Two stories in the news describe different approaches to government secrecy and citizen privacy:
- White House Orders New Computer Security Rules, By ERIC SCHMITT, New York Times (October 6, 2011)
"The White House plans to issue an executive order on Friday to replace a flawed patchwork of computer security safeguards exposed by the disclosure of hundreds of thousands of classified government documents to WikiLeaks last year.
"...In addition to these immediate measures, Mr. Obama’s order creates a task force led by the attorney general and the director of national intelligence to combat leaks from government workers, or what the White House calls an “insider threat.”
"The directive also establishes a special government committee that must submit a report to the president within 90 days, and then at least once a year after that, assessing federal successes and failures in protecting classified information on government computer networks.
"...[Pentagon issued cyber identity] credentials allow supervisors to track what users are working on."
- Data Mining: DHS Needs to Improve Executive Oversight of Systems Supporting Counterterrorism, Government Accountability Office, GAO-11-742 (September 7, 2011). The report says that, until needed reforms are put in place the Department of Homeland Security and its component agencies "may not be able to ensure that critical data mining systems used in support of counterterrorism are both effective and that they protect personal privacy."
"By not consistently performing necessary evaluations and reviews of these systems, DHS and its component agencies risk developing and acquiring systems that do not effectively support their agencies' missions and do not adequately ensure the protection of privacy-related information."
See also: GAO Report: DHS Data Mining Needs Privacy Oversight, By Grant Gross, IDG News, PC World, (Oct 7, 2011). "One of the most disturbing findings by the GAO was that ICEPIC rolled out its law enforcement sharing component before it was approved by the DHS privacy office."
Declan McCullagh describes how the pre-2001 "Enhancement of Privacy and Public Safety in Cyberspace Act," which was unacceptable to Congress, morphed into the "Combating Terrorism Act of 2001" and then into the "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001," which was rushed through Congress and passed without giving members time time to read the changes that had been incorporated in it.
- How 9/11 attacks reshaped U.S. privacy debate, by Declan McCullagh, cnet, (September 9, 2011).
After the attacks on the Pentagon and World Trade Center, however, the sentiment in political circles quickly shifted from protecting electronic privacy to facilitating government surveillance. The privacy bill approved by the committee by such a lopsided margin disappeared.
..."Perhaps the biggest systemic change in the way the government conducts investigations since 9/11 is the transition from targeted surveillance--where the government picks a target and spies on that person--to untargeted wholesale surveillance, where masses of people are surveilled," says Kevin Bankston, a senior staff attorney at the Electronic Frontier Foundation. "And then the government decides who it wants to focus on."
McCullagh suggests that "the political pendulum appear[s] to be swinging back to favor privacy. It's being driven by concerns over mobile device tracking, government access to data, airport body scanners--and the Patriot Act itself" but that "the FBI and other police agencies aren't exactly eager to relinquish their expanded authority."
A new poll reports mixed public opinion.
- Poll: OK to trade some freedoms to fight terrorism, By Jennifer Agiesta, Associated Press (Sept 6, 2011).
Ten years after the 9/11 attacks led to amped-up government surveillance efforts, two-thirds of Americans say it's fitting to sacrifice some privacy and freedoms in the fight against terrorism, according to a poll by The Associated Press-NORC Center for Public Affairs Research.
...A slim majority -- 54 percent -- say that if they had to choose between preserving their rights and freedoms and protecting people from terrorists, they'd come down on the side of civil liberties. The public is particularly protective of the privacy of U.S. citizens, voicing sharp opposition to government surveillance of Americans' emails and phone calls.
Congrats to Mary Minow!
A new state law that takes effect Jan. 1 will add an extra layer of privacy for library users in the digital age.
California’s library privacy laws were created before the advent of the Internet and, as a result, an individual’s interaction with the library outside of circulation was not protected under state law until Gov. Jerry Brown signed Senate Bill 445 earlier this month.
The bill was authored by state Sen. Joe Simitian, D-Palo Alto, but inspired by Librarylaw.com founder Mary Minow, who also manages the Stanford Copyright and Fair Use website.Minow proposed the legislation as part of Simitian’s “There Oughta Be A Law” contest.
The EPIC blog post includes links to old and new privacy policies and a couple of other relevant links.
The annual study of the impact of the Internet on Americans conducted by the Center for the Digital Future found that almost half of Internet users age 16 and older -- 48 percent -- are worried about companies checking their actions on the Internet.
Users are more concerned about corporations than governments:
By comparison, the new question for the Digital Future Study found that only 38 percent of Internet users age 16 and older are concerned about the government checking what they do online.
It is not clear from the press release that respondents were asked about any specific activities or behaviors of governments or if they were asked about any specific laws such as the "PATRIOT" Act.
Providing users with privacy and confidentiality when they read is one of the key, long-term values of libraries. As we look to our future, we should invest in our ability to continue to do that by hosting digital content and providing users a way to securely and privately browse and read digital content.
Privacy: "I have nothing to hide"
It almost seems like this is privacy week. After stories about a new book on privacy and Eli Pariser's compelling TED talk about how "search personalization" silently filters out useful information, now we have this:
- Take Your Paws Off Our Privacy Laws! Facebook, Google, Twitter, Zynga Formally Oppose California Social Networking Bill, by Liz Gannes, All Things Digital (May 16, 2011)
A coalition of industry associations and Internet companies including Facebook, Google, Twitter, Zynga, Match.com and Skype this afternoon submitted a formal letter of opposition to proposed California legislation that would mandate new privacy policies for social networking sites.
The California law would require social networks to be private by default and make California users choose privacy settings before they complete registration.
The tech companies say the law is unconstitutional, would hurt the economy, and would significantly undermine the ability of Californians to make informed and meaningful choices about use of their personal data.
We often hear the argument that it is okay for the government to gather or analyze personal information because only those who have something to hide need worry. As the British government slogan says, "If you've got nothing to hide, you've got nothing to fear."
Libraries take a different approach to privacy. As the American Library Association says, "Privacy is essential to the exercise of free speech, free thought, and free association."
Yet we continue to hear the "nothing to hide" argument. Daniel J. Solove, a professor of law at George Washington University, examines the argument in detail and exposes its flaws in an excerpt from his new book, Nothing to Hide: The False Tradeoff Between Privacy and Security:
- Why Privacy Matters Even if You Have 'Nothing to Hide', by Daniel J. Solove, Chronicle of Higher Education, "The Chronicle Review" (May 15, 2011) [subscription required]
Commentators often attempt to refute the nothing-to-hide argument by pointing to things people want to hide. But the problem with the nothing-to-hide argument is the underlying assumption that privacy is about hiding bad things. By accepting this assumption, we concede far too much ground and invite an unproductive discussion about information that people would very likely want to hide. As the computer-security specialist [Bruce] Schneier aptly notes, the nothing-to-hide argument stems from a faulty "premise that privacy is about hiding a wrong." Surveillance, for example, can inhibit such lawful activities as free speech, free association, and other First Amendment rights essential for democracy.
Chapter 1 of the book is also freely available:
- Nothing To Hide: The False Tradeoff Between Privacy And Security, Chapter 1, by Solove, Daniel J., Yale University Press, 2011. SSRN.
Solove argues that, in many cases, privacy issues never get balanced against conflicting interests. Bruce Schneier, the security expert Solove quotes above and the author of the excellent monthly newsletter, Crypto-Gram, makes a similar argument in a recent presentation on security issues:
- The security mirage, Bruce Schneier. TEDxPSU. (Oct 2010), video, 21 min.
As we have mentioned here before, (see, for example, Will GPO guarantee user privacy? Can it? and PRIVACY: Key Challenges Facing Federal Agencies and "Policy neutral" does not mean "neutral policies"), privacy has important policy implications for individual FDLP libraries and their approaches to access to government information. What is your library policy? Will your library choose to retain its role as a protector of privacy, or will it abandon that role to government agencies?
My brother is a surgical resident. A few weeks ago he was complaining about the difficult Electronic Medical Record (EMR) software his hospital is using, particularly the unintuitive user interface. Then I read an article in the New York Times about the business opportunities that are growing in the world of electronic health records. According to this article, two brothers, who have already developed a software EMR package for small-practice doctors’ offices, are waiting for the Obama stimulus package to essentially kick in, as the medical community will eventually have to migrate to digital patient records, or pay the penalties for failure to do so.
To me, there are two primary issues: privacy and accuracy. In extolling the benefits of the EMR (Saves lives! Lowers costs! No more pesky paper!), what will prevent the doctors’ offices, hospitals, and health insurers from abdicating responsibility over the care and quality control of those records? I realize that the e-document movement is permeating all levels of our lives, from the personal to the professional, but I cannot help but feel that an attorney’s e-discovery litigation case papers are better protected than patient information in a hospital.
Further, not everyone knows that HIPAA entitles you to your entire medical record, doctor’s notes and all (which is why, from what I understand in talking to several medical residents, doctors are usually instructed to take care in how they write about the patient in the medical record, for subpoena purposes and patient record requests; it probably is not a good idea to write “this patient is an idiot”). But in the same DHHS website, HIPAA privacy rules seem to have a series of caveats. A Washington, DC public interest research center has the same concern: Apparently, the DHHS proposed rules required that privacy breaches need not be reported to patients unless the provider or insurer felt that there was a “significant risk” of harm. So then the discretion for the standard of “significant risk” is left to a large impersonal corporation or a doctor who does not have the time to return phone calls? Not good. DHHS is currently reconsidering that medical breach notification rule, but this caveat that the covered entities determine whether “significant risk” exists, does not appear on the DHHS’s website summary pages.
Accuracy is another issue, and I believe it will be a growing concern as records are increasingly kept in digital format. With the health care companies pushing the doctors and hospitals to get patients in and out of the hospitals as quickly as possible, the quality of time spent with the patient will inevitably be reflected in the patient EMR. Case in point: I visited the ophthalmologist a couple years ago for a routine check-up. I advised the technician that I had scar tissue on my left cornea from an old boxing injury. The technician then inserted the eye pressure gauge into my left eye and the instrument tore into my cornea. The doctor treated me for this second injury but my medical record has no indication of this new injury from the doctor’s office. How do I know? When I mentioned the injury to my GP in a routine checkup, he had no idea what I was talking about. I obtained the medical record myself and added notes for my own records, indicating the date and type of this new injury; I may need this information for future eye care.
Another example: my GP’s EMR for me does not include the list of drugs to which I am allergic (it also does not include any reference to the eye injury from above). I have called his office, but I have yet to see that information added to the EMR. This information is in his paper record on me (I know because I filled out the “patient information form” upon my first visit years ago), but the problem with the EMR is that it can be replicated to any doctor in the country with one phone call, and the information will be inaccurate – even though (or because?) it is digital.
So the government will monitor the transition to EMRs, a "cost-saving" and "patient care" measure, but just who benefits here?
Johanna Blakely-Bourgeois, Pratt SILS
Here are some links to stories and opinions about last week's announcement of a The National Strategy for Trusted Identities in Cyberspace.
The announcement: The National Strategy for Trusted Identities in Cyberspace. Posted by Howard A. Schmidt on June 25, 2010, The White House Blog.
The draft strategy itself: National Strategy for Trusted Identities in Cyberspace - Creating Options for Enhanced Online Security and Privacy, Department of Homeland Security (June 25, 2010)
- White House Proposes Vast Federal Internet Identity Scheme by Lauren Weinstein (June 25, 2010). "a rather chilling document -- tellingly hosted on Department of Homeland Security servers -- that proposes the creation of a vast, federally-led Trusted identities in Cyberspace infrastructure that would potentially reach into nearly every aspect of Internet use, from financial transactions to comments on blogs."
- White House wants to help you "blog anonymously". By Jon Stokes. ars technica (June 29, 2010)
- Analysis: Three privacy initiatives from the Office of Management and Budget. by Andy Oram, O'Reilly Radar, (Jun 28, 2010). "I can understand the strategy's reliance on PKI as the only social structure available to back up assertions of identity. But this is the wobbly leg of the table that holds up the OMB proposal. The document should recognize the flaws of PKI..."
Online 'Cookies' Crumble Under Tougher Fed Guidelines, by Chris Strohm, Tech Daily Dose (June 25, 2010).
An OMB spokesman said that the federal government is issuing new policies today governing how agencies may use Web "cookie" files and other technologies to collect information from visitors to government Websites.