data.

These principles became the foundation for the Privacy Act of 1974, a comprehensive law that circumscribes the actions of government agencies in collecting, using, and disseminating personal data. However, the Privacy Act did not cover personal information held by private organizations, and this has led to growing efforts to develop such legislation.
The Code was widely accepted as a cornerstone of privacy protection in the context of modern information processing. In particular, it set the stage for much of the subsequent privacy legislation in Europe, culminating in the Privacy Directive of the European Community. This directive, which unifies the privacy protections of the individual member nations, goes substantially beyond the U.S. Privacy Act and subsequent U.S. legislation. In particular, it applies a set of principles similar to those in the Code of Fair Information Practices to commercial as well as governmental information processing.

Unfortunately, the U.S., despite initial intentions in the early 1970s, has consistently failed to extend its treatment of governmental systems to those operated by commercial organizations. As a result, the European Privacy Directive is now viewed here as a cause for significant practical concern, since it limits the propagation of personal data to countries -- like the U.S. -- in which privacy safeguards are seen as inadequate.

In contrast with the European situation, privacy law in the United States is a patchwork of specialized protections, liberally punctuated with loopholes and exceptions. For example, there is privacy protection for bank records but not for medical records. There is coverage for videotape rentals, but not magazine subscriptions. Credit records are covered, but insurance records are not. Even where privacy protection exists, new business practices and new technological developments often make good laws quickly outdated.

What is missing is a larger context of legal and social principles, such as the notion of "Informational Self-determination" originated in Germany and widely embraced within the European Community. This principle states that all use of personal data, whether by government or business, must be authorized and regulated by appropriate legislation.
Within this framework, specific examples can and should be treated individually, of course, but the general principle provides a unifying context for such legislation, helping to avoid arbitrary loopholes and inconsistencies.

Technological Safeguards

It is important to note cases in which improved technology can protect privacy, as well as those in which privacy is threatened. While it is generally naive to expect a purely technological fix to any complex social problem, it is equally unrealistic to depend entirely on legislative safeguards in situations where appropriate use of technology can at least lay a foundation for enforcing privacy protections. Technology can and should be used to enhance privacy where possible.

A case in point is encryption. The ability of inexpensive encryption devices to ensure privacy over emerging digital networks -- both wired and wireless -- represents a fundamental advance in the technological underpinnings of privacy. In this regard, it is discouraging to note that law enforcement agencies are already promoting legislation designed to cripple such privacy protections.

Encryption-based techniques can yield much more general facilities than simply protection against eavesdropping, such as verifiable digital signatures and anonymous digital cash. Such facilities will play key roles in supporting privacy in our increasingly computerized and networked world. It is vital that these developments not be hampered by the misguided perception that encryption technology should be the exclusive purview of the military and intelligence communities. Encryption technology will be widely available from foreign manufacturers, and roadblocks preventing U.S. manufacturers from offering competing products will simply be counterproductive.

The Responsibilities of Computer Professionals

In the context of the real and growing threat to personal privacy posed by many uses of information technology, what is the responsibility of computer professionals?
On the one hand, it is clearly unreasonable to expect system designers to bear the entire responsibility for the negative consequences that may emerge from the systems they build. The governmental and commercial owners of the systems plan the usage of the technology they pay for; moreover, in a democracy, the citizenry as a whole is ultimately responsible for choices of social policy.

On the other hand, computer professionals do incur some special responsibilities by virtue of their expertise, and their ability to influence the character of the systems they build. While there is an understandable tendency on the part of many computer professionals to avoid "getting involved in politics", the interaction of technology with social policy is just too complex and too important to be left to the politicians alone. Our participation is crucial.

At the most basic level, it is essential that the responsible use of technology be seen as something that society has both the right and the ability to control. The myth of the "technological imperative" cannot be accepted as justification for an unstoppable erosion of personal privacy. Technology must be used to confer benefits without incurring unacceptable costs -- including social costs. The idea that systems will inevitably be built and used simply because they are technically feasible must not be allowed to beg this vital question.

Both as individual practitioners and as specially informed members of the public, system designers have a professional responsibility to insure that the impacts of computer systems on privacy and similar social values are explicitly taken into account. The ACM's draft Code of Ethics and Professional Conduct states that "computing professionals must insure that the products of their efforts will be used in socially responsible ways". It goes on to state that "it is the responsibility of professionals to maintain the privacy and integrity of data describing individuals."
and that they have "a special responsibility to provide objective, credible evaluations to employers, clients, users and the public."

One important aspect of balancing costs against benefits falls particularly to the computer professional. If the design of a system ignores important considerations like privacy, the result is often a system architecture that forces inherently unnecessary tradeoffs. For example, some recent proposals for automated toll collection on toll roads and bridges involve collection of data on people's movements, simply because this appears to be the most obvious way to bill drivers for usage. Such systems are often defended with the argument that anyone can simply decline to use them if they feel that the privacy costs outweigh the benefits. In many cases, however, a different approach to the system architecture could confer most or all of the benefits without invading individual privacy -- for example, by debiting anonymous accounts into which drivers could deposit money as needed.

Another important role of the computer professional is to point out considerations that must be taken into account early in the system design process if they are to be dealt with effectively. Security in general, and privacy in particular, are examples of goals that can be prohibitively difficult to achieve by retrofitting features into an existing system, and can thus be locked out if early design decisions ignore them.

Conclusions

The erosion of personal privacy by modern computer systems is an important and ongoing problem. Both the individual and society as a whole are hurt when the chilling effect of privacy invasion curtails the effective scope of personal freedom. Although the workings of this erosion process have been largely invisible to the average citizen, there are signs of growing public concern.
As social policy adapts to changes in technology, computer professionals have a key role to play as citizens, helping to refine and apply appropriate principles and to keep the policy-making process on a path that will maximize the benefits of current and future technology while minimizing the erosion of privacy. Meanwhile, in their roles as working professionals, those who design, build, maintain and operate computer systems have an equally important role to play, taking personal responsibility for their own choices and actions in the systems they create.

Public interest groups like Computer Professionals for Social Responsibility have long been active in this area. More general professional organizations like the ACM can well serve both their members and the larger society by studying the current and emerging implications of information technology and recommending principles of professional ethics to serve as guideposts for computer professionals in their daily work. As we help to design tomorrow's information-rich world, we have a special obligation to ensure that this emerging world protects the privacy and dignity of us all.