James Waldo, Herbert S. Lin, and Lynette I. Millett, Editors Committee on Privacy in the Information Age Computer Science and Telecommunications Board Division on Engineering and Physical Sciences BOOKLEET © THE NATIONAL ACADEMIES PRESS 500 Fifth Street, N.W. Washington, DC 20001 NOTICE: The project that is the subject of this report was approved by the Gov- erning Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engi- neering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance. Support for this project was provided by the W.K. Kellogg Foundation, Sponsor Award No. P0081389; the Alfred P. Sloan Foundation, Sponsor Award No. 2001- 3-21; the AT&T Foundation; and the Carnegie Corporation of New York, Sponsor Award No. B 7415. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the author(s) and do not necessarily reflect the views of the organizations or agencies that provided support for the project. Library of Congress Cataloging-in-Publication Data Engaging privacy and information technology in a digital age / James Waldo, Herbert S. Lin, and Lynette I. Millett, editors. p. cm. Includes bibliographical references and index. ISBN 978-0-309-10392-3 (hardcover) — ISBN 978-0-309-66732-6 (pdf) 1. Data protection. 2. Privacy, Right of—United States. I. Waldo, James. II. Lin, Herbert. III. Millett, Lynette I. QA76.9.A25E5425 2007 005.8 dc22 2007014433 Copies of this report are available from the National Academies Press, 500 Fifth Street, N.W., Lockbox 285, Washington, DC 20055; (800) 624-6242 or (202) 334-3313 (in the Washington metropolitan area); Internet, http://www.nap.edu. Copyright 2007 by the National Academy of Sciences. All rights reserved. Printed in the United States of America BOOKLEET © The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal govern- ment on scientific and technical matters. Dr. Ralph J. Cicerone is president of the National Academy of Sciences. The National Academy of Engineering was established in 1964, under the char- ter of the National Academy of Sciences, as a parallel organization of outstand- ing engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Wm. A. Wulf is president of the National Academy of Engineering. The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine. The National Research Council was organized by the National Academy of Sci- ences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal govern- ment. Functioning in accordance with general policies determined by the Acad- emy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering com- munities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Ralph J. Cicerone and Dr. Wm. A. Wulf are chair and vice chair, respectively, of the National Research Council. www.national-acad emies.org BOOKLEET © BOOKLEET © COMMITTEE ON PRIVACY IN THE INFORMATION AGE WILLIAM H. WEBSTER, Milbank, Tweed, Hadley & McCloy, Chair JAMES WALDO, Sun Microsystems, Vice Chair JULIE E. COHEN, Georgetown University ROBERT W. CRANDALL, Brookings Institution (resigned April 2006) OSCAR GANDY, JR., University of Pennsylvania JAMES HORNING, Network Associates Laboratories GARY KING, Harvard University LIN E. KNAPP, Independent Consultant, Ponte Vedra Beach, Florida BRENT LOWENSOHN, Independent Consultant, Encino, California GARY T. MARX, Massachusetts Institute of Technology (emeritus) HELEN NISSENBAUM, New York University ROBERT M. O’NEIL, University of Virginia JANEY PLACE, Digital Thinking RONALD L. RIVEST, Massachusetts Institute of Technology TERESA SCHWARTZ, George Washington University LLOYD N. CUTLER, Wilmer, Cutler, Pickering, Hale & Dorr LLP, served as co-chair until his passing in May 2005. Staff HERBERT S. LIN, Senior Scientist LYNETTE I. MILLETT, Senior Staff Officer KRISTEN BATCH, Associate Program Officer JENNIFER M. BISHOP, Program Associate DAVID PADGHAM, Associate Program Officer JANICE M. SABUDA, Senior Program Assistant v BOOKLEET © COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD JOSEPH F. TRAUB, Columbia University, Chair ERIC BENHAMOU, 3Com Corporation WILLIAM DALLY, Stanford University MARK E. DEAN, IBM Systems Group DAVID DEWITT, University of Wisconsin-Madison DEBORAH L. ESTRIN, University of California, Los Angeles JOAN FEIGENBAUM, Yale University KEVIN KAHN, Intel Corporation JAMES KAJIYA, Microsoft Corporation MICHAEL KATZ, University of California, Berkeley RANDY KATZ, University of California, Berkeley SARA KIESLER, Carnegie Mellon University TERESA H. MENG, Stanford University TOM M. MITCHELL, Carnegie Mellon University FRED B. SCHNEIDER, Cornell University WILLIAM STEAD, Vanderbilt University ANDREW VITERBI, Viterbi Group, LLC JEANNETTE M. WING, Carnegie Mellon University JON EISENBERG, Director KRISTEN BATCH, Associate Program Officer RENEE HAWKINS, Financial Associate MARGARET MARSH HUYNH, Senior Program Assistant HERBERT S. LIN, Senior Scientist LYNETTE I. MILLETT, Senior Program Officer DAVID PADGHAM, Associate Program Officer JANICE M. SABUDA, Senior Program Assistant TED SCHMITT, Program Officer BRANDYE WILLIAMS, Office Assistant JOAN WINSTON, Program Officer For more information on CSTB, see its Web site at http://www.cstb.org, write to CSTB, National Research Council, 500 Fifth Street, N.W., Wash- ington, DC 20001, call (202) 334-2605, or e-mail the CSTB at cstb@nas. edu. vi BOOKLEET © vii Preface Privacy is a growing concern in the United States and around the world. The spread of the Internet and the seemingly unbounded options for collecting, saving, sharing, and comparing information trigger con- sumer worries; online practices of businesses and government agencies present new ways to compromise privacy; and e-commerce and technolo- gies that permit individuals to find personal information about each other only begin to hint at the possibilities. The literature on privacy is extensive, and yet much of the work that has been done on privacy, and notably privacy in a context of pervasive information technology, has come from groups with a single point of view (e.g., civil liberties advocates, trade associations) and/or a mission that is associated with a point of view (e.g., regulatory agencies) or a slice of the problem (e.g., privacy in a single context such as health care). Many of the groups that have looked at privacy have tended to be singular in their expertise. Advocacy groups are typically staffed by law- yers, and scholarship activities within universities are conducted largely from the perspective of individual departments such as sociology, politi- cal science, or law. Business/management experts address demand for personal information (typically for marketing or e-commerce). Although a few economists have also examined privacy questions (mostly from the standpoint of marketable rights in privacy), the economics-oriented pri- vacy literature is significantly less extensive than the literature on intellec- tual property or equitable access. In an area such as privacy, approaches from any single discipline are unlikely to “solve” the problem, making it BOOKLEET © viii ENGAGING PRIVACY AND INFORMATION TECHNOLOGY IN A DIGITAL AGE important to assess privacy in a manner that accounts for the implications of technology, law, economics, business, social science, and ethics. Against this backdrop, the National Research Council believed that the time was ripe for a deep, comprehensive, and multidisciplinary exam- ination of privacy in the information age: How are the threats to privacy evolving, how can privacy be protected, and how can society balance the interests of individuals, businesses, and government in ways that pro- mote privacy reasonably and effectively? A variety of conversations in late 2000 with privacy advocates in nonprofit organizations, and with private foundation officials about what their organizations have not been supporting, and ongoing conversa- tions with computer scientists and other analysts who focus on infor- mation technology trends indicated a dearth of analytical work on the subject of online privacy that incorporated expertise about key technolo- gies together with other kinds of expertise. Without adequate technical expertise, information technology tends to be treated as a black box that has impacts on society; with such expertise, there can be a more realistic exploration of interactions among technical and nontechnical factors and of design and implementation alternatives, some of which can avoid or diminish adverse impacts. For these reasons, the National Research Council established the Committee on Privacy in the Information Age. The committee’s analytical charge had several elements (see Chapter 1). The committee was to survey and analyze the causes for concern—risks to personal information associ- ated with new technologies (primarily information technologies, but from time to time biotechnologies as appropriate) and their interaction with nontechnology-based risks, the incidence of actual problems relative to the potential for problems, and trends in technology and practice that will influence impacts on privacy. Further, the charge called for these analyses to take into account changes in technology; business, government, and other organizational demand for and supply of personal information; and the increasing capabilities for individuals to collect and use, as well as disseminate, personal information. Although certain areas (e.g., health and national security) were singled out for special attention, the goal was to paint a big picture that at least sketched the contours of the full set of interactions and tradeoffs. The charge is clearly a very broad one. Thus, the committee chose to focus its primary efforts on fundamental concepts of privacy, the laws sur- rounding privacy, the tradeoffs in a number of societally important areas, and the impact of technology on conceptions of privacy. To what end does the committee offer such a consideration of privacy in the 21st century? This report does not present a definitive solution to any of the privacy challenges confronting society today. It does not pro- BOOKLEET © PREFACE ix vide a thorough and settled definition of privacy. And it does not evaluate specific policies or technologies as “good” or “bad.” Rather, its primary purpose is to provide ways to think about pri- vacy, its relationship to other values, and related tradeoffs. It emphasizes the need to understand context when evaluating the privacy impact of a given situation or technology. It provides an in-depth look at ongoing information technology trends as related to privacy concerns. By doing so, the committee hopes that the report will contribute to a better under- standing of the many issues that play a part in privacy and contribute to the analysis of issues involving privacy. In creating policies that address the demands of a rapidly changing society, we must be attuned to the interdependencies of complex systems. In particular, this must involve trying to avoid the unwitting creation of undesirable unintended consequences. We may decide to tolerate erosion on one side of a continuum—privacy versus security, for example. Under appropriate conditions the searching of travelers’ bags and the use of behavioral profiles for additional examination are understandable. But with this comes a shift in the continuum of given types of privacy. Perhaps most importantly, the report seeks to raise awareness of the web of connectedness among the actions we take, the policies we pass, the expectations we change. In creating policies that address the demands of a rapidly changing society, we must be attuned to the interdependen- cies of complex systems—and whatever policy choices a society favors, the choices should be made consciously, with an understanding of their possible consequences. We may decide to tolerate erosion on one side of an issue—privacy versus security, for example. We may decide it makes sense to allow security personnel to open our bags, to carry a “trusted traveler” card, to “profile” people for additional examination. But with such actions come a change in the nature and the scope of privacy that people can expect. New policies may create a more desirable balance, but they should not create unanticipated surprises. To pursue its work, the National Research Council constituted a com- mittee of 16 people with a broad range of expertise, including senior individuals with backgrounds in information technology, business, gov- ernment, and other institutional uses of personal information; consumer protection; liability; economics; and privacy law and policy. From 2002 to 2003, the committee held five meetings, most of which were intended to enable the committee to explore a wide range of different points of view. For example, briefings and/or other inputs were obtained from govern- ment officials at all levels, authorities on international law and practice relating to policy, social scientists and philosophers concerned with per- sonal data collection, experts on privacy-enhancing technologies, business BOOKLEET © x ENGAGING PRIVACY AND INFORMATION TECHNOLOGY IN A DIGITAL AGE representatives concerned with the gathering and uses of personal data, consumer advocates, and researchers who use personal data. Several papers were commissioned and received. As the committee undertook its analysis, it was struck by the extraor- dinary complexity associated with the subject of privacy. Most committee members understood that the notion of privacy is fraught with multiple meanings, interpretations, and value judgments. But nearly every thread of analysis leads to other questions and issues that also cry out for addi- tional analysis—one might even regard the subject as fractal, where each level of analysis requires another equally complex level of analysis to explore the issues that the previous level raises. Realistically, the analysis must be cut off at some point, if nothing else because of resource con- straints. But the committee hopes that this report suffices to paint a repre- sentative and reasonably comprehensive picture of informational privacy, even if some interesting threads had to be arbitrarily limited. This study has been unusually challenging, both because of the nature of the subject matter and because the events that occurred during the time the report was being researched and written often seemed to be overtak- ing the work itself. The temptation to change the work of the committee in reaction to some news story or revelation of a pressing privacy concern was constant and powerful; our hope is that the work presented here will last longer than the concerns generated by any of those particular events. The very importance of the subject matter increases the difficulty of approaching the issues in a calm and dispassionate manner. Many members of the committee came to the process with well-developed con- victions, and it was interesting to see these convictions soften, alter, and become more nuanced as the complexities of the subject became appar- ent. It is our hope that readers of this report will find that the subject of privacy in our information-rich age is more subtle and complex than they had thought, and that solutions to the problems, while not impossible, are far from obvious. The committee was highly diverse. This diversity reflects the com- plexity of the subject, which required representation not just from the information sciences but also from policy makers, the law, business, and the social sciences and humanities. Such diversity also means that the members of the committee came to the problem with different presupposi- tions, vocabularies, and ways of thinking about the problems surrounding privacy in our increasingly interconnected world. It is a testament to these members that they took the time and effort to learn from each other and from the many people who took the time to brief the committee. It is easy in such situations for the committee to decompose into smaller tribes of like-thinking members who do not listen to those outside their tribe; what BOOKLEET © [...]... blend in with the law-abiding population so that they do not come under suspicion and thus have a freer hand to plan and operate Thus, any information collection directed BOOKLEET © 12 ENGAGING PRIV ACY AND INFORMATION TECHNOLOGY IN A DIGITAL AGE at criminals and terrorists potentially gathers information about law-abiding citizens, and striking the appropriate balance between acknowledging the law enforcement/national... ENFORCEMENT, AND NATIONAL SECURITY 251 Information Technology, Privacy, and Law Enforcement, 252 Background, 252 Technology and Physical Observation, 254 Communications and Data Storage, 259 Technology and Identification, 266 Aggregation and Data Mining, 271 Privacy Concerns and Law Enforcement, 275 Information Technology, Privacy, and National Security, 277 Background, 277 National Security and Technology. .. Changes in Institutional Practice, 33 Discontinuities in Circumstance and Current Events, 36 National Security and Law Enforcement, 37 Disease and Pandemic Outbreak, 37 Important Concepts and Ideas Related to Privacy, 38 Personal Information, Sensitive Information, and Personally Identifiable Information, 39 False Positives, False Negatives, and Data Quality, 43 Privacy and Anonymity, 45 Fair Information. .. advances in processor speed, memory sizes, disk storage capacity, and networking bandwidth allow data to be collected, stored, and analyzed in ways that were barely imaginable a decade ago Other technology drivers are just emerging, including sensor networks that capture data and connect that data to the real world Increasingly ubiquitous networking means that more and more information is online Data... Financial Institutions, 188 Retail Businesses, 191 Data Aggregation Organizations, 196 Nonprofits and Charities, 200 Mass Media and Content Distribution Industries, 201 Statistical and Research Agencies, 203 Conclusion, 205 7 7.1 7.2 HEALTH AND MEDICAL PRIVACY Information and the Practice of Health Care, 209 Privacy in Medicine, 211 BOOKLEET © 209 xviii ENGAGING PRIV ACY AND INFORMATION TECHNOLOGY IN. .. technological systems described above and to the transformation of social institutions, practices, and behavior through their routine use To an unprecedented degree, making personal information available to institutions and organizations has become essential for individual participation in everyday life These information demands have increasingly appeared in licensing; administration and conferring of... Sociological approaches to the study of privacy have emphasized the ways in which the collection and use of personal information have reflected and reinforced the relationships of power and influence between individuals, groups, and institutions within society BOOKLEET © ENGAGING PRIV ACY AND INFORMATION TECHNOLOGY IN A DIGITAL AGE Key to any discussion of privacy is a clear specification of what is at... cameras, and some statistical methods and data-mining algorithms have been developed that facilitate the anonymization of information without changing the important statistical properties of the information taken in the aggregate • Policy. Policy measures, by which are meant actions that information collectors can or must take, are arguably the most important privacy protection tool That is, privacy. .. and to ensure that it is at least correct protects the individual against decisions being made on the basis of incorrect information A BASIC ANALYTICAL FRAMEWORK FOR UNDERSTANDING PRIVACY The notion of privacy is a basic starting point for this framework, and as suggested in the introduction, three essential questions arise: • What is the information that is being kept private (and with whom is that... protecting privacy Finally, because information technologies are continually dropping in cost, technologies for collecting and analyzing personal information from multiple, disparate sources are increasingly available to individuals, corporations, and governments • Societal shifts refer to evolutionary changes in the institutions of society—the organizations and the activities and practices that make . MEDICAL PRIVACY 209 7.1 Information and the Practice of Health Care, 209 7.2 Privacy in Medicine, 211 BOOKLEET © xviii ENGAGING PRIVACY AND INFORMATION TECHNOLOGY IN A DIGITAL AGE 7.3 Addressing. © xvi ENGAGING PRIVACY AND INFORMATION TECHNOLOGY IN A DIGITAL AGE PART II THE BACKDROP FOR PRIVACY 2 INTELLECTUAL APPROACHES AND CONCEPTUAL UNDERPINNINGS 57 2.1 Philosophical Theories of Privacy, . government, and other organizational demand for and supply of personal information; and the increasing capabilities for individuals to collect and use, as well as disseminate, personal information. Although