Striking the Security/Privacy Balance

2 Jun 2010

Governments face a conundrum in a digitally connected world obsessed by a desire to be secure against terrorism: How can law enforcement agencies working to intercept terrorist attacks mine data from telephone, email and internet records without violating innocent citizens' right to privacy?

Earlier this year, the German Federal Constitutional Court overturned a law on the retention of data on telephone calls, email and internet traffic for law enforcement purposes, finding that the law posed a "grave intrusion" to personal privacy. The court concluded that the communications retention law does not make sufficiently clear what the data would be used for and does not provide adequate protection of personal information. The law, the judges ruled, failed to balance the need to provide security with the right to privacy and contradicted a basic right of private correspondence.

The German case is emblematic of a conundrum facing governments and citizens in a digitally connected world obsessed by a desire to be secure against terrorism. Law enforcement agencies have the potential to capture large volumes of telephone, email and internet data as well as pictures stored by the millions of surveillance cameras mounted in cities and towns around the world.

The question is whether law enforcement agencies will be availing themselves of this data, or better yet, under what circumstances and for what purposes they may do so. As suggested by the ruling of the German court, the retention and examination of private data ought to be subject to common sense conditions which would restrict access to clearly defined law enforcement needs and which would protect the privacy of the innocent.

Widening the net

Ever since 11 September 2001, governments around the world have sought to expand the scope of their access to hitherto private data. Perhaps the classic example is the USA PATRIOT Act, passed in 2001 by the US Congress in the wake of the attacks. Proponents call the legislation an important toolbox for US authorities to fight terrorism. Detractors, pointing to provisions which authorize US law enforcement officials to snoop through records of bookstores, video stores and libraries, condemn it for allowing authorities to scoop up piles of private information on ordinary citizens.

Another example has been the proliferation of surveillance cameras. There are tens of millions of surveillance cameras now deployed in the US alone, and millions more in the UK and elsewhere, shooting billions of hours of footage a week. Supporters of the cameras say they detect and prevent crime, aid in criminal investigations and counter terrorism. The first clues to the identity of Faisal Shahzad, the alleged Times Square bomber, came from surveillance cameras.

But critics claim that the use of surveillance cameras is not in keeping with the values of an open society. Many citizens could be engaging in perfectly legal activities that they would not want exposed to others.

"Privacy is a fundamental human right," noted a document published in December 2009 by the United Nations General Assembly Human Rights Council. "Individuals should have an area of autonomous development, interaction and liberty, a 'private sphere' [...] free from state intervention and free from excessive unsolicited intervention by other uninvited individuals [...] While privacy is not always directly mentioned as a separate right in constitutions, nearly all states recognize its value as a matter of constitutional significance."

Toward sensible security policy

There have been a number of efforts to develop guidelines to help policymakers balance the provision of robust security measures against the protection of individual privacy. Some of these involve detailed discussions on how to evaluate the efficacy of specific security programs, while others make recommendations for the proper governance of the security/privacy balance.

In many cases, these guidelines, much like the German Federal Constitutional Court decision, revolve around the application of common sense: ensuring that information collection programs have clearly defined purposes and privacy protections.

In 2008, the National Research Council of the National Academies, a US government entity, published a monograph providing detailed guidelines on how to assess the efficacy of various kinds of government data collection programs. Entitled Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Program Assessment, the monograph proceeds from a number of premises, one of them being that "challenges to public safety and national security do not warrant fundamental changes in the level of privacy protection to which non-terrorists are entitled." Another pearl worth noting is that "program deployment and use must be based on criteria more demanding than 'it's better than doing nothing.'"

"It is simply not true that doing something new is always better than doing nothing," the monograph contended. "Indeed, policymakers may deploy new information-based programs hastily, without a full consideration" of a program's usefulness, its potential privacy impacts, "the procedures and processes of the organization that will use the program, and countermeasures that terrorists might use to foil the program."

Among the building blocks of a program assessment, according to the book, is an inquiry into the program's effectiveness: Does it work? How well does it work? How might it be made to work better in the future? And how does it compare to available alternatives?

"It is impossible to assess a program's effectiveness without knowing what it was intended to accomplish," the work noted. "A system's purpose should be the basis for judging if the system is appropriate."

Other elements of a sound program, according to the report, include "a clearly stated set of operational or business processes" which define "who interacts with the program [...] and with what authority; the information sources and how they are processed; and how the operations defined by the processes contributes to achieving the stated purpose." The report also calls for ongoing assessments of information-based programs and detailed documentation of their compliance with key requirements.

Because of the serious threats still posed by terrorists, the guidelines acknowledge that high priority is legitimately given "to detect intended attacks before they occur." But highly automated tools designed to detect indications of ongoing terrorist activity from vast amounts of communications, transactions and records "are likely to return significant rates of false positives [...] Because the data being analyzed are primarily about ordinary, law-abiding citizens and businesses, false positives can result in invasion of their privacy."
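The false-positive problem the monograph describes is a matter of base rates, and it is easier to see with numbers. The following is an added example, not part of the original article or the National Research Council report; the population, prevalence, sensitivity and false-positive rate are constructed values chosen to illustrate the arithmetic, not figures from any real program.

```python
"""Base-rate arithmetic for an automated screening program.

Added illustration (not from the source article). All inputs are
constructed, hypothetical values; the point is the shape of the
result, not the specific numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreeningOutcome:
    true_positives: float       # actual targets the program flags
    false_positives: float      # law-abiding people the program flags
    false_negatives: float      # actual targets the program misses
    positive_predictive_value: float  # share of flags that are real


def screen(population: int, prevalence: float,
           sensitivity: float, false_positive_rate: float) -> ScreeningOutcome:
    """Expected outcome of screening `population` people once.

    prevalence          fraction of the population that actually is a target
    sensitivity         probability a real target is flagged
    false_positive_rate probability an innocent person is flagged
    """
    if not 0.0 <= prevalence <= 1.0:
        raise ValueError("prevalence must be a probability")
    actual = population * prevalence
    innocent = population - actual
    tp = actual * sensitivity
    fn = actual - tp
    fp = innocent * false_positive_rate
    flagged = tp + fp
    # Guard the degenerate case where nothing is flagged at all.
    ppv = tp / flagged if flagged else 0.0
    return ScreeningOutcome(tp, fp, fn, ppv)


def required_false_positive_rate(prevalence: float, sensitivity: float,
                                 target_ppv: float) -> float:
    """Per-person false-positive rate needed so that `target_ppv` of flags are real.

    Rearranges ppv = tp / (tp + fp) with tp and fp expressed per capita:
    fp = tp * (1 - ppv) / ppv, then divided by the innocent fraction.
    """
    tp_per_capita = prevalence * sensitivity
    fp_per_capita = tp_per_capita * (1.0 - target_ppv) / target_ppv
    return fp_per_capita / (1.0 - prevalence)


if __name__ == "__main__":
    # Constructed scenario: 10 million records, 1 target per 100,000 people,
    # a detector that catches 99% of targets and misfires on 0.1% of everyone else.
    out = screen(10_000_000, 1e-5, 0.99, 0.001)
    print(f"flagged targets:   {out.true_positives:.1f}")
    print(f"flagged innocents: {out.false_positives:.1f}")
    print(f"share of flags that are real: {out.positive_predictive_value:.2%}")
    fpr = required_false_positive_rate(1e-5, 0.99, 0.5)
    print(f"false-positive rate needed for a 50% hit rate: {fpr:.2e}")
```

With these constructed inputs a detector that is right about 99.9% of innocent people still produces roughly a hundred innocent flags for every real one, which is the monograph's point: even a highly accurate tool applied to a population that is overwhelmingly law-abiding spends most of its output, and most of the investigators' follow-up, on the innocent. The second function shows how stringent the false-positive rate would have to be (on the order of the prevalence itself) before even half the flags were real.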

Even when the underlying data are of high quality, programs using advanced analytical techniques such as data mining and record linkage "are likely to be error-prone" once records are linked. "The utility of pattern-based data mining," the monograph concluded, "is found primarily if not exclusively in its role in helping humans make better decisions about how to deploy scarce investigative resources. Action, such as arrest, search, denial of rights, should never be taken solely on the basis of a data mining result."

The Markle Foundation Task Force on National Security in the Information Age, a New York-based think tank, published a report in March 2009 which included recommendations on the overall shape and governance of information collection systems.

One principle articulated in Nation At Risk: Policy Makers Need Better Information to Protect the Country is that programs should be based on the discoverability of emerging information "rather than the creation of large centralized databases." "When government officials have the capacity to locate relevant information and to make sense of it," the report said, "they can find the right information in time to make better informed decisions - including the prevention of terrorist attacks." Such a system also "improves security and minimizes privacy risks because it avoids bulk transfers of data."

The Markle report charges the highest levels of government, in the case of the US, the President and Congress, to "develop government-wide privacy policies for information sharing [...] These policies must be detailed and address the hard questions not answered by current law - who gets what information for what purpose under what standard of justification."

"Without those privacy policies in place," the report concluded, "the American people won't have confidence in their government, while the analysts and operatives using the information sharing framework won't have confidence that they know what they are expected and allowed to do, and that their work is lawful and appropriate."

The UN Human Rights Council document advocated a governance scheme for information collection based on four core principles: minimal intrusiveness; restriction on secondary use; oversight; and transparency and integrity.

And, perhaps most significantly, the UN document suggested that it might be a good idea for legislators contemplating the authorization of information collection to include sunset clauses in their proposed legislation, so that the intrusiveness of the information collection lapses into oblivion when it is no longer needed.