Rigidity in Privacy, Transparency and Security

There are persisting frictions among the public and policymakers regarding three privacy orientations: those who rank privacy above security, those who rank transparency of information above privacy, and those who rank security above privacy. These tribal orientations cannot be localized into “no go” neighborhoods, so we cannot “opt out” from the consequences of each orientation. The policies adopted will matter to consumers.

The “privacy is supreme” tribe behaves as if protection personal privacy is a human right and thus a government obligation. They reserve the right to release personal information, but not necessarily when society desperately needs it, and often not without the coercion of costly legal shenanigans. The most extreme group in the tribe is the “right to be forgotten” clan. They want their past public actions and any published accounts of them to be suppressed from public view at their whim. Of course, they want the cost of that effort to be borne by someone else.

The information transparency tribe thinks the public has a right to know every detail of government activity. The civilized members of the tribe will be found near freedom of information submission kiosks. Renegade members of the tribe hover near TV cameras to explain how they stole and distributed information that harms the national interest. Narcissism blinds them to the damage from their leaks and they usually see themselves as saintly liberators of truth. Some reporters find these troves of national security materials to be irresistible.

The “security trumps privacy” tribe regards personal information as just another security resource – something covered under their “need to know.” This tribe supports a strong national defense and aggressive law enforcement. Efficacy in security requires any information that can reveal the who, what, where, how and why of impending attacks. If any of that is contained in your private information, then too bad. They sometimes shame themselves with “parallel construction” scams in the courts. For this tribe, the loss of some personal privacy is considered just a cost inherent in improving security.

The themes of privacy, transparency and security are not orthogonal. We cannot strengthen along one dimension without weakening along the others. There is little on the subject of privacy that the tribes agree on and their spokespersons tend to be very inflexible and loud. That makes it nearly impossible to constructively discuss privacy unless the strident extremes are put on mute.

It is futile to expect a policy framework on privacy that pleases all tribes, but it is important to identify policies that on balance protect privacy and safety – as the public expects. In this era of cyber-attack and terrorist exposures, sanity on the privacy versus security issue is desperately needed. Viable policies will deliver some privacy and security but they cannot achieve absolute privacy or absolute security. Policies must serve the some of the goals of all three tribes not just of one tribe.

A policy balance needs to be codified in statute, else we’ll continue wasting huge amounts of time and taxpayer money as the legal process slowly grinds and exposes classified information under supervision from politically appointed judges. The policy balance should accommodate cooperation between government and industry. Why should we waste the “heads up” advantages in what industry frequently detects and monitors? There are also technical issues to address such as what constitutes inadequate security and under what conditions is government permitted to crack encryption?

No progress is made by watching privacy tribes loudly proclaim their prejudices. As a practical matter, just Congress can do what the public needs. A statute addressing these matters would be timely and welcomed.