Government Access to Private-Sector Data

Forthcoming in IEEE Security & Privacy, Privacy Interests column


Fred H. Cate, Indiana University

Governments around the world are demonstrating a growing appetite for personal information held by the private sector. Public-sector interest in private-sector data is nothing new. Governments have long sought access to private enterprise data to administer social service programs, tax schemes, business and professional licenses, voter registration, vital records about major lifecycle events, and public infrastructure. They have also sought access to targeted data for law enforcement and national security purposes.

But the new voraciousness for private-sector data is reflected in expanding demands for wholesale access to information, and not just about individuals who warrant suspicion but about everyone. Furthermore, this demand is supported by the extraordinary growth of digital technologies that can record, store, and share electronically individuals’ records, communications, movements, finances, relationships, and even tastes.

A Growing Demand

We’ve recently seen an explosion in the demand for private-sector data:

India, Saudi Arabia, the United Arab Emirates, Lebanon, and Indonesia have all demanded real-time access to Research in Motion's BlackBerry Enterprise and Messenger services, so that they can read otherwise encrypted communications.1

The US Treasury has announced its intention to move beyond the 1.3 million suspicious activity reports and 14 million reports on international money transfers of more than US$10,000 that it currently receives each year. Instead, it will require disclosure of all 750 million annual money transfers into or out of the US.2

The US Transportation Security Administration's Secure Flight3 and US Customs and Border Protection's Automated Targeting System4 programs require that all airlines, irrespective of their location, collect and report personal information about passengers on flights into or out of the US.

Governments in Europe and elsewhere have created mandatory data-retention laws, giving governments access to private-sector data even after the information would normally have been discarded.5

The US Federal Bureau of Investigation is seeking an amendment to the Communications Assistance for Law Enforcement Act that would require social networking companies and peer-to-peer providers, such as Facebook, Twitter, and Skype, to give law enforcement access to private information. The amendment would also require firms that offer encrypted communications to decrypt the text for law enforcement.6

Google has begun disclosing the number of demands for user data that it receives from government agencies. Brazil and the US top the list, which altogether includes 13,700 requests during the first six months of 2010 (see www.google.com/transparencyreport/governmentrequests/).

The US, UK, and other countries have asserted the legal right to seize laptops and other computing devices at the border, copy their contents, and require access to encryption keys without articulating any suspicion or providing access to counsel.7

This is just a sampling of the recent expansion in the access that governments want. Each month brings new demands as governments seek to expand their reach and individual data become more exposed to government scrutiny.


A Shift in Surveillance

Law enforcement and national security officials claim that increased access to personal data from the private sector is necessary to keep pace with changing technologies and to keep cyberspace from “going dark”—a term officials use to describe an online world in which the bad guys can communicate free of surveillance. But there’s strong evidence that these new data dragnets are qualitatively different and seek information never before subject to routine government scrutiny. Consider four critical distinctions from past surveillance techniques.

First, more data than ever are created and stored in digital form. As Stanford law professor Kathleen Sullivan has written, "Today, our biographies are etched in the ones and zeros we leave behind in daily digital transactions."8 So government officials now routinely access data that didn't even exist two decades ago.

Second, they're seeking data about everyone, not just those who are targets of investigations. Scholars often note that one of the primary motivators behind the Fourth Amendment, the primary constitutional limit in the US on the government's ability to obtain personal information about individuals, was hostility to "general searches" by British troops, which weren't based on specific suspicion. Yet general searches are the raison d'être of many government data programs, which collect and analyze vast swaths of data about individuals who have done nothing to warrant the government's suspicion.

Third, in most instances today, governments seek personal data without judicial oversight. And because of the understandable secrecy that surrounds many data mining programs, legislative or popular oversight is often nonexistent or ineffective. The Lisbon Treaty has gone far to reduce distinctions between first-, second-, and third-pillar activities in the EU, thereby eliminating some of the barriers to oversight by data protection commissioners in Europe. However, limits on the commissioners' jurisdiction over national security activities, and on their practical ability to oversee other government data mining programs, have tended to reduce the practical effectiveness of this oversight.

Finally, because data are increasingly collected via the private sector and without notice to affected individuals, the role of the individual has been starkly reduced. In years past, the government might physically follow a suspect or search his or her home, thereby creating at least the possibility (and often the legal requirement) of notice and an opportunity to object, whether through a judicial, legislative, or other process. Today, surveillance is far more commonly conducted through cell phone service providers or GPS tracking devices, thereby eliminating the opportunity for individuals to be aware of, much less object to, the activity.

In his 1971 book, Assault on Privacy, Harvard law professor Arthur Miller warned of the "possibility of constructing a sophisticated data center capable of generating a comprehensive womb-to-tomb dossier on every individual and transmitting it to a wide range of data users over a national network."9 His fear seemed far-fetched at the time. Today, it's much closer to reality.

But privacy doesn't have to be sacrificed as a result. The risk of terrorists and other criminals exploiting the "dark" world of cyberspace to plan and execute attacks might mean that governments need greater access to personal data from the private sector and elsewhere. However, this doesn't have to mark the death of privacy or its trivialization into notices telling us that we have no privacy rights vis-à-vis the government when communicating, traveling, banking, or even walking down the street. Privacy advocates, scholars, data protection commissioners, and others have repeatedly stressed that privacy need not be sacrificed for us to be secure, and that if it is sacrificed, we will never be free.

Protecting Privacy

Several recommended “best practices” have emerged10–15 that lawmakers around the world would do well to consider. Although the proposals differ in their details, there is broad consensus that government programs designed to collect and use private data—especially from the private sector and without reason for suspicion—should at a minimum require the following.


Explicit Authorization The legislature or a senior elected official should authorize such programs based on an assessment of their likely efficacy and compliance with legal requirements and only after confirming a high level of oversight and accountability.

Legal Compliance Programs should remain in compliance with the law both when accessing data and engaging in data mining. Also, the government shouldn’t encourage or press private-sector entities to violate their legal obligation when providing data to the government.

Ongoing Evaluation The government should evaluate programs for effectiveness in accomplishing specified objectives prior to deploying them and regularly thereafter. The assessments should consider practical experience with the system, technological advances, changing needs, and the impact on individuals. The underlying goal should be to assess whether the data collection or analysis actually addresses a real threat. If not, any invasion of personal privacy is unjustifiable.

Data Integrity The government must carefully consider the appropriateness of the data for the intended use, especially when being accessed from the private sector and repurposed. It should also define a system for ensuring that data are kept up to date, accurate, and relevant.

Access Limitations We need limits on who can access large datasets (and for what purposes) and tools to enforce those limits. Rules should be built into data analysis systems that ask an analyst, for example, to specify his or her legal authorization for requesting data or conducting a search.16

External Authorization Before the government creates new data collection requirements or engages in mass surveillance, it should receive some form of judicial or other external authorization. This is especially important if the personally identifiable information will be used in a way that affects individuals, such as by denying or delaying access to a facility or benefit or subjecting them to an intrusive investigation. The specific body providing the oversight is less important than that the authorization be external to the agency engaging in the data collection and specified by the legislature.

Data Minimization Data minimization, anonymization, and other tools should limit the amount of information revealed to only what's necessary and authorized. This has been a major focus of the Markle Foundation Task Force on National Security in the Information Age, which has proposed that "anonymizing technologies could be employed to allow analysts to perform link analysis among data sets without disclosing personally identifiable information. By employing techniques such as one-way hashing, masking, and blind matching, analysts can perform their jobs and search for suspicious patterns without the need to gain access to personal data until they make the requisite showing for disclosure."13

Audits Audit tools should ensure that the rules surrounding data collection and use are being followed.
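The Access Limitations, Data Minimization, and Audits items above describe three controls that reinforce one another: an authorization rule built into the analysis system, keyed one-way hashing with blind matching so that analysts can link records without ever seeing the identifiers, and an audit trail of every request. The following Python program is an added example, not code from this column or from any of the cited Markle or NRC reports; it puts the three controls together over constructed sample data. The Custodian class, the field names, the key value, and the authority string are all assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import time
from typing import Optional


def normalise(identifier: str) -> str:
    """Canonicalise an identifier so that "+1 (555) 010-0001" and
    "15550100001" produce the same pseudonym."""
    return "".join(ch for ch in identifier if ch.isalnum()).lower()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256). A bare SHA-256 of a phone number or
    ID number is reversible by enumerating the small input space; the key
    stays with the custodian, so analysts holding tokens cannot do that."""
    return hmac.new(key, normalise(identifier).encode(), hashlib.sha256).hexdigest()


class Custodian:
    """Assumed design: the only party holding the key and the token-to-identity
    map, and therefore the only party able to re-identify. Every request is logged."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._reverse: dict[str, str] = {}
        self.audit_log: list[dict] = []

    def mask(self, records: list[dict], id_field: str, drop: tuple = ()) -> list[dict]:
        """Replace the identifier with its pseudonym and strip other direct
        identifiers, so the analyst receives only what link analysis needs."""
        masked = []
        for rec in records:
            token = pseudonymise(rec[id_field], self._key)
            self._reverse.setdefault(token, rec[id_field])  # keep first spelling seen
            out = {k: v for k, v in rec.items() if k != id_field and k not in drop}
            out[id_field] = token
            masked.append(out)
        return masked

    def reveal(self, token: str, analyst: str, authority: Optional[str]) -> str:
        """Rule built into the system: no stated legal authority, no disclosure.
        Denied and granted requests are both logged so an auditor can check
        that every disclosure had a stated basis."""
        entry = {"ts": time.time(), "analyst": analyst, "token": token,
                 "authority": authority}
        if not authority:
            self.audit_log.append({**entry, "outcome": "denied"})
            raise PermissionError("state the legal authorization for this disclosure")
        self.audit_log.append({**entry, "outcome": "disclosed"})
        return self._reverse[token]


def blind_match(left: list[dict], right: list[dict], id_field: str) -> list[tuple[dict, dict]]:
    """Link records across two masked datasets on the pseudonym alone."""
    index: dict[str, list[dict]] = {}
    for rec in right:
        index.setdefault(rec[id_field], []).append(rec)
    return [(lhs, rhs) for lhs in left for rhs in index.get(lhs[id_field], [])]


# Constructed sample data, not real records: a passenger list and a list of
# money transfers, both keyed on a phone number written in different formats.
PASSENGERS = [
    {"name": "A. Example", "phone": "+1 (555) 010-0001", "flight": "XY100"},
    {"name": "B. Example", "phone": "+1 (555) 010-0002", "flight": "XY100"},
]
TRANSFERS = [
    {"phone": "15550100001", "amount": 12000},
    {"phone": "15550100003", "amount": 400},
]


def run_demo(key: bytes = b"custodian-key-held-outside-the-analysis-system") -> dict:
    """Mask both datasets, link them blind, then attempt re-identification
    without and with a stated authority (the authority string is a placeholder)."""
    custodian = Custodian(key)
    passengers = custodian.mask(PASSENGERS, "phone", drop=("name",))
    transfers = custodian.mask(TRANSFERS, "phone")
    links = blind_match(passengers, transfers, "phone")
    token = links[0][0]["phone"]
    try:
        custodian.reveal(token, analyst="analyst-1", authority=None)
        denied = False
    except PermissionError:
        denied = True
    identity = custodian.reveal(token, analyst="analyst-1",
                                authority="court order (constructed placeholder)")
    return {"links": links, "denied_without_authority": denied,
            "identity": identity, "audit_log": custodian.audit_log}


if __name__ == "__main__":
    result = run_demo()
    print(f"{len(result['links'])} link(s) found; {result['identity']} revealed "
          f"after {len(result['audit_log'])} logged requests")
```

The keyed hash is the point that is easy to get wrong: an unkeyed SHA-256 of a phone number or national ID number is not anonymization, because the input space is small enough to enumerate, so anyone holding the tokens can recover the identifiers by hashing every candidate. Keeping the HMAC key and the reverse map with a custodian outside the analysis system turns "the analyst made the requisite showing" from a policy hope into a technical precondition, and a log that records denied as well as granted requests is what gives the audit item something to check.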

System of Redress Innocent individuals harmed by the use of their personal information need a system of redress so they’re made aware of the role of data analysis, given the opportunity consistent with the nature of the setting to dispute and seek correction of erroneous data, and compensated for any injuries. The system must also ensure that data analysis programs log any errors and “learn” from such errors. False positives are inevitable, so they must be addressed both in terms of recourse for the affected individuals and tools for avoiding them in the future.


Accountability We need serious oversight of data collection, sharing, and use that delivers a high degree of accountability that data systems are used appropriately, lawfully, and effectively. In the words of the US National Academy of Sciences Committee on Technical and Privacy Dimensions of Information for Terrorism Prevention and Other National Goals, the oversight must be both "robust" and "independent."10

The Effect on National Security

It seems clear that nations around the world need to update their laws to provide clear, appropriate, and substantive limits on government access to broad swaths of personal data held by the private sector. European Commission Vice President Viviane Reding has described the challenge for legislators to "establish a legislative framework that will stand the test of time," "guarantee a high level of protection," and "provide legal certainty to businesses, public authorities and individuals alike for several generations."17

The reasons for doing so include advancing both privacy and security. The role of good data management and oversight in enhancing national security is often overlooked, but it's clear. With its seemingly insatiable quest for more data, government threatens to exacerbate what's already arguably its greatest challenge in the national security context: making sense of the data it already has. The problem is "separating out the 'signal' of useful information from the 'noise' of all of those data."11 Poor analytical tools, sloppy data matching, or inappropriate data don't merely fail to advance security; they actively threaten it. In contrast, greater clarity and new attention to data analysis rather than just data collection are likely to advance security.18

Even if there's some perceived conflict with national security or law enforcement objectives, the law must not allow privacy to be eviscerated. The words of the US Supreme Court apply with equal force to all nations that respect and protect basic human rights: "It would indeed be ironic if, in the name of national defense, we would sanction the subversion of . . . those liberties . . . which [make] the defense of the Nation worthwhile."19

Fred H. Cate is a distinguished professor, C. Ben Dutton Professor of Law, and adjunct professor of informatics and computing at Indiana University and directs the university's Center for Applied Cybersecurity Research. A senior policy advisor to the Centre for Information Policy Leadership at Hunton & Williams LLP, he was counsel to the US Department of Defense Technology and Privacy Advisory Committee and a member of the US National Academy of Sciences Committee on Technical and Privacy Dimensions of Information for Terrorism Prevention and Other National Goals. Contact him at [email protected].

References

1. E. Kinetz, "India Eyes Google, Skype in Security Crackdown," San Jose Mercury News, 13 Aug. 2010.

2. E. Nakashima, "Money Transfers Face New Scrutiny," Washington Post, 27 Sept. 2010, p. A1.

3. "Secure Flight Program," US Dept. Homeland Security, Federal Register, vol. 72, no. 163, 2007, pp. 48356–48368.

4. "Privacy Act of 1974; US Customs and Border Protection, Automated Targeting System, System of Records," US Dept. Homeland Security, Federal Register, vol. 72, no. 150, 2007, pp. 43650–43656.

5. "Directive 2006/24/EC of the European Parliament and of the Council on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks," Official J. European Union, L 105, 13 Apr. 2006, pp. 54–63.

6. E. Nakashima, "U.S. Seeks Ways to Wiretap the Internet," Washington Post, 28 Sept. 2010, p. A4.

7. Privacy Impact Assessment for the Border Searches of Electronic Devices, US Dept. Homeland Security, 2009; www.dhs.gov/xlibrary/assets/privacy/privacy_pia_cbp_laptop.pdf.


8. K.M. Sullivan, "Under a Watchful Eye: Incursions on Personal Privacy," The War on Our Freedoms: Civil Liberties in an Age of Terrorism, PublicAffairs, 2003, p. 131.

9. A. Miller, Assault on Privacy, Univ. of Michigan Press, 1971, p. 39.

10. Committee on Technical and Privacy Dimensions of Information for Terrorism Prevention and Other National Goals, Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Assessment, Nat'l Research Council, The Nat'l Academies Press, 2008.

11. Technology and Privacy Advisory Committee, Safeguarding Privacy in the Fight against Terrorism, US Dept. Defense, 2004.

12. Protecting America's Freedom in the Information Age, Task Force on Nat'l Security in the Information Age, Markle Foundation, 2002; www.markle.org/downloadable_assets/nstf_full.pdf.

13. Creating a Trusted Network for Homeland Security, Task Force on Nat'l Security in the Information Age, Markle Foundation, 2003; www.markle.org/downloadable_assets/nstf_report2_full_report.pdf.

14. Mobilizing Information to Prevent Terrorism, Task Force on Nat'l Security in the Information Age, Markle Foundation, 2006; www.markle.org/downloadable_assets/2006_nstf_report3.pdf.

15. "The Cantigny Principles on Technology, Terrorism, and Privacy," Nat'l Security Law Report, Feb. 2005, p. 14.

16. I.S. Rubinstein, R.D. Lee, and P.M. Schwartz, "Data Mining and Internet Profiling: Emerging Regulatory and Technological Approaches," Univ. of Chicago Law Rev., vol. 75, no. 1, 2008, pp. 261–285.

17. V. Reding, "Tomorrow's Privacy: The Upcoming Data Protection Reform for the European Union," to be published in Int'l Data Privacy Law, 2010.

18. F.H. Cate, "Government Data Mining: The Need for a Legal Framework," Harvard Civil Rights-Civil Liberties Law Review, vol. 43, no. 2, 2008, p. 436.

19. United States v. Robel, Supreme Court of the United States, 389 US 258, 1967; http://laws.findlaw.com/us/389/258.html.