In the last few months, several controversial government actions that arguably infringe on privacy have come to light. First, as part of a child pornography investigation, the Justice Department asked search engine companies, including Google, MSN, and Yahoo, for data on what users searched for and their results. Not long after, allegations surfaced that as part of the effort to fight terrorism, the National Security Agency has collected data from phone companies on which customers call which numbers, and how often.
Most recently it has been widely reported that Attorney General Alberto Gonzales is contemplating asking ISPs (such as Comcast and Verizon) and companies that provide other types of Internet service (including Google) to keep records of user activity for two years. The aim is to have that information handy for government investigations--the two examples cited are terrorist activities and child porn. There's even talk of making this two-year storage mandatory through congressional action.
Most of us wouldn't argue with the government's aims: I don't want terrorists or child pornographers running amok, and I expect my government to stop them. However, the government shouldn't trample on my civil liberties to do so, and it shouldn't endanger me in the process.
Protecting law-abiding citizens doesn't mean the plan has to be scrapped. Rather, in crafting new legislation, Congress should take care to address the needs of all parties involved, not just law enforcement.
Privacy Guidelines Needed
If companies are to be required to keep information about me for two years (or however long it turns out to be), then they should also be given clear rules for the storage of, and access to, that data. Congress has attempted to set privacy guidelines in the past as part of an effort to regulate information brokers (see a prior column for more), but the bills generally ended up disappearing in committee. Now would be the perfect time to finally act.
First, the data should be encrypted, especially if it is in any way sensitive and contains details that can be traced to a specific person. Second, users must be told up front about the fine print: what the company can do with the data while it's in the firm's possession, with whom the company may share that data, and under which circumstances. Users should be given a chance to opt out of data sharing except in the case of criminal investigations. There should be stiff penalties--either fines or prison terms--if companies fail to protect the data in their care.
Many companies already do some or most of this on their own, but if we are to make it a legal requirement that they keep data, we should also take the opportunity to set minimum standards for that data's safety.
Privacy Rules for Government, Too
It isn't only companies that need rules for how they store and access data--government agencies need to keep the information secure as well.
Encryption is only the first step. Depending on the sensitivity of the data, law enforcement access should be strictly monitored and limited, especially if it involves interagency sharing. Once an investigation ends, the data should be destroyed, not kept indefinitely (in my opinion, there should be a termination date even in terrorism investigations, which could go on for years). Employees shouldn't be allowed to take the data home--ever. And if they do, and the data is lost (as happened with a Department of Veterans Affairs analyst), they too should face fines and possible jail terms.
Moreover, the agencies should be monitored regularly to ensure that they are adhering to the rules. No one intends to be careless with data, but the government does not have a spotless record in this respect. The Department of Veterans Affairs data loss came about because the employee violated stated policy. The IRS has been cited by the General Accountability Office more than once on its far-from-foolproof security, as well. Like businesses, the government should face strict penalties if the legislated security policies are not met.
Getting the Data
Lastly, Congress needs to spell out the circumstances under which law enforcement agencies can get data about individuals from third parties.
Typically, when the government wants information from companies, it must get a judge to sign off on a subpoena, and companies may fight the request and go to court if they feel the subpoena is too broad, violates other laws, or endangers users or the company itself. However, with the Patriot Act and ongoing terrorist investigations, law enforcement agencies have increasingly used a "National Security Letter" to request information without having to obtain a court order. Up until recently, recipients of such a letter could not even discuss that they had received the request (recent revisions to the Patriot Act have changed this point somewhat).
In the end, the government should not be allowed carte blanche when it comes to getting our data. It should have a good, substantial reason for needing the data, and courts should review these requests.
The piles of data about us are only going to grow. With that growth come new opportunities to make our lives safer by giving authorities better ways to fight criminals. However, there are just as many possibilities for abuse, either by corporations or by the government. That's why we need comprehensive privacy laws--and why they should apply to everyone.