As new legislative sessions begin, policy-makers are asked to make sense of an increasingly polarized debate among historic -- and sometimes competing -- values of security, secrecy, privacy and openness. Each is a public good, but there is no clear agreement on how they fit together. The challenge is not choosing sides, it's reconciling friends.
Progressive thinkers of an earlier time set a high standard for privacy. Early last century, U.S. Supreme Court Justice Louis Brandeis argued, "privacy is the right to be left alone." The conclusion echoed the polemic of journalist E.L. Godkin that, "privacy is a distinctly modern product, one of the luxuries of civilization."
A small number of communities -- Ann Arbor, Mich.; Cambridge, Mass.; Berkeley, Calif.; Portland and Eugene, Ore. -- attempted to defend such luxuries by prohibiting the use of local funds to implement the USA Patriot Act, the provisions of which principally expand the latitude of authorized governmental surveillance. Less attention has been paid to attempts in at least 17 states to narrow the definition of governmental records subject to disclosure since the terrorist attacks.
Almost a decade ago, Beth Givens of the Privacy Rights Clearinghouse predicted, "The Internet will show us what happens when public records are truly public." Indeed, government's default reliance on privacy by obscurity -- in shielding paper records from disclosure -- was shaken by the efficiency of digits, which Nicholas Negroponte, co-founder and chairman of MIT Media Laboratory, said, "commingle effortlessly."
The federal government is counting on such commingling in its efforts to secure the homeland, which is evident in the new Total Information Awareness (TIA) program -- a counter-terrorism initiative implemented this year by the Defense Advanced Research Projects Agency (DARPA).
DARPA, which gave us the Internet, is worth taking seriously when promising a system that "increases information coverage by an order of magnitude." As envisioned, TIA is built around a comprehensive surveillance architecture that uses "novel methods for populating the database from existing sources, create[s] innovative new sources, and invent[s] new algorithms for mining, combining and refining information for subsequent inclusion into the database."
The idea behind TIA is to play offense with personally identifiable information to find patterns otherwise unnoticed, and use that insight to preempt threats. TIA picks up where existing intelligence, law enforcement and analytic data leave off, adding identity and a wide swath of transactional records -- financial, education, travel, medical, immigration, transportation, accommodation and communications.
The secondary use of public records suggests state and local government privacy policies and practices are due for a test. Historically, the public-sector IT community tended to see privacy as the purview of the "policy shop," and has gone about its business. Privacy is now IT's business. There is precedent for taking the lead on complex policy and management issues in both year 2000 remediation and cyber-security programs.
It follows that those who care about technology and public service would have something to say about safeguarding this civilized luxury. It is a stewardship responsibility unique to government because of the type of records held. Government alone can compel people to provide personal information, and holds unique authoritative records to which all others refer -- a particular issue in vouching for an individual's identity in a transient society.
That starting point, coupled with the problem-solving orientation of IT professionals and common sense, suggests a path forward:
As the subject and owner of personal data, they know what they prefer. Ask them.
Chief privacy officers have been slower to catch on than their security counterparts, but their issue is about to become at least as urgent.
Focus on the nature and sensitivity of records or record types, not the technology used to collect or deliver them.
The orbit of personal data within government is defined in statute. Use existing provisions as a protective hedge; keep amendments record-centric.
Provide privacy notices anywhere personal information is collected or displayed, including the Internet, paper forms, call centers and face-to-face interviews. If people object, their argument is with the legislature.
-Developer's Rorschach test:
Development teams' thoughts are often visible in the system diagrams drawn -- privacy and security tend to be relegated to the margins as a dashed red line; picture privacy at the center, not the edges.
-Design privacy in:
Privacy is sometimes seen as an impediment to elegant engineering. As we move forward, privacy is elegant engineering.
No watchdog activist or consumer group has greater interest in privacy and security of information exchange with citizens than government. The public-sector IT community needs to find its voice in this vital conversation. It is Y2K all over again -- except the stakes and noise level are much higher.
Paul W. Taylor, Ph.D., is the chief strategy officer of the Center for Digital Government, former deputy state CIO of Washington and a veteran of startups.