FC: Privacilla's Jim Harper to House: Worry more about .gov snoops!

From: Declan McCullagh (declanat_private)
Date: Wed May 01 2002 - 07:44:48 PDT

    ---
    
    Date: Wed, 1 May 2002 08:53:08 -0400
    Subject: Privacilla Testimony to House Judiciary Committee
    From: "Jim Harper - Privacilla.org" <jim.harperat_private>
    
    This morning, I'll be testifying to the House
    Judiciary Committee's Subcommittee on Commercial and Administrative Law
    regarding the Federal Agency Protection of Privacy Act (H.R. 4561).  (10:00
    am in 2141 Rayburn House Office Building.)
    My written testimony is up on the site at:
    
    PDF: http://www.privacilla.org/releases/federal_agency_privacy_testimony.pdf
    html: http://www.privacilla.org/releases/federal_agency_privacy_testimony.html
    
    The html version has handy links to additional
    reading.  And not just any additional reading.  Additional reading
    about privacy . . . .
    
    Jim Harper
    Editor
    Privacilla.org
    
    ---
    
              Prepared Statement of Jim Harper, Editor of Privacilla.org
                             at the Hearing on H.R. 4561
                    the "Federal Agency Protection of Privacy Act"
               U.S. House of Representatives Committee on the Judiciary
                  Subcommittee on Commercial and Administrative Law
    
                                     May 1, 2002
    
        Chairman Barr, Mr. Watt, and Members of the Subcommittee,
    
        It is a great pleasure to appear before you to discuss H.R. 4561, the
        "Federal Agency Protection of Privacy Act." I am Jim Harper, the
        Editor of Privacilla.org, a Web-based think-tank devoted exclusively
        to privacy. I am also an Adjunct Fellow at the Progress & Freedom
        Foundation and the Founder and Principal of Information Age lobbying
        and consulting firm PolicyCounsel.Com.
    
        Privacy is one of the most complex and difficult public policy issues
        confronting Congress and legislatures across the country today. I am
        pleased to lend what knowledge I have to your consideration of this
        legislation.
    
        Privacilla.org is a Web site that attempts to capture "privacy" as a
        public policy issue. The pages of Privacilla cover the issue of
        privacy from top to bottom. We deal with fundamental privacy concepts,
        privacy from government, and privacy in the private sector, including
        financial, medical, and online privacy. Anyone may submit ideas,
        information, and links for potential inclusion on the site. The site
        represents the thinking of many people and I would refer you to the
        Privacilla "Support" page to get an idea of the groups we work with.
        Please visit Privacilla at http://www.privacilla.org and use it as a
        resource whenever your work brings you to a privacy policy question.
    
        Privacilla takes a free-market, pro-technology approach to privacy
        policy. There certainly are other views, and you should consider them
        all. Please also be aware that Privacilla is currently a project of my
        lobbying and consulting firm, PolicyCounsel.Com. My firm does not
        represent any interest on privacy specifically, but nearly all issues
        touch on privacy in some way, so you should consider my potential for
        bias, as you would with any privacy advocate. The views presented on
        Privacilla, and those I express today, are not the views of any
        client.
    
        Chairman Barr, I salute you for introducing H.R. 4561 with broadly
        bipartisan support, and for holding these hearings today. Mr. Watt,
        and other Members of the Subcommittee, congratulations to you for
        joining in introducing this important bill.
    
        Privacy is a complex and widely misunderstood public policy issue.
        This legislation can help protect Americans' privacy by giving the
        American people, the press, and Congress information they need about
        how federal regulation affects privacy. This legislation presents an
        opportunity to refine the terms of the many different "privacy"
        debates, so that Congress, the press, and the public can find
        solutions to a number of important problems.
    
        Though they are motivated only by beneficent purposes, many government
        programs deprive Americans of control over personal information and
        their privacy. The Federal Agency Protection of Privacy Act can help
        restore to the people the power and autonomy that is one of the great
        benefits of living in the United States. There are several successful
        precedents in our nation's administrative laws for this proposal. Few,
        if any, changes are needed to perfect the legislation in terms of
        privacy. I urge you, though, to be aware of the many important
        elements of information policy beyond privacy that fall within the
        scope of the bill.
    
        Defining Terms: What is Privacy?
    
        The Judiciary Committee is the committee of American law and legal
        institutions. There is no better place to define and give structure to
        terms such as our focus today: privacy. By digging deeply into privacy
        as a legal concept, you as congressional leaders can dramatically
        improve the quality of many public policy debates, and the outcomes
        Congress produces for the American people.
    
        Left undefined, the word "privacy" has become far too much of a
        stalking horse for all variety of ideological and special interest
        groups. Indeed, a coterie of activist organizations - including
        Privacilla - thrives because there is not an agreed to and limited
        definition for the word "privacy" in current debate. Moreover, the
        lack of definition has rendered Congress, state legislatures, the
        press, and the public less able to find solutions to the many problems
        and legitimate concerns that popularly fall under the heading of
        "privacy."
    
        For example, identity fraud is widely perceived as a "privacy"
        problem. But it is better understood as a group of crimes that thrive
        on the use of personal identification and financial information.
        Because of this widespread misperception, the crimes that constitute
        identity fraud go poorly enforced while Congress considers banning
        many uses of Social Security Numbers in the name of "privacy."
        Limiting SSN use would likely stifle many benefits that consumers and
        the economy enjoy without effectively reducing this serious crime
        problem.
    
        Similarly, unwanted commercial e-mail, or "spam," is an intrusion into
        electronic communications and a serious annoyance that is often
        labeled as a "privacy" problem. Spam exists in large part because
        e-mail marketers know little or nothing about the interests of
        potential customers. It is difficult to reconcile spam - e-mails
        broadcast to unknown people nearly at random - with the heart of the
        privacy concept, which is too much personal information being
        available too widely.
    
        At Privacilla, we have a working definition of privacy that we believe
        should form the basis of policy discussions on the topic: Privacy is a
        subjective condition that individuals enjoy when two factors are in
        place - legal ability to control information about oneself, and
        exercise of that control consistent with one's interests and values.
    
        Privacy is a personal, subjective condition. It is a state of affairs
        individuals enjoy based on sharing or retention of information about
        themselves consistent with their own preferences. These preferences
        are a product of such things as culture, upbringing, and experience.
        Because privacy is subjective, one person cannot decide for another
        what his or her sense of privacy should be. You can not tell me,
        either by giving your opinion or by passing a law, that my privacy is
        protected when I think it is not.
    
        The first factor above goes to the existence of choice - the legal
        power to control the release of information. A person who wishes to maintain
        privacy in the appearance of his or her body, for example, may put on
        clothes and be relatively certain that no one will remove that
        clothing without permission. Few laws require people to remove their
        clothing and, thanks to the concept of "battery" in state tort and
        criminal law, private actors may be punished for touching our clothing
        in any way that interferes with bodily privacy. Our choices to hide or
        reveal information about the appearance of our bodies are protected by
        law.
    
        Likewise, a person who wants to prevent others from gaining knowledge
        of his or her purchasing patterns may pay in cash and regularly change
        the stores at which he or she shops. He or she may also arrange by
        contract to have personal information maintained in confidence.
        Various legal protections, such as the law of contracts, give us
        autonomy and choice that we use to protect privacy.
    
        The second factor is exercising that control of information consistent
        with our values. This is difficult in many commercial marketplaces.
        Many consumers are unaware of how the Information Economy works, and
        the fact that they are a part of it. Many industries are monolithic in
        their information practices. Arguably, they fail to fully inform
        consumers about what happens with personal information, and they offer
        consumers few alternatives. This is arguable, however. It may be that
        only a tiny, but vocal minority of consumers and activists actually
        wants to study commercial information practices and exercise choice
        among different options. If a significant number of consumers do, they
        are a market waiting to be served.
    
        As policy-makers, we should not presuppose that a certain amount or
        type of privacy serves consumers' interests in the marketplace, and
        Privacilla's definition of privacy does not do this. Advocates who
        claim to know what consumers want in terms of privacy prove their
        ignorance by making the claim.
    
        Consumers may rationally determine that they are safe from harmful
        uses of information when dealing with certain companies and leave it
        at that. The fact that hundreds or even thousands of mundane facts
        about themselves are in the hands of businesses may be a matter of
        indifference to reasonable people. Aware, empowered, and responsible
        consumers can demand of businesses what options they want in terms of
        information sharing or withholding. They can also demand, if they
        prefer, lower prices, customized service, combined offerings, and so
        on.
    
        Unless Congress and state legislators are going to guess at consumers'
        true preferences and impose them from the top down, only consumer
        education will deliver privacy on the terms consumers want it in the
        commercial world. Governments cannot protect privacy directly; they
        can only foster or destroy people's ability to protect their own
        privacy.
    
        Governments Pose a Unique Threat to Privacy
    
        While protecting privacy in the commercial world may be difficult,
        protecting privacy from government is impossible. Dealings with
        government are categorically different from interactions in the
        private sector. When citizens apply for licenses or permits, fill out
        forms for regulators, or submit tax returns, they do not have the
        legal power to control what information they share. They must submit
        the information that the government requires. It is either illegal to
        withhold information or withholding information penalizes citizens of
        money or benefits to which they are legally entitled. The notorious
        "Big Brother" in George Orwell's 1984 was a caution against the powers
        of governments. When dealing with them, the first factor in privacy
        protection - legal power to control personal information - is absent.
    
        It would be a mammoth, but worthwhile, task to catalogue all the
        personal information that is demanded by all federal programs.
        Additional study should include the purposes for which information is
        collected, other purposes to which it is put, and whether such
        information is ever eliminated from government records when it has
        served its original or successor purposes. The Federal Agency
        Protection of Privacy Act may help us do that.
    
        Some studies suggest the scope of personal data collection and
        warehousing done at the federal level. In September 2000 testimony to
        the House Government Reform Subcommittee on Information Management,
        Information, and Technology, Solveig Singleton, now of the Competitive
        Enterprise Institute, surveyed federal databases. Her non-exhaustive
        list included databases at the Commerce Department, the Department of
        Justice, the Department of Education, the Department of Energy, the
        Federal Bureau of Investigation, the Department of Health and Human
        Services, the Department of Housing and Urban Development, the
        Department of the Interior, the Department of Labor, the Social
        Security Administration, and the Department of the Treasury, which
        houses the Internal Revenue Service. Many of these databases include
        health and financial information.
    
        In March 2001, a study issued by Privacilla.org found that, during the
        18-month period from September 1999 to February 2001, federal agencies
        announced 47 times that they would exchange and merge personal
        information from databases about American citizens. New information
        sharing programs were instituted more than once every two weeks. We
        characterized these programs as only the tip of an information-trading
        iceberg. The Computer Matching and Privacy Protection Act, which
        causes agencies to report these activities in the Federal Register,
        applies only to a small subset of the federal agency programs that use
        personal data about Americans. New uses of personal information are
        made by federal agencies constantly. The Privacy Act requires only a
        declaration in the Federal Register of a new "routine use" before
        personal data is used and shared in new ways.
    
        In case it needs emphasis, the threats to privacy posed by government
        programs are not the result of malice or malfeasance of any kind. The
        political leaders who have instituted such programs, and the
        administrators who operate them, have the best intentions for serving
        the public. Similarly, the fact alone that any government program
        weakens American citizens' privacy should not be the sole reason to
        terminate or cut back the program. Rather, privacy should be an
        important factor that policy-makers consider whenever they are
        creating, implementing, or altering government programs. Studies like
        Privacy and the Digital State: Balancing Public Information and
        Personal Privacy by Progress & Freedom Foundation Senior Fellow Alan
        Charles Raul have made progress on that front. The Federal Agency
        Protection of Privacy Act would help make privacy part of the
        policy-making calculus in federal agencies and in the Congress.
    
        The Administrative Process Should Inform the Public About Privacy Impacts
    
        A prominent theory behind the Administrative Procedure Act's enactment
        in 1946 was the idea of "scientific government." This was the notion
        that a band of impartial public servants would discover the one true
        public interest underlying legislation, and regulate in its service.
    
        Experience and modern scholarship reveal that the regulatory process,
        like the legislative process, does not locate some singular public
        interest. It responds to a cacophony of competing interests and
        values, among which are the interests of regulators and bureaucracies
        themselves. Administrative government does not improve on
        constitutional legislative processes so much as it improvises to
        accommodate the growth of the federal government in the latter half of
        the last century.
    
        An increasingly prominent theory of the administrative process - though
        perhaps still a fallback from the idea that regulation would discern a
        "pure" public interest - is that it can open administrative lawmaking to
        public scrutiny, particularly along lines that are deemed important by
        Congress. Several amendments to the APA in the last twenty-five years
        are consistent with this approach.
    
        The Regulatory Flexibility Act, passed in 1980, requires agencies to
        consider the special needs and concerns of small entities. Each time
        it publishes a proposed rule in the Federal Register, an agency must
        prepare and publish a Regulatory Flexibility Analysis describing the
        impact of the proposed rule on small businesses, organizations,
        government jurisdictions, and the like. The Initial Regulatory
        Flexibility Analysis is subject to public comment, and a final
        regulation must be accompanied by a final Regulatory Flexibility
        Analysis. The Reg-Flex Act apparently provides the model for the
        Federal Agency Protection of Privacy Act.
    
        Along similar lines, Congress passed the Unfunded Mandates Reform Act
        in 1995. Among other things, UMRA requires federal agencies to inform
        and work with states and localities on major regulations. The Small
        Business Regulatory Enforcement Fairness Act, passed in 1996, requires
        agencies to work more closely with small business in formulating
        regulations. It also subjects the analysis requirements of the
        Regulatory Flexibility Act to judicial review.
    
        These laws provide extensive precedent for the Federal Agency
        Protection of Privacy Act. The federal administrative process has been
        modified several times to accommodate the interests of various
        private- and public-sector institutions. Opening that process to the
        privacy interests of individual Americans is a matter of consensus
        among a broad cross-section of advocacy groups and congressional
        leaders, as we see from the wellspring of support for this
        legislation.
    
        Some Important Details and Nuances to Consider
    
        The Federal Agency Protection of Privacy Act is modeled on the
        Regulatory Flexibility Act, which has been used with success for more
        than 20 years to get greater information about the impacts proposed
        regulations will have on small entities. Simply, the Act would require
        agencies to issue the same type of analysis - an Initial Privacy Impact
        Analysis - along with a notice of proposed rulemaking. After considering
        the comments of the interested public, agencies would have to issue a
        Final Privacy Impact Analysis along with the finally promulgated
        regulation.
    
        The success of the Regulatory Flexibility Act increased with the
        addition of the judicial review provisions to the Reg-Flex law in
        1996, and it is pleasing to see that the Federal Agency Protection of
        Privacy Act also would make agency action subject to judicial review.
        Knowing that judicial review is available will make agencies naturally
        solicitous of congressional intent without requiring a great deal of
        litigation.
    
        As with all legislation, there are some elements that could be
        improved. The casual reader may suspect that the Federal Agency
        Protection of Privacy Act would require agencies to assess how private
        sector implementation of regulatory mandates would affect privacy.
        This reading is probably a stretch and, judging by the public
        statements you and your colleagues have made, Chairman Barr, this is
        not your intent. Rather, it appears that your intent is for agencies
        to assess the consequences of their own information practices on
        privacy.
    
        Language perfecting the bill could require agencies performing an
        Initial Privacy Impact Analysis to "describe the impact of the
        agency's uses of information under the proposed rule on the privacy of
        individuals." (proposed 5 U.S.C. § 553a(a)(1); suggested added
        language in bold). Likewise, agencies performing a Final Privacy
        Impact Analysis could be required to describe and assess "the extent
        to which the agency's uses of information under the final rule will
        impact the privacy interests of individuals . . . ." (proposed 5
        U.S.C. § 553a(b)(2)(A); suggested added language in bold). These minor
        changes are one way to better express the intent of the legislation.
    
        As you consider this legislation, you should be aware that it
        incorporates many policies beyond privacy. Security, for example,
        (made a part of Privacy Impact Analyses at 5 U.S.C. §
        553a(a)(2)(A)(iv) and 5 U.S.C. § 553a(b)(2)(A)(iv)) is any number of
        practices and processes that respond to threats against a company or
        government's ability to function. Only one such function is carrying
        out privacy obligations. A business or government that lacks proper
        security may well violate its privacy commitments, but may allow much
        worse to happen as well. The policy considerations that go into
        security of data in the hands of governments are a separate and
        significant issue beyond my expertise. There are benefits from
        requiring agencies to declare that they provide for security of
        personal information, as long as the agency is not so forthcoming as
        to breach security in the process.
    
        Providing access and an opportunity to correct personal information is
        an important consideration (made a part of Privacy Impact Analyses at
        proposed 5 U.S.C. § 553a(a)(2)(A)(ii) and 5 U.S.C. §
        553a(b)(2)(A)(ii)). But access and the opportunity to correct
        information go to fair treatment much more than privacy. Consider that
        there is no reason to access or correct information that will never be
        used. It is only important that information be correct if it may be
        used adversely to the interests of the individual. Using incorrect
        information against a person is unfair, not unprivate.
    
        Access is also generally inconsistent with security. Giving access
        only to appropriate parties presents difficult security challenges
        clustered around authentication of identity. An Advisory Committee on
        Access and Security, convened by the Federal Trade Commission in early
        2000, concluded its work without reaching consensus because of the
        complex interaction between these two, essentially conflicting,
        interests. To illustrate this point: The privacy of information sealed
        in concrete and dropped to the bottom of the ocean is well protected,
        and it may remain private for eternity, but there is no opportunity to
        access it.
    
        As with security, there is no harm in requiring federal agencies to
        inform the public of access and correction rights. Similar fairness
        protections are found in the Privacy Act of 1974, which obviously
        deals with more than privacy.
    
        Using information for additional purposes (a part of Privacy Impact
        Analyses at proposed 5 U.S.C. § 553a(a)(2)(A)(ii) and 5 U.S.C. §
        553a(b)(2)(A)(ii)) may affect privacy, depending on whether there is
        further disclosure of information. Information about a citizen's
        medical condition and address, for example, collected for making
        health care payments, may not be rendered less private if the same
        part of the same agency uses that information to research whether
        people with certain conditions reside in certain areas of the country.
        If a subsequent use of information involves sharing that information
        with a state agency or a different federal agency, however, then the
        subsequent use can be said to render the information less private than
        it was before.
    
        More importantly, though, a Privacy Impact Analysis that claims there
        will be no further sharing of information may provide false assurance.
        This is because nothing prevents governments from changing the rules
        about their use of information after it is collected.
    
        The National "New Hires" Database is an excellent case in point. The
        Personal Responsibility and Work Opportunity Reconciliation Act of
        1996 required the Secretary of Health and Human Services to develop a
        National Directory of New Hires. This directory is a database of
        information on all newly hired employees, quarterly wage reports, and
        unemployment insurance claims in the United States.
    
        The purpose of this new database was entirely laudable - helping
        states locate parents who have skipped out on their child support
        obligations. But, already, the data is being repurposed. The National
        Directory of New Hires has been expanded to track down defaulters on
        student loans. Additional expansions have been proposed that would
        give state unemployment insurance officials access to the database.
    
        In the better view, privacy in information is lost when it is
        submitted to government authorities. Unlike in the private sector,
        there is no higher authority to which Americans can appeal when
        personal information held by governments is put to new and
        unanticipated uses. A Privacy Impact Analysis that claims there are
        protections against use of information for changed purpose may be
        accurate for weeks, months, or years. But this is weak protection
        compared to contractual obligations formed in the private sector.
        Privacy-protecting contracts may be regarded as permanent because
        their breach is contrary to legally enforceable obligations that
        neither of the parties can unilaterally change.
    
        This does not counsel against requiring Privacy Impact Analyses to
        discuss use limitations. Such analyses may make Americans more aware
        when commitments to restrict uses of information are changed by
        subsequent Congresses and Administrations. We will be better informed
        if the Federal Agency Protection of Privacy Act is passed with all its
        current provisions.
    
        This discussion of the many nuances of the bill is intended to
        illustrate the enormous complexity of information policy, and to
        caution against unconsidered adoption of the so-called "Fair
        Information Practices." Often touted by pro-regulation privacy
        activists, they represent a vast array of different policies. Some are
        related to privacy; some are inconsistent with it. One does not have
        to agree with the baggage-laden concept of "Fair Information
        Practices" to support the Federal Agency Protection of Privacy Act.
    
        The concept of "Fair Information Practices" appears to have originated
        in the early 1970s from a committee convened within the Department of
        Health and Human Services called "The Secretary's Advisory Committee
        on Automated Personal Data Systems." The intellectual content of its
        report, commonly known as the "HEW Report," formed much of the basis
        of the Privacy Act of 1974 and its thinking is useful for controlling
        government data collection and use.
    
        The report treated the public and private sectors identically despite
        the vast differences in rights, powers, and incentives that exist in
        these different worlds. For this reason, it cannot be said that the
        HEW Report addressed all the complexities of the privacy issue. "Fair
        Information Practices" do not apply well to the commercial world. As
        an analysis of government information practices, however, the HEW
        Report was an important project and document. It also tells us that
        computers and privacy are not a new concern to Americans.
    
        Conclusion
    
        Again, Chairman Barr, Mr. Watt, and Members of the Subcommittee,
        congratulations on engaging an issue where you can truly improve the
        quality and character of life for all Americans. There is widespread
        consensus that people in the United States want to protect their
        privacy from government encroachments. The Federal Agency Protection
        of Privacy Act will inform the public about the privacy impacts of
        federal regulations, and empower them to make informed decisions about
        government programs. There are many nuances to consider and understand -
        privacy and information policy are very difficult areas - but the
        legislation you have proposed is an appropriate, measured, and
        important step in the pursuit of enhanced privacy protection for
        American citizens.
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    -------------------------------------------------------------------------
    Sign this pro-therapeutic cloning petition: http://www.franklinsociety.org
    -------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Wed May 01 2002 - 11:04:27 PDT