Previous Politech message: http://www.politechbot.com/2005/03/11/request-for-critique/ Jim makes some very reasonable points. Keep reading. -Declan -------- Original Message -------- Subject: RE: [Politech] Request for critique: a 16-point plan for privacyregulation [priv] Date: Mon, 14 Mar 2005 13:00:00 -0500 From: Jim Harper <jharper@private> To: Declan McCullagh <declan@private> CC: <hoofnagle@private>, <dsolove@private> Declan, Chris, and Daniel: This document has much to commend it. Sections 12-14, in particular, dealing with "Government Access to and Use of Personal Data" identify serious problems that should be addressed. As more and more people conduct more and more of their lives online, Supreme Court rulings holding that there is no reasonable expectation of privacy in data held by third parties grow further and further out of synch with the true expectations of the people. "Data mining" is an ambiguous term but, to the extent it means sifting through databases trying to discover incipient wrongdoing, it is wrong, probably ineffective, and a violation of the Fourth Amendment. Investigators should use database information only subject to search warrant or subpoena, as appropriate, to follow specific investigatory leads. And, yes, the Privacy Act is a paper tiger. Congress should revise it, especially in light of the end-run made possible by companies like ChoicePoint who do the dossier-building that the Privacy Act is meant to prevent. Even a revised statute, however, does not reach the source of the problem: a large government with extensive tax and entitlement programs will demand tremendous amounts of personal information from citizens. The costs to privacy of government programs have gone unconsidered as they have been enacted and expanded. Because of their institutional incentives and unique powers, it is appropriate to circumscribe governments' use of data more closely. Everyone agrees (except for government agents and their hangers-on in the surveillance-industrial complex) that governments are the greatest threat to privacy. The sections that address private-sector data use are quite a bit less intuitive. They do not seem to emerge from a general theory of privacy. Rather, they focus on "business" and "companies" - as if wrongful collection, use, or publication of facts by a company is worse than the same behavior by an individual. (I'll admit my pro-corporate bias: I have started and today operate two corporations, one for-profit (but not profitable) and one non-profit. I do not know how I would have started or kept either one alive under the regulatory regime needed to carry out the aspirations in this paper, relying as they do on information about people.) Essentially, these rules attempt to reverse the general rule - a rule with foundations deep in physics and justice - that information flows freely unless constrained by its author. The solution is not to reverse or stop the flow of data streams, but to address harms caused by wrongful data collection, use, or publication. ChoicePoint has harmed people by subjecting them to identity fraud and the expense, time, and embarrassment of trying to rebuild their financial lives. It has also harmed various companies who in the main will suffer the bulk of the financial repercussions. ChoicePoint should pay for its negligence. The case of Remsburg v. Docusearch provides a good example of how courts adapt common law negligence rules to address dangers and harms in modern circumstances. In that case, a data broker sold information about a young woman to a man who ultimately murdered her. The New Hampshire Supreme Court found that the data broker owed it to the woman to protect her. http://www.courts.state.nh.us/supreme/opinions/2003/remsb017.htm ChoicePoint, likewise, owes a duty to all the people on whom it compiles information, a duty to protect them (us) from harm. It appears that ChoicePoint has failed in that duty, so ChoicePoint should pay. Lawsuits alleging ChoicePoint's negligence have already been filed. Politicians are grabbing headlines with hearings and legislation, but the real action is quietly underway in the courts. Recognizing a common law rule like this takes care of a lot of the problems that would otherwise require long, detailed regulations. The California law requiring consumer notice of data breaches has been given too much credit in this case. ChoicePoint's compliance with the California law broke the story, but it is both over- and under-inclusive: it requires notice in cases where notice doesn't matter, and it doesn't require notice in some cases that do. Once data holders recognize their legal duty to protect backed by the responsibility to pay, they will eagerly notify consumers when doing so will avoid harm - because this will save them money. They will also notify banks when that is appropriate, credit bureaus when that is appropriate, and credit card issuers when that is appropriate - all in direct proportion to need. The genius of simple, general rules like this is that they capture the self-interest of companies like ChoicePoint and direct it toward consumer welfare rather than trying to reverse information flows or weigh the economy and society down with unnatural, innovation-stifling regulation. Finally, many proposals in the document have a one-way privacy bias (which is appropriate in the government context where choice is not available). This bias will appeal to many, but it is not good public policy for a country that respects the will and genius of the people. Perhaps it is unfortunate, but my careful observation over many years finds that consumers often prioritize things other than privacy - goods such as convenience, lower costs, better customer service, and so on. Indeed, they are sometimes just plain indifferent. I am loathe to assume that the great mass of Americans are just wrong and in need of caring for by self-appointed elites (even really smart ones). We might like everyone to be more privacy conscious, but I do not think it is wise to force privacy on people who would not otherwise choose it. The section on preemption of state law illustrates this bias. It would allow states to institute more-comprehensive privacy protections, but not less-comprehensive privacy protections. Given that individuals choose less privacy protection all the time, I do not see why state legislatures should be disabled from representing their people in a way that may be perfectly rational. If there is to be legislation (and I don't think it's needed), states should be fully able to innovate, not just innovate in the federally preferred way. For your consideration. Jim Jim Harper Director of Information Policy Studies The Cato Institute and Editor Privacilla.org _______________________________________________ Politech mailing list Archived at http://www.politechbot.com/ Moderated by Declan McCullagh (http://www.mccullagh.org/)
This archive was generated by hypermail 2.1.3 : Thu Mar 17 2005 - 21:58:33 PST