As I See It: Commoditizing Privacy

The reason why the word “privacy” doesn’t appear in the Constitution or the Bill of Rights is probably that those noble documents were written before computers were invented. It’s impossible to know what the Founding Fathers would have thought about machines with such extraordinary capacities, but my guess is that they would have viewed them with a combination of awe and suspicion. The potential for abuse by governing authorities would certainly have concerned them, and with good reason. If privacy was a superhero, a computer would be its archvillain.

For decades, privacy has been losing a war of attrition. Computerized records of every sort can now be kept indefinitely and cross-referenced at the touch of an “enter” key. Electronic communications are monitored, spy satellites can read a license plate from space, cameras record activity at every business and intersection, and all of it is controlled by the ubiquitous computer. Even relatively modest systems are now armed with acres of cheap storage and assorted information-retrieval and data-mining capabilities. Everywhere, privacy is on the run and is being chased, perhaps unwittingly, by IT professionals. Vast armies of hardware and software developers, as well as huge marketing and distribution networks, support the development and dissemination of computers. Privacy, on the other hand, is defended by a few quirky lawyers at the American Civil Liberties Union.

Truth be told, privacy has always been at a disadvantage. People are basically nosey. Any person, male or female, with a Webcam and low self-esteem can profit from that aspect of human nature. Besides, it’s hard for a concept to compete against something tangible. In the age-old struggle between love and war, for example, bullets have a distinct advantage over good will. Consequently, when those giant fuel-filled bullets hit the World Trade Center three years ago, privacy was among the casualties.

In the aftermath of Sept. 11, the government was faced with a quandary: how to balance the civil liberties of its citizens with the urgent need for preventative information. How could authorities identify the evildoers in the haystack without collecting a lot of personal information on the activities of law-abiding straws?

Legally, they couldn’t. There are limits on domestic surveillance. As early as 1974, Congress was concerned with the unwarranted intrusion into the lives of innocent citizens and responded by passing the Privacy Act, which prohibited the government from compiling dossiers on Americans unless they were suspects in a formal investigation. In other words, fishing for suspects was verboten.

But these were unprecedented events on Sept. 11, and the people responsible for them were far more dangerous than the scruffy rock-throwing protesters that authorities were accustomed to tracking. Furthermore, the terrorists had evidently operated for years within the country, leaving clues like breadcrumbs, and authorities believed there were others who might be identified earlier if the right kind of information were available. The problem was, no one knew exactly where the right kind of information would come from, and erring on the side of quantity seemed prudent.

What to do? Well, since many government officials are corporate retreads, it’s a small wonder they adopted a solution that was probably used successfully at their former places of employment: outsourcing.

Conveniently, the private sector is not constrained by the laws that delimit the government’s ability to gather data. A shopper or a patient does not have to be the target of an investigation to have his personal information collected. What’s considered inappropriate for government is, in the private sector, simply a sound business practice.

Businesses of every sort and description have mountains of data on the activities and preferences of their customers, and after Sept. 11 the government was understandably interested in acquiring some of that information. And, given the circumstances, acquiring it was fairly easy. Many companies rushed to cooperate with authorities out of patriotic fervor and simply gave the information away. Others exercised their capitalist prerogative and sold it. Still others signed lucrative homeland security contracts and scoured public and private databases, compiling information that was otherwise restricted to government agencies.

Kim Zetter, writing for Wired News, reports that last year several airlines “secretly gave defense contractor Torch Concepts five million passenger itineraries for a government project on passenger profiling without the consent of the passengers.” Well, of course it would be without passenger consent; otherwise, what would be the point? And, given the nature of the attacks, a little profiling is quite understandable, and even sensible. But it’s somewhat unnerving that the government wants to extend passenger identification and profiling to train stations and bus depots. The problem, according to the ACLU, is that there are no restrictions on the type of information that is being trafficked, and the data-exchange frenzy is getting out of hand.

As an example, Zetter reports that in 2002 “the Professional Association of Diving Instructors voluntarily gave the FBI the names and addresses of some two million people who had studied scuba diving in previous years.” Even colleges and universities, traditionally staunch defenders of civil liberties, apparently provided the FBI with information about students “without having received a subpoena.”

While no single intrusion into our privacy is significant in and of itself, when coupled with bank records, credit card activity, book purchases, organizational affiliations and contributions, political activism, medical records, hobbies, Internet habits, and dozens of other bits of personal data, there is a danger that any one item could pop your name up on somebody’s watch list.

While being on some anonymous watch list may be nothing more than unfair, the ACLU warns that these lists find their way back into the computers of the private sector, where they breed discrimination. Zetter writes, “The government can submit a suspect list to financial institutions to see whether the institution has conducted transactions with any individuals or organizations on the list.” If you were a federally regulated bank wishing to stay on the good side of your regulators, having received such a list, it might be prudent not to do business with people who are considered terrorist suspects, regardless of whether they are guilty of anything. Or, if your name is distributed to the airlines, they may decide you shouldn’t be allowed to fly, just in case, without ever telling you the reason why. And, once on the list, how do you get off of it? Plus, if the past is any indication, such lists can and will be used for political purposes. During the civil rights movement and the Vietnam War era, the FBI investigated and intimidated many innocent people whose only crime was seeking social justice or disagreeing with national policy.

IT professionals play three distinct roles in this issue: we are victims, enablers, and protectors. As citizens, our private information is being compiled and sold like everyone else’s, and conclusions are being drawn about our intentions, our patriotism, and our potential danger to the nation, without our knowledge, input, or approval. As professionals, we make it possible for selected companies to overtly or covertly gather and traffic in information that defines the lives of their customers and clients. But we also protect sensitive personal data, and many notable industry leaders have spoken out, expressing grave concern about the computer’s fragile relationship to privacy. The irony of our profession is that the men and women working in the information technology sector serve as the front line of defense, as well as collaborators, in the privacy wars.

Orwell almost had it right. Big Brother, it turns out, is just another outsourceable function. Insulated from public scrutiny and circumventing privacy laws, private companies have become the pervasive eyes of government. Giant data collectors like Acxiom, ChoicePoint, Abacus, and LexisNexis, writes Zetter quoting the ACLU, have become a de facto “distributed surveillance” network. Whether such functions are appropriate for our nation and our times requires serious consideration before privacy is irrevocably turned into just another commodity.

Sadly, when everyone is presumed to be the enemy, the war is already lost.

Orwell defined “doublethink” as the power to hold two contradictory beliefs in one’s mind simultaneously and to accept both of them. Partially by circumstance and partially by design, we are being asked to believe that safety and freedom can only coexist in uneasy contradiction.

If privacy is to have a fighting chance, that contradiction will have to be resolved.