[iwar] PRIVACY Forum Digest V10 #04 (fwd)

From: Fred Cohen (fc@all.net)
Date: 2001-06-09 22:36:13

Return-Path: <sentto-279987-1313-992151375-fc=all.net@returns.onelist.com>
Delivered-To: fc@all.net
Received: from by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Sat, 09 Jun 2001 22:37:07 -0700 (PDT)
Received: (qmail 13831 invoked by uid 510); 10 Jun 2001 04:37:19 -0000
Received: from ch.egroups.com ( by with SMTP; 10 Jun 2001 04:37:19 -0000
X-eGroups-Return: sentto-279987-1313-992151375-fc=all.net@returns.onelist.com
Received: from [] by ch.egroups.com with NNFMP; 10 Jun 2001 05:36:15 -0000
X-Sender: fc@all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: mail-7_1_3); 10 Jun 2001 05:36:14 -0000
Received: (qmail 23923 invoked from network); 10 Jun 2001 05:36:14 -0000
Received: from unknown ( by l10.egroups.com with QMQP; 10 Jun 2001 05:36:14 -0000
Received: from unknown (HELO all.net) ( by mta2 with SMTP; 10 Jun 2001 05:36:13 -0000
Received: (from fc@localhost) by all.net (8.9.3/8.7.3) id WAA15730 for iwar@onelist.com; Sat, 9 Jun 2001 22:36:13 -0700
Message-Id: <200106100536.WAA15730@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
From: Fred Cohen <fc@all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Sat, 9 Jun 2001 22:36:13 -0700 (PDT)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] PRIVACY Forum Digest V10 #04 (fwd)
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

[FC - I rarely reproduce such things in this forum but I thought this
one particularly relevant to our interest...]

Per the message sent by PRIVACY Forum:

PRIVACY Forum Digest     Saturday, 9 June 2001     Volume 10 : Issue 04

Date:    Sat, 09 Jun 2001 15:04:03 PDT
From:    lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Be Careful What You Wish For

Greetings.  Just slightly over two thousand years ago, an escaped slave named
Spartacus gathered together a force of like-minded individuals and
challenged the status quo of imperial Rome.  At first his "army" of runaway
slaves was merely a nuisance to the grand powers of the empire.  But when
Spartacus' forces seriously threatened to undermine aspects of society upon
which the vested interests had come to depend, Rome like a sleeping giant
awoke.  The forces that the aroused empire launched took a terrible toll,
with the result being over 6,000 of Spartacus' followers crucified in two
lines stretching for over a hundred miles along the Appian Way from Rome to
Capua.  This was the empire's dramatic way of Making a Point.

Those of us who have been concerned about issues of privacy in society have
also, until relatively recently, been largely ignored by the vested
interests.  Privacy rights are by their very nature typically undramatic in
their gradual process of decay, and only noticed by the average citizen when
end results directly impact individual lives.  By then, it's often too late
to get the genie effectively back into the bottle.

The rise of technology, in the guises of databases, communications (including
the Internet), and sophisticated mechanisms for the collecting, integrating,
consolidating, and marketing of personal data, have dramatically changed the
nature of the game when it comes to privacy.  Data that once sat isolated
and harmless on dusty index cards forgotten in the back rooms at businesses
and municipalities have become "profit centers" and treasure-troves for both
marketing and intelligence dossiers.  Our systems of laws, still grounded
largely in a 19th century view of the world, are ill-equipped to deal with
the environment of the 21st century in many respects.

As the calls for increased privacy protections have gradually risen over the
last few years, warning bells have been ringing in the hallowed halls of both
industry and government.  Opinion polls show public concerns over privacy
rising rapidly.  Most of those being polled are potential customers -- and
potential voters.

Like Rome of two millennia ago, many interests in both the commercial and
government sectors have awoken to the risks that such concerns may present
to the status quo.  And again like Rome, these interests are gathering their
own "armies" to battle.  It's a war of a different kind, fought with the
weapons of money and public relations rather than swords, but the battles
are quite real nonetheless.

One of the more potent weapons in the arsenal to fight back increased
privacy protections is attempts to trivialize both the nature of privacy
problems and those persons who sound the alarms regarding privacy concerns.
Executive Scott McNealy of Sun Microsystems has asserted that we have zero
privacy anyway: "Get over it!" he says.  On the other hand, U.S. Federal
Trade Commissioner Thomas Leary recently suggested that we have more privacy
now than we had a century ago.  He likens much of the current privacy debate
to "hysteria" -- this from a man whose commission is among the most important
involved with protecting individual privacy rights in the commercial sphere
within this country.  Zero privacy -- or plenty of privacy?  That these
statements from both of these men are clearly little more than "spin" for
public-relations purposes is patently obvious, but spin *is* important in
any modern war, especially a war of words.

Businesses also have other weapons at their disposal against the
"malcontents" who would call for greater privacy.  Appeals to the pocketbook
always make for a good show.  Industry groups, in attempts to derail pending
privacy legislation, have begun trotting out studies purporting to detail
how many billions of dollars they've calculated increased privacy
protections would cost.  Those calculations were immediately called into
dispute, but perhaps of more interest is the underlying concept, that
privacy doesn't matter if it gets "too" expensive to achieve.  If this
reasoning sounds familiar from another context it should -- it's basically
the same financially-grounded argument made by slave owners in the U.S. South
against the abolishing of slavery. 

Diversionary tactics can also play well.  If the law requires you to notify
customers about privacy policies, you can send out such notices buried in
legalize within bill inserts that you know most people will never have the
time to study.  Since you know that few folks would ever "opt-in" to your
data sharing plans, make sure that attempts to mandate opt-in requirements
never see the light of day, and bury any "opt-outs" where most people won't
find them.  Also, do everything you can to avoid having people looking into
the details of privacy issues in the first place, by trying to restrain your
existing and potential customers within a fabricated "comfort zone" that
they won't be tempted to leave.  Mechanisms such as P3P (Platform for
Privacy Preferences) will serve to help convince Web users that their
privacy is being protected, while in reality the system actually makes a bad
privacy situation even worse.

Governments too are highly skilled at the diversionary game -- especially of
the "giveth with one hand and taketh away with the other" variety.  A good
example of this is taking place in Europe, where ostensibly strong personal
privacy laws may be massively undermined.  European proposals for vast new
government-mandated Internet and other communications data gathering and
warehousing, often on a long-term basis for retrospective investigatory
analysis and other purposes, could render most other privacy protections
largely moot and impotent.

However, it wouldn't be fair to assign all of the blame for privacy problems
to industry and government.  Sometimes those persons pushing the hardest for
increased privacy protections inadvertently do the most damage to their own
causes.  Attempts to portray privacy issues in a one-sided manner, failing
to take into account the legitimate concerns of law enforcement, other
aspects of government, and commercial concerns when it comes to achieving
reasonable balance with these issues, are recipes for failure. 

For when it comes to the wide range of privacy issues, there *is* a need for
balance -- which would take the place of the status quo that has become
heavily skewed away from individual privacy concerns.  But in our enthusiasm
to correct this very real disparity, it's a critical error to assume that
skewing the equation fully in the other direction is necessarily an
appropriate course.  Privacy is but one of the many important issues with
which we must deal in society, and we need to take into account the impacts
that privacy-related concepts (for example "anonymity" -- to name just one)
will have in both positive and negative ways.

It's also important that when making our arguments for increased privacy
protections we avoid adopting the tactics of our perceived adversaries, and
instead attempt to stay on as high an ethical ground as possible.  So, if
one is going to argue that Social Security Number (SSN) data is too widely
available and subject to widespread abuse, it's a highly questionable
approach to demonstrate this by publicizing individuals' Social Security
Numbers on Web sites, then playing "catch me if you can" with the data
moving from site to site.  "Practice what you preach" is an old proverb that
still has value even today -- to take another course is to undermine the
validity of your own arguments, and to provide rhetorical ammunition to
persons and groups whom you may oppose on important matters.

Those of us who write and speak about privacy issues have long wished for
the attention of the "powers-that-be" -- well, now we have it.  Privacy
issues are among the most important with which we must deal today, but they
do not exist in a vacuum.  To achieve the laudable goal of increased privacy
protections, these issues need to be viewed through the context of society at
large, and the privacy battles must be fought ethically within that
framework.  Failure to follow this course risks not only the loss of
improvements in the areas of privacy, but also could set the stage for
backlashes which could take us all on a rapid ride in reverse to very dark
places indeed.  As Spartacus learned and we must remember, there is still
lots of wood out there -- and plenty of nails.

Be seeing you.

Lauren Weinstein
lauren@pfir.org or lauren@vortex.com or lauren@privacyforum.org
Co-Founder, PFIR: People For Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy


Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ 

This archive was generated by hypermail 2.1.2 : 2001-06-30 21:44:16 PDT