In 2005, the CIP Program held a conference titled Privacy, Security and Technology in the 21st Century: Addressing the Legal Landscape of Today and Tomorrow. The conference was co-hosted by Distinguished Adjunct Professor of Law John O. Marsh and Professor Angie Chen, and speakers included Nuala O’Connor Kelly, Stewart Baker, John Poindexter, M.E. Bowman, Kate Martin, Paul Rosenzweig, and others. The following article was written in response to the conference.
Stewart Baker has argued that fears of theoretical privacy abuses limited our ability to guard against the terrorist acts of September 11, 2001. These same, valid fears seem to motivate Kate Martin’s critiques of proposed government technologies. At the conference, we witnessed Kate and Stewart, and then Kate and Admiral Poindexter, tossing the conversational ball back and forth as they sought to find an acceptable set of rules to keep technology from violating individuals’ privacy.
However, to cite a well-used phrase, technology doesn’t abuse privacy; people do. Framing the “Security and Privacy” conversation around specific, rules-based technological mandates is an entertaining, but distracting disservice to the importance of our discussion. This discussion should address flexible, comprehensive, structural protections, not merely protections based on technology rules. Technology restrictions cannot be the focus of our privacy and security dialogue for several reasons.
First, prohibiting the government from developing certain technologies will not stop the technology from being created. In fact, many of the scary, potentially privacy-invading technologies already exist -- because they are useful for various beneficial purposes in the private sector. As conference attendee Professor John Bagby commented, the genie is out of the bottle.
Second, the cycle of proposing software, and then being forced to scrap it because its technology rules do not protect against theoretical privacy abuses, could become a never-ending process that ultimately does little in the real world to provide a proper blend of privacy and security. We have already seen several iterations of this kind of cycle. And in the meantime, the government is using technology now, perhaps overprotecting or underprotecting both privacy and security.
Third, even if the government were “banned” from setting up certain technologies, that wouldn’t stop abuses of privacy. Creative people can always get around rule restrictions. For example, if the government were prohibited from running a certain targeted search in an interlinked system of databases, the same result could be obtained by creatively combining several searches in distinct databases. If these searches resulted in an abuse of privacy, the abuse would be neither detected nor prohibited by a rule that banned interlinked databases and specific targeted searches.
Fourth, no legislative privacy “rule set” could independently ensure protection. Rules might govern technology contracts, but to be confident in privacy protection, we need oversight and compliance enforcement. For example, recent studies have shown government agency improvements in including security and privacy protection provisions in contracts with private-sector providers; but the same studies have shown a lack of follow-up to see if the contractors have complied with the written requirements. Even if we could magically define the full set of proper technology restrictions, we would still need to develop a structure to oversee compliance and enforcement. Further, with the speed of technology changes, a legislative “rule set” could become outdated before it is enacted.
Thus, although technology should be an aspect of our “Security and Privacy” conversation, it should not be a central or controlling concept. I agree with Kate Martin that the speedy electronic assembly, searching, and sharing of comprehensive, individual dossiers is a modern concern that poses very real dangers. However, our fears of privacy abuses may be better assuaged by a flexible, comprehensive, structural protection rather than by a protection based on technology rules.
Perhaps history can help us figure out how to create these structural protections. Our current, high-technology society was not the first to be concerned about protection from the specter of an overreaching government. In his introductory comments, Secretary Marsh mentioned our Constitutional checks and balances, developed by the Founders to help secure justice and liberty. One of the Founders’ concerns was to provide protections for the people against abuses by a tyrannical national government.
Kate Martin said the Founders’ concerns of protection from the government were not comparable to today’s concerns of personal privacy protection from the government because the Founders did not face today’s reality of “having the FBI in your living room.” I acknowledge that today’s government possesses impressive surveillance tools, but the Founders faced British soldiers bivouacked in their private residences. Although the comparison is not exact, the Founders were well aware of the dangers of tyrannical government infiltrating everyday private lives.
Just as our privacy concerns today were valid in the 1780s, the privacy protections the Founders introduced may be valid and useful today. Fears of abuses of power were integral to the Founders’ decisions of how to structure our government. The concepts of separated powers, checks and balances, and Article III courts act as mechanisms for protection against aggrandizement and abuses of power. These are critical concepts to keep in mind during our “Security and Privacy” debates.
The Founders developed a flexible solution that focused on the structure of government; they did not establish strict rules regarding the minutiae of everyday life. Kate Martin argued that the Bill of Rights, a “set of rules” ratified a few short years after the Constitution, provided strong protection for the people. On one hand, she is of course right; but on the other hand, the Bill of Rights needs the Constitutional procedures that give it teeth. The words of our Bill of Rights, similar to the words of any legislation attempting to limit government databases, provide little protection standing alone. Rather, the structure of our Constitution empowers these rights and empowers the people by establishing oversight and enforcement mechanisms.
So instead of defining rigid, technologically-focused, temporally-limited legislative rules, perhaps we should be developing checks and balances--procedural and structural capabilities to ensure that theoretical abuses of power do not occur. Then, private individuals can more confidently trust that theoretical abuses of power will either remain theoretical or will be detected and corrected before our essential liberties are violated. And our government can more confidently move forward in using technology to improve our security.
The Critical Infrastructure Protection Program | George Mason University School of Law