Privacy Interests
Editor: Fred H. Cate
Government Access to Private-Sector Data
Fred H. Cate, Indiana University

Governments around the world are demonstrating a growing appetite for personal information held by the private sector.

Public-sector interest in private-sector data is nothing new. Governments have long sought access to private enterprise data to administer social service programs, tax schemes, business and professional licenses, voter registration, vital records about major life-cycle events, and public infrastructure. They have also sought access to targeted data for law enforcement and national security purposes. The new voraciousness for private-sector data is reflected in expanding demands for wholesale access to information, and not just about individuals who warrant suspicion but about everyone. Furthermore, this demand is supported by the extraordinary growth of digital technologies that can record, store, and share electronically individuals’ records, communications, movements, finances, relationships, and even tastes.
A Growing Demand
We’ve recently seen an explosion in the demand for private-sector data:
• India, Saudi Arabia, United Arab Emirates, Lebanon, and Indonesia have all demanded real-time access to Research in Motion’s BlackBerry Enterprise and Messenger services, so they can have access to otherwise encrypted communications [1].
• The US Treasury has announced its intention to move beyond the 1.3 million suspicious activity reports and 14 million reports on international money transfers of more than US$10,000 that it currently receives each year. Instead, it will require disclosure of all 750 million annual money transfers into or out of the US [2].
• The US Transportation Security Administration has implemented its Secure Flight [3] and Automated Targeting Systems [4] programs, which require that all airlines—irrespective of their location—must collect and report personal information about passengers on flights into or out of the US.
• Governments in Europe and elsewhere have created mandatory data-retention laws, giving governments access to private-sector data even after the information would normally have been discarded [5].
• The US Federal Bureau of Investigation is seeking an amendment to the Communications Assistance to Law Enforcement Act that would require social networking companies and peer-to-peer providers, such as Facebook, Twitter, and Skype, to give law enforcement access to private information. The amendment would also require firms that offer encrypted communications to decrypt the text for law enforcement [6].
• Google has begun disclosing the number of demands for user data that it receives from government agencies. Brazil and the US top the list, which altogether includes 13,700 requests during the first six months of 2010 (see www.google.com/transparencyreport/governmentrequests/).
• The US, UK, and other countries have asserted the legal right to seize laptops and other computing devices at the border, copy their contents, and require access to encryption keys without articulating any suspicion or providing access to counsel [7].
This is just a sampling of the recent expansion in the access that governments want. Each month brings new demands as governments seek to expand their reach and individual data become more exposed to government scrutiny.
A Shift in Surveillance
Law enforcement and national security officials claim that increased access to personal data from the private sector is necessary to keep pace with changing technologies and to keep cyberspace from “going dark”—a term officials use to describe an online world in which the bad guys can communicate free of surveillance. But there’s strong evidence that these new data dragnets are qualitatively different and seek information never before subject to routine government scrutiny. Consider four critical distinctions from past surveillance techniques.

First, more data than ever are created and stored in digital form. As Stanford law professor Kathleen Sullivan has written, “Today, our biographies are etched in the ones and zeros we leave behind in daily digital transactions” [8]. Government officials now routinely access data that didn’t even exist two decades ago.

Second, they’re seeking data about everyone—not just those who are targets of investigations. Scholars often note that one of the primary motivators behind the Fourth Amendment—the primary constitutional limit in the US on the government’s ability to obtain personal information about individuals—was the hostility to “general searches” by British troops, which weren’t based on specific suspicion. Yet general searches are the raison d’être of many government data programs, which collect and analyze vast swaths of data about individuals who have done nothing to warrant the government’s suspicion.

Third, in most instances today, governments seek personal data without judicial oversight. And because of the understandable secrecy that surrounds many data mining programs, legislative or popular oversight is often nonexistent or ineffective. The Lisbon Treaty has gone far to reduce distinctions between first-, second-, and third-pillar activities in the EU, thereby eliminating some of the barriers to oversight by data protection commissioners in Europe. However, limits on the commissioners’ jurisdiction over national security activities and on their practical ability to oversee other government data mining programs have tended to reduce the practical effectiveness of this oversight.

Finally, because data are increasingly collected via the private sector and without notice to affected individuals, the role of the individual has been starkly reduced. In years past, the government might physically follow a suspect or search his or her home, thereby creating at least the possibility (and often the legal requirement) for notice and an opportunity to object, whether through a judicial, legislative, or other process. Today, surveillance is far more commonly conducted through cell phone service providers or GPS transceivers, thereby eliminating the opportunity of individuals to be aware of, much less object to, the activity.

In his 1971 book, Assault on Privacy, Harvard law professor Arthur Miller warned of the “possibility of constructing a sophisticated data center capable of generating a comprehensive womb-to-tomb dossier on every individual and transmitting it to a wide range of data users over a national network” [9]. His fear seemed far-fetched at the time. Today, it’s much closer to reality.

But privacy doesn’t have to be sacrificed as a result. The risk of terrorists and other criminals exploiting the “dark” world of cyberspace to plan and execute attacks might mean that governments need greater access to personal data from the private sector and elsewhere. However, this doesn’t have to mark the death of privacy or its trivialization into notices telling us that we have no privacy rights vis-à-vis the government when communicating, traveling, banking, or even walking down the street. Privacy advocates, scholars, data protection commissioners, and others have repeatedly stressed that privacy need not be eliminated just so we can be free and that if eliminated, we’ll never be free.

COPUBLISHED BY THE IEEE COMPUTER AND RELIABILITY SOCIETIES ■ 1540-7993/10/$26.00 © 2010 IEEE ■ NOVEMBER/DECEMBER 2010
Protecting Privacy
Several recommended “best practices” have emerged [10–15] that lawmakers around the world would do well to consider. Although the proposals differ in their details, there is broad consensus that government programs designed to collect and use private data—especially from the private sector and without reason for suspicion—should at a minimum require the following.

Explicit Authorization
The legislature or a senior elected official should authorize such programs based on an assessment of their likely efficacy and compliance with legal requirements and only after confirming a high level of oversight and accountability.

External Authorization
Before the government creates new data collection requirements or engages in mass surveillance, it should receive some form of judicial or other external authorization. This is especially important if the personally identifiable information will be used in a way that affects individuals, such as by denying or delaying access to a facility or benefit or subjecting them to an intrusive investigation. The specific body providing the oversight is less important than that the authorization be external to the agency engaging in the data collection and specified by the legislature.

Legal Compliance
Programs should remain in compliance with the law both when accessing data and engaging in data mining. Also, the government shouldn’t encourage or press private-sector entities to violate their legal obligations when providing data to the government.

Ongoing Evaluation
The government should evaluate programs for effectiveness in accomplishing specified objectives prior to deploying them and regularly thereafter. The assessments should consider practical experience with the system, technological advances, changing needs, and the impact on individuals. However, the underlying goal should be to assess whether the data collection or analysis works to effectively address a real threat. If not, any invasion of personal privacy is unjustifiable.

Data Integrity
The government must carefully consider the appropriateness of the data for the intended use, especially when being accessed from the private sector and repurposed. It should also define a system for ensuring that data are kept up to date, accurate, and relevant.

Access Limitations
We need limits on who can access large datasets (and for what purposes) and tools to enforce those limits. Rules should be built into data analysis systems that ask an analyst, for example, to specify his or her legal authorization for requesting data or conducting a search [16].

Data Minimization
Data minimization and anonymization and other tools should limit the amount of information revealed to only what’s necessary and authorized. This has been a major focus of the Markle Foundation Task Force on National Security in the Information Age, which has proposed that “anonymizing technologies could be employed to allow analysts to perform link analysis among data sets without disclosing personally identifiable information. By employing techniques such as one-way hashing, masking, and blind matching, analysts can perform their jobs and search for suspicious patterns without the need to gain access to personal data until they make the requisite showing for disclosure” [13].

Audits
Audit tools should ensure that the rules surrounding data collection and use are being followed.

System of Redress
Innocent individuals harmed by the use of their personal information need a system of redress so they’re made aware of the role of data analysis, given the opportunity consistent with the nature of the setting to dispute and seek correction of erroneous data, and compensated for any injuries. The system must also ensure that data analysis programs log any errors and “learn” from such errors. False positives are inevitable, so they must be addressed both in terms of recourse for the affected individuals and tools for avoiding them in the future.

Accountability
We need serious oversight of data collection, sharing, and use that delivers a high degree of accountability that data systems are used appropriately, lawfully, and effectively. In the words of the US National Academy of Sciences Committee on Technical and Privacy Dimensions of Information for Terrorism Prevention and Other National Goals, the oversight must be both “robust” and “independent” [13].
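The Markle task force’s “one-way hashing … blind matching” approach quoted under Data Minimization above, as an added Python example that is not part of the column or of any Markle work: a trusted tokenizing party replaces identifiers with keyed pseudonyms, the analyst links records on pseudonyms alone, and an identity is released only against a documented showing. All identifiers, names and the 2,000-value identifier space are constructed; the example also shows the check a practitioner wants, that unkeyed hashes of a small identifier space are re-identified by plain enumeration, which is why the key must stay with the tokenizer rather than the analyst.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Set

# Constructed sample data (not from the column). Real identifiers such as passport
# or phone numbers come from a small, enumerable space, which is why keying matters.
CARRIER_PASSENGERS = ["P-1001", "P-1002", "P-1003", "P-1004"]
AGENCY_WATCHLIST = ["P-1003", "P-2000"]
ID_SPACE = [f"P-{n}" for n in range(1000, 3000)]  # every plausible identifier

def normalize(identifier: str) -> str:
    """Canonicalise so the same identifier always yields the same token."""
    return identifier.strip().upper()

def unkeyed_token(identifier: str) -> str:
    """Plain SHA-256: one-way, yet anyone can rebuild the table over ID_SPACE."""
    return hashlib.sha256(normalize(identifier).encode()).hexdigest()

def keyed_token(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret the analyst never receives."""
    return hmac.new(key, normalize(identifier).encode(), hashlib.sha256).hexdigest()

def blind_match(tokens_a: Set[str], tokens_b: Set[str]) -> Set[str]:
    """Link analysis the analyst runs on pseudonyms alone: tokens present in both sets."""
    return tokens_a & tokens_b

def dictionary_reidentify(tokens: Set[str], candidates: Iterable[str]) -> Dict[str, str]:
    """Map tokens back to identities by hashing every candidate (succeeds only unkeyed)."""
    return {unkeyed_token(c): c for c in candidates if unkeyed_token(c) in tokens}

class TrustedTokenizer:
    """Holds the HMAC key and token->identity map; unmasks only on a documented showing."""
    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
        self._identities: Dict[str, str] = {}

    def tokenize(self, identifiers: Iterable[str]) -> Set[str]:
        tokens = {keyed_token(i, self._key): normalize(i) for i in identifiers}
        self._identities.update(tokens)
        return set(tokens)

    def disclose(self, token: str, authorization: Optional[str]) -> str:
        if not authorization:  # e.g. a warrant or order reference, logged for audit
            raise PermissionError("disclosure requires a documented legal showing")
        return self._identities[token]

def demo() -> Dict[str, int]:
    """Match and re-identification counts for the keyed and unkeyed schemes."""
    holder = TrustedTokenizer()
    carrier, agency = holder.tokenize(CARRIER_PASSENGERS), holder.tokenize(AGENCY_WATCHLIST)
    unkeyed = {unkeyed_token(i) for i in CARRIER_PASSENGERS}
    return {"keyed_hits": len(blind_match(carrier, agency)),
            "unkeyed_reidentified": len(dictionary_reidentify(unkeyed, ID_SPACE)),
            "keyed_reidentified": len(dictionary_reidentify(carrier, ID_SPACE))}
```

Masking (dropping or truncating fields before hashing) composes with the same tokenizer; the one link the analyst learns here is that a single watchlist pseudonym also appears in the carrier’s data, and nothing more until disclose() is invoked with an authorization reference.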
The Effect on National Security
It seems clear that nations around the world need to update their laws to provide clear, appropriate, and substantive limits on government access to broad swaths of personal data held by the private sector. European Commission Vice President Viviane Reding has described the challenge for legislators to “establish a legislative framework that will stand the test of time,” “guarantee a high level of protection,” and “provide legal certainty to businesses, public authorities and individuals alike for several generations” [17].

The reasons for doing so include advancing both privacy and security. The role of good data management and oversight in enhancing national security is often overlooked, but it’s clear. With its seemingly insatiable quest for more data, government threatens to exacerbate what’s already arguably its greatest challenge in the national security context: making sense of the data it already has. The problem is “separating out the ‘signal’ of useful information from the ‘noise’ of all of those data” [11]. Poor analytical tools, sloppy data matching, or inappropriate data don’t merely fail to advance security—they actively threaten it. In contrast, greater clarity and new attention to data analysis rather than just data collection are likely to advance security [18].
Even if there’s some perceived conflict with national security or law enforcement objectives, the law must not allow privacy to be eviscerated. The words of the US Supreme Court apply with equal force to all nations that respect and protect basic human rights: “It would indeed be ironic if, in the name of national defense, we would sanction the subversion of … those liberties … which [make] the defense of the Nation worthwhile” [19].
References
1. E. Kinetz, “India Eyes Google, Skype in Security Crackdown,” San Jose Mercury News, 13 Aug. 2010; www.mercurynews.com/rss/ci_15768910?nclick_check=1.
2. E. Nakashima, “Money Transfers Face New Scrutiny,” Washington Post, 27 Sept. 2010, p. A1.
3. “Secure Flight Program,” US Dept. Homeland Security, Federal Register, vol. 72, no. 163, 2007, pp. 48356–48368.
4. “Privacy Act of 1974; US Customs and Border Protection, Automated Targeting System, System of Records,” US Dept. Homeland Security, Federal Register, vol. 72, no. 150, 2007, pp. 43650–43656.
5. “Council Directive 2006/24 on the Retention of Data Generated or Processed in Connection With the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks,” Official J., L105, Apr. 2006, pp. 54–63.
6. E. Nakashima, “U.S. Seeks Ways to Wiretap the Internet,” Washington Post, 28 Sept. 2010, p. A4.
7. Privacy Impact Assessment for the Border Searches of Electronic Devices, US Dept. Homeland Security, 2009; www.dhs.gov/xlibrary/assets/privacy/privacy_pia_cbp_laptop.pdf.
8. K.M. Sullivan, “Under a Watchful Eye: Incursions on Personal Privacy,” The War on Our Freedoms: Civil Liberties in an Age of Terrorism, PublicAffairs, 2003, p. 131.
9. A. Miller, Assault on Privacy, Univ. of Michigan Press, 1971, p. 39.
10. Committee on Technical and Privacy Dimensions of Information for Terrorism Prevention and Other National Goals, Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Assessment, Nat’l Research Council, Nat’l Academies Press, 2008.
11. Technology and Privacy Advisory Committee, Safeguarding Privacy in the Fight against Terrorism, US Dept. Defense, 2004.
12. Protecting America’s Freedom in the Information Age, Task Force on Nat’l Security in the Information Age, Markle Foundation, 2002; www.markle.org/downloadable_assets/nstf_full.pdf.
13. Creating a Trusted Network for Homeland Security, Task Force on Nat’l Security in the Information Age, Markle Foundation, 2003; www.markle.org/downloadable_assets/nstf_report2_full_report.pdf.
14. Mobilizing Information to Prevent Terrorism, Task Force on Nat’l Security in the Information Age, Markle Foundation, 2006; www.markle.org/downloadable_assets/2006_nstf_report3.pdf.
15. “The Cantigny Principles on Technology, Terrorism, and Privacy,” Nat’l Security Law Report, Feb. 2005, p. 14.
16. I.S. Rubinstein, R.D. Lee, and P.M. Schwartz, “Data Mining and Internet Profiling: Emerging Regulatory and Technological Approaches,” Univ. of Chicago Law Rev., vol. 75, no. 1, 2008, pp. 261–285.
17. V. Reding, “Tomorrow’s Privacy: The Upcoming Data Protection Reform for the European Union,” to be published in Int’l Data Privacy Law, 2010.
18. F.H. Cate, “Government Data Mining: The Need for a Legal Framework,” Harvard Civil Rights-Civil Liberties Law Review, vol. 43, no. 2, 2008, p. 436.
19. United States v. Robel, Supreme Court of the United States, 389 US 258, 1967; http://laws.findlaw.com/us/389/258.html.
Fred H. Cate is a distinguished professor, C. Ben Dutton Professor of Law, and adjunct professor of informatics and computing at Indiana University and directs the university’s Center for Applied Cybersecurity Research. A senior policy advisor to the Centre for Information Policy Leadership at Hunton & Williams LLP, he was counsel to the US Department of Defense Technology and Privacy Advisory Committee and a member of the US National Academy of Sciences Committee on Technical and Privacy Dimensions of Information for Terrorism Prevention and Other National Goals. Contact him at fcate@indiana.edu.