Jim is the Director of Information Policy Studies at The Cato Institute, the Editor of Web-based privacy think-tank Privacilla.org, and the Webmaster of WashingtonWatch.com. Prior to becoming a policy analyst, Jim served as counsel to committees in both the House and Senate.
Hmmm. What to do. I’ve already got a law. Harper’s law states: “The security and privacy risks increase proportionally to the square of the number of users of the data.”
So maybe I also have to have a theorem. Harper’s Theorem states: “People call privacy a ‘right’ just before they drop it in the blender.”
So my blender detector went on high alert today when I saw Hugo Teufel characterize privacy as a “fundamental right” twice in a recent post on the Department of Homeland Security’s Leadership Journal blog. He’s Chief Privacy Officer at DHS.
Isn’t it incredible that “a junior official” could simply “download” detailed personal and financial information on 25 million people? Why would a system be designed this way?
To me this is the equivalent of assembling a vast pile of dynamite in the middle of a city on the assumption that excellent procedures would therefore be put in place, so no one would ever set it off.
There is no need to store all of society’s dynamite in one place, and no need to run the risk of the colossal explosion that an error in procedure might produce.
Similarly, the information that is the subject of HMRC’s identity catastrophe should have been partitioned – broken up both in terms of the number of records and the information components.
Were our REAL ID Act implemented, we would have similar piles of identity dynamite placed around the country waiting to explode. The proposed regulations implementing REAL ID punted on the security and privacy issues, perhaps “on the assumption that excellent procedures would therefore be put in place” by states.
Final REAL ID regulations are expected Real Soon Now.
TheFunded.com is an interesting site where people who have pitched VCs get to report on their experience. There was a big story on it in Wired this month.
Interested as I am in the entrepreneurship that is the Internet, I’ve been looking over the posts and came across an interesting one, about Accel Partners:
We pitched Kevin Efrusy on taking a round and he provided excellent advice …
He liked what we were doing but suggested to NOT take funding since we were profitable.
He was concerned that our exit wouldn’t be high enough to justify their investment but thinks that we’d probably get acquired in the next year.
Being a serial entrepreneur I’ll certainly pitch Accel again and recommend them to others.
Spot the albatross? I’ll point it out after the break.
I’ve testified and written several times about how such things as REAL ID and “electronic employment eligibility verification” are threats to our identity system. Collecting identity information in one place is the creation of new security risks. Now the UK has proven it – so we don’t have to!
The sensitive personal details of 25 million Britons could have fallen into the hands of identity fraudsters after a government agency lost the entire child benefit database in the post.
A major police investigation is being conducted after Alistair Darling, the Chancellor, admitted yesterday that names, addresses, birth dates, national insurance numbers and bank account details of every child benefit claimant in the country had gone missing.
Most likely, this data is just lost, but in the wrong hands it would provide criminals all they need to impersonate any of these 25 million people.
The persons responsible have been sacked. Specifically, Paul Gray, chairman of HM Revenue & Customs office.
Patient Privacy Rights is campaigning to restrict the use of prescription information. I was impressed by their video.
The thing I like about the campaign is that it’s mostly directed at pharmacy chains. I’d like pharmacies’ practices with prescription information to be one of the dimensions on which they compete. We need more information and we should use it when we decide which pharmacy to go to.
A wee quibble: The video talks about what the law should be, and the campaign cc:s members of Congress. I’m not impressed with legislative attempts to protect privacy. The legislative process is a playground dominated by organized interests – governments, corporations, and their lobbyists – not by consumers. In fact, the PPR site links to a Hastings Center report that documents nicely how the HIPAA “privacy rule” is not a privacy protection at all. My own effort on that score, from a few years back, is here.
That gloss aside, though, restriction of prescription information is the right outcome, and addressing the issue to pharmacy chains is the right way to pursue it.
The crzegrl.net link is to a flight nurse’s blog. She posted about a nursing bill, but the widget is in her blogroll and most of the traffic is coming from another, very touching entry. Strong stuff. I love the Web.
But I’m impressed with the general tenor of his recent comments encouraging a focus on preventing consumer harm. Many in the privacy community are deeply wedded to “Fair Information Practices” – a varying set of rules that, followed by rote, would allegedly take care of privacy. Well, they don’t. They produce a lot of churn, and they soak up a lot of energy with regulation, compliance efforts, and what-have-you. But they don’t address what matters: protection of actual privacy and prevention of consumer harm.
“FIPs” aren’t all bad. Some of them are good. Some conflict with others. They’re just not a helpful framework for addressing the problems presented to us by the information age.
Last year, the DHS Privacy Committee produced a document unpacking the human values that matter (generally referred to as “privacy”). The focus should be on how information practices affect privacy and related values – chiefly, whether modern information practices cause people harm.
In the recent Verizon Uprisin’ (successor to the Comcast Kerfuffle – how’m I doin’?), the blogospheric back-and-forth between TLFer Tim Lee (writing at TechDirt) and TLFriend Ed Felten illustrates nicely the difficulty with both parts of the case for ‘net neutrality regulation.
The first question is whether there is a problem that needs solving. The two disagree about whether Verizon’s operation of its DNS servers is a ‘net neutrality violation at all.
The second question is whether the problem is better solved by regulation or by market processes (expert agitation, consumer pressure, etc. that carry with them the threat or reality of lost customers and profits). As a technical matter, Tim points out that people are free to point their computers to another DNS server, such as OpenDNS. Ed says “it might turn out that the regulatory cure is worse than the disease.”
Even among those who disagree on whether there’s a substantive ‘net neutrality violation here, regulation doesn’t seem to be the cure. Even Harold Feld hasn’t written a triumphal post. (Though, in fairness, he seems to be distracted – and oh so giddy – about cable regulation.)
The New York Times reports today that New York Governor Eliot Spitzer (D) has dropped his plan to issue licenses without regard to immigration status.
His original, correct decision to break the tie between driver licensing and immigration status met with hails of derision from anti-immigrant groups and his political opponents. He attempted to quell the outrage by agreeing to sign New York up for the federal government’s “REAL ID” national ID system, but this did not please anyone. So now he’s back at square one.
He said the state would put on hold the plan to adopt the Real ID, which has been championed by the Bush administration. The governor said he wanted to wait until federal regulations for Real ID licenses were issued next year before deciding how to proceed.
Now that he’s – ahem – studied the issues, one hopes he’ll recognize that REAL ID is costly, privacy-invasive, and ineffective, and he’ll decline to involve his state in the national ID program.