Neither these seven suggested principles, nor any other set, will resolve, nor should be expected to resolve, the productive tension between the needs and advancement of science and the vibrant diversity of human personality. If it is correct, however, that there has been a growing imbalance in the relation of science and research to the values of privacy, then either the dignity, diversity and strength of the individual in our free democratic society will be diminished, or society will correct the balance. If the balance is to be corrected—as it will and must be—the lead should be taken by the scientific community through its own codes, its own attitudes, and its own behavior.
“CENTRALIZED GOVERNMENT INFORMATION SYSTEMS AND PRIVACY”—TRW SYSTEMS
S. Rothman* “The sole end for which mankind are warranted, individually or collectively, in interfering with the liberty of action of any of their number, is self-protection. That the only purpose for which power can be exercised over any member of a civilized community, against his will, is to prevent harm to others. His own good, either physical or moral, is not a sufficient warrant. He cannot rightfully be compelled to do or forbear because it will be better for him to do so, because it will make him happier, because, in the opinion of others, to do so would be wise or even right ... Over himself, over his own body and mind, the individual is sovereign.”—J. S. Mill, “On Liberty”.
Many fears have been expressed about the government maintaining personal dossiers on all citizens in one large computer. The threat is generally considered a problem of the future. While such a system does not yet exist, the threat and concerns have a rational immediate basis in that all of the components of the national system are in place today. All of the major federal agencies have computerized files. Most contain some type of personal identity data. These files are either directly or indirectly accessible to people who program and operate the computers. Thus, there is, probably, today a small group of people who can find out anything they want to know about anyone in the United States from the documentation in these many federal files. The threat to society is not solely a government threat, however, nor can it realistically be termed a problem originating with digital computers. Manual files present the same dangers. There are centralized national credit systems that contain millions of people's dossiers which are available for a price. To date, there have been no obvious disastrous consequences of this availability of information. In fact there are many obvious benefits. However, police files, for example, have been pilfered for non-police purposes and in some cases a criminal record has even been expunged simply by removal of a criminal file.
The role of the computer in this problem area is simply stated. It makes the operation of all these files cheaper and faster. Thus, personal information may be made available cheaper and faster. It may be possible to protect computer files, however, better than manual files, and one large installation under the most stringent of rules may be better protected than many installations with lesser controls. It may be possible to raise the cost of pilfering a computer file by narrowing down the number of people that have access to the programs and files, complicating the access and raising the cost from corrupting clerks to corrupting computer programmers.
Only a very specific type of government computerized information system will be discussed in this report. The Bureau of the Census, for example, has adequately demonstrated over many years that it is possible to operate a purely statistical system without the disclosure of individual data. This has been done, in part, by avoiding the release of statistics based on small sample sizes. This type will not be discussed. Files strictly concerned with government employees' records will not be included, nor will the problem of unauthorized release of proprietary business information. The one specific kind of information system that will be discussed is that which contains information about the lives of people, retains the identity of the people in the file, and releases the information and personal identity to authorized federal employees.
*The opinions expressed by the author are his own and do not reflect the position of TRW Systems. This paper was written for the President's Crime Commission at the request of the Institute for Defense Analysis.
The initial purpose of this paper as requested by the Institute for Defense Analysis was to define the problems of privacy of the individual and the dangers inherent in unauthorized access to the information contained in such systems. A second purpose was to outline the analyses required to define the threat, the automated solutions, and the security offered by such solutions. As it turned out, the paper is broader, and somewhat conjectural.
II. THE THREAT
In part, the threat is posed hysterically as "the computer will treat a person like a machine; direct him from birth to death; select his schools, jobs, mates and salaries; measure his status; act as a censor; and assemble a composite picture of a person.” These kinds of sentiments express fear of a computer as a symbol of authority. This authority is really government authority and the concern is not privacy but manipulation.
The more sophisticated objections of a philosophical nature are that the use of such a system would strip a man of his individuality and privacy, and provide a force for depersonalization and conformity. Because of the fallibility of humans, our society has a need to forgive and forget, and because of the fallibility of our present information systems we have the capacity to forget and thus forgive the errors of a man. This capacity could be limited by the inhuman use of a national computer system. At the very least the potential existence of such a system forces some attention to the question of what circumstances allow for the forgiveness of what kinds of errors.
In the political realm there is the concern that a power elite can be created to “narrow the corridors of power" either by blackmail or election engineering. As an example of this concern, we have a recent election contest on the East Coast of the United States that has been debating the potential destruction of a crime commission file during the transfer of power after the election. This file could presumably disclose the criminal support of elected or appointed officials. This really has nothing to do with privacy or computers, but is relevant to whether knowledge is political power. Politically, there is also the feeling that such a system would increase the distrust that the populace, in general, has of government and inject a certain element of fear. Both confirmation and counter-argument here is the increase in tax revenue obtained by the Internal Revenue Service upon the installation of a computer. People simply started submitting more honest tax returns. However, should a legitimate set of purposes and safeguards be arrived at for a national computer system, it should be possible to construct a convincing public education program. The image of a demagogue has been called up by some as being even more threatening with a computer at his disposal. A computerized system might be used to automate the production of proscription lists. However, demagogues have never been limited by either a lack of names or facts.
The law enforcement community has known for a long time that organized crime will use its unlimited financial resources to penetrate a system by attempting to corrupt government employees if enough is at stake. The most obvious area in which organized crime would have an interest in penetrating the system is in its attempt to acquire legitimate enterprises. There are some non-criminal organizations that would have an interest in penetrating the system: newspapers, private detectives, and credit agencies. Con-artists with deep psychological insights using personal information stored in such a system could sell, coerce, or even pose as government officials on the basis of having such information. While again these concerns are not related to privacy per se, they do raise the spectre of a national system being used to the disadvantage of the public.
There is a group of fears that are more likely to occur to technical people because of their knowledge of similar systems.
(a) There would be mistakes made because of oversimplification in the statement of a man's dossier. This is a more serious problem in a computerized system than a manual one because the costs of the system can be related more directly to the size of the unit record (the dossier).
(b) Some government information systems presently depend upon a voluntary supply of information by the populace. Should such a system become really threatening to the populace, these voluntary sources would dry up in some degree.
(c) Strictly digital information without signatures or seals is easily copied, counterfeited and transmitted.
(d) There could be inadvertent libels through procedural mistakes.
(e) Changes or deletions in the files, intentional or inadvertent, would have tremendous consequences. For example, and this is somewhat of an oversimplification, a person could effectively cease to exist because his file was lost.
(f) Errors could be caused by confusion of people's identity.
The positive side of the ledger is not as lengthy as the negative. First of all, it has not yet been said what the operational purpose of integrating all personal information is. So, in part, this is a nameless threat. The largest single argument for such a system, however, probably stems from the rising costs of government and the savings to be obtained by reducing duplicated information gathering and processing and the economic sharing of computer equipment. This may be the tail wagging the dog to the extent that the character of life is dictated unnecessarily by either technological or financial purposes.
The research community makes an argument that better economic modeling and psychological research could be done with such files. One analyst posed the thesis that there could be a more closely controlled production of consumer goods and therefore lower prices and less business fluctuation, presumably, by the government making available very detailed analyses of consumer purchasing patterns. The impact of this on free competitive enterprise could certainly bear some investigation. However, this kind of research does not require the personal identity or specific address in the particular statistics being processed.
As was mentioned above, more honest income taxes resulting from computer processing have an obvious advantage to our society as would (say) a nationwide automated matching of employment opportunities to personnel qualifications, but these are special purpose systems that do not require integration with other files.
While it has been argued that vast depersonalization would be the result of a national computer system, it could also be argued that government bureaus are not really famous for dealing rapidly with problems involving individual differences of any subtlety. There is the legitimate conjecture that very involved computer programs working with very detailed personal histories would enable more humane bureaucratic systems than the present hordes of clerks operating under relatively inflexible manual procedures that require a form filled out with the same personal information at every confrontation.
The threat of this information system and the potential benefits depend more on the organization using the system than anything inherent in the computer itself. Such a system could not be used by any existing organization, today, without seriously changing its structure or purposes. This gives rise to the question of whether our present federal organization is such that the information could be protected. Is there any single department constituted to tell IRS, Treasury, the Attorney General or Congress that they cannot under any circumstances (war or peace) have certain information?
Thus, at this time we have, first, hysterical threats. They are significant because they are politically saleable, and easily communicated. The danger here is that we may get laws born of hysteria that inhibit the legitimate development of government information systems with rational, non-threatening purposes. The threat of attempted political misuse is realistic but the technical feasibility of election engineering is not obvious. The system would surely constitute a ripe target for the list of potential commercial and criminal penetrators. The benefits of such a system, which can and should be considered separately from the potential corruption of the system, seem to be solely efficiency of government operations. The philosophical question about the effect on the privacy of individuals should be and is considered below more in the context of the prevailing conditions.
III. INDIVIDUAL PRIVACY
Historically, privacy is a western concern. As a value, it is difficult to define. Privacy permits one to keep the past from interfering with the future. If one flunks out of school, fails to pay the bills, violates the law or even has a minor heart attack, one need not forever be excluded from schools, credit, jobs or insurance. As has been said before, this freedom to change is in jeopardy today.
Another notion of privacy is the right to choose whom you communicate with. Clearly the files collected voluntarily from the populace for one purpose and transmitted to another agency for another purpose without the permission of the populace are a violation of that right.
Privacy permits an individual to invest a measured amount of himself in any given effort or organization. There is a common feeling that anything less than a complete commitment of a man is equivalent to disaffection. Here we are concerned with a judgment that a public official could make about a person's commitment to the country, a project or an idea. Knowledge of a man's education, hobbies, financial expenditures, marital relations, etc. can easily convince a decision maker that he can make this judgment. However, one must distinguish when this judgment must be made and when not. If a man is being considered for a Presidential appointment, the judgment must be made. If he is being considered for a janitorial position, obviously not. The problems are: (a) Who is to make what kind of judgment on whom and for what purpose? (b) What information is strictly relevant under each circumstance?
To some the right of privacy means the right to be let alone. This, typically, is the feeling of the rich, the famous, the artist, the hermit, etc. Here, we are concerned with the dunning, selling, or conditioning that could be effected through such a file. Privacy, to some extent, may be a 19th century value which, like conservation, is an unrealistic longing for the past. For example, as it stands now only about 8–13% of those that have telephones use unlisted numbers. However that may be, privacy as understood in the above four notions would be in jeopardy from a national information system.
What is the contemporary environment of a concept such as privacy? After 200 years of social, economic and technical progress, we in the United States have discovered that some distressing percentage of our population are sex deviates, addicts, ex-convicts or liars. Whether this percentage is greater now than in the past is unknown but it seems to matter more now. Psychologically, there are many influences in our society that are producing conformity and depersonalization. Conformity seems to breed the need to be reassured that others are conforming as well. This is because those that grant loans or security clearances or hire people must, reasonably enough, assure themselves of stability and normalcy. This is done through dossiers. Thus the “need" for the dossiers seems to stem from activities of the deviate and anxieties of the conformist segments of society.
People have become conditioned to surrendering more and more of their privacy. The requirements for credit, security clearances and insurance are presently such that people are accustomed to telling strangers the intimate facts of their lives.
While the computer is the object of this essay, there are other more personal and more threateningly effective devices in current use today. They are the lie detector, bugging equipment, wire tapping gear, psychological tests and truth drugs.
Thus, the threat to privacy is real and the current high level of anxiety provides a motivation for more use of dossiers. Furthermore, some people have become accustomed to voluntarily relinquishing their privacy for their own purposes and others have become accustomed to relieving them of their privacy through devices. It would seem that the time is ripe for adding this one additional assault (the computerized dossiers) on man's unspecified right of privacy.
The question then arises as to what the remedial measures may be. In order, we discuss government, law, and technology.
IV. THE GOVERNMENT
Government, typically, deals with constitutional rights better than it does with such values as privacy. There may be some disputing this statement when it comes to the beautification program but even there, certainly, at the local level the philosophy of maintaining “open space" often loses out in zoning arguments against commercial interests.
If, with J. S. Mill, we take the attitude that values are really options for people to choose with their own free will, not to be enforced by a government, then a reasonable question is, are there any irrevocable errors inherent in the existence of a national computer system that could deny these options? Conversely, could privacy be better protected in a large single system or could better protection laws be devised?
The largest, most threatening, irrevocable error in any government system is absolute political power. It has a way of being difficult to uproot because of long standing fear and passivity. As a free society we should always be in a position to correct an error. How could we be certain that such a system, if it was built and in some way contributed to absolute political power, could be destroyed? It might, for example, be very difficult economically, once public services were centralized on such a file, and manual records and special purpose systems were no longer maintained, to ever destroy the system; to be assured that it literally had been destroyed; or reassure the public that it had been. If the rationale for the system was economy, then strong arguments would exist for abandoning manual or separate special files, and keeping the information content to a minimum. These manual and separate files could be re-constituted automatically but the information content would be strictly digital and no greater than that of the central file.
V. THE LAW
There are federal laws concerning confidentiality restrictions. It has been reported that these laws have no statement limiting the transfer of data within government according to the purposes of the collector or the receiver (i.e., the need to know). There are laws providing penalties for public disclosure and these penalties transfer with the data. The Civil Rights Act prohibits gathering or mentioning data on race, creed, color and, most recently, sex. It is also against the law to keep the photograph of a person in an individual's file. These restrictions are there because we have not yet learned how to control the use of information.
Privacy laws vary from state to state. Nineteen states provide privacy rights by judicial decision. A number of states have no privacy laws or decisions. Some states prohibit the unauthorized use of the name, portrait or picture of a living person in advertising or trade. The broadest statement of law seems to be in Georgia where “privacy is derived from natural law and is an inalienable right." 2
There are a number of unresolved legal problems in this area. What controls the federal-state exchange of personal information? Does confidentiality oppose or re-enforce secrecy in government? Does voluntary commitment by a narcotic addict, sex deviate or mentally incompetent person waive the right to anonymity? What is the privacy status of ex-convicts, juveniles, seniles and welfare dependents? Are machine records admissible as court evidence? At what point is a man's dossier so complete that anyone who reads it is invading his privacy as surely as if he had broken into the man's desk and read his private records? The provision of the Fourth Amendment, “the right of the people to be secure in their ... papers ... against unreasonable searches and seizures ...," raises the possibility of requiring a search warrant to read a person's dossier. If a person's dossier becomes a legal instrument, under what circumstances can the file be changed, and what kind of legal review is required to change or even retire some aspects of a person's file?
Lockheed Missiles and Space Company, under contract to the State of California, looked into the legal problems involved in implementing a statewide information system. They came up with the following kinds of legal areas to be researched before the implementation of a general statewide system.
(a) Exchanges of information that are prohibited by statute, such as the disclosure of adoption proceedings.
(b) Exchanges that are at an administrator's discretion, such as public health transmission of venereal disease cases to the police department.
(c) The class of privileged communications, such as those between doctor and patient, that a state collects through its hospital systems.
(d) The immunity and liability laws relating to individual government employees and government itself.
Thus, there is as yet no general legal protection for the individual. What about technical protection?
VI. TECHNOLOGY
The protection of this highly sensitive computer system is discussed here. Such a system would be accessible to machine operators, maintenance men, programmers that are improving the system, and physically remote users. Each is discussed in turn.