« PreviousContinue »
age disposal system. It took a series of disastrous fires to get our electrical codes.
13. The national geographical extent of the new data systems, their impact, and the investment so large that the price of a “retrofit” after the calamities occur may be a higher price than we need have paid with some preplanning.
PROPOSED SPECIFIC SAFEGUARDS
To be more specific, what safeguards do I envision? Of course, we don't know all the answers yet. But, clearly, there are several steps that we should be considering, including:
1. Provision for minimal cryptographic type protection to all communications lines that carry potentially embarrassing data-not super-duper unbreakable cryptography-just some minimal, reversible, logical operations upon the data stream to make the eavesdropper's job so difficult that it isn't worth his time. The future holds the promise of such low-cost computer logic, so this may not be as expensive as it sounds.
2. Never store file data in the complete "clear.” Perform some simple (but key controllable) operation on the data so that a simple access to storage will not dump stored data out into the clear.
3. Make random external auditing of file operating programs a standard practice to insure that no programmer has intentionally or inadvertently slipped in a "secret door” to permit a remote point access information to which he is not entitled by sending in a "password.”
4. When the day comes when individual file systems are interconnected, let us have studied the problem sufficiently so that we can create sensible, precise ground rules on cross-system interrogation access.
5. Provide mechanisms to detect abnormal informational requests. That is, if a particular file is receiving an excessive number of inquiries or there is an unusual number of cross-file inquiries coming from one source, flag the request to a human operator.
6. Build in provisions to record the source of requests for information interrogations.
7. Audit information requests and inform authorities of suspected misuse of the system.
This list is open-ended, and it is hoped that more suggestions will be forthcoming. But, to serve as an example of the need for and type of safeguards we are talking about, to illustrate how such thinking can ameliorate the problem of loss of privacy, consider what we might do in the case of our present telephone system.
ONE EXAMPLE OF INCLUSION OF PROTECTION MEASURES : THE TELEPHONE SYSTEM
Today we are deluged with bogus telephone advertising, crank calls, bomb threats, false fire and police alarms. Obscene telephone calls, particularly to single women, have become so prevalent that it has been publicly suggested that female names be listed only as initials.
In Washington, the number of these calls has become so great that after much Congressional and press discussion the penalty for making obscene calls was raised from $10 to $500. Of course, it is a rare event when a person making an obscene telephone call is caught, so the deterrent effect is almost nil. But an increased penalty hidden in a law book is the standard legal response to a basically technological/social problem. This writer would prefer to see technology which created this problem be required to provide more effective safeguards.
For example, each telephone (or at least those plagued with these calls) should have a button which when pressed bridges the call to a bank of recorders at the police station and a teletypewriter
message with the name,
address, and telephone number of the calling party transmitted to the nearest police car. It wouldn't take long to clean up the undesired callers.
If you were to make this suggestion today you would be told that this is not practical because it would be prohibitively expensive since this requirement did not exist when the original electro-mechanical telephone system was set up. This is true, but let us look at the emerging use of the all-electronic switching centers we have been talking about. It will be relatively easy now to add such an immediate track-back feature. Will we do it? I don't know. It would cost money and there are many reasons telephone companies would wish to avoid getting involved
but here is a perfect example of the social implication of the instrument which can violate our right to be left alone. The telephone can be designed (at a somewhat higher cost) to provide safeguards forming added protection to prevent it from being socially misused.
Clearly here is an example of the trade-off between dollars and the type of society we want. It will fall to the computer system engineers to make such decisions more and more often in the future.
What a wonderful opportunity awaits the computer engineer to exercise a new form of social responsibility. The advent of the new computer-communications technology need not be feared with trepidation as we approach 1984. Rather, we have in our power a force which, if properly tamed, can aid, not hinder, raising our personal right of privacy.
If we fail to exercise this unsought power that we computer engineers alone hold, the word "people” may become less a description of individual human beings living in an open society and more a mere collective noun.
It may seem a paradox, but an open society dictates a right-to-privacy among its members, and we will have thrust upon us much of the responsibility of preserving this right.
ON THE CONFIDENTIAL STATUS OF CENSUS REPORTS
(By the Thomas F. Corcoran, professional staff member, Subcommittee on Census and Government Statistics, House Post Office and Civil Services Committee)
[When President Kennedy signed Public Law 87-813 on October 15, 1962, businessmen, economists, statisticians and many others breathed a collective sigh of relief. The law, passed in hectic closing days of the 87th Congress, amended section 9 of title 13, United States Code, to extend confidentiality to companyretained copies of census reports. A Supreme Court Court decision on December 11, 1961, in the St. Regis Paper Co. v. the United States had ruled that company-retained copies of reports made to the Census Bureau could be subpoenaed by the Federal regulatory agencies and the information thus obtained used in legal proceedings against the reporting company. The decision, in effect, “placed the entire Federal statistical system in jeopardy" and shook “the confidence of the business community in the Federal reporting system” according to the report of the House Post Office and Civil Service Committee.
The census has always been the keystone of our intricate Federal statistical structure. Confidence is the sine qua non of the census system. In the following article, the subject of census confidentiality is discussed with specific reference to the St. Regis decision and Public Law 87–813.]
On December 11, 1961, a 6–3 decision of the Supreme Court ruled ' in the case of the St. Regis Paper Company v. the United States, that copies of reports filed with the Bureau of the Census could be subpoenaed by the Federal Trade Commission and the information thus obtained used in legal proceedings against the reporting company. Based principally on decisions of lower courts in the Beatrice Foods Company and Bethlehem Steel Corporation cases (see below), it had been generally assumed prior to the Supreme Court decision that copies of census reports did, in fact, have confidential status similar to that of the original reports filed with the Bureau of the Census.
In the decision, the majority opinion of the Court held that section 9 of title 13, United States Code, did not specifically accord the protection of confidentiality to copies of census reports. Mr. Justice Clark, in delivering the majority opinion, stated :
"We fully realize the importance to the public of the submission of free and full reports to the Census Bureau, but we cannot rewrite the Census Act. It does not require petitioner to keep a copy of its report nor does it grant copies of the report not in the hands of the Census Bureau an immunity from legal process.
Indeed, when Congress has intended like reports not to be subject to compulsory process it has said so.”
1 See Supreme Court of the United States. No. 47, October Term, 1961, St. Regis Paper Company, Petitioner, v. United States, December 11, 1961.
In his dissenting opinion, Mr. Justice Black, with whom Mr. Justice Whitaker and Mr. Justice Stewart concurred, stated :
“But surely the Government's promises, fairly construed, do not indicate that the scope of the protection afforded against the use of census reports ‘for purposes of taxation, investigation, or regulation' is limited to the original of those reports and to the Census Bureau alone. The Bureau does not itself even engage in the activities against which the use of these reports is protected. Quite plainly, the promised protection was against governmental 'taxation, investigation, or regulation' generally, and, to protect the integrity of that promise, it is of course necessary that all of the particular arms of Government which are engaged in those activities be bound by the Government's pledges." Discussion of the Supreme Court Decision
In order to grasp the full import of the Supreme Court decision in the St. Regis case, it is necessary to understand the confidential relationship which has developed over the years between the Bureau of the Census and the millions of business firms which furnish statistical information to the Bureau, upon request. The census programs most affected are in the fields of manufacturing, mining and other mineral industries, and retail, wholesale, and service trades. In these fields complete censuses are taken every five years, and between censuses a great variety of current surveys are conducted, mostly on a sample basis.
The censuses are mandatory upon respondents; that is, the law provides penalties for refusal to return a filled-out form to the Census Bureau. Some of the current surveys are similarly mandatory, but the law specifies that most of those taken more frequently than annually shall be voluntary. More than half of the surveys, therefore, are voluntary. (See Table I.)
In the economic censuses it has been the regular practice of the Census Bureau to provide a second copy of each inquiry form to be filled out and retained by the respondent. This practice had its first application in the 1937 Census of Manufactures, the first economic census to use the mails instead of enumerators to collect information. It is used in all economic censuses today, and is followed also in the current surveys. TABLE I.—List of Census Bureau surveys dependent upon responses from business
men covering the year 1961
TABLE I.-List of Census Bureau surveys dependent upon responses from busi
nessmen covering the year 1961–Continued
1 The end-of-year report is mandatory.
Source: See hearings before the Committee on Post Office and Civil Service, House of Reprecentatives, 1962, “Confidentiality of Census Reports," p. 21.
The retention by respondents of file copies of questionnaires is important for two reasons: (1) when the Census Bureau staff reviews the questionnaires returned by reporting companies, it is often found necessary to communicate with respondents about certain details to secure explanations, corrections, or missing entries, and the retained copy gives the respondent a basis for answering the questions; (2) when the next census or survey is taken, the respondents' file copies of the previous inquiry provide a basis for reporting consistent data, so that the statistics will be comparable over time.
Until the St. Regis decision, businessmen had believed that their retained file copies were invested with the same confidentiality that governed the treatment of the forms returned to the Census Bureau-that they were created for and were to be used only for statistical purposes. They entered on these forms not only book figures but also estimates prepared to meet the Bureau's special needs and not always approved by the firm's accounting and legal departments. These estimates made it possible for the Census Bureau rapidly to compile reasonably accurate industry totals even though not all establishments in the industry kept books in the same way. Although the census was mandatory with respect to book figures, the respondent was under no compulsion to make estimates if book figures were not available; in many instances, he willingly provided estimates in order to assist the Census Bureau, and indirectly his own trade or industry association, in compiling meaningful statistics.
Thus, over the years, the Census Bureau developed a close and effective working relationship with the business community. The uniqueness of this relationship was described by the Solicitor General of the United States when he argued the St. Regis case before the Supreme Court in October, 1961 :
"An analyst of the Bureau undertakes to work out, with his opposite number in the reporting company, an estimate based on information in the records as kept ... the technician of the Bureau of the Census, because of his knowledge of the industry under consideration, may question some estimates as unrealistic and request consideration of other factors before an estimate is agreed upon. In like manner he may doubt, and therefore wish to verify, particular returns. The process of compiling the necessary statistics for even a single company often involves close and continuous collaboration between company technicians and Census Bureau experts."
As a result, the reports filed by business firms with the Census Bureau often contain approximations, estimates, and distributions not readily available from company books or records. Estimates may concern such important matters as inventories, intraplant shipments, and sales of specific commodities to various types of consumers. It should be emphasized that this information is often in excess of the legal requirement and is furnished voluntarily by these firms. It is widely recognized that this voluntary cooperation on the part of the business community has been earned over the years by the Census Bureau principally because of its excellent record in safeguarding the confidentiality of the data in the past and the Bureau's continued assurances that the data so furnished would be treated in strictest confidence.
The Census Act (U.S.C. title 13, sec. 9) states that "information furnished" the Census Bureau will be (1) examined only by "sworn officers and employees" of the Bureau, or the Department of Commerce, its parent organization ; (2) used only for “the statistical purposes for which it is supplied”; and (3) compiled in such manner that the data supplied by an individual company cannot be identified.
To emphasize the "confidential" character of its reports, it has been the custom of the Bureau to print on Census questionnaire forms this type of statement :
“CONFIDENTIAL-This report should be returned within 30 days of its receipt. This report is required by Act of Congress (13 U.S.C. 131). Your report is confidential and only sworn Census employees will have access to it. It cannot be used for purposes of taxation, investigation, or regulation.".
The importance of this promise of confidentiality was underscored in 1959 by the then Director of the Census Bureau-in particular relation to the value of estimates and speedy compilation of data. The Director pointed out that the purpose of the law's provisions of confidentiality was to protect companies "against any harm which might result from their complying with a Census reporting requirement”—and he added :
“This privileged relationship enables the Census Bureau to require response to inquiries which are necessarily formulated on a uniform basis for all com