
Privacy Perspectives | Why tech companies don’t need to stymie democratic governments


In a recent Privacy Tracker update on the European Commission’s newly proposed ePrivacy Regulation, Jan Philipp Albrecht, the member of European Parliament in charge of steering through the GDPR last year, was quoted as saying, “We know that intelligence agencies are applying blanket data collection and service providers should respond by doing everything technically possible to secure the fundamental right of privacy.”

As someone who’s worked in and with U.S. and international intelligence agencies, and who works in the private sector today, I have to disagree.

Perhaps Albrecht simply means that service providers should remain in strict compliance with government regulations such as the GDPR. However, language like that has often been used by others to suggest that technology companies should do all in their power to resist, oppose, and prevent government access to data under any circumstances. The heart of that more extreme position seems to be a belief that government intelligence activities are so unconstrained that an appropriate response is to encourage private entities to act outside of democratic processes in order to thwart – or at least impede – government action. 

Although I understand the roots of the privacy concerns that drive this kind of thinking, it seems to me that: 1) the premise is flawed, and 2) the proposed solution risks oversimplifying complex privacy challenges and undermining the democratic processes of government that lie at the heart of the most effective privacy legislation and reforms.

First, the premise. Albrecht states that “we know that intelligence agencies are applying blanket data collection.” Although the quote doesn’t offer specific context, it’s a position that – for accuracy’s sake – begs to be clarified and put in context. “Intelligence agencies” from many governments around the world do in fact engage in widespread collection of data that they are charged to gather in order to carry out their missions. But the collection of that information doesn’t happen in a vacuum, and it is not necessarily “blanket.”

Intelligence gathering in liberal democracies takes place within a context: a duly constituted representative government, in which elected officials set intelligence priorities, enact legislation that defines the outer limits of lawful intelligence collection, issue government policy guidance to further clarify that legislation, and respond to internal and independent overseers who have robust powers to ferret out misdeeds and impose sanctions or take other corrective action. 

This context provides a critically important foundation, and we have to start from two assumptions: 1) that, in the context of western democracies, the government is itself legitimate, and 2) that part of government’s role is to balance multiple public interests, to include both the need for national security and public safety, and the critically important fundamental right to privacy. 

It’s no accident that the Declaration of Human Rights recognizes the existence of competing interests by making the right to privacy a qualified right – one that is not absolute and therefore ought not be elevated above all other concerns, no matter the social cost.


Sometimes “blanket” collection is not of personal data at all – that is, it isn’t of information that relates to any individual persons. It can include information about communication networks or flows of data or movement of cargo or detonation of weapons or missile telemetry or blips on a radar screen – or any of a range of other types of information that can’t (or ought not) be characterized as “personal data.” The collection of that data should hardly be seen as intrusive, but imagine the risk to safety if private companies were encouraged to take actions that would prevent duly authorized government entities from producing the intelligence reports about tests of weapons of mass destruction simply because, for example, it was company policy to create a satellite imagery shield that would interfere with images being taken from space.

Even with personal data, every liberal democracy recognizes that there are times when collection of certain information is appropriate–even necessary–to protect national security or to prevent serious crime.

Imagine, for a moment, this scenario: A shipping company creates for the first time a shipping container that is completely impenetrable. It has standard dimensions that allow it to be hauled by trailers and on ships in interstate and international commerce. Its interior can be adapted to ship toys, clothing, and refrigerated foods, and it can also be used to smuggle chemicals, weapons, and human beings–at their request or against their will–to other parts of the world. Imagine that when those containers arrived at a border, the customs agents were given only information about the outside of the container: the fact that it exists, the color of its exterior, where it was shipped from and where it is headed. But the customs officials are forbidden from opening the interior of the container, and literally cannot open it. It is, after all, impenetrable. There is no way to know what it contains inside.

Now imagine perfectly impenetrable encryption, and consider its use for the information that circulates the world today. There are countless benign transfers of information–cat videos, internet commerce, banking transactions and travel bookings. There are transfers of information for which the importance of privacy is especially high: medical information, attorney-client communications, the work of many journalists and human rights activists. There are also some transfers of information that create genuine danger, because of the impact of the content they convey, or because of the content itself: plans for human trafficking or blueprints for creating chemical and biological weapons, plots for terror attacks, and child pornography.  

If privacy is viewed in a vacuum, then any amount of data collection will always raise questions. 

In truth, though, privacy doesn’t happen in a vacuum. That Universal Declaration of Human Rights I referenced above? It also includes a right to life, liberty, and security of person; those, plus all of the other enumerated rights, are heart-achingly difficult to secure in a failed state, or in one that lacks basic national security and public safety. In that context, it’s deeply ironic to ask the private sector to obstruct the government, since the private sector thrives best in countries that have stable, democratic governments. It would be hard for a tech company to hire top talent and write its best code, or design, build, and market groundbreaking products, if the company also had to secure its own borders, build a national infrastructure, and shoulder responsibility for education, food and energy supply, environmental protection, the safety of food and drugs, and the myriad other tasks governments perform, or support, in industrialized societies.


I write these words against a backdrop of the transfer of power in the U.S. that was followed by worldwide demonstrations of historic proportions, amid concerns about rising trends towards authoritarianism across the world. I write them with deep appreciation for the many ways that government surveillance powers have been distorted to oppress and abuse the rights of citizens and non-citizens in the past century and around the world. Nonetheless, I continue to take the view that the antidote to unchecked power cannot be to create an alternative center of unchecked power. When government overreaches, the answer is to impose more effective democratic oversight, not to cede power to an opaque private sector that can’t easily be held to account.

Of course, we can let the technology arms race continue with a falsely split dialogue, one that makes out government to be a villain at all times and casts the tech sector as a shining knight riding in to save consumers from government overreach (an image that’s coincidentally quite good for global sales and profits). This narrative ignores the genuine complexity of striking the right privacy balance in private-sector collection and monetization of information, and it fosters an overly-slanted narrative of distrust for government, one that rejects altogether the idea that duly empowered oversight bodies can be entrusted to carry out their jobs effectively, and can be corrected, bolstered, or enhanced when they don’t.

That kind of hard dichotomy risks pushing us all into an ever-escalating technology arms race, in which the private sector tries to develop capabilities that government cannot penetrate, and the government races to find ways to detect and inspect the packets of information that will stop child pornography or prevent a terrorist attack. That us-vs-them dialogue risks putting privacy on a pedestal while ignoring real dangers to other human rights. It even risks creating incentives for government to go to greater extremes to collect legitimate information, and thereby, intrude more on privacy than we would wish.

The way forward can’t be a false juxtaposition of privacy-vs-safety or private-sector-against-government. 

The characterizations shouldn’t start from a presumption that government always engages in sinister overreach, and the private sector always acts in noble and benign defense of personal privacy. Instead, we should be looking to foster cooperation between the two sectors; to recognize the importance of effective government oversight and bolster those mechanisms when we need to do so; and to expect transparency, balance, and responsibility from a diverse and innovative private sector as it works through its own challenges on the balance of surveillance and privacy.


2 Comments


  • Lisa Lagrow • Jan 26, 2017
    I don't trust google or facebook with personal info but certainly do not believe THIS:
    
    "Intelligence gathering in liberal democracies takes place within a context: a duly constituted representative government, in which elected officials set intelligence priorities, enact legislation that defines the outer limits of lawful intelligence collection, issue government policy guidance to further clarify that legislation, and respond to internal and independent overseers who have robust powers to ferret out misdeeds and impose sanctions or take other corrective action. "
    
    Ever since the so-called "Patriot" Act, our government has definitely been violating our 4th Amendment rights. There have been no "outer limits" and no overseers.   I don't believe the private sector is innocent, as they want our data for non-stop marketing, but certainly don't trust the NSA, CIA and the like with my data either.  They have shown, through the Snowden leaks, they are not following the laws and that Congress doesn't care to provide any meaningful oversight.
  • Jay Libove • Jan 30, 2017
    The comparison of a perfectly impenetrable shipping container to perfectly impenetrable encryption is not quite right. Inside the shipping container is something that, upon opening (whether from the outside, from the inside, or from a detonation timer, etc) could be immediately harmful. Physically crossing a security boundary (such as a national border, but could be other types as well) does require the ability to open that container.
    Information in-transit, unless it is the final step in a chain of law enforcement failures e.g. "Attack now", will almost never, or never, be immediately harmful. It will relate to potentially harmful acts, which acts are planned, resourced, and finally carried out.
    As it is technologically impossible to encrypt in a way which is generally secure and can also be accessed "when appropriate" by any third party (be it an authorized government or anything else), and the immediacy of the need to inspect not being quite the same as with the shipping container, it is the wrong balance to suggest that the encryption used on data in-transit must always be inspectable. It is equally wrong to suggest that technology companies should not build the strongest practical security (including impenetrable encryption) into all consumer products, given the extremely real threat to that data every day from many actors (including, at times, State actors).
    Laws in democratic societies already provide for law enforcement power to gain access to various parts of the attack / crime chain. Telling tech companies to leave their products more vulnerable (to governments, as well as to general cyber criminals, and to hacktivists, and anarchists) suggests an incorrect balance which will have more negative effect than positive. The tech companies should continue their trend towards better and more complete encryption and security.