August Thoughts on Privacy
In the Washington Post yesterday, Jeffery Frank described DC in August as deceptively sublime, and really quite contemplative (Cheers to You, August). I think he’s right. DC gets hot and sticky, members of Congress go home and test the mood of the country, the crowds lessen, as does the hustle and bustle. Much of that opens up the city, in a nice, easy way, and while we’re here, sometimes we have time to think.
This week I’m thinking about privacy, globalization, and very old hills. Tomorrow night I’m heading up to Boston to join the symposium faculty and give a talk at the 2007 Privacy Symposium at Harvard. Since it’s an academic setting we are supposed to think big thoughts. I’m not sure I have one; but I’ll slog on.
A few things are clear to me. We do not want privacy rules that stifle the ‘Interactions-Based Economy,’ either as a technical matter, or with regard to emerging, and as yet undiscovered, business models. We don’t want privacy rules that by their terms pick technology winners and losers by government fiat - instead of market demands. In matters of security and privacy, policy affects architecture - so much so that, really, policy is architecture. And we don’t want to create a single situs (or perhaps worse, multiple situses) for techno-regulatory-arbitrage around security and privacy regulation that spirals us out of the cycle of innovation.
We clearly live in a world where different people, cultures, and countries have different views and values about privacy and security. In the U.S. we have a Constitution that limits the power of government in areas like search and seizure (the 4th Amendment). In Europe, there is a view that information about a person belongs to that person. And of course, nations around the globe have different views and values about privacy, national security, and the proper role of government. Therefore, it seems to me that we need a way of dealing with these differing historic and current views on privacy and security.
And it seems to me that there must be some useful precedents. I tend to approach issues of technology and policy from an initial basic premise: the principles that animate rules in the off-line world are the same principles that should animate rules in the on-line world. Therefore, what’s defined as theft or fraud using the tools of the off-line world is theft or fraud when using on-line tools too. In this sense, there is nothing new under the sun. The underlying principles are the same. But I also note that the speed at which things happen, the lower transaction costs through the use of IT, and the global nature of the network mean that we have to define these principles and analogies faster, recognize them quickly and then apply the principles directly. It also means, in the crime and consumer protection worlds, that we have to intensify and strengthen existing bi-lateral and multi-lateral enforcement tools, and aggressively enforce the laws against crime globally. So, up in Boston this week I’ll be working to try to connect the dots about historic precedents that might be helpful to deal with today’s cross-border privacy and security issues. Governments have started to build out bi-lateral and multi-lateral approaches already: the London Action Plan for voluntary consumer protection cooperation; the use of existing Mutual Legal Assistance Treaties for criminal law enforcement; building soft cultures of security and privacy through OECD principles; the global FIRST inter-governmental voluntary cyber incident response teams; and importantly - consumer education, awareness and training. But what else might we look to in history that sets the right analogy? I think we have to start by casting a wide net, then narrow it down. For example, what does the Law of the Sea have to add to this - or not? Or laws on the flow of capital? What is the right off-line analogy? It may be that there is nothing simple out there, or that we just haven’t ‘recognized’ the analogy yet.
Remember, the ‘security’ issue is not homogeneous (it’s crime, and consumer protection, and critical infrastructure protection, and defense of national security - each of which is different, and each has a different role of government domestically and nationally) and the same for the ‘privacy’ issue (with its health care, financial records, or advertising focus, but also the right to be left alone, or the national security of governments, or a myriad of cultural values - domestically and globally). But possible off-line analogies must exist, and we must narrow the field - how about the equivalent to the International Competition Network, where serious work on building both a practical and philosophical framework for voluntary substantive and procedural convergence on antitrust is well under way? One model for sure.
In any case, it’s August, and as Jeffery Frank wrote in the Post, time to sit back and think big. September is right around the corner, and in September, the sprint’s back on.