Anyone who's been to Seattle would probably tell you it's a pretty progressive city—at least compared to most in the U.S. It's home to some of the most cutting-edge tech companies in the world, including Microsoft, Amazon and Google. It's got almost as many bikes on the road as it does cars. And its homeless are hard-pressed to find a bottle in a trash can—they're all in the recycling bins. So it's not all that surprising that it's also become one of the most progressive cities on individuals' privacy rights.
In fact, it's seemingly in a league of its own.
This month, that policy officially went into effect. October 1, the city unveiled its public-facing website on its privacy initiative as well as a toolkit for city departments to use to implement changes as deemed necessary.
The long-term vision is to gain public trust in municipal data use, said Mattmiller.
"As we look to become more data-driven as a city, more driven by metrics, we recognize the amount of data we collect is going to increase," Mattmiller said. "And if we don't have the trust of the public, and if we don't do this in a transparent manner, we aren't going to be successful."
In fact, the city has a some experience in the backlash that can result without transparency and the resulting public trust. Seattle drew flak a couple years ago purchasing drones without giving the public notice, installing waterfront surveillance cameras without notice and installing them improperly—resulting in inappropriate surveillance of apartments, for example. None of it went over well with the public, and when Mayor Ed Murray took office in 2014, he vowed the city would do better.
Michael Wagers is chief operating officer of Seattle police. He said his team met with Mattmiller the say he was getting sworn in as the city's CTO and it was established then and there that the police would co-sponsor the city's new program.
"The chief said right away that we would do it," Wagers said. "The issues the department had gone through with drones and wireless mesh networks, where it had deployed technology without thinking through some of the other privacy concerns (made this the) perfect opportunity as it looks forward to new technologies."
Beyond just deploying new technologies though, Wagers said, is Police Chief Kathleen O'Toole's mission upon her appointment in 2014 to rebuild public trust.
"You do that through a lot of different ways, and one way to do that is through increasing transparency," Wagers said. "We needed a better framework."
But the kind of transparency the city wants to practice will take some time and work from each of its 28 departments. Realizing that, each one will assign a privacy champion who'll be responsible for incorporating the appropriate practices into daily operations and maintaining compliance. In addition, part of Murray's 2016 budget is for first-quarter funds to launch an online training and awareness program, which will be required for anyone who touches the public's personal data. The expectation is to reach true compliance with the new program by 2017, following refinements and tweaks.
Compliance will, of course, look different from one department to another. This is where doing citywide privacy gets a little interesting; the public services are so varied. Public safety will do privacy in different ways than water and utilities will, for example. And while it will clearly take departmental and individual buy-in—the city employs 11,000—for things to work, Seattle Privacy Manager Ginger Armbruster said she's not twisting any arms. It's a relief, in many ways, for departments to have a consistent approach to privacy, she said.
"There are concerns, of course, like, 'How much is this adding to my work load?'" she said. "But I've mostly heard excitement and appreciation that this is being dealt with."
"Departments want to do the right thing," Mattmiller said. "They understand the public wants better trust in government."
And besides, it's not about coming down on people or complicating their jobs so that they're more difficult operationally. The approach in Seattle has been about how to help employees be more successful.
"If you're seen as the department of 'no,' people work around you," he said. Instead, the approach has been to communicate to departments that this initiative aims to identify potential risks to help employees make better decisions to not only protect the public but, in the end, develop increasingly successful and innovative programs.
And there's flexibility there. In cases where department heads have said "this isn't going to work," the conversation becomes, "Well, then, let's try this. How would we make this a long-term win so that we're not just fixing this particular issue, we're enabling you to do a better job down the road," Armbruster said.
That collaborative approach has been really successful, she added: "I watch the expression change from, 'That really won't make a difference' to 'Hey, that thing I thought probably wouldn't work, let's revisit this.'"
Armbruster and Mattmiller say the task of asking departments to buy in was less burdensome than it perhaps could have been, given that support for citywide privacy comes from top-tier leadership. It was the City Council and the mayor who in fact tasked Mattmiller with seeing this privacy initiative through almost as soon as he walked through the door.
Police support has been big, too. Wagers said various Seattle Police were part of the initiative's working group, including captains, indicating the department's commitment to taking privacy seriously.
"We've learned a lot," he said. "That's influenced our thinking over the last year ... sitting around and hearing from real experts on this, in terms of thinking of new technologies."
Just because there's support at the departmental level, however, doesn't necessarily guarantee smart decisions are going to instantaneously be made by the employees touching data. And that's partly why the program has a two-year compliance plan. By 2016, the city hopes to have departmental privacy champions identified, begin reviewing new projects, finalize an employee training program and start assessing legacy operations.
"We do think about scale, where we have 11,000 employees. We need to be very vigilant about education on privacy principles," Mattmiller said.
Those principles include minimizing data collection, providing residents with notice about data collection, deletion and de-identification.
Of course, some of those principles will become problematic from time to time, Armbruster acknowledged. Especially as the city aims to incorporate emerging technologies into its processes. But it's not just government departments that will require some negotiating. Seattle also boasts an involved community of activists who are, well, active. For some of those groups, no amount of privacy will ever be too much.
"I think there will always be a place where, by virtue of being a government and providing government services, we may not always come to consensus," Armbruster said. "There is always going to be a tension that is appropriate around those (sensitive) issues."
But that's where transparency comes in, she said. And that's been the approach from the beginning.
"I think we have worked to include as many voices as we could from departments who had varying levels of maturity in terms of privacy and risk management," she said.
She also had a lot of input from groups like the ACLU, the activist community, the city's former chief information security officer, academics at the University of Washington and, of course, the city's temporary privacy advisory board, which has since disbanded now that the interdepartmental Privacy Champions group will become the subject-matter experts relied upon.
And it was important she did. Necessary, really. Because there really isn't a "How to create a citywide privacy framework" booklet out there, nor is there a city to look to as a case study.
"We kind of had to do that on our own and figure out what the model was," Armbruster said.
For that, she used a lot of different resources. One was the state of Washington's Access to Justice Board, chaired by Don Horowitz, former State Superior Court justice. It was established in 1990 to address law enforcement's need for access to technology and need to know the legalities surrounding it. She looked to the private sector for best practices, to stakeholders for stakeholder concerns and to the federal government for existing processes and critical infrastructure around privacy, and she leveraged the connections she and Mattmiller have with the IAPP for advice as needed.
Now that the groundwork has been laid, Armbruster is looking to network with other municipalities that want to begin or are already immersed in the process. For now, October 1 starts a new chapter in the city's history. Armbruster and Mattmiller are optimistic.
"I think we'll see this blossom across the city," Armbruster said. "I anticipate we'll continue to refine as we get feedback about what works and what we need more of."
If you want to comment on this post, you need to login.