PRIVACY Forum Archive Document

PRIVACY Forum Home Page

PFIR - "People For Internet Responsibility" Home Page

Vortex Technology Home Page

Date: Wed, 23 Sep 92 12:43:28 PDT
From: (David Redell)
Subject: Draft ACM whitepaper on computers and privacy

         ***  DRAFT ACM Whitepaper   ***     Wed Sep 23 1992  ***

         Information Technology and the Privacy of the Individual
                            Dave Redell

The Role of Privacy in Modern Society

Information technology and personal privacy appear to be on a collision
course in our society.  Facilities allowing the collection, storage,
retrieval, processing and communication of vast volumes of data are
transforming society in many beneficial ways, but there is a darker
side to this picture -- the continuing erosion of the privacy of the
individual.  It is sadly ironic that the United States, which assumed
a short-lived leadership role in privacy protection twenty years ago,
is today playing a half-hearted game of catch-up with the European
Community.  How did this situation develop?  What is likely to happen
to personal privacy during the next twenty years?  And what can we as
computer professionals do about it?

In any such discussion, it is important to recognize the central role
that personal privacy plays in our society.  It is all too easy for
us to take privacy for granted, regarding it as an pleasant but
inessential luxury, to be casually traded away for minor efficiencies
and conveniences.  Many people even regard privacy as a concern
primarily of those who are suspected of wrongdoing -- as something
dispensable if you "have nothing to hide".  Aside from the obvious
problem that privacy invasion can involve information that is inaccurate
or out of context, this view ignores a deeper point: personal privacy
is the foundation of personal freedom.  In both history and literature,
the first step taken by totalitarian states to assure a docile
population is the elimination of personal privacy.  But one need not
assume a tyrannical conspiracy to see the danger in devaluing privacy
as a cornerstone of our society's respect for the individual.  Our
traditional model of a nation bound together by voluntary ties of home,
family and community is fundamentally undermined when the individual
is stripped of the power to control private personal information --
the basic coin of individual autonomy and intimate relationships through
which such bonds are forged.

Privacy does not, of course, imply absolute secrecy.  Such secrecy
would require the individual's total withdrawal from the larger society.
The concept of privacy inherently implies an appropriate balance between
the benefit of revealing each item of personal information against
the desire to withhold it.  It is vital, however, that this tradeoff
be made with a full and explicit acknowledgment of whose benefit is
being served.  When people voluntarily trade their own privacy for
some direct benefit to them, it is a personal decision that each
individual can make on a case-by-case basis.  Too often, however,
the privacy of the individual is sacrificed for a "greater good" of
some other person or -- more typically -- some organization.  If this
is not based on a voluntary, informed decision by the individual
involved, then strong arguments are required to justify it.  There are
certainly cases in which such involuntary compromise is deemed necessary
and appropriate -- for example in the tax system or the criminal justice
system.  But each such compromise requires a carefully considered
foundation in mandated social policy, and appropriate safeguards to
protect the required personal information from misuse.

Of course, all these fundamental issues predate the advent of modern
information technologies -- computers, databases, and networks -- but
these technologies provide the ability to disseminate personal
information on a scale that was inconceivable until the middle of the
20th Century.  Not only is access to this enormous volume of personal
data now possible, it is rapidly becoming so inexpensive that virtually
anyone can afford it.  Moreover, one cannot reasonably conclude that
computers are simply making old practices more efficient; a quantitative
change of several orders of magnitude is effectively qualitative,
requiring a thorough reexamination of the legal protections and social
conventions surrounding personal privacy in our society.  This
qualitative impact is typical of most important new technologies:
initially motivated by simple efficiency considerations, they in fact
turn out to trigger sweeping changes in the way we conduct business,
govern ourselves and live our lives.

Current Threats to Privacy -- Some Examples

Threats from government

Although governments have been gathering data on citizens since long
before the development of computers, the advent of information
technology marks a giant leap in the ability of those in power to
monitor the lives of the citizenry.  In the U.S., as in most
industrialized nations, the result is a vast collection of databases
whose combined records would provide startlingly complete dossiers
for every man, woman and child in the country.

    Agencies at all levels of government cite strong arguments to
    justify their ever-increasing thirst for data.  Often the proposed
    use ends up being only the first of many to which the data will
    be put.  The information is utilized for purposes of taxation,
    social security, law enforcement, health care, motor vehicles,
    national security, the census, and innumerable other government

    Congress has found it necessary to deter repeated attempts by the
    executive branch to aggregate data into a unified federal government
    database, providing each agency access to the information gathered
    by all the others.  Although such partitioning is a key tool for
    preventing abuses in our democratic system, the agencies involved
    generally decry it as inefficient and wasteful, and the federal
    government is currently considering new proposals to encourage the
    transfer of personal information between federal agencies.
    Database matching across agencies often succeeds in circumventing
    the intent of partitioning.  Modern techniques of "federated"
    databases can blur the boundaries between separate databases.

    The various states provide totally inconsistent rules for privacy
    of personal data.  Moreover, the quantity and quality of the
    gathered data by state and local governments varies widely, as does
    its usage.

    Discrete items of personal information become more sensitive as
    they are computerized.  Even data that was originally in the public
    record can become sensitive when made available via a powerful
    database.  Various bodies, including the U.S. Supreme Court, have
    upheld the principle that the aggregation of personal information
    in electronic form creates a heightened privacy interest.

Threats from commercial organizations

>From its beginnings, our democratic system has regarded intrusive
government as the key threat to individual liberty, and a central thrust
of the U.S. Constitution has always been protection against this
threat.  As computers have magnified the risks, the effort to adapt
existing legal protections and Constitutional guarantees to the new
situation has often lagged behind, but at least it has had a solid
basis to build upon.  The U.S.  has no corresponding legal traditions,
however, with respect to the commercial sector.  For this reason,
commercial databases in this country function in a largely unconstrained
environment, lacking many of the constraints and safeguards that are
required in other nations, such as the European Community.

    Credit bureaus maintain detailed records on virtually every adult
    citizen of the United States.  These records, typically found to
    contain an alarming number of erroneous entries, are used in
    approving or disapproving millions of financial transactions each

    Health insurance claims generate a detailed record of each citizen's
    medical history.  Patients have little or no knowledge of or control
    over the gathering, retention and transmission of this data.

    Employee records contain information that is sensitive and often
    quite subjective.  Proper protection of such data is often left
    to the employer's discretion, yielding inconsistent and inadequate
    standards and practices.

    Electronic monitoring of the workplace has led in many cases to
    what has been called "the electronic sweatshop."  While employers
    have a legitimate right to assess employee performance, the use
    of intrusive, detailed monitoring and logging of an employee's every
    move is becoming widely recognized as both intrusive and
    counterproductive.  Protests over these practices have led to
    federal legislation currently pending in Congress.

    Direct-mail marketing databases contain lists of people grouped
    into a wide range of detailed categories, leading to a rising tide
    of junk mail.  This flood is more than just a nuisance; it is a
    symptom of the vast amount of information about the lifestyles of
    individual citizens that is being collected and widely disseminated
    by commercial firms.

    Credit card lenders have, as a matter of course, gathered consumer
    purchase data for many years.  More recently, merchants have begun
    compiling such data as well, often through "frequent shopper" and
    other incentive programs.  Such information, captured through
    point-of-sale equipment and logged in a database, records and
    characterizes the purchasing behavior of individual customers.
    Inducements such as prizes and personalized discounts are readily
    apparent, but much of the real motivation for these programs is
    obscured.  In the future, as consumer purchase profiles become a
    valuable commodity, these programs will more than pay for themselves
    by allowing the gathering and resale of data from all types of
    transactions -- not just those handled via credit card.

    Telephone companies propose to offer "Caller ID" services that
    require all phone customers to disclose their telephone numbers
    when they place calls.  Though proponents claim that the service
    would reduce harassing calls, in fact other services are better
    suited for this purpose.  In practice, the main effect of Caller
    ID would be increased collection of personal information for direct
    marketing purposes.

Threats from individuals

Much of the public concern about data privacy has focused on "hackers"
making unauthorized access to systems.  It is important to note that,
sensational media stories notwithstanding, the threat of such
information vandalism is only a small part of the threat to privacy
from malevolent individuals.  Illegally breaking into a computer system
is a serious offense, but as a practical privacy risk, it pales into
insignificance when considered in the broader context of the everyday
activities of the modern information infrastructure.

There are at least two ways in which computers play a role in the
compromising of one individual's privacy by another individual.  The
first is that government and commercial computers can, accidentally
or by design, disclose information against the wishes of the record
subject.  The second is that the rapidly falling cost of personal
computers allows individuals to perform many of the privacy-invasive
actions that only a few years ago were practical only for government
and commercial organizations.

    Credit bureaus -- especially the smaller resale "superbureaus" --
    have repeatedly been found lax in their standards for releasing
    personal credit information.  In some cases, a simple request via
    telephone has proven sufficient to obtain another person's financial
    data without any legitimate authorization.

    Sensitive data from law enforcement databases, such as criminal
    history files, have found their way into the wrong hands, usually
    via malfeasance of some authorized user.

    Information brokers of marginal legitimacy offer a broad range
    of services to private investigators and others who are willing
    to pay their prices.  By knowing how to use (and misuse) a broad
    range of existing databases, these brokers can assemble wide-ranging
    dossiers on private citizens without their knowledge.

    Personal computer databases are often used to store and disseminate
    detrimental information about individuals -- for example, alleged
    "bad tenant" status.  The total lack of any standards, controls,
    or even disclosures of such systems raises hard questions about
    meaningful distinctions between commercial and private databases.

It is important to note that the dividing lines between government,
commercial and individual threats to privacy are not always as clear
as one might expect.  For example, law enforcement access to telephone
calling records is not constrained by the laws governing wiretaps.
Similarly, the FBI has sought to obtain mailing lists that they felt
might generate investigative leads -- a chilling prospect for anyone
who has ever wondered "How did I get on that list, anyway?".  The FBI
has also discussed even more ambitious goals for linking their databases
with those of commercial organizations such as airlines, credit card
companies, and car rental agencies.  The Social Security Administration
received considerable attention a few years ago for arranging to provide
bulk verification of social security numbers in a major credit bureau's
database.  Such examples point out that while the provision of adequate
security firewalls between systems is an important issue, it does not
address the deeper question of which personal information should be
allowed to flow among institutions.

Emerging Threats to Privacy

The explosive improvement in cost/performance of computers and networks
shows no sign of stopping, or even slowing.  As this trend enables more
and more uses of computer technology, we can expect to see an
accompanying growth in threats to privacy.

    One example of an appealing and beneficial new technology with
    accompanying privacy risks is wireless digital communication.  The
    obvious risks involve eavesdropping on private communication.  More
    subtle risks arise involving authentication and masquerading.  In
    both cases, the use of wireless communication simply exacerbates
    problems that already exist in wired networks.  There are additional
    issues, however, that are unique to wireless communication.  For
    example, projections for future wireless digital communication
    include microcellular data networks with cells as small as 100
    meters.  This, combined with the notion of a unique, permanent
    personal ID used as a mobile phone number, suggests a network
    infrastructure capable of monitoring and logging the movements of
    any citizen in considerable detail.  So far, very little attention
    has been paid to this issue by the designers of such networks.

    Similar to tracking via the wireless infrastructure is the idea
    of tracking for its own sake.  Technology such as infrared "active
    badges" can help office workers locate each other, forward telephone
    calls, and so on.  However, this technology's potential for privacy
    invasion must be recognized and dealt with if it is not to outweigh
    any benefits gained.  Analogous proposals for tracking of automobiles
    by "smart highways" are also in advanced planning stages at
    numerous industrial and academic laboratories.

    As electronic communication media become commonplace in the
    business world, workers' expectations of privacy are often at odds
    with employer monitoring and control of electronic mail, voice mail,
    computer discussion groups and so on.  What the employer regards
    as simply prudent control of valuable resources is often experienced
    by the employee as intrusive and depersonalizing. At the very
    least, a clearer setting of mutual expectations is needed.

    As described above, consumer purchase histories are currently
    gathered in a somewhat fragmented manner.  Over the next decade,
    a growing market is projected in bulk purchase and reuse of purchase
    history data, largely through national clearinghouses similar to
    today's credit bureaus.  By aggregating data from many sources,
    such clearinghouses will be able to develop extensive lifestyle
    profiles on individual consumers, which can then be sold for
    targeted marketing use.

Future risks will also include some that have been discussed for many
years.  For example, as technology continues to improve, falling costs
and the lure of "efficiency" may threaten to tilt the balance against
the arguments that have so far held in check such proposals as universal
ID cards and monolithic government dossier systems.

History of Privacy Protection in the United States

Threats like those outlined above must be considered in the context
of recent history.  So far, policymakers have been only partially
successful in addressing the privacy concerns that new information
technologies have raised.  The first groundswell of concern over the
technological erosion of privacy began in the 1960s when a proposal
for a centralized collection of person data was considered by the
federal government.  Although the proposal was rejected, it was clear
that new safeguards for personal information stored in computer
databases would be necessary; the ACM was among the groups that began
playing an active role in studying the privacy issue.  A special task
force was convened by the Department of Health, Education and Welfare
to study privacy protection.  In 1973 the task force released "Records,
Computers, and the Rights of Citizens" and set out a group of
principles, known as the Code of Fair Information Practices, that made
clear the obligations of organizations that collect personal
information.  The basic principles of the Code are:

  - There must be no personal data record-keeping systems whose very
    existence is secret.

  - There must be a way for a person to find out what information about
    the person is in a record and how it is used.

  - There must be a way for a person to prevent information about
    the person that was obtained for one purpose from being used or
    made available for other purposes without the person's consent.

  - There must be a way for a person to correct or amend a record
    of identifiable information about the person.

  - Any organization creating, maintaining, using or disseminating
    records of identifiable personal data must assure the reliability
    of the data for their intended use and must take precautions to
    prevent misuses of the data.

These principles became the foundation for the Privacy Act of 1974,
a comprehensive law that circumscribes the actions of government
agencies in collecting, using, and disseminating personal data.
However, the Privacy Act did not cover personal information held by
private organizations, and this has led to growing efforts to develop
such legislation.

The Code was widely accepted as a cornerstone of privacy protection
in the context of modern information processing.  In particular, it
set the stage for much of the subsequent privacy legislation in Europe,
culminating in the Privacy Directive of the European Community.  This
directive, which unifies the privacy protections of the individual
member nations, goes substantially beyond the U.S. Privacy Act and
subsequent U.S. legislation.  In particular, it applies a set of
principles similar to those in the Code of Fair Information Practices
to commercial as well as governmental information processing.
Unfortunately, the U.S., despite initial intentions in the early 1970s,
has consistently failed to extend its treatment of governmental systems
to those operated by commercial organizations.  As a result, the
European Privacy Directive is now viewed here as a cause for significant
practical concern, since it limits the propagation of personal data
to countries -- like the U.S. -- in which privacy safeguards are seen
as inadequate.

In contrast with the European situation, privacy law in the United
States is a patchwork of specialized protections, liberally punctuated
with loopholes and exceptions.  For example, there is privacy protection
for bank records but not for medical records.  There is coverage for
videotape rentals, but not magazine subscriptions.  Credit records
are covered, but insurance records are not.  Even where privacy
protection exists, new business practices and new technological
developments often make good laws quickly outdated.  What is missing
is a larger context of legal and social principles, such as the notion
of "Informational Self-determination" originated in Germany and widely
embraced within the European Community.  This principle states that
all use of personal data, whether by government or business, must be
authorized and regulated by appropriate legislation.  Within this
framework, specific examples can and should be treated individually,
of course, but the general principle provides a unifying context for
such legislation, helping to avoid arbitrary loopholes and

Technological Safeguards

It is important to note cases in which improved technology can protect
privacy, as well as those in which privacy is threatened.  While it
is generally naive to expect a purely technological fix to any complex
social problem, it is equally unrealistic to depend entirely on
legislative safeguards in situations where appropriate use of technology
can at least lay a foundation for enforcing privacy protections.
Technology can and should be used to enhance privacy where possible.

A case in point is encryption.  The ability of inexpensive encryption
devices to insure privacy over emerging digital networks -- both wired
and wireless -- represents a fundamental advance in the technological
underpinnings of privacy.  In this regard, it is discouraging to note
that law enforcement agencies are already promoting legislation designed
to cripple such privacy protections.

Encryption-based techniques can yield much more general facilities
than simply protection against eavesdropping, such as verifiable digital
signatures and anonymous digital cash.  Such facilities will play key
roles in supporting privacy in our increasingly computerized and
networked world.  It is vital that these developments not be hampered
by the misguided perception that encryption technology should be the
exclusive purview of the military and intelligence communities.
Encryption technology will be widely available from foreign
manufacturers, and roadblocks preventing U.S. manufacturers from
offering competing products will simply be counterproductive.

The Responsibilities of Computer Professionals

In the context of the real and growing threat to personal privacy posed
by many uses of information technology, what is the responsibility
of computer professionals?  On the one hand, it is clearly unreasonable
to expect system designers to bear the entire responsibility for the
negative consequences that may emerge from the systems they build.
The governmental and commercial owners of the systems plan the usage
of the technology they pay for; moreover, in a democracy, the citizenry
as a whole is ultimately responsible for choices of social policy.
On the other hand, computer professionals do incur some special
responsibilities by virtue of their expertise, and their ability to
influence the character of the systems they build.  While there is
an understandable tendency on the part of many computer professionals
to avoid "getting involved in politics", the interaction of technology
with social policy is just too complex and too important to be left
to the politicians alone.  Our participation is crucial.

At the most basic level, it is essential that the responsible use of
technology be seen as something that society has both the right and
the ability to control.  The myth of the "technological imperative"
cannot be accepted as justification for an unstoppable erosion of
personal privacy.  Technology must be used to confer benefits without
incurring unacceptable costs -- including social costs.  The idea that
systems will inevitably be built and used simply because they are
technically feasible must not be allowed to beg this vital question.

Both as individual practitioners and as specially informed members
of the public, system designers have a professional responsibility
to insure that the impacts of computer systems on privacy and similar
social values are explicitly taken into account.  The ACM's draft Code
of Ethics and Professional Conduct states that "computing professionals
must insure that the products of their efforts will be used in socially
responsible ways".  It goes on to state that "it is the responsibility
of professionals to maintain the privacy and integrity of data
describing individuals." and that they have "a special responsibility
to provide objective, credible evaluations to employers, clients, users
and the public."

One important aspect of balancing costs against benefits falls
particularly to the computer professional.  If the design of a system
ignores important considerations like privacy, the result is often
a system architecture that forces inherently unnecessary tradeoffs.
For example, some recent proposals for automated toll collection on
toll roads and bridges involve collection of data on people's movements,
simply because this appears to be the most obvious way to bill drivers
for usage.  Such systems are often defended with the argument that
the anyone can simply decline to use them if they feel that the privacy
costs outweigh the benefits.  In many cases, however, a different
approach to the system architecture could confer most or all of the
benefits without invading individual privacy -- for example, by debiting
anonymous accounts and into which drivers could deposit money as needed.

Another important role of the computer professional is to point out
considerations that must be taken into account early in the system
design process if they are to be dealt with effectively.  Security in
general, and privacy in particular, are examples of goals that can
be prohibitively difficult to achieve by retrofitting features into
an existing system, and can thus be locked out if early design
decisions ignore them.


The erosion of personal privacy by modern computer systems is an
important and ongoing problem.  Both the individual and society as
a whole are hurt when the chilling effect of privacy invasion curtails
the effective scope of personal freedom.  Although the workings of
this erosion process have been largely invisible to the average citizen,
there are signs of growing public concern.

As social policy adapts to changes in technology, computer professionals
have a key role to play as citizens, helping to refine and apply
appropriate principles and to keep the policy-making process on a path
that will maximize the benefits of current and future technology while
minimizing the erosion of privacy.

Meanwhile, in their roles as working professionals, those who design,
build, maintain and operate computer systems have an equally important
role to play, taking personal responsibility for their own choices
and actions in the systems they create.  Public interest groups like
Computer Professionals for Social Responsibility have long been active
in this area.  More general professional organizations like the ACM
can well serve both their members and the larger society by studying
the current and emerging implications of information technology and
recommending principles of professional ethics to serve as guideposts
for computer professionals in their daily work.  As we help to design
tomorrow's information-rich world, and we have a special obligation
to ensure that this emerging world protects the privacy and dignity
of us all.

PRIVACY Forum Home Page

Vortex Technology Home Page

Radio, Television, and Press Contact Information

Copyright © 2005 Vortex Technology. All Rights Reserved.