Privacy Abuses: How, Why, Where? EDITOR: Which "practices" today pose the most serious invasions of privacy? From which institutions—government, private business, the media? JOHN GILLIOM: We are in the middle -- or, perhaps, still at the beginning -- of a widespread and breathtaking revolution in surveillance technology and policy. From DNA "fingerprinting," to the rapid sorting of digital imagery, to number matching, to endless standardized "testing," to the increasingly pervasive swapping of consumer and personal information, we are in the midst of a transforming moment in the capacity to watch, monitor, and control. The particular practices that pose the most serious invasion would depend on whom we are talking about and what they are doing. For middle class consumers, it is probably the financial, medical, and marketing industries and their seemingly unquenchable thirst for more information about us. For younger people, it is probably the education industry and the whole sweep of evaluations—SAT, ACT, LSAT, grade point average and other assessments—which have now become part of their easily traceable, permanent record. For lower class and minority citizens, it is probably the police—with "DWB" (driving while black) policies, profiling, and life under what appears to be an ongoing premise of "reasonable suspicion." PRISCILLA REGAN: I am not sure that there is one practice that poses the most serious invasion of privacy. There are some practices (most notably, medical and marketing practices) that occur without public accountability and knowledge, which have resulted in quite negative consequences for many people and, for a variety of reasons, have been resistant to legislative initiatives. The anecdotal record here provides fairly conclusive evidence of out-of-control and somewhat irrational information exchanges and disclosures. No organization seems to be thinking through what it "needs to know," what the real value of information is, and whether the organization already has that information. I think the accumulation of practices now poses the most serious invasion. The "surveillance imperative" and the "panoptic sort" have permeated all areas of our lives. Corrections in any one area may be necessary and result in some positive changes. But the problem is really systemic and needs to be addressed as such. The American sector-by-sector approach is part of the problem, in that distinctions among information are irrelevant given the exchanges that occur across sectors. An omnibus data protection policy better addresses a systemic problem. JUDITH WAGNER DECEW: John and Priscilla have described many of the practices that pose the most serious threats to, and invasions of, privacy-surveillance, DNA fingerprinting, sorting of digital imagery, collecting and sharing of personal information, etc. I endorse all of their concerns about political and institutional We are in the midst of a transformative moment in the capacity to watch, monitor and control. [JOHN GILLIOM] power, as well as John's thoughtful assessment on how the seriousness of the threat depends upon one's age and financial status. For most citizens, I would argue that the private business sector poses the most serious invasions of privacy. We are all getting to know more about the vast amounts of personal data collected—financial and credit information, medical data, pharmacy information, telephone call records, supermarket buying habits, etc. The ways in which these massive databases can be aggregated and then sorted in devious and dangerous ways pose the most serious privacy concern. Government, private businesses, and individuals all have the capacity to do this. Private businesses, however, have a profit motive that makes them a greater threat. If data about someone is not only aggregated, but also sorted in specialized ways, then businesses can release selective data that present a person in a way that can be exceedingly damaging. They can paint a horribly distorted portrait of someone, yet the individual cannot protest if all the data are "true." Nevertheless, the true tidbits, sorted and then combined selectively, may be totally misleading. Such customized packages can be constructed and sold to any customer willing to pay for them. The power of this capacity, increasingly used to alter or create identities, is invasive and frightening. This can be done without one's knowledge or consent and used to surprise and damage a person only when needed (in a divorce, custody, or other legal case, for example). Perhaps this is not very common now, but I believe it will become more common and will be used to target everyone, from welfare mothers to wealthy entrepreneurs. AMITA ETZIONI (George Washington University): I believe that as a rule we should look for the middle ground. Two recent unrelated news items highlight the need for new ways of thinking about the social problems that bedevil us. One concerns the debate over whether the Supreme Court should allow the Miranda rule to be eliminated. The other concerns whether the records of dangerous mental patients should be included in a databank that gun dealers must consult before they are allowed to sell a gun. In considering both matters we are following the advocacy model on which our court system is based. Each side makes its case as starkly as possible, disregarding intermediate positions. We assume that the light generated by the clash of two uncompromising viewpoints will lead the judge or jury to see the true course. One may wonder if this is the case in the courts. It clearly is not the case in matters of public policy, where a strong advocacy approach blinds us to other options. In the Miranda case, conservatives argue that the requirement to throw out voluntary confessions, if the suspects have not been read their rights, allows killers to walk free because of a technicality. Liberals maintain that unless Miranda is strictly adhered to, the police will wring confessions from innocent people. Overlooked are a whole set of intermediate positions -- for instance, one in which a judge determines whether police misconduct or a technicality led to the contested confession. And, when it is determined that a technicality and not coercion led to the confession, a note might be placed in the police officer's personnel file. In this way, any repetition of questionable actions would stand out when evaluating future confessions. The other news item concerns the inclusion of the names of dangerous mental patients in the "Brady Bill" databank. Most state laws ban the disclosure of mental patients' records in order to protect their privacy. At the same time, a study of recent serial killings and shootings at workplaces shows that about half of them are committed by people who have been previously institutionalized and who had exhibited violent tendencies-hence, the request of public authorities to include mental patients' records in the databank. An intermediate position would include the names of mental patients in the databank but without their records or any indication of why they are included. They would simply be coded together with, say, those underage and those who committed minor crimes as not suitable for gun ownership at this time. In these and many other situations, intermediate positions come to mind, once one is willing to dump both extreme opposite positions, once one is inclined to look for common ground that may allow meeting the concerns of both sides. It is time to recognize that extremism in the defense of virtue is a vice. DAVID SORKIN: There are various ways of evaluating the gravity of threats to privacy. One dimension, of course, is the magnitude of the injury that can result. For example, it is hard to imagine a threat greater than one caused by a stalker who tracks down and murders someone based upon personal information that the victim thought would be kept confidential, as occurred in a widely reported California case a few years ago. But all of us are victims of intrusions that often are invisible to us. I consider these invasions of privacy serious because of their ubiquity, even though it is difficult to quantify the damage that they cause. Because the lack of transparency is especially prevalent in private sector data collection and use, I would say that private businesses are responsible for the most serious invasions of privacy. HERB STRENTZ: Walt Kelly, through Pogo, observed "We have met the enemy, and he is us." Shakespeare, through Julius Caesar, said it more eloquently: "The fault, dear Brutus, is not in our stars, but in ourselves ... " The major threat to privacy is through the "FOI" movement, but not freedom of information. Rather, it is the fear of information movement that I worry about, a movement that worries about what can go wrong if we share information, that worries about all the risks an open society entails. The practices today that pose the most serious invasions of privacy have to include what we don't do, what we don't have. We do not have much of an information ethic in this country. People do not seem to recognize, or accept, the responsibilities that should go with collecting and disseminating personally identifiable information. Likewise, people are not eager, perhaps not willing, to embrace the risks that accompany an open society. The absence of a reassuring information ethic is Most state laws ban disclosure of mental patients' records, to protect their privacy. [AMITAI ETZIONI] compounded by the fear that permeates so much of society today. So for the institutions themselves, there is enough blame to go around. Only government can pose constitutional threats to our right of privacy. We the people can hurt ourselves through our expectations and demands for privacy protection, our concerns for security, and our efforts to make expression a commodity. Private businesses certainly are among those posing the greatest threats to commercial invasions and to sacrificing privacy to sales and marketing interests. In terms of expanding and exploiting privacy invasions, particularly those that abuse principles of access and openness and those that strike at the most vulnerable people, I worry about the news media. PRISCILLA REGAN:The business sector poses the biggest threat to privacy. In part, there are constitutional and statutory controls that impose some sense of restraint or accountability on the government. There is, for example, the possibility of filing a FOIA or Privacy Act request and getting some information about governmental practices. This is not to say that there are not problems (the matching of welfare information illustrates this), but compared to the private sector, there are more institutional checks and legal accountability on the government. The media have begun to give more attention to privacy issues. This attention has been very valuable in terms of educating the public about the flows of personal information and the practices of organizations, keeping pressure on those organizations to "do the right thing," and generating legislative interest. I realize that on some issues, such as restricting access to public record information, the press and privacy advocates have been at odds, but right now there is some productive synergy. I am skeptical that self-regulation in the private sector will work, and I'm also skeptical about the private sector's intentions and commitment regarding privacy protection. As long as it makes good business sense and there is a fear of losing customers, the private sector will continue to nod in the direction of privacy. But the logic associated with the targeting and profiling of customers seems so powerful that I suspect privacy concerns will always be determined by economic concerns. The institutional and legal checks on the private sector are not as apparent as on the public sector. The FTC's authority regarding "unfair and deceptive trade practices" seems to provide the best means of holding businesses accountable. But that requires the filing of a complaint, and generally the FTC looks for some pattern of practices, not isolated occurrences. HERB STRENTZ: One of the problems in protecting information privacy is that logical remedies may be unworkable. Back in 1979-80, I served on the Iowa Citizens Privacy Task Force, which examined state government record keeping and the right of privacy. We asked a social worker how many of her clients had asked to see their files. She was horrified by the thought, because she was already overworked and did not have enough time in the week to make contact with as many of her clients as she wished. If even a fourth of her clients requested, it would have been physically impossible for her to comply with a Fair Information Practices Act requirement of access. Therefore, calling for a right of the record subject to access the records was of little value in practice. Perhaps a better approach would be to limit record keeping and employ monitors to sample records from time to time (a form of peer review). We should also involve the record subject in the practice. At least we'd be checking the system, if not the individual record. PRISCILLA REGAN: Herb raises some fundamental questions in terms of remedies. The Fair Information Practices have indeed given to individuals rights that they may not know they have or that they don't have the time or resources to use. The burden of enforcement of the practices is shifted to the individual data subject. Also, Fair Information Practices impose responsibilities on the staff running the programs, and this typically occurs without additional support to implement. Your first proposal -- to limit record keeping -- is right on the mark. Limiting the collection of personal information was one of the key principles of the early codes of Fair Information Practices and of the Privacy Protection Study Commission. Once information is collected, it's an uphill battle to control the exchange and disclosure of information. Record audits, to which Herb refers, are also an appropriate mechanism of control. Organizations, whether public or private, have been reluctant to allow an outside body to review their record practices, but the audit is a standard accounting practice. JOHN GILLIOM: One final thought: Is this really "privacy" that we are talking about? That seems like such a tired, overburdened little word being forced to stretch all the way from the solitude for a long hot bath, to the autonomy to make decisions about pregnancies, to potential limits on the most sophisticated interstate digital surveillance systems ever devised. Perhaps a turn to broader and more facile language of political conflict -- power, domination, oppression, resistance, democratization, consent, etc. -- would be a more effective way to speak about a surveillance revolution that may be one of history's most significant concentrations and expansions of institutional power. EDITOR: In what arenas, if any, are women or racial/ethnic or other minorities more subject to a loss of privacy? Why? DAVID SORKIN: Technology has changed and possibly lessened the extent to which broad, generalizable groups are differentially affected by the collection and use of personal information. To be sure, insurance companies, banks, and merchants still redline and discriminate, based on objectionable characteristics, but now those decisions are increasingly based on much more precise characteristics. For example, an insurer may discriminate (to the extent that the law permits it to do so) based upon its estimate of an individual's predilection to develop a particular disease. But now, such "predictions" can be influenced by the person's supermarket purchases, parental medical history, DNA, or other data, rather than by relying upon gender and race or proxies for them. JUDITH WAGNER DECEW: I do think that women and racial/ethnic minorities are more vulnerable, but probably most often due to their poverty or lack of access to information. The poor cannot purchase Caller ID, nor do those without access to Once information is collected, it's an uphill battle to control exchange and disclosure. [PRISCILLA REGAN] more knowledge know how to "opt out" of threatening practices, if such an option is even available. Nor can they purchase legal and medical assistance when privacy invasions intrude. Thus, I suggest that often poverty makes one more vulnerable, not one's status as female or minority. JOHN GILLIOM: We are all increasingly subject to invasions of privacy, but there is a lot of variance in intensity and in how much it matters. For an affluent person, the credit reporting industry is likely to be a benign force -- for others, it is a source of fear and denial. For a welfare mother, the comparable system of financial surveillance that she faces has the horrific power to cut off benefits and even command jail if she is caught up in one of the many small deceptions necessary to live such a life. Surveillance policies are expressions of institutional power and, therefore, will be related to broader and more fundamental relations of power and domination in the society. Although there will be variations, turnabouts, and surprises, we should expect the degree and importance of privacy invasions to reflect these broader relations. Spring 2000 Issue Home | The 20th Century | Celebrity and Privacy | Privacy Abuses Driver's Privacy Protection Act | Legislation | Resources | Contributors Credits/Disclaimers| John Ryan Leaves ABA Focus on Law Studies Home | Subscribe to Focus | Questions/Ordering Back Issues