[Politech logo]

Politech is the oldest Internet resource devoted to politics and technology. Launched in 1994 by Declan McCullagh, the mailing list has chronicled the growing intersection of culture, technology, politics, and law. Since 2000, so has the Politech web site.

Privacilla's Jim Harper to House: Worry more about .gov snoops!




---

Date: Wed, 1 May 2002 08:53:08 -0400
Subject: Privacilla Testimony to House Judiciary Committee
From: "Jim Harper - Privacilla.org" <jim.harper@privacilla.org>

This morning, I'll be testifying to the House
Judiciary Committee's Subcommitttee on Commercial and Administrative Law
regarding the Federal Agency Protection of Privacy Act (H.R. 4561).  (10:00
am in 2141 Rayburn House Office Building.)
My written testimony is up on the site at:

PDF: http://www.privacilla.org/releases/federal_agency_privacy_testimony.pdf
html: http://www.privacilla.org/releases/federal_agency_privacy_testimony.html

The html version has handy links to additional
reading.  And not just any additional reading.  Additional reading
about privacy . . . .

Jim Harper
Editor
Privacilla.org

---

          Prepared Statement of Jim Harper, Editor of Privacilla.org
                         at the Hearing on H.R. 4561
                the "Federal Agency Protection of Privacy Act"
           U.S. House of Representatives Committee on the Judiciary
              Subcommittee on Commercial and Administrative Law

                                 May 1, 2002

    Chairman Barr, Mr. Watt, and Members of the Subcommittee,

    It is a great pleasure to appear before you to discuss H.R. 4561, the
    "Federal Agency Protection of Privacy Act." I am Jim Harper, the
    Editor of Privacilla.org, a Web-based think-tank devoted exclusively
    to privacy. I am also an Adjunct Fellow at the Progress & Freedom
    Foundation and the Founder and Principal of Information Age lobbying
    and consulting firm PolicyCounsel.Com.

    Privacy is one of the most complex and difficult public policy issues
    confronting Congress and legislatures across the country today. I am
    pleased to lend what knowledge I have to your consideration of this
    legislation.

    Privacilla.org is a Web site that attempts to capture "privacy" as a
    public policy issue. The pages of Privacilla cover the issue of
    privacy from top to bottom. We deal with fundamental privacy concepts,
    privacy from government, and privacy in the private sector, including
    financial, medical, and online privacy. Anyone may submit ideas,
    information, and links for potential inclusion on the site. The site
    represents the thinking of many people and I would refer you to the
    Privacilla "Support" page to get an idea of the groups we work with.
    Please visit Privacilla at http://www.privacilla.org and use it as a
    resource whenever your work brings you to a privacy policy question.

    Privacilla takes a free-market, pro-technology approach to privacy
    policy. There certainly are other views, and you should consider them
    all. Please also be aware that Privacilla is currently a project of my
    lobbying and consulting firm, PolicyCounsel.Com. My firm does not
    represent any interest on privacy specifically, but nearly all issues
    touch on privacy in some way, so you should consider my potential for
    bias, as you would with any privacy advocate. The views presented on
    Privacilla, and those I express today, are not the views of any
    client.

    Chairman Barr, I salute you for introducing H.R. 4561 with broadly
    bipartisan support, and for holding these hearings today. Mr. Watt,
    and other Members of the Subcommittee, congratulations to you for
    joining in introducing this important bill.

    Privacy is a complex and widely misunderstood public policy issue.
    This legislation can help protect Americans' privacy by giving the
    American people, the press, and Congress information they need about
    how federal regulation affects privacy. This legislation presents an
    opportunity to refine the terms of the many different "privacy"
    debates, so that Congress, the press, and the public can find
    solutions to a number of important problems.

    Though they are motivated only by beneficent purposes, many government
    programs deprive Americans of control over personal information and
    their privacy. The Federal Agency Protection of Privacy Act can help
    restore to the people the power and autonomy that is one of the great
    benefits of living in the United States. There are several successful
    precedents in our nation's administrative laws for this proposal. Few,
    if any, changes are needed to perfect the legislation in terms of
    privacy. I urge you, though, to be aware of the many important
    elements of information policy beyond privacy that fall within the
    scope of the bill.

    Defining Terms: What is Privacy?
    The Judiciary Committee is the committee of American law and legal
    institutions. There is no better place to define and give structure to
    terms such as our focus today: privacy. By digging deeply into privacy
    as a legal concept, you as congressional leaders can dramatically
    improve the quality of many public policy debates, and the outcomes
    Congress produces for the American people.

    Left undefined, the word "privacy" has become far too much of a
    stalking horse for all variety of ideological and special interest
    groups. Indeed, a coterie of activist organizations - including
    Privacilla - thrives because there is not an agreed to and limited
    definition for the word "privacy" in current debate. Moreover, the
    lack of definition has rendered Congress, state legislatures, the
    press, and the public less able to find solutions to the many problems
    and legitimate concerns that popularly fall under the heading of
    "privacy."

    For example, identity fraud is widely perceived as a "privacy"
    problem. But it is better understood as a group of crimes that thrive
    on the use of personal identification and financial information.
    Because of this widespread misperception, the crimes that constitute
    identity fraud go poorly enforced while Congress considers banning
    many uses of Social Security Numbers in the name of "privacy."
    Limiting SSN use would likely stifle many benefits that consumers and
    the economy enjoy without effectively reducing this serious crime
    problem.

    Similarly, unwanted commercial e-mail, or "spam," is an intrusion into
    electronic communications and a serious annoyance that is often
    labeled as a "privacy" problem. Spam exists in large part because
    e-mail marketers know little or nothing about the interests of
    potential customers. It is difficult to reconcile spam - e-mails
    broadcast to unknown people nearly at random - with the heart of the
    privacy concept, which is too much personal information being
    available too widely.

    At Privacilla, we have a working definition of privacy that we believe
    should form the basis of policy discussions on the topic: Privacy is a
    subjective condition that individuals enjoy when two factors are in
    place legal ability to control information about oneself, and exercise
    of that control consistent with one's interests and values.

    Privacy is a personal, subjective condition. It is a state of affairs
    individuals enjoy based on sharing or retention of information about
    themselves consistent with their own preferences. These preferences
    are a product of such things as culture, upbringing, and experience.
    Because privacy is subjective, one person cannot decide for another
    what his or her sense of privacy should be. You can not tell me,
    either by giving your opinion or by passing a law, that my privacy is
    protected when I think it is not.

    The first factor above goes to the existence of choice the legal power
    to control the release of information. A person who wishes to maintain
    privacy in the appearance of his or her body, for example, may put on
    clothes and be relatively certain that no one will remove that
    clothing without permission. Few laws require people to remove their
    clothing and, thanks to the concept of "battery" in state tort and
    criminal law, private actors may be punished for touching our clothing
    in any way that interferes with bodily privacy. Our choices to hide or
    reveal information about the appearance of our bodies are protected by
    law.

    Likewise, a person who wants to prevent others from gaining knowledge
    of his or her purchasing patterns may pay in cash and regularly change
    the stores at which he or she shops. He or she may also arrange by
    contract to have personal information maintained in confidence.
    Various legal protections, such as the law of contracts, give us
    autonomy and choice that we use to protect privacy.

    The second factor is exercising that control of information consistent
    with our values. This is difficult in many commercial marketplaces.
    Many consumers are unaware of how the Information Economy works, and
    the fact that they are a part of it. Many industries are monolithic in
    their information practices. Arguably, they fail to fully inform
    consumers about what happens with personal information, and they offer
    consumers few alternatives. This is arguable, however. It may be that
    only a tiny, but vocal minority of consumers and activists actually
    wants to study commercial information practices and exercise choice
    among different options. If a significant number of consumers do, they
    are a market waiting to be served.

    As policy-makers, we should not presuppose that a certain amount or
    type of privacy serves consumers' interests in the marketplace, and
    Privacilla's definition of privacy does not do this. Advocates who
    claim to know what consumers want in terms of privacy prove their
    ignorance by making the claim.

    Consumers may rationally determine that they are safe from harmful
    uses of information when dealing with certain companies and leave it
    at that. The fact that hundreds or even thousands of mundane facts
    about themselves are in the hands of businesses may be a matter of
    indifference to reasonable people. Aware, empowered, and responsible
    consumers can demand of businesses what options they want in terms of
    information sharing or withholding. They can also demand, if they
    prefer, lower prices, customized service, combined offerings, and so
    on.

    Unless Congress and state legislators are going to guess at consumers'
    true preferences and impose them from the top down, only consumer
    education will deliver privacy on the terms consumers want it in the
    commercial world. Governments cannot protect privacy directly; they
    can only foster or destroy people's ability to protect their own
    privacy.

    Governments Pose a Unique Threat to Privacy
    While protecting privacy in the commercial world may be difficult,
    protecting privacy from government is impossible. Dealings with
    government are categorically different from interactions in the
    private sector. When citizens apply for licenses or permits, fill out
    forms for regulators, or submit tax returns, they do not have the
    legal power to control what information they share. They must submit
    the information that the government requires. It is either illegal to
    withhold information or withholding information penalizes citizens of
    money or benefits to which they are legally entitled. The notorious
    "Big Brother" in George Orwell's 1984 was a caution against the powers
    of governments. When dealing with them, the first factor in privacy
    protection - legal power to control personal information - is absent.

    It would be a mammoth, but worthwhile, task to catalogue all the
    personal information that is demanded by all federal programs.
    Additional study should include the purposes for which information is
    collected, other purposes to which it is put, and whether such
    information is ever eliminated from government records when it has
    served its original or successor purposes. The Federal Agency
    Protection of Privacy Act may help us do that.

    Some studies suggest the scope of personal data collection and
    warehousing done at the federal level. In September 2000 testimony to
    the House Government Reform Subcommittee on Information Management,
    Information, and Technology, Solveig Singleton, now of the Competitive
    Enterprise Institute, surveyed federal databases. Her non-exhaustive
    list included databases at the Commerce Department, the Department of
    Justice, the Department of Education, the Department of Energy, the
    Federal Bureau of Investigation, the Department of Health and Human
    Services, the Department of Housing and Urban Development, the
    Department of the Interior, the Department of Labor, the Social
    Security Administration, and the Department of the Treasury, which
    houses the Internal Revenue Service. Many of these databases include
    health and financial information.

    In March 2001, a study issued by Privacilla.org found that, during the
    18-month period from September 1999 to February 2001, federal agencies
    announced 47 times that they would exchange and merge personal
    information from databases about American citizens. New information
    sharing programs were instituted more than once every two weeks. We
    characterized these programs as only the tip of an information-trading
    iceberg. The Computer Matching and Privacy Protection Act, which
    causes agencies to report these activities in the Federal Register,
    applies only to a small subset of the federal agency programs that use
    personal data about Americans. New uses of personal information are
    made by federal agencies constantly. The Privacy Act requires only a
    declaration in the Federal Register of a new "routine use" before
    personal data is used and shared in new ways.

    In case it needs emphasis, the threats to privacy posed by government
    programs are not the result of malice or malfeasance of any kind. The
    political leaders who have instituted such programs, and the
    administrators who operate them, have the best intentions for serving
    the public. Similarly, the fact alone that any government program
    weakens American citizens' privacy should not be the sole reason to
    terminate or cut back the program. Rather, privacy should be an
    important factor that policy-makers consider whenever they are
    creating, implementing, or altering government programs. Studies like
    Privacy and the Digital State: Balancing Public Information and
    Personal Privacy by Progress & Freedom Foundation Senior Fellow Alan
    Charles Raul have made progress on that front. The Federal Agency
    Protection of Privacy Act would help make privacy part of the
    policy-making calculus in federal agencies and in the Congress.

    The Administrative Process Should Inform the Public About Privacy
    Impacts
    A prominent theory behind the Administrative Procedure Act's enactment
    in 1946 was the idea of "scientific government." This was the notion
    that a band of impartial public servants would discover the one true
    public interest underlying legislation, and regulate in its service.

    Experience and modern scholarship reveal that the regulatory process,
    like the legislative process, does not locate some singular public
    interest. It responds to a cacophony of competing interests and
    values, among which are the interests of regulators and bureaucracies
    themselves. Administrative government does not improve on
    constitutional legislative processes so much as it improvises to
    accommodate the growth of the federal government in the latter half of
    the last century.

    An increasingly prominent theory of the administrative process though
    perhaps still a fallback from the idea that regulation would discern a
    "pure" public interest is that it can open administrative lawmaking to
    public scrutiny, particularly along lines that are deemed important by
    Congress. Several amendments to the APA in the last twenty-five years
    are consistent with this approach.

    The Regulatory Flexibility Act, passed in 1980, requires agencies to
    consider the special needs and concerns of small entities. Each time
    it publishes a proposed rule in the Federal Register, an agency must
    prepare and publish a Regulatory Flexibility Analysis describing the
    impact of the proposed rule on small businesses, organizations,
    government jurisdictions, and the like. The Initial Regulatory
    Flexibility Analysis is subject to public comment, and a final
    regulation must be accompanied by a final Regulatory Flexibility
    Analysis. The Reg-Flex Act apparently provides the model for the
    Federal Agency Protection of Privacy Act.

    Along similar lines, Congress passed the Unfunded Mandates Reform Act
    in 1995. Among other things, UMRA requires federal agencies to inform
    and work with states and localities on major regulations. The Small
    Business Regulatory Enforcement Fairness Act, passed in 1996, requires
    agencies to work more closely with small business in formulating
    regulations. It also subjects the analysis requirements of the
    Regulatory Flexibility Act to judicial review.

    These laws provide extensive precedent for the Federal Agency
    Protection of Privacy Act. The federal administrative process has been
    modified several times to accommodate the interests of various
    private- and public-sector institutions. Opening that process to the
    privacy interests of individual Americans is a matter of consensus
    among a broad cross-section of advocacy groups and congressional
    leaders, as we see from the wellspring of support for this
    legislation.

    Some Important Details and Nuances to Consider
    The Federal Agency Protection of Privacy Act is modeled on the
    Regulatory Flexibility Act, which has been used with success for more
    than 20 years to get greater information about the impacts proposed
    regulations will have on small entities. Simply, the Act would require
    agencies to issue the same type of analysis an Initial Privacy Impact
    Analysis along with a notice of proposed rulemaking. After considering
    the comments of the interested public, agencies would have to issue a
    Final Privacy Impact Analysis along with the finally promulgated
    regulation.

    The success of the Regulatory Flexibility Act increased with the
    addition of the judicial review provisions to the Reg-Flex law in
    1996, and it is pleasing to see that the Federal Agency Protection of
    Privacy Act also would make agency action subject to judicial review.
    Knowing that judicial review is available will make agencies naturally
    solicitous of congressional intent without requiring a great deal of
    litigation.

    As with all legislation, there are some elements that could be
    improved. The casual reader may suspect that the Federal Agency
    Protection of Privacy Act would require agencies to assess how private
    sector implementation of regulatory mandates would affect privacy.
    This reading is probably a stretch and, judging by the public
    statements you and your colleagues have made, Chairman Barr, this is
    not your intent. Rather, it appears that your intent is for agencies
    to assess the consequences of their own information practices on
    privacy.

    Language perfecting the bill could require agencies performing an
    Initial Privacy Impact Analysis to "describe the impact of the
    agency's uses of information under the proposed rule on the privacy of
    individuals." (proposed 5 U.S.C.  553a(a)(1); suggested added
    language in bold). Likewise, agencies performing a Final Privacy
    Impact Analysis could be required to describe and assess "the extent
    to which the agency's uses of information under the final rule will
    impact the privacy interests of individuals . . . ." (proposed 5
    U.S.C.  553a(b)(2)(A); suggested added language in bold). These minor
    changes are one way to better express the intent of the legislation.

    As you consider this legislation, you should be aware that it
    incorporates many policies beyond privacy. Security, for example,
    (made a part of Privacy Impact Analyses at 5 U.S.C. 
    553a(a)(2)(A)(iv) and 5 U.S.C.  553a(b)(2)(A)(iv)) is any number of
    practices and processes that respond to threats against a company or
    government's ability to function. Only one such function is carrying
    out privacy obligations. A business or government that lacks proper
    security may well violate its privacy commitments, but may allow much
    worse to happen as well. The policy considerations that go into
    security of data in the hands of governments is a separate and
    significant issue beyond my expertise. There are benefits from
    requiring agencies to declare that they provide for security of
    personal information, as long as the agency is not so forthcoming as
    to breach security in the process.

    Providing access and an opportunity to correct personal information is
    an important consideration (made a part of Privacy Impact Analyses at
    proposed 5 U.S.C.  553a(a)(2)(A)(ii) and 5 U.S.C. 
    553a(b)(2)(A)(ii)). But access and the opportunity to correct
    information go to fair treatment much more than privacy. Consider that
    there is no reason to access or correct information that will never be
    used. It is only important that information be correct if it may be
    used adversely to the interests of the individual. Using incorrect
    information against a person is unfair, not unprivate.

    Access is also generally inconsistent with security. Giving access
    only to appropriate parties presents difficult security challenges
    clustered around authentication of identity. An Advisory Committee on
    Access and Security, convened by the Federal Trade Commission in early
    2000, concluded its work without reaching consensus because of the
    complex interaction between these two, essentially conflicting,
    interests. To illustrate this point: The privacy of information sealed
    in concrete and dropped to the bottom of the ocean is well protected,
    and it may remain private for eternity, but there is no opportunity to
    access it.

    As with security, there is no harm in requiring federal agencies to
    inform the public of access and correction rights. Similar fairness
    protections are found in the Privacy Act of 1974, which obviously
    deals with more than privacy.

    Using information for additional purposes (a part of Privacy Impact
    Analyses at proposed 5 U.S.C.  553a(a)(2)(A)(ii) and 5 U.S.C. 
    553a(b)(2)(A)(ii)) may affect privacy, depending on whether there is
    further disclosure of information. Information about a citizen's
    medical condition and address, for example, collected for making
    health care payments, may not be rendered less private if the same
    part of the same agency uses that information to research whether
    people with certain conditions reside in certain areas of the country.
    If a subsequent use of information involves sharing that information
    with a state agency or a different federal agency, however, then the
    subsequent use can be said to render the information less private than
    it was before.

    More importantly, though, a Privacy Impact Analysis that claims there
    will be no further sharing of information may provide false assurance.
    This is because nothing prevents governments from changing the rules
    about their use of information after it is collected.

    The National "New Hires" Database is an excellent case in point. The
    Personal Responsibility and Work Opportunity Reconciliation Act of
    1996 required the Secretary of Health and Human Services to develop a
    National Directory of New Hires. This directory is a database of
    information on all newly hired employees, quarterly wage reports, and
    unemployment insurance claims in the United States.

    The purpose of this new database was entirely laudable - helping
    states locate parents who have skipped out on their child support
    obligations. But, already, the data is being repurposed. The National
    Directory of New Hires has been expanded to track down defaulters on
    student loans. Additional expansions have been proposed that would
    give state unemployment insurance officials access to the database.

    In the better view, privacy in information is lost when it is
    submitted to government authorities. Unlike in the private sector,
    there is no higher authority to which Americans can appeal when
    personal information held by governments is put to new and
    unanticipated uses. A Privacy Impact Analysis that claims there are
    protections against use of information for changed purpose may be
    accurate for weeks, months, or years. But this is weak protection
    compared to contractual obligations formed in the private sector.
    Privacy-protecting contracts may be regarded as permanent because
    their breach is contrary to legally enforceable obligations that
    neither of the parties can unilaterally change.

    This does not counsel against requiring Privacy Impact Analyses to
    discuss use limitations. Such analyses may make Americans more aware
    when commitments to restrict uses of information are changed by
    subsequent Congresses and Administrations. We will be better informed
    if the Federal Agency Protection of Privacy Act is passed with all its
    current provisions.

    This discussion of the many nuances of the bill is intended to
    illustrate the enormous complexity of information policy, and to
    caution against unconsidered adoption of the so-called "Fair
    Information Practices." Often touted by pro-regulation privacy
    activists, they represent a vast array of different policies. Some are
    related to privacy; some are inconsistent with it. One does not have
    to agree with the baggage-laden concept of "Fair Information
    Practices" to support the Federal Agency Protection of Privacy Act.

    The concept of "Fair Information Practices" appears to have originated
    in the early 1970s from a committee convened within the Department of
    Health and Human Services called "The Secretary's Advisory Committee
    on Automated Personal Data Systems." The intellectual content of its
    report, commonly known as the "HEW Report," formed much of the basis
    of the Privacy Act of 1974 and its thinking is useful for controlling
    government data collection and use.

    The report treated the public and private sectors identically despite
    the vast differences in rights, powers, and incentives that exist in
    these different worlds. For this reason, it cannot be said that the
    HEW Report addressed all the complexities of the privacy issue. "Fair
    Information Practices" do not apply well to the commercial world. As
    an analysis of government information practices, however, the HEW
    Report was an important project and document. It also tells us that
    computers and privacy are not a new concern to Americans.

    Conclusion
    Again, Chairman Barr, Mr. Watt, and Members of the Subcommittee,
    congratulations on engaging an issue where you can truly improve the
    quality and character of life for all Americans. There is widespread
    consensus that people in the United States want to protect their
    privacy from government encroachments. The Federal Agency Protection
    of Privacy Act will inform the public about the privacy impacts of
    federal regulations, and empower them to make informed decisions about
    government programs. There are many nuances to consider and understand
    privacy and information policy are very difficult areas but the
    legislation you have proposed is an appropriate, measured, and
    important step in the pursuit of enhanced privacy protection for
    American citizens.
      _________________________________________________________________




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------
Sign this pro-therapeutic cloning petition: http://www.franklinsociety.org
-------------------------------------------------------------------------




Enter your email address to join Politech, Declan McCullagh's moderated technology and politics announcement list:

Return to politechbot.com