Today I am attending the Privacy and Civil Liberties Oversight Board hearing on "Defining Privacy" here in Washington, DC. Four sessions are planned for the day, as outlined on the PCLOB agenda, however due to a schedule conflict, I only anticipate being able to attend 2 or 3 of them, but will provide brief summaries of their salient points.
Before moving into the day's events, I commend the PCLOB for assembling robust panels of technologists, lawyers, academics, and government representatives. Far too many of these DC events are staffed with political folks, lobbyists, or those simply there to regurgitate their own turf's dogmatic talking points. But the four panels of the day look to be a responsible balance of perspectives, organizations, and professional backgrounds that hopefully will provide meaningful content to the public discussion of this most timely and critical issue.
That being said, for me, the lead-off panel, "Defining Privacy Interests" is the most important one of the day, as without public discussion about what constitutes privacy interests, it's hard to determine when those interests are being infringed upon.
Liza Goitein from the Brennan Center for Justice talked about how privacy is the control of one's own information and whom it is shared with, and that government surveillance measures have a far more coercive hand in people's behavior than similar activities conducted by private companies. She argued that government surveillance practices have the unfortunate consequence of silently telling citizens what aspects of privacy they should value versus what they are legally entitled to. Goitein emphasized that privacy is a fundamental human right that is enshrined in assorted national laws and international treaties.
Agreeing with Liza was GWU's Dan Solove, who then discussed how 'privacy' concerns tend to be viewed through the lens of the individual while 'security' is interpreted through a collective, societal one. (Rick here: I hadn't thought of that before - interesting point!) Accordingly, he posits this forces a change in behaviour by citizens who are afraid of having to explain themselves or their actions that occur within the full context of the law should they become caught up in the web of surveillance analytics and presumed suspicious. Solove believes that in a free society, government is the agent of the people, and not vice-versa -- but for this to occur, competent, knowledgeable and effective oversight of its actions, such as surveillance, must take place. In his view, there is a reachable "balance" between public security and individual privacy, but that many of the discussions surrounding this balance tends to result from privacy-infringing security practices taking place without effective oversight. Put another way, how can people truly know if they agree and/or want more (or less) surveillance absent its informed oversight leading to informed public discussion about the issue?
Former prosecutor Paul Rosenzweig believes that privacy notions from the 1970s are outdated in 2014. Equating how safety standards for a Ford Thunderbird are surpassed by those of a modern Tesla, he argues that a 'Tesla' approach is needed to modernize privacy oversight and regulations viz-a-viz the changing pace of both technology and society. Interestingly, he countered Goitein's remarks about privacy being a universal human right, proposing instead that it serves an instrumental or utilitarian value only if it enables other societal gains. Most notions of privacy, he says, are akin to seeking "autonomy from society" and that most of the calls for transparency regarding government surveillance programs simply are calls to abolish them. To Rosenzweig, Congress, as the elected representatives of civil society, is the correct place for surveillance oversight to take place and determinations of what society's interests are regarding privacy and security. (Rick here: I beg to differ. We need a group of informed - key word - overseers that are not paid-for or easily swayed by lobbyists and other special interests. More in the next post.) In terms of the oversight required for the government surveillance activities revealed by Edward Snowden, he believes that the broad Section 215 activites require significant oversight to ensure the reconciliation of any errors in the analysis of collected data, but that the more targeted Section 702 actions require less oversight since there is a reduced possibility of errors resulting from a less likely chance of inadvertent data collection under it.
Princeton's Ed Felten identified three processes within the surveillance-vs-privacy debate worthy of discussion: the collection, merging, and analysis of data. Of the three, he believes that efforts made to control the collection of data will be most effective and easier to implement, since its merging and subsequent analysis can present assorted gray areas open to subjective interpretation of context post-collection, especially when viewed from a mosaic-theory perspective. (Rick here: I agree. If you don't collect it, you don't run the risk of then figuring out what to do with it.)
Speaking of which, one item raised by Felten and subsequently discussed during Q&A by the panel was the notion of mosaic theory; namely, the belief that the collection of individual data points, when aggregated and analyzed, can provide much more detailed insight and/or new knowlege than its individual components -- and potentially raise new privacy concerns that need to be explored as part of this overall issue. (Rick here: Mosaic theory is a key contributor to overclassification in the intelligence community, so if they're worried about its potential adverse consequences, why shouldn't we?) Additionally, an interesting question emerged (but was not fully answered) over what controls/regulations could be applied at the point of collection to a government agency versus commercial entity when directly surveilling or collecting data from/on citizens -- and by extension, what controls/regulations could apply to the point of collection by a government agency requesting data on citizens that was collected by a private entity. All matters for consideration, analysis, and continued discussion, obviously.
I'm pleased to say the panel set a good tone for the day, outlining some of the key considerations in the security-versus-privacy debate.
On a side note, someone here had a great sense of humor. There is a wi-fi point entitled "NSA Surveillance Van 13" showing up nearby. Although I tend to play this game myself at various events, rest assured it was not me today!
Comments from panel #2 after the break....