Susan Crawford blog :: Marc Rotenberg

This Month

Month Archive

May 2004
April 2004
March 2004
February 2004
January 2004

Year Archive

2007
2006
2005
2004
2003

Search Google

Previous:	Sonia Katyal
Next:	Nicolai Seitz

Marc Rotenberg

by Susan on Sat 27 Mar 2004 05:36 PM EST | Permanent Link

Richard Clarke is the Washington personality of the week. Marc Rotenberg testified in early December 2003 before the same Commission on a separate issue re security/privacy issues for going forward in preventing attacks.

Four key points he made then:

1. long tradition of privacy protection for communications and records stored by governments. Established during times when US faced nuclear weapons, unrest, assassinations -- but Congress went ahead and set them up.

2. Sept. 11 provides major challenges, and the people involved in coordinating in govt. efforts completely changes the Terry landscape. Checks and balances have been changed.

3. Our understanding of privacy enhancing technologies following 9/11 has changed. We thought there were tools that could enhance privacy -- TIA bothersome because message was that it would protect privacy, because govt surveillance under it would be less intrusive than other alternatives.

To understand this issue, three dimensions:

1. What do we mean by privacy enhancing.

2. What's relationship between federal govt and legal obs to safeguard privacy

3. How does this all work in practice.

First, definitional problem. What is a privacy enhancing technology? Prior to 9/11, we all thought definition was an electronic world where transactions could occur that were verifiable and authenticated, but personally identifiable information wouldn't be necessary. So these techniques would limit use of this personal information.

In the physical world, we can imagine cash, postage stamps etc. -- forms of value that allow transactions without personally identifiable information. How translate this to the online world? This was our core concept prior to 9/11.

No one proposed in Florida in 2000 that there should be an availability to check that vote had gone through. Why? Because concept of anonymity at that point, and recognition of need to sever transaction from surveillance is a core part of our democratic society.

This concept of a privacy enhancing technology was derailed by two processes: first, in the private sector, the view that we wouldn't provide legal obligations to collection and use in the digital world. it's just notice and choice. So we saw P3P emerge to translate rights and obligations into a market-based transaction where anything goes.

Post 9/11, law enforcement said we need to enable surveillance that respect privacy -- but what they meant by privacy was "within the context of a larger scheme that anticipates surveillance." So, when a vote is cast, it becomes possible to link transaction back to the identified individual. That's a principle without a boundary.

Rotenberg thought this idea died in the Clipper chip era. People then said to open the door to this form of storage would create unlimited opportunities for abuse.

Now our challenge is: where do we stop? If you assume all information might be useful in some investigation, where do we draw the line?

Go back to Brandeis dissent in Olmstead v. US. What would be the appropriate 4A standard to apply to the conduct of telephone surveillance? Was this warrant-based, or just out there in the ether? Court said no physical entry has occurred, it's just information out there in the ether; if you are concerned, go to Congress.

Holmes dissented ("a dirty business"). Brandeis said: look at surveillance in electronic space -- this is far more invasive than what would happen in physical space. In electronic space, we're unbounded by space and time. Could be lots of people talking, on many different subjects. He argues for a higher standard of oversight, because oppty to obtain information is so vast.

When you go to wiretap statute of 1968, it's a "super warrant" when compared to what you get in physical space. Constitutional response is based on fear that govt will overreach.

So answer about incorporation of techniques to protect privacy post 9/11 is to keep in mind: to the extent actors seek to comply with legal obligations and claim that they are "privacy enhancing," then technologies must incorporate auditing, transparency, all other requirements -- because of the enormous risk of government misuse.

Posted to:

Main Page