each time you use a computer, you leave an electronic footprint. By now -- or, certainly, by the end of this century -- your local bank, your kid's school, the community hospital, the brokerage firm downtown, even your church, will likely have compiled a database that contains hundreds of pieces of information about you, including your Social Security number and mother's maiden name, and maybe even your credit history, your medical problems and your family background.
The Internet, digital commerce and other aspects of the information explosion can intrude on individual space as easily as they can open up new horizons. Surveillance cameras linked to computerized databases, for example, are already raising troubling questions about privacy rights in shopping malls and school lunch rooms.
These concerns have reached Capitol Hill. Lawmakers, both Republican and Democrat, have introduced more than a dozen new privacy-related bills this session and more are being drafted. With various interests, including the Clinton administration and major corporations, lining up on both sides, the privacy issue is shaping up as a major-league battle in the 105th Congress.
On the eve of the annual Computers, Freedom & Privacy conference, the popular forum to be held March 11-14, Salon talked with Marc Rotenberg, co-founder of the Electronic Privacy Information Center, a Washington-based information clearinghouse, about the political climate surrounding computer-related privacy issues.
Congress is barely a month old, yet already there's been legislation introduced to protect the privacy of medical records, cell phone calls, Internet usage and other electronic data from prying eyes and unwanted commercial trade. Why the sudden concern on Capitol Hill?
There's a backlash against all the hype surrounding the "information revolution." Personal information is pouring out all over the place, and people are getting wary about how all this data is being collected. This concern has spilled over to Congress, where privacy has become a bipartisan issue. In fact, the problem isn't with Congress anymore. It's with the White House. The Clinton administration has probably been the most anti-privacy administration since Richard Nixon wiretapped political opponents and gathered their personal files from the IRS.
Why do you say that?
First, their encryption proposal attempts to limit a very important privacy-enhancing technology -- cryptography -- that will be critical for the future growth of the Internet. The White House support for the Clipper Chip reflects solely the concerns of the law-enforcement community. They don't want any codes out there in the hands of criminals that they can't break. That's a legitimate concern, but it shouldn't be the only concern.
Second, they have a wiretapping proposal that would cost American consumers $2 billion over the next five years as telephone companies are required to engineer the network for wiretapping. It's clearly a case of the White House favoring commercial and law enforcement efforts over the individual privacy rights of American citizens.
But isn't asking Congress to protect privacy like asking the fox to guard the chicken coop?
Maybe it's not popular these days to talk about government doing much of anything, but there's clearly a role for the government to promote good policies on privacy. Lots of people in the online world have good reason to be leery of government action and regulation because government has made some big mistakes -- like the Clipper Chip and the Communications Decency Act. But the real challenge is not to have no policy but to have good policy. Congress should legislate in this area, like it is trying to do with bills to regulate the sale of Social Security numbers and to limit how much information school districts can put on a district database of children, and so forth.
But isn't privacy inevitably a price we pay for a technology that puts all kinds of information at everybody's fingertips -- literally?
No, not at all. Privacy is a requirement for an information society, because without it, you can't sustain an open information society. You can't have free and open exchanges of information if you have to worry that your privacy is going to be violated or sold to the highest bidder, or to a database without your knowledge.
But isn't that much easier said than done? How do you protect privacy on the Internet?
True, the Internet now is both leaky and like a data sponge. It's like a sponge because there are a lot of Web sites right now sucking up all the data they can about their users. As more of this is publicized, though, I think you're going to see quite a bit of reaction on the part of computer users of all stripes.
But databases that store a lot of information about us that we can't see -- or that we don't know about -- aren't new.
Yeah, databases aren't new and they're as plentiful as paper in our society today. But what I think is changing, and where people should have some concern, is the collection and sale of personal information. That's an area that's exploded in the last 10 years. It's very troubling. People don't know how that data is collected or how it's to be used or what the impact of revealing that information may be on their lives.
Especially when it gets into the wrong hands.
Right. We're seeing a lot of concern about what's being called "identity theft," which is essentially impersonating someone else's identity to open a bank account, make credit card purchases and so forth. It's a new kind of fraud based on the easy availability of personal information. It's something we anticipate will increase in the years ahead unless steps are taken now to reduce the risk.
How can it be reduced?
Banks want to require a lot more authentication of their customers. We may wind up with a system by which you may have to provide a thumbprint or a retina scan before you can get your bag of groceries from Safeway. We actually see some of that happening now, with welfare payments and driver's licenses and so forth. You're seeing a greater use of fingerprints for authentication.
We think the best solution is to promote the development of anonymous payment systems or electronic cash. The metro-subway card in Washington, D.C., for example, is a form of e-cash. Library copy cards, phone cards -- these are all systems of payment that allow you to purchase things in a computerized environment without disclosing your identity, which is what a credit card does.
Last June, after an onslaught of complaints, Lexis-Nexis discontinued a new online service that provided access to millions of people's Social Security numbers. It was one feature of the Lexis-Nexis P-Trak Person Locator. The service still provides the names, addresses and former addresses of tens of millions of people. Should these practices be stopped?
We were involved in a successful challenge of the misuse of Social Security numbers by the state of Virginia. Cases like that are only the tip of the iceberg. And we know this is the kind of privacy issue that individuals would like to see more restrictions placed on. But the White House has chosen instead to follow the recommendations of the Direct Marketing Association, a coalition of business groups who want to collect as much information as they can about potential customers. So nothing's been done, and the White House continues to promote the collection and sale of personal information.
What about privacy in the workplace? Aren't high-tech workplaces becoming high-tech fishbowls?
The protection of personal privacy in the Information Age may be as crucial for American workers as the protection of safety was in the age of machinery. But it's very difficult. Take e-mail privacy: The general approach the courts are taking is that the business you work for owns the computer equipment and therefore has proprietary interest in its use and control. Some companies recognize the importance of basic levels of privacy rights for employees but we don't have any type of national standard. We still have lots of companies openly eroding their workers' privacy on the job as computer use proliferates.
In January, parents of schoolchildren in Fairfax, Va., were up in arms over the school district's proposal to create an $11 million database with 1,200 pieces of information on each school student, including information about medical histories and family income. School officials said it will allow them to better track how well the district is educating children -- and tell them what personal, medical and family problems might be impeding their progress. What's your take on this?
I'm enthusiastic about computers in the schools -- for teaching. But if you create a giant database on kids without revealing to them or their parents what it is, then you've created a very different environment, one much more consistent with surveillance and monitoring. One of the new bills in Congress would require schools to inform kids and parents about what types of information are being collected.
Is it an uphill battle, going against the political and corporate powers arrayed against you?
That's an interesting question, because when you ask individual businessmen about privacy and computers, they're personally very concerned about it, too -- bosses as well as worker bees. But when it comes time to set policy for customers and clients and employees, those concerns take a back seat to profits. I think that's one of the ways we're going to have to continue to educate our decision-makers. That's the theory and practice of digital activism. If we do our job right, we make them see that they have an interest as well as anyone else to see individual privacy protected. We are all consumers, all members of families and all citizens.