Jim Harper

GAO Issues Report on Privacy

This week, for a hearing in the Senate Homeland Security and Government Reform Committee, the Government Accountability Office released a report on privacy titled “Alternatives Exist for Enhancing Protection of Personally Identifiable Information.” (GAO testimony based on the report is here.) I served on a National Academy of Sciences “Expert Panel” that gave the GAO some perspectives on issues related to the Privacy Act.

The report had three main conclusions, which follow with my comments:

The Privacy Act’s definition of a “system of records” (any grouping of records containing personal information retrieved by individual identifier), which sets the scope of the act’s protections, does not always apply whenever personal information is obtained and processed by federal agencies. One alternative to address this concern would be revising the system-of-records definition to cover all personally identifiable information collected, used, and maintained systematically by the federal government.

The “system of records” definition has indeed fallen out of date. Thanks to the growth of search and other technological developments, records not organized by personal identifier can be accessed and used by the federal government, but they fall outside the purview of the Privacy Act. This should change. The report also highlights the fact that data used by the federal government, but held by information resellers, escapes the purview of the Privacy Act. This should also change.

According to generally accepted privacy principles of purpose specification, collection limitation, and use limitation, the collection of personal information should be limited, and its use should be limited to a specified purpose. Yet, current laws and guidance impose only the modest requirements in these areas. . . . Alternatives to address this area of concern include requiring agencies to justify the collection and use of key elements of personally identifiable information and to establish agreements before sharing such information with other agencies.

Once they have collected it, federal agencies can do anything they want with personal information simply by declaring their plan to do so in the Federal Register through a “System of Records Notice” or “SORN.” The statements agencies may make when they collect information do not bind them in the slightest. This is wrong and it should change. GAO’s recommendations to limit collection and sharing of information are rather tepid, alas, and they wouldn’t change agencies’ institutional incentives to over-collect and promiscuously share the personal information of the citizenry.

Privacy Act notices may not effectively inform the public about government uses of personal information. For example, system-of-records notices published in the Federal Register (the government’s official vehicle for issuing public notices) may be difficult for the general public to fully understand. Layered notices, which provide only the most important summary facts up front, have been used as a solution in the private sector. In addition, publishing such notices at a central location on the Web would help make them more accessible.

It’s true that Privacy Act notices don’t inform the public well. They are obscurely written documents in an obscure publication. But I’m not sure that the publication of “layered notices” would be an improvement. Sure, there’s a consensus among government types that layered notices are the next big thing, but I don’t believe that they will change citizen understanding or behavior in any significant respect. Notices are also not terribly relevant in the government environment because a person can’t decline to do business with a government based on its privacy practices or promises.

There’s more to learn on “notice” and its importance or relevance for getting people more privacy. The thing we know is that reducing data collection and use leads directly to privacy. Getting policymakers to understand the privacy costs they’re imposing on the public would be as effective, if not more, than notifying the public about what’s been done to them after a policy is made and the horse is out of the barn.

June 20, 2008 | Comments |

blog comments powered by Disqus

• Welcome

  The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology. More »

  • Home
  • About
  • Archives
  • Podcast
  • RSS

• Archives

  Select Month July 2009 June 2009 May 2009 April 2009 March 2009 February 2009 January 2009 December 2008 November 2008 October 2008 September 2008 August 2008 July 2008 June 2008 May 2008 April 2008 March 2008 February 2008 January 2008 December 2007 November 2007 October 2007 September 2007 August 2007 July 2007 June 2007 May 2007 April 2007 March 2007 February 2007 January 2007 December 2006 November 2006 October 2006 September 2006 August 2006 July 2006 June 2006 May 2006 April 2006 March 2006 February 2006 January 2006 December 2005 November 2005 October 2005 September 2005 August 2005 July 2005 June 2005 May 2005 April 2005 March 2005 February 2005 January 2005 December 2004 November 2004 October 2004 September 2004 August 2004

• Search

• Get TLF in your inbox
  Enter your email address:

• Categories

  • Advertising
  • Biotech
  • Broadband & Neutrality Regulation
  • Competition Policy
  • Copyright
  • Cutting the Video Cord
  • DMCA, DRM & Piracy
  • E-commerce Taxation & Regulation
  • E-Government & Transparency
  • First Amendment, Free Speech & Online Child Safety
  • Googlephobia
  • Inside the Beltway (Politics)
  • Internet Governance
  • Media Regulation
  • Miscellaneous
  • Open Source, Open Standards & Peer Production
  • Patents
  • Philosophy / Cyber-Libertarianism
  • Podcast
  • Privacy Solutions
  • Privacy, Security & Government Surveillance
  • Sin on the 'Net
  • Space
  • Tech Pork
  • Technology, Business & Cool Toys
  • Telecom & Cable Regulation
  • Things that Go 'Bump' in the 'Net
  • Trademark
  • Uncategorized
  • Video Games
  • What We're Reading
  • Wireless & Spectrum Policy

• Contributors

  • Adam Marcus
  • Adam Thierer
  • Alex Harris
  • Andrew Grossman
  • Berin Szoka
  • Braden Cox
  • Bret Swanson
  • Cord Blomquist
  • Drew Clark
  • Hance Haney
  • James Gattuso
  • Jerry Brito
  • Jim Harper
  • PJ Doland
  • Ryan Radia
  • Solveig Singleton
  • Sonia Arrison
  • Tim Lee
  • Tom W. Bell
  • Wayne Crews

• Tech Policy

  • The 463 Blog
  • ACT Blog
  • Broadband Politics
  • CDT Blog
  • Danny Weitzner – Open Internet Policy
  • Declan's Politech
  • Discovery's Disco-Tech
  • EFF's Deep Links
  • Freedom to Tinker
  • I, Cringely (Robert X. Cringley)
  • IP & Democracy (Cynthia Brumfield)
  • Lawrence Lessig
  • The Long Tail Blog (Chris Anderson)
  • Many 2 Many
  • Matthew Ingram.com
  • Media and Communications Policy Blog
  • Nick Carr
  • Public Knowledge
  • The PFF Blog
  • Space Politics
  • Susan Crawford
  • Tech Daily Dose
  • The Technium (Kevin Kelly)
  • Technology 360 (Dennis Haarsager)
  • Technology & Marketing Law Blog (Eric Goldman)
  • Technology Law Update
  • Tel Me Tech
  • TeleFrieden (Rob Frieden)

• Tech News

  • Ars Technica
  • CNet's News.com
  • Digg
  • Engadget
  • The Register
  • Slashdot
  • Tech Crunch
  • Tech Dirt
  • TechMeme
  • Telecom Watch
  • WSJ Business Technology
  • Wired News

• Bloggers We Like

  • Chris Anderson
  • Cato @ Liberty
  • Gene Healy
  • Reason Magazine: Hit & Run
  • Justin Logan
  • Marginal Revolution
  • Radley Balko
  • Virginia Postrel
  • The Volokh Conspiracy
  • Will Wilkinson

• Our Sites

  • Drew Clark
  • Jerry Brito
  • PJ Doland
  • Sonia Arrison
  • Space Frontier Foundation
  • Tim Lee
  • Privacilla
  • WashingtonWatch.com

• Where We Work

  • Association for Competitive Technology
  • Cato Institute
  • Center for Public Integrity
  • Competitive Enterprise Institute
  • Heritage Foundation
  • Mercatus Center
  • Pacific Research Institute
  • The Progress & Freedom Foundation

• 
  
  
  

• Podcast Feeds

  • 
  • 

• Sponsors