
The machine operators have to handle and often duplicate the magnetic tapes containing the sensitive information and as such strict control over tapes and their mounting would be in order. The ability of operators to watch printers can be limited and in fact the offline printing and exchange of identification numbers for names of people on listings can be done as a last operation under the greatest possible control. The destruction of carbon paper and ribbons, and clearing of memory has to be handled carefully as well.

It will be difficult to keep maintenance men away from the operating system software, because some forms of machine failure can only be analyzed in terms of the operating system; i.e., the failure doesn't show up under any of the routine testing procedures. However, there could be a rule that prevents a maintenance man from ever working on a machine by himself. The other threat to the system is that, like the telephone repairmen who illegally facilitate wire tapping or bookie operations, a dishonest computer maintenance man could (say) covertly connect an operational tape unit to one that he was "testing or fixing" and transcribe a tape. Conceivably he could, through suitably modified "test equipment", transmit the tape over an ordinary telephone line. Thus the telephone system has to be isolated, and the radio environment has to be monitored and screened to be certain that the natural electromagnetic emissions from a tape unit are not propagated. Similarly, anti-tampering circuitry could be devised for the computer.

It is possible to distinguish between programmers' debugging additions to the system and users of the system and grant each a different kind of access. The programmer could always work with dummy files, whereas the user can't. The user need never have access to the programs. The programmer must have access to a copy of the functioning programs, but not the programs themselves as they operate. The protection programs themselves must be protected. These separations can be maintained by hardware (memory protection) and software techniques. It is quite possible to maintain absolute control over the programs that are in the system by checks against controlled duplicates (maintained by a single separate authority). Changes to the programs can be rigorously checked for purpose and impact before being entered into the operational programs.
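The check "against controlled duplicates" described above is, in modern terms, an integrity check of the operational programs against a reference manifest held by a separate authority. The following is an added example in Python, not code from the paper; the program files, their names and contents are constructed for the illustration, and the "separate authority" is modelled simply as a manifest built before the programs went into operation and kept outside the operational tree.

```python
"""Check operational programs against a controlled reference manifest.

Added example, not code from the paper.  The directory layout, file names
and contents are constructed; the "separate authority" is modelled as a
manifest dict held outside the operational tree.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large program images are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Relative path -> digest for every file under root (the controlled duplicate)."""
    manifest: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_digest(full)
    return manifest


def verify(root: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the operational tree with the manifest; three empty lists mean a clean check."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def _write(root: str, name: str, data: bytes) -> None:
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)


def demo() -> Dict[str, List[str]]:
    """Build a manifest of a constructed program library, then tamper with it and re-check."""
    with tempfile.TemporaryDirectory() as ops:
        _write(ops, "query.bin", b"constructed operational program A")
        _write(ops, "update.bin", b"constructed operational program B")
        manifest = build_manifest(ops)  # taken and held by the separate authority
        assert verify(ops, manifest) == {"modified": [], "missing": [], "unexpected": []}
        # Three things the rule is meant to catch: an altered program, a removed one, an unapproved one.
        _write(ops, "query.bin", b"constructed program A with an unauthorised change")
        os.remove(os.path.join(ops, "update.bin"))
        _write(ops, "patch.bin", b"constructed program nobody approved")
        return verify(ops, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest must be produced and stored by the separate authority, not by the operators of the machine being checked; a manifest that the operators can regenerate themselves catches accidents but not a deliberate change.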

Then, there is the protection of the user console. Lock and key, safe combination and identification number systems can be used along with a system that specifies which class of access each person has. Very involved systems have been devised to control different classes of access: retrieval, infilling, culling, and changing. Furthermore, the data access code systems can be put under separate security control and changed frequently. The ability to delete information requires the ability to delete information wherever it occurs in the file. The system itself could keep track of who has had access to what information (a capability difficult to achieve in a manual system), and any exceptions would require supervisory consent. A monitor system could inspect all queries or sequences of queries made by a single user to search for errors or tricks. Communication lines that carry personal information to users could be protected by encryption devices. However, even if they can be bought for non-military purposes, these devices are so expensive that they could only be used between computers or between major facilities containing a number of user consoles and a remote computer. They are too expensive to assign to each remote user console, and the system would necessarily involve many such remote consoles.

Lastly, there is the character of the user himself. Bonding (for honesty) and clearance (for loyalty) would be required. The type of security clearance would have to be more severe than just loyalty or honesty clearance (to match the sensitivity of the material). Personnel using dossier information should also be judged for their humanity and empathy with the problems of mankind. Admittedly, this is a very difficult thing to do, but otherwise, the potentially immature judgments could provide a very strong force for conformity and injustice. Then, there is the question of who decides these questions of access, maturity and sensitivity.

Specifically, the Bureau of the Census' experience indicates that careful protection is very involved and raises a legitimate question of whether public discussion of the protection technique can compromise the security of the system. Conversely, if the security measures can't be discussed, can they be trusted? This may just argue for the same kind of restricted access that Congress has to the CIA. Presently, security systems [10] exist, of course, for running computer centers with military classified information control. There are techniques for dealing with magnetic tapes (degaussing), discs (overwriting), printing, janitorial maintenance, keypunching, listings, visitors and the disposition of waste. What remains as an unsolved problem is the operation of computer programs and data of differing security levels in the same computer simultaneously. This is the kind of operation that would be required if remote users of differing need-to-know were to use the same time-shared dossier-type data base.

Will people accept protection from the same device that they fear? It should be mentioned that arrays of devices such as ones posed above have been proposed to the National Security Agency for protection of sensitive intelligence from people that aren't cleared for intelligence information. None have been accepted. In summary, the system can be loaded down with protective devices. It will certainly be both imperfect and expensive. The question to be further pursued is how much cost will this protection add to the total, and then what will the probability of penetration be?

VII. OTHER TECHNICAL CONSIDERATIONS

There are a number of technically interesting problems having to do with the construction of such a system that should be looked at.

Correlating files gathered in different places for different purposes is not simple. It is difficult to determine whether two given records are really concerned with the same person. The only certain identification technique that law enforcement has is the fingerprint, and as yet automatic processing of fingerprints is not technically feasible. There are a number of different techniques for handling spelling problems having to do with names in general and with names that are homonyms. Present solutions to the handling of name files are far from perfect. In the long run, the social security number as a common identifier may ease these problems. A system that didn't positively confirm identity could be subject to the malicious mischief of one person confusing the system with false information about another person.
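As an added example (in Python, not code from the paper) of the record-correlation problem just described: names are compared by Soundex, a phonetic code of the period that absorbs spelling variants, but two records are declared the same person only when they carry the same positive identifier; agreement on name and birth year alone yields a "candidate" that must be confirmed by a person, so a false record cannot silently attach itself to someone else's file. The records, the identifier values and the matching policy are constructed for this illustration.

```python
"""Correlating records about the same person: phonetic name matching plus a positive identifier.

Added example, not code from the paper.  The records are constructed; "identifier"
stands in for a common identifier such as the social security number the paper
mentions, and the matching policy is this example's own.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple

_SOUNDEX_CODES: Dict[str, str] = {}
for _letters, _code in (("BFPV", "1"), ("CGJKQSXZ", "2"), ("DT", "3"),
                        ("L", "4"), ("MN", "5"), ("R", "6")):
    for _ch in _letters:
        _SOUNDEX_CODES[_ch] = _code


def soundex(name: str) -> str:
    """American Soundex: first letter plus three digits.

    Vowels (and Y) separate repeated codes; H and W do not; the result is zero-padded.
    """
    letters = "".join(ch for ch in name.upper() if ch.isalpha())
    if not letters:
        return ""
    out = letters[0]
    last = _SOUNDEX_CODES.get(letters[0], "")
    for ch in letters[1:]:
        if ch in "HW":
            continue
        code = _SOUNDEX_CODES.get(ch, "")
        if code and code != last:
            out += code
        last = code
    return (out + "000")[:4]


@dataclass(frozen=True)
class Person:
    surname: str
    given: str
    birth_year: int
    identifier: Optional[str] = None  # common identifier, when one has been issued


def link(a: Person, b: Person) -> str:
    """'match' only on an agreeing identifier; name and date agreement is merely a 'candidate'."""
    if a.identifier and b.identifier:
        return "match" if a.identifier == b.identifier else "no-match"
    names_agree = (soundex(a.surname) == soundex(b.surname)
                   and soundex(a.given) == soundex(b.given))
    if names_agree and a.birth_year == b.birth_year:
        return "candidate"  # never merged automatically; needs human confirmation
    return "no-match"


def blocking_key(p: Person) -> str:
    """Records are compared only within a block of phonetically similar names."""
    return soundex(p.surname) + "-" + soundex(p.given)


def find_candidates(records: List[Person]) -> List[Tuple[Person, Person, str]]:
    """Every pair within a block whose verdict is not 'no-match'."""
    blocks: Dict[str, List[Person]] = {}
    for p in records:
        blocks.setdefault(blocking_key(p), []).append(p)
    found: List[Tuple[Person, Person, str]] = []
    for group in blocks.values():
        for a, b in combinations(group, 2):
            verdict = link(a, b)
            if verdict != "no-match":
                found.append((a, b, verdict))
    return found


# Constructed sample file: a spelling variant, a true homonym, and a record without identifier.
SAMPLE: List[Person] = [
    Person("Smith", "John", 1930, "A-100"),
    Person("Smyth", "Jon", 1930, "A-100"),   # same person, misspelt in a second file
    Person("Smith", "John", 1930, "B-200"),  # a different person with the same name and year
    Person("Smith", "John", 1930),           # no identifier yet: cannot be resolved automatically
]

if __name__ == "__main__":
    for a, b, verdict in find_candidates(SAMPLE):
        print(verdict, a, b)
```

The homonym case is the one the paper warns about: two "John Smith" records born the same year are a no-match once both carry different identifiers, and only a candidate while one of them has none.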

It is possible that the error rates in this type of information would cost large amounts of money to correct. Ideally everyone should be able to validate his own dossier. It should also be recognized that the techniques at the disposal of the social scientist for quantitatively characterizing a person, a unique personality, special talents, aspirations and motivations, are very limited. In fact, a number of large corporations have abandoned efforts to automate personnel information retrieval systems because the subtlety with which a person can be represented is so low that an automated system doesn't compare with what a man's supervisor learns by having worked with him. A legitimate topic for research would be how much information is required to adequately represent a person's history for the different purposes to which the system might be dedicated.

VIII. LAW ENFORCEMENT INFORMATION SYSTEMS

The preceding remarks have been addressed to a large system in which all elements of government contribute personal information about all people of the United States. There are some distinctions that can be drawn between the general case and the case in which all of the people in the file have been convicted of a felony. Under that circumstance we have a different justification for the system. The mobility of the criminal and the geographic scope of his operations requires a national capability. Another distinction is that the legal restrictions of the Civil Rights Act against the recording of race, creed, color, nationality, photograph and sex do not apply to the law enforcement community. Furthermore, the law enforcement community has its own special risks in a National Police Information Center. These are false arrest due to errors in the system, public fear of police and compromised investigations. If, in fact, this last happened, the information system would soon be only an archive and not a living file.


A recent survey of current information sharing practices in the State of New York showed that there is considerable variability in the protection of sensitive information according to the number of people involved in its use. The controlling factors were the type of information, whether the potential user of the information was in the same organization as maintained the file, the origin of the data and how much the inquirer already knew. This last criterion is a particularly bad one for the protection of sensitive information. A semi-knowledgeable person can quickly accumulate the whole picture on this basis. Legally, it was found that a court order is required for the general public to look at a public document concerning court actions. Interestingly enough, it was found that the level of sensitivity of the same piece of information varies in time. The association of a particular name with a particular address can be forbidden during the investigation of a criminal. The same association is routinely recorded after arrest, openly published in some cases in newspapers during the trial and then becomes sensitive again when the person is out on parole. Thus, the classification of the information for law enforcement purposes is far more dynamic than military security classification. It was also found that there was, of course, inconsistent application of sensitivity rules even within a single agency.
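The query monitor proposed in section VI ("inspect all queries or sequences of queries made by a single user to search for errors or tricks") and the two findings just described, that a semi-knowledgeable inquirer can accumulate the whole picture from partial answers and that the sensitivity of a name/address association changes with the person's status, can be combined in one mechanism. The following is an added example in Python, not code from the paper: it refuses any count whose result set is too small, refuses a count that, combined with an answer already given to the same user, would isolate a small group (a simplified form of the "tracker" defence), discloses a name/address association only in the statuses where it is public, and logs who asked what. The records, the threshold and the status policy are constructed for the illustration.

```python
"""Monitor on a shared dossier file: per-query and per-sequence checks,
a status-dependent disclosure rule, and an access log.

Added example, not code from the paper.  The records, the K_MIN threshold and the
status policy are constructed; the sequence check is a simplified "tracker" defence.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

K_MIN = 3  # assumed threshold: a count is answered only if 0 or at least K_MIN records match


@dataclass(frozen=True)
class Record:
    rid: int
    name: str
    address: str
    status: str  # investigation | arrested | trial | parole


# Constructed sample file.
FILE: List[Record] = [
    Record(1, "Smith, John", "12 Elm St", "investigation"),
    Record(2, "Smith, Jon", "12 Elm St", "trial"),
    Record(3, "Brown, Mary", "3 Oak Ave", "arrested"),
    Record(4, "Brown, Marie", "3 Oak Ave", "parole"),
    Record(5, "Jones, Al", "9 Pine Rd", "trial"),
    Record(6, "Jones, Alan", "9 Pine Rd", "arrested"),
    Record(7, "White, Sue", "1 Main St", "trial"),
]

# The name/address association is disclosed only in these statuses (sensitivity varies in time).
ASSOCIATION_ALLOWED: Set[str] = {"arrested", "trial"}

Verdict = Tuple[str, object]  # ("ok", value) or ("refused", reason)


class QueryMonitor:
    def __init__(self, records: List[Record], k_min: int = K_MIN) -> None:
        self.records = list(records)
        self.k_min = k_min
        self.answered: Dict[str, List[Set[int]]] = {}  # user -> result sets already disclosed
        self.log: List[Tuple[str, str, str]] = []       # (user, query, outcome)

    def _small(self, ids: Set[int]) -> bool:
        return 0 < len(ids) < self.k_min

    def _refuse(self, user: str, query: str, reason: str) -> Verdict:
        self.log.append((user, query, "refused: " + reason))
        return ("refused", reason)

    def count(self, user: str, label: str, predicate: Callable[[Record], bool]) -> Verdict:
        """Answer a count query only if neither it nor its combination with earlier answers isolates a small group."""
        matched = {r.rid for r in self.records if predicate(r)}
        if self._small(matched):
            return self._refuse(user, label, "result set too small")
        for prior in self.answered.get(user, []):
            # With two disclosed counts the user can subtract one from the other, so the
            # overlap and both differences must also be empty or at least k_min in size.
            if any(self._small(s) for s in (prior & matched, prior - matched, matched - prior)):
                return self._refuse(user, label, "sequence would isolate a small group")
        self.answered.setdefault(user, []).append(matched)
        self.log.append((user, label, "ok"))
        return ("ok", len(matched))

    def address_of(self, user: str, name: str) -> Verdict:
        """Disclose the name/address association only while the person's status permits it."""
        query = "address_of " + name
        hits = [r for r in self.records if r.name == name]
        if not hits:
            return self._refuse(user, query, "no such record")
        rec = hits[0]
        if rec.status not in ASSOCIATION_ALLOWED:
            return self._refuse(user, query, "association sealed while status is " + rec.status)
        self.log.append((user, query, "ok"))
        return ("ok", rec.address)


def demo() -> List[Verdict]:
    """One user's sequence: a broad count, a narrowing one, a tracker attempt, a harmless one, two lookups."""
    m = QueryMonitor(FILE)
    return [
        m.count("u1", "on trial", lambda r: r.status == "trial"),
        m.count("u1", "on trial at 9 Pine Rd", lambda r: r.status == "trial" and r.address == "9 Pine Rd"),
        m.count("u1", "not at 9 Pine Rd", lambda r: r.address != "9 Pine Rd"),
        m.count("u1", "everyone", lambda r: True),
        m.address_of("u1", "Smith, John"),
        m.address_of("u1", "Smith, Jon"),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The third query is the "accumulation" trick: on its own its answer (five records) looks harmless, but subtracted from the first answer it would reveal how many people on trial live at 9 Pine Rd, so the monitor refuses it because of the earlier answer, not because of the query itself.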

IX. CONCLUSIONS

While it is not the purpose of this paper to come to any conclusions or to make any judgments in the situation, there are two inescapable conclusions. First, that the threats are so great and the protection so uncertain that the burden of proof of the security of the system should be on the proposer of the system. It should be necessary for the proposer of any such system to demonstrate that he has both a virtually incorruptible system and an economic justification that makes a major impact on the cost of government.

Ideally, a free society should provide the option to every individual to have as much or as little privacy as he desires. As it stands now, the individual unthinkingly trades his privacy for loans, jobs, insurance and security clearances. This trading of privacy should be a consciously considered matter.

The following and final paragraphs detail some research that should be pursued to investigate the advisability of the development of such a system.

X. RECOMMENDATIONS

As can be seen from the bibliography, most of this analysis has been based on secondary sources of information and the author's experience. There are a number of questions that have arisen and assertions that have been made during the course of this paper that are researchable in detail.

(a) New Options

The first field of inquiry concerns the positive purposes and options in government service that could be made available to the public through a national information system. What information is strictly relevant to these purposes? How much information about a person is required to assure that such services are fair, accurate and objective? The potential savings in the cost of government should be supported by a detailed cost analysis.

(b) Current Systems

A number of the potential problems associated with such a system have already been faced in current systems. What are the present privacy abuses in government information systems? How, and how effectively are the following functional problems handled in existing government personal information systems?

(1) establishment and maintenance of identity

(2) erroneous data

(3) procedural mistakes

(4) inadvertent disclosure

(5) counterfeit input and output

(6) libelous disclosures

(7) maintenance of name files

(c) Security Measures

(1) Compare the security available in today's dispersed special purpose systems versus the possible security of a centralized general purpose system.

(2) Where, organizationally, could such a system be safely placed in the Federal Government?

(3) Could a security system that was used to protect the confidentiality of the information be misused to increase secrecy in government?

(4) A large remotely accessible time shared computer system should be designed (on paper) with all of the possible security measures costed out. Then, an independent group should do a vulnerability study to determine the penetration possibilities and thus provide an assessment of the protection afforded by the security measures.

(5) Investigate the technical requirements of simultaneously protecting different classification levels of programs and data bases in a multiprogramming and multiprocessing mode on a modern computer system.

(d) Legal Measures

(1) What new laws are required to govern interdepartmental and intergovernmental exchanges of information?

(2) What is and should be the privacy status of broad classes of special people that the government receives information about?

- addicts

- sex deviates

- mental patients

- veterans

- juveniles

- seniles

- convicts and ex-convicts

- welfare dependents

- government employees

- cleared defense workers

(3) If machine records become legal instruments, who or what controls changes to these records?

(4) Does a government maintained dossier constitute a potential violation of the Fourth Amendment? Is the contribution of information to a dossier system self-incrimination (Fifth Amendment)?

(e) Sociological Questions

(1) What motivational research techniques could be used for election engineering with such a file?

(2) Would people accept protection from a device they fear?

(3) What are the prevailing attitudes toward government and how would such a system affect them?

(4) To what extent could people be sold or coerced through the use of personal information?

(5) To what extent is privacy a real concern of modern man?

BIBLIOGRAPHY

1. Brenton, M., "The Privacy Invaders," 1964.

2. Packard, V. O., "The Naked Society," 1964.

3. "In Defense of Privacy," Essay from Time Magazine, p. 38-39, July 15, 1966.

4. Lockheed Missiles and Space Company Report "California Statewide Information System Study," p. G-1 to G-4, July 30, 1965, Appendix G, Legal Considerations.

5. Michael, D. N., "Speculations on the Relation of the Computer to Individual Freedom and the Right to Privacy," The George Washington Law Review, Vol. 33:270, p. 270–286.

6. Witt, E. G., "Security Equipment and Procedures Study," SDC TM-(L)LO-1000/710/00, August 24, 1964.

7. Private Communication from W. A. Freeman, U.S. Department of Commerce, Bureau of the Census, June 15, 1966.

8. Conine, E., "A Clear and Future Peril," article in July 17, 1966 edition of the Los Angeles Times.

9. Statements made in Congress before the Special Subcommittee on Invasion of Privacy:


PRIVACY AND POWER

Edward Shils

I

The blast from the "information explosion" has hitherto been looked at from the point of view of the producers and consumers of information. It has been regarded as the outcome of an intensification and amplification of scientific creativity; it has been regarded as the problem of the productive but less creative scientist who "needs" (or thinks he needs) the information. But the explosion covers a much larger terrain, and it involves the fortunes of more classes of persons than the two who are the concern of scientists of science and information-retrievers.

The information explosion is not just an explosion of information about the events of the order of biological and physical nature; it is about human events as well. It is not just an explosion of scientific information; it is an explosion of information of all sorts, as raw as raw can be. The information explosion is not just an expansion of our scientific knowledge of the laws of nature, it is also an expansion of simple raw descriptive information about particular individual human beings with names, individualities, and, in many cases, claims to the possession of souls.

The information explosion is the resultant of the increased numbers of investigators and the increased time and other resources which they can consecrate to the pursuit of information, scientific and otherwise, because those who dispose over money believe in the desirability of knowing, knowing as an intrinsically worthy action and as a link in a chain which connects with other desired outcomes. The information explosion is the product of a general expansion of a powerful aspiration to know the universe, to permeate it with the mind. The enlargement of the stock of knowledge of general laws and particular facts is, then, a consequence in part of the expansion, intensification, and enlivenment of the cognitive impulse, of large numbers and an efficient division of labor. The expansion, intensification, and enlivenment of the cognitive impulse entail an ambition to be in contemplative contact with all that is essential. But, unlike the religious relationship to the essential, which is content in the contemplation of an exhaustively known or ultimately inscrutable essential power which has previously disclosed or "revealed" what is essential and therefore needs to be known, this new phase in the development of man's cognitive powers entails a belief in the possibilities of continuously deeper and more revealing, more deeply reaching penetration into the inexhaustible essential. At the same time it moves to the essential through the active contemplation of the immediate and the particular. More minds and greater efficiency in their organization and activity produce continuously deeper disclosures (or revelations) in ever greater quantities.

II

It is unnecessary to enter into detail about the transformations of modern society which have followed from the aroused and opened aspirations of the citizenry, the improvement in administrative capacities, the aggrandizement of economic strength, and the new conception which authority has acquired of its obligations and powers. The night-watchman state is now only a dim trace of the past. The area of what is public has grown, the domain of the private has retracted, in capitalistic America as well as in socialist Europe and the "camp of peace and democracy." Even in the new states of Asia and Africa, feeble in administrative capacities, feeble in their economic capacities, and with still relatively undemanding populaces, the public authority is moved by aspirations like those of their more powerful counterparts in the advanced countries. They conceive of themselves, through the agency of their educated classes and their ruling politicians, as having the same obligations and powers. There, too, the sphere of what is public expands, at least on paper, the sphere of what is private contracts.

This change in the character of the tasks which rulers now take upon themselves, out of their own sense of obligation and power, and out of their responsiveness to a real or putative demand of the citizenry, coincides with the expansion of cognitive aspirations. Governments believe that they must be responsible for the enhancement of the economic strength of their societies and the physical well-being of their peoples. Doing or trying to do so much they
