The Other Side of Privacy

After attending last week’s Federal Trade Commission online privacy roundtable, I struggled for several days to make some sense out of my notes and my own response to calls for new legislation to protect consumer privacy. The result was a 5,000-word article—too long for nearly anyone to read. More on that later.

Even as the issue of privacy continues to confound much brighter people than me, however, the related problem of securing the Internet has also been getting a great deal of attention. This is in part due to the widely reported announcement from Google that its servers and the Gmail accounts of Chinese dissidents had been hacked, leading the company to threaten to leave China altogether if its government continues to censor search results.

Both John Markoff of the New York Times and Declan McCullagh of CBS Interactive have also been back on the beat, publishing some important stories on the state of American preparedness for cyberattacks (not well prepared, they conclude) and on the continued tension between privacy and law enforcement. See in particular Markoff’s stories on Jan. 26 and on Feb. 4 and McCullagh’s post on Feb. 3.

Markoff reports a consensus view that the U.S. does not have adequate defensive and deterrent capabilities to protect government and critical infrastructure from cyberattacks. Even worse, after years of effort and studies, the author of the most recent effort to craft a national strategy told him “We didn’t even come close.”

Markoff reports that Google has now asked the National Security Agency to investigate the attacks that led to its China announcement and the subsequent exchange of hostile diplomacy between the U.S. and China. Dennis C. Blair, director of the Office of National Intelligence, told Congress earlier this week that “Sensitive information is stolen daily from both government and private-sector networks….”

That finding seems to be buttressed by findings in a new study sponsored by McAfee. As Elinor Mills of CNET reported, 90% of survey respondents from critical infrastructure providers in 14 countries acknowledged that their enterprises had been the victim of some kind of malware. Over 50% had experienced denial of service attacks.

These attacks and the lack of adequate defenses are leading companies and law enforcement agencies to work more closely, if only after the fact. But privacy advocates, including the Electronic Frontier Foundation and the Electronic Privacy Information Center, are concerned about increasingly cozy relations between major Internet service providers and law enforcement agencies including the NSA.

They are likely to become apoplectic, however, when they read McCullagh’s post. He reports that a federal task force is about to release survey results that suggest law enforcement agencies would like an easier interface to request customer data from cell phone carriers and rules that would require Internet companies to retain user data “for up to five years.” The interface would replace the time-consuming and expensive paper warrant processes now necessary for investigators to gain access to customer records.

Privacy advocates and law enforcement agencies are simply arguing past each other, with Internet companies trapped in the middle. Unmentioned at the FTC hearing—largely because law enforcement is out of the scope of the agency’s jurisdiction—is the legal whipsaw that Internet companies are currently facing. On the one hand, privacy and consumer regulators in the U.S., Europe and elsewhere are demanding that information collectors, including communications providers, search engines and social networking sites, purge personally-identifiable user data from their servers within 12 or even 6 months.

At the same time, law enforcement agencies of the very same governments are asking the same providers to retain the very same data in the interest of criminal investigations. Frank Kardasz, who conducted the law enforcement survey, wrote in 2009 that ISPs who do not keep records long enough “are the unwitting facilitators of Internet crimes against children.” Kardasz wants laws that “mandate data preservation and reporting,” perhaps as long as five years.

ISPs and other Internet companies are caught between a rock and a hard place. If they retain user data, they are accused of violating the privacy interests of their consumers. If they purge it, they are accused of facilitating the worst kinds of crime. This privacy/security schizophrenia has pushed leading Internet companies into the unusual position of asking for new regulations, if only to make clear what it is governments want them to do.

The conflict becomes clear just by considering one lurid example (the favorite variety of privacy advocates on both sides) that was raised repeatedly at the FTC hearing last week. As long as service providers retain data, the audience was told, there is the potential for the perpetrators of domestic violence to piece together bits and pieces of that information to locate and continue to terrorize their victims. Complete anonymization and deletion, therefore, must be mandated.

But turn the same example around and you reach the opposite conclusion. While the victim of the crime is best protected by purging, capturing and prosecuting the perpetrator is easiest when all the information about his or her activities has been preserved. Permanent retention, therefore, must be mandated.

This paradox would be easily resolved, of course, if we knew in advance who was the victim and who was the perpetrator. But what to do in the real world?

For the most part, these and other sticky privacy-related problems are avoided by compartmentalizing the conversation—that is, by talking only about victims or only about perpetrators. As Homer Simpson once said, it’s easy to criticize, and fun too.

Unfortunately it doesn’t solve any problem, nor does it advance the discussion.