Why tech companies don’t need to stymie democratic governments

In a recent Privacy Tracker update on the European Commission’s newly proposed ePrivacy Regulation, Jan Philipp Albrecht, the member of European Parliament in charge of steering through the GDPR last year, was quoted as saying, “We know that intelligence agencies are applying blanket data collection and service providers should respond by doing everything technically possible to secure the fundamental right of privacy.”

As someone who’s worked in and with U.S. and international intelligence agencies, and who works in the private sector today, I have to disagree.

Perhaps Albrecht simply means that service providers should remain in strict compliance with government regulations such as the GDPR. However, language like that has often been used by others to suggest that technology companies should do all in their power to resist, oppose, and prevent government access to data under any circumstances. The heart of that more extreme position seems to be a belief that government intelligence activities are so unconstrained that an appropriate response is to encourage private entities to act outside of democratic processes in order to thwart – or at least impede – government action. 

Although I understand the roots of the privacy concerns that drive this kind of thinking, it seems to me that: 1) the premise is flawed, and 2) the proposed solution risks oversimplifying complex privacy challenges and undermining the democratic processes of government that lie at the heart of the most effective privacy legislation and reforms.

First, the premise. Albrecht states that “we know that intelligence agencies are applying blanket data collection.” Although the quote doesn’t offer specific context, it’s a position that – for accuracy’s sake – begs to be clarified and put in context. “Intelligence agencies” from many governments around the world do in fact engage in widespread collection of data that they are charged to gather in order to carry out their missions. But the collection of that information doesn’t happen in a vacuum, and it is not necessarily “blanket.”

Intelligence gathering in liberal democracies takes place within a context: a duly constituted representative government, in which elected officials set intelligence priorities, enact legislation that defines the outer limits of lawful intelligence collection, issue government policy guidance to further clarify that legislation, and respond to internal and independent overseers who have robust powers to ferret out misdeeds and impose sanctions or take other corrective action. 

This context provides a critically important foundation, and we have to start from two assumptions: 1) that, in the context of western democracies, the government is itself legitimate, and 2) that part of government’s role is to balance multiple public interests, to include both the need for national security and public safety, and the critically important fundamental right to privacy. 

It’s no accident that the Declaration of Human Rights recognizes the existence of competing interests by making the right to privacy a qualified right – one that is not absolute and therefore ought not be elevated above all other concerns, no matter the social cost.

Sometimes “blanket” collection is not of personal data at all – that is, it isn’t of information that relates to any individual persons. It can include information about communication networks or flows of data or movement of cargo or detonation of weapons or missile telemetry or blips on a radar screen – or any of a range of other types of information that can’t (or ought not) be characterized as “personal data.” The collection of that data should hardly be seen as intrusive, but imagine the risk to safety if private companies were encouraged to take actions that would prevent duly authorized government entities from producing the intelligence reports about tests of weapons of mass destruction simply because, for example, it was company policy to create a satellite imagery shield that would interfere with images being taken from space.

Even with personal data, every liberal democracy recognizes that there are times when collection of certain information is appropriate–even necessary–to protect national security or to prevent serious crime.

Imagine, for a moment, this scenario: A shipping company creates for the first time a shipping container that is completely impenetrable. It has standard dimensions that allow it to be hauled by trailers and on ships in interstate and international commerce. Its interior can be adapted to ship toys, clothing, and refrigerated foods, and it can also be used to smuggle chemicals, weapons, and human beings–at their request or against their will–to other parts of the world. Imagine that when those containers arrived at a border, the customs agents were given only information about the outside of the container: the fact that it exists, the color of its exterior, where it was shipped from and where it is headed. But the customs officials are forbidden from opening the interior of the container, and literally cannot open it. It is, after all, impenetrable. There is no way to know what it contains inside.

Now imagine perfectly impenetrable encryption, and consider its use for the information that circulates the world today. There are countless benign transfers of information–cat videos, internet commerce, banking transactions and travel bookings. There are transfers of information for which the importance of privacy is especially high: medical information, attorney-client communications, the work of many journalists and human rights activists. There are also some transfers of information that create genuine danger, because of the impact of the content they convey, or because of the content itself: plans for human trafficking or blueprints for creating chemical and biological weapons, plots for terror attacks, and child pornography.  

If privacy is viewed in a vacuum, then any amount of data collection will always raise questions. 

In truth, though, privacy doesn’t happen in a vacuum. That Universal Declaration of Human Rights I referenced above? It also includes a right to life, liberty, and security of person; those, plus all of the other enumerated rights, are heart-achingly difficult to secure in a failed state, or in one that lacks basic national security and public safety. In that context, it’s deeply ironic to ask the private sector to obstruct the government, since the private sector thrives best in countries that have stable, democratic governments. It would be hard for a tech company to hire top talent and write its best code, or design, build, and market groundbreaking products, if the company also had to secure its own borders, build a national infrastructure, and shoulder responsibility for education, food and energy supply, environmental protection, the safety of food and drugs, and the myriad other tasks governments perform, or support, in industrialized societies.

I write these words against a backdrop of the transfer of power in the U.S. that was followed by worldwide demonstrations of historic proportions, amid concerns about rising trends towards authoritarianism across the world. I write them with deep appreciation for the many ways that government surveillance powers have been distorted to oppress and abuse the rights of citizens and non-citizens in the past century and around the world. Nonetheless, I continue to take the view that the antidote to unchecked power cannot be to create an alternative center of unchecked power. When government overreaches, the answer is to impose more effective democratic oversight, not to cede power to an opaque private sector that can’t easily be held to account.

Of course, we can let the technology arms race continue with a falsely split dialogue, one that makes out government to be a villain at all times and casts the tech sector as a shining knight riding in to save consumers from government overreach (an image that’s coincidentally quite good for global sales and profits). This narrative ignores the genuine complexity of striking the right privacy balance in private-sector collection and monetization of information, and it fosters an overly-slanted narrative of distrust for government, one that rejects altogether the idea that duly empowered oversight bodies can be entrusted to carry out their jobs effectively, and can be corrected, bolstered, or enhanced when they don’t.

That kind of hard dichotomy risks pushing us all into an ever-escalating technology arms race, in which the private sector tries to develop capabilities that government cannot penetrate, and the government races to find ways to detect and inspect the packets of information that will stop child pornography or prevent a terrorist attack. That us-vs-them dialogue risks putting privacy on a pedestal while ignoring real dangers to other human rights. It even risks creating incentives for government to go to greater extremes to collect legitimate information, and thereby, intrude more on privacy than we would wish.

The way forward can’t be a false juxtaposition of privacy-vs-safety or private-sector-against-government. 

The characterizations shouldn’t start from a presumption that government always engages in sinister overreach, and the private sector always acts in noble and benign defense of personal privacy. Instead, we should be looking to foster cooperation between the two sectors; to recognize the importance of effective government oversight and bolster those mechanisms when we need to do so; and to expect transparency, balance, and responsibility from a diverse and innovative private sector as it works through its own challenges on the balance of surveillance and privacy.

Written By

April Doss, CIPP/US

2 Comments

  • Lisa Lagrow Jan 26, 2017

    I don't trust google or facebook with personal info but certainly do not believe THIS:
    
    "Intelligence gathering in liberal democracies takes place within a context: a duly constituted representative government, in which elected officials set intelligence priorities, enact legislation that defines the outer limits of lawful intelligence collection, issue government policy guidance to further clarify that legislation, and respond to internal and independent overseers who have robust powers to ferret out misdeeds and impose sanctions or take other corrective action. "
    
    Ever since the so-called "Patriot" Act, our government has definitely been violating our 4th Amendment rights. There have been no "outer limits" and no overseers.   I don't believe the private sector is innocent, as they want our data for non-stop marketing, but certainly don't trust the NSA, CIA and the like with my data either.  They have shown, through the Snowden leaks, they are not following the laws and that Congress doesn't care to provide any meaningful oversight.
  • Jay Libove Jan 30, 2017

    The comparison of a perfectly impenetrable shipping container to perfectly impenetrable encryption is not quite right. Inside the shipping container is something that, upon opening (whether from the outside, from the inside, or from a detonation timer, etc) could be immediately harmful. Physically crossing a security boundary (such as a national border, but could be other types as well) does require the ability to open that container.
    Information in-transit, unless it is the final step in a chain of law enforcement failures e.g. "Attack now", will almost never, or never, be immediately harmful. It will relate to potentially harmful acts, which acts are planned, resourced, and finally carried out.
    As it is technologically impossible to encrypt in a way which is generally secure and can also be accessed "when appropriate" by any third party (be it an authorized government or anything else), and the immediacy of the need to inspect not being quite the same as with the shipping container, it is the wrong balance to suggest that the encryption used on data in-transit must always be inspectable. It is equally wrong to suggest that technology companies should not build the strongest practical security (including impenetrable encryption) into all consumer products, given the extremely real threat to that data every day from many actors (including, at times, State actors).
    Laws in democratic societies already provide for law enforcement power to gain access to various parts of the attack / crime chain. Telling tech companies to leave their products more vulnerable (to governments, as well as to general cyber criminals, and to hacktivists, and anarchists) suggests an incorrect balance which will have more negative effect than positive. The tech companies should continue their trend towards better and more complete encryption and security.
