The Role of Government

With everything we've heard about Big Brother, how can we think of government as anything but the enemy of privacy? While it's true that federal laws and actions have often damaged the cause of privacy, I believe that the federal government may be our best hope for privacy protection as we move into the new millennium.

The biggest privacy failure of American government has been its failure to carry through with the impressive privacy groundwork that was laid in the Nixon, Ford, and Carter administrations. It's worth taking a look back at that groundwork and how it may serve us today.

The 1970s were a good decade for privacy protection and consumer rights. In 1970, Congress passed the Fair Credit Reporting Act. Elliot Richardson, who at the time was President Nixon's secretary of health, education, and welfare (HEW), created a commission in 1972 to study the impact of computers on privacy. After years of testimony in Congress, the commission found all the more reason for alarm and issued a landmark report in 1973.

The most important contribution of the Richardson report was a bill of rights for the computer age, which it called the Code of Fair Information Practices (see the shaded box). That Code remains the most significant American thinking on the topic of computers and privacy to this day.

The biggest impact of the HEW report wasn't in the United States, but in Europe. In the years after the report was published, practically every European country passed laws based on these principles. Many created data protection commissions and commissioners to enforce the laws.[5] Some believe that one reason for this interest in electronic privacy was Europe's experience with Nazi Germany in the 1940s. Hitler's secret police used the records of governments and private organizations in the countries he invaded to round up people who posed the greatest threat to the German occupation; postwar Europe realized the danger of allowing potentially threatening private information to be collected, even by democratic governments that might be responsive to public opinion.

But here in the United States, the idea of institutionalized data protection faltered. President Jimmy Carter showed interest in improving medical privacy, but he was quickly overtaken by economic and political events. Carter lost the election of 1980 to Ronald Reagan, whose aides saw privacy protection as yet another failed Carter initiative. Although several privacy protection laws were signed during the Reagan/Bush era, the leadership for these bills came from Congress, not the White House. The lack of leadership stifled any chance of passing a nationwide data protection act.

In fact, while most people in the federal government were ignoring the cause of privacy, some were actually pursuing an antiprivacy agenda. In the early 1980s, the federal government initiated numerous "computer matching" programs designed to catch fraud and abuse. (Unfortunately, because of erroneous data, these programs often penalized innocent individuals.[6]) In 1994, Congress passed the Communications Assistance to Law Enforcement Act, which gave the government dramatic new powers for wiretapping digital communications. In 1996, Congress passed a law requiring states to display Social Security numbers on driver's licenses, and another law requiring that all medical patients in the U.S. be issued unique numerical identifiers, even if they paid their own bills. Fortunately, the implementation of those 1996 laws has been delayed, largely thanks to a citizen backlash.

Continuing the assault, both the Bush and Clinton administrations waged an all-out war against the rights of computer users to engage in private and secure communications. Starting in 1991, both administrations floated proposals for use of "Clipper" encryption systems that would have given the government access to encrypted personal communications. President Clinton also backed the Communications Decency Act (CDA) , which made it a crime to transmit sexually explicit information to minors—and, as a result, might have required Internet providers to deploy far-reaching monitoring and censorship systems. When a court in Philadelphia found the CDA unconstitutional, the Clinton administration appealed the decision all the way to the Supreme Court—and lost.

Finally, the U.S. government's restrictions on the export of encryption technology have effectively restrained the widespread use of this technology for personal privacy protection within the United States.

As we move forward into the twenty-first century, the United States needs to take personal privacy seriously again. The final chapter of this book explores ways our government might get back on track, and suggests a federal privacy agenda for the twenty-first century.

[5] David H. Flaherty, Protecting Privacy in Surveillance Societies (University of North Carolina Press, 1989).

In 1989, David H. Flaherty, the privacy commissioner of British Columbia, published a revised set of 12 Data Protection Principles and Practices for Government Personal Information Systems. These 12 principles are (emphasis supplied by David Flaherty in May 1997):
The principles of publicity and transparency (openness) concerning government personal information systems (no secret databanks).
The principles of necessity and relevance governing the collection and storage of personal information.
The principle of reducing the collection, use, and storage of personal information to the maximum extent possible.
The principle of finality (the purpose and ultimate administrative uses for personal information need to be established in advance).
The principle of establishing and requiring responsible keepers for personal information systems.
The principle of controlling linkages, transfers, and interconnections involving personal information.
The principle of requiring informed consent for the collection of personal information.
The principle of requiring accuracy and completeness in personal information systems.
The principle of data trespass, including civil and criminal penalties for unlawful abuses of personal information.
The requirement of special rules for protecting sensitive personal information.
The right of access to, and correction of, personal information systems.
The right to be forgotten, including the ultimate anonymization or destruction of almost all personal information.

[6] One federal match program compared a database that had the names of people who had defaulted on their student college loans with another database that had the names of federal employees. The match then automatically garnished the wages of the federal employees to pay for the defaulted loans. The problem with this match, and others, was that there were many false matches that were the result of incorrect data or similar-sounding names. And because the wages were automatically garnished, victims of this match were required to prove their innocence—that is, to prove that the match was erroneous.

Get Database Nation now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.