Monday, August 20, 2007

Privacy is not simple.

In 2002 and 2003 I participated in a Study Committee on "Privacy in the Information Age," sponsored by the Computer Science and Telecommunications Board (CSTB) of the National Research Council (NRC). The committee was very diverse, and I learned a whole lot from trying to relate other members' legal, law enforcement, medical, sociological, economic, and philosophic perspectives to my own, primarily technical, perspective.

The result of the committee's study (and considerable further review, in accord with NRC policy) was the book, Engaging Privacy and Information Technology in a Digital Age, edited by the committee Vice Chair, Jim Waldo, and two NRC staffers, Herb Lin and Lynette Millett. This book is now available from the National Academies Press for free online browsing, as a PDF file, or in hardcopy.

I think it is safe to say that everyone has something that they would like to keep private from someone else. Anyone who seriously cares about privacy should read this book. They are likely to find that even the definition of privacy is more complex than they thought, let alone the trade-offs involved in privacy principles, practices, and policies.

Rather than trying to summarize a 400+ page book in a blog posting, I will quote one sentence, and then list the committee's summary recommendations. You'll have to read the book (or at least its Executive Summary) for the background.
When privacy is at issue, the committee found that bland assurances that privacy will not be harmed offered by policy makers can do more to raise skepticism than honest presentation and assessment of tradeoffs.
  • If policy choices require that individuals shoulder the burden of protecting their own privacy, law and regulation should support the individual in doing so.
  • Organizations with self-regulatory privacy policies should take both technical and administrative measures to ensure their enforcement, routinely test whether their stated privacy policies are being fully implemented, produce privacy impact assessments when they are appropriate, strengthen their privacy policy by establishing a mechanism for recourse if an individual or a group believes that they have been treated in a manner inconsistent with an organization's stated policy, and establish an institutional advocate for privacy.
  • The U.S. government should undertake a broad systematic review of national privacy laws and regulations.
  • Government policy makers should respect the spirit of privacy-related law.
  • Principles of fair information practice should be extended as far as reasonably feasible to apply to private sector organizations that collect and use personal information.
  • To support greater transparency into the decision-making process regarding repurposing, guidelines should be established for informing individuals that repurposing of their personal information might occur, and also what the nature of such repurposing would be, and what factors would be taken into account in making any such decision.
  • The principle of choice and consent should be implemented so that individual choices and consent are genuinely informed and so that its implementation accounts fairly for demonstrated human tendencies to accept without change choices made by default.
  • The U.S. Congress should pay special attention to and provide special oversight regarding the government use of private sector organizations to obtain personal information about individuals.
  • Governments at various levels should establish formal mechanisms for the institutional advocacy of privacy within government.
  • A national privacy commissioner or standing privacy commission should be established to provide ongoing and periodic assessments of privacy developments.
  • Governments at all levels should take action to establish the availability of appropriate individual recourse for recognized violations of privacy.
