Posted by Lori Ayre on January 9, 2007

The Center for Democracy and Technology's Executive Director, Leslie Harris, appears today before the Senate Committee on the Judiciary. Her statement is entitled "Balancing Privacy and Security: The Privacy Implications of Government Data Mining Programs." She does an excellent job of explaining how our privacy protection policies no longer function as intended because of how information is acquired and used by the government in today's technological and political environment.

She states:

In the past, the government by and large collected data on one person at a time (i.e., with particularity), either in the course of administering a government program or where there was some suspicion that a person was engaged in criminal conduct, terrorism or intelligence activity. The government was authorized to keep this data for long periods of time, and to retrieve, share and analyze it for compatible purposes without serious controls. However, before it could take action based on that data, the government was bound by procedural due process principles of notice and an opportunity to respond. In the traditional data environment, the greater the consequences for the individual, the greater the due process requirements. For example, the criminal due process standards in the Bill of Rights place the burden of proof on the government and force it to disclose all of its evidence to the accused, for challenge.

Now, in contrast, Section 215 of the PATRIOT Act, the expanded National Security Letter authorities, the growing implications of the Supreme Court’s “business records” decisions (which place most commercial data outside the protections of the Fourth Amendment), the President’s claims of inherent power, and the nature of technology itself can result in the wholesale collection of data and databases by the government without particularized suspicion. Yet the traditional rules on storage and use remain in place, permitting the government to keep that data forever and to go back to it for further analysis (e.g., data mining) with little legal constraint.

The statement goes on to make very reasonable recommendations that would lead to better oversight of the government's data collection and data mining initiatives, which would in turn ensure that money is spent on proven-effective programs and that fair information practices are used.

Fair information practices, Harris argues, should be the basis for analyzing the issues associated with data mining. Fair information practices evaluate the data collection/data mining practices against these questions:

  1. What information is being collected?
  2. How long will it be kept?
  3. How accurate and reliable is the information?
  4. How will an individual be able to correct erroneous information?
  5. What are the redress and enforcement mechanisms?

Reading Harris' statement made me realize that privacy is disappearing, but maybe that isn't so bad. Many of us freely release private information about ourselves in favor of the convenience that disclosing information affords us. We give up privacy for cost-savings (loyalty cards) and to save time (personalized websites that we personalize to suit our needs at the expense of allowing lots of information to be collected about us - ever read Google's privacy statements?). And, of course, if you are under 30, you could have your entire life history online at MySpace.

Privacy isn't necessarily what is important. But Fair Information Practices are critical.

As Harris says in her statement: "Information privacy is not merely about keeping personal information confidential. In the context of a function like data mining, privacy is equally about due process: how to make fair decisions about people."

It seems to me that due process is what it's all about. It's almost too late to seriously try to keep information confidential. But that due process thing, that's very important.