A Defining Moment for Info Privacy

The government's war on terrorism necessarily means more data-sharing among agencies. But corporations must be more protective

By Heather Green

No matter how familiar it seems now, the notion of information privacy is actually pretty new. The idea that individuals should have control over information about themselves was really established only about 30 years ago. Ironically, it was the U.S. government, one of the pioneers in collecting and keeping citizens' information in databases, that ended up defining and passing laws to safeguard information privacy. Little by little, Corporate America followed the government's lead in establishing practices that, in varying degrees, gave more privacy protection to consumers.

Now government is leading the way again -- but in the opposite direction. In this new age of terror, Washington is starting to collect and share more information about people, and that could erode the notion that information privacy must be respected. Of course, law-enforcement and intelligence agencies need to be able to conduct more efficient investigations. Americans' security is the top priority now.

The risk, though, is that businesses will be under less pressure to guard consumer privacy. As the government begins working more closely with financial companies, Internet service providers, and airlines to learn more about suspects, it will encourage the private sector to collect and share more information with its agencies. Conceivably, overburdened government agencies could also outsource to private companies and industry-run regulatory bodies the work of pulling together and sifting through information.


  Are we really at the beginning of a new intelligence-gathering era? If you have any doubts, just look at the sweeping federal anti-terrorism law passed last month. It did away with restrictions on wiretapping, acquiring information from corporations, and exchanging data among government agencies. It set the stage for broader monitoring of individuals, with the likelihood that data will slosh around with little oversight. Now that Washington has removed many limits on how it collects and uses information among federal agencies, it'll have little justification to come down hard on commercial entities.

Clearly, this is a critical, complex juncture for the privacy debate. Industry's adoption since the '70s of consumers' right to information privacy was the direct result of steps taken by the U.S. government. Even though the feds are aggressively increasing their ability to monitor citizens, companies should be careful about how they follow suit. Consumers, meantime, need to be watchful of how corporations work with government and whether they're taking advantage of the lower privacy standards for their own benefit.

In the public sphere, at least the U.S. has courts to oversee that law enforcement doesn't overstep its bounds. For instance, with wiretapping, law enforcement typically has to tell suspects after an investigation that they were under surveillance. Information monitored by companies has no such auditing trails put on it.


  Another potential pitfall: Will companies come up with new ways of amortizing the costs of collecting individuals' information for the government's use? The implementation of the e-911 service is an indication of how this could happen. In 1996, Washington mandated that wireless telecom networks come up with a system that pinpoints where people are when they make emergency calls on cell phones. To offset the e-911's costs, wireless carriers came up with the idea of offering services and advertisements that could be targeted based on an individual's location.

Why should we worry about information privacy while the country is threatened? Because of history's lessons. The notion of information privacy was defined by the government after overstepping its powers during troubled times in the past. After World War II, the U.S. government pioneered the use of computers developed during the war to store information about citizens, including health, tax, and welfare data. And perhaps inevitably, the feds also led the way in misusing files on people during the Vietnam War and civil rights movement.

So in the housecleaning furor of the 1970s, Washington produced seminal legislation that recognized the need for protecting information privacy. A set of guidelines called the Fair Information Practices were developed by a special committee for the then-named Education, Health & Welfare Dept. in 1973. The guidelines, which were enacted more broadly in the Privacy Act of 1974, govern how the government deals with citizens' personal information.


  The idea was to give people more control over their data. Under Fair Information Practices, secret databases aren't allowed. People have a right to look at and correct their information, with the aim of preventing wrong decisions from being made because of incorrect information. Data collected for one reason can't be used for another, and they should be gathered only to provide a decision or service. Aggregate information could be used for statistical purposes, but individuals' names couldn't be attached to that information. These principles became widely accepted, and most corporate privacy policies today include some or all of these guidelines.

Now, however, the pressure will be on to add exceptions to these guidelines within the government so that personal information can be shared more readily. For instance, if the U.S. ever does implement a national ID card, information from tax returns, motor-vehicle records, and health records could conceivably be put on those cards.

And the minimal number of laws that restrict use of individual information in corporate databases are already being undermined. The new anti-terrorism law does away with restrictions on the disclosure of investigative credit reports collected by credit agencies. It also codifies exemptions that allow companies to pass information about threatening behavior onto law enforcement without a court order.


  As America moves into new territory, citizens need to be aware that the changes the government makes in how it handles information privacy will have direct and indirect affect on corporations. At the very least, we should make sure that the Federal Trade Commission continues to monitor how corporations use personal info when conducting general business, even if the government won't be held to the same strict standards.

Separately, Americans need to monitor the increasing flow of data between government and corporations. History shows that, in its zeal to protect society, government can exceed its boundaries. Because of the rising use of databases in the U.S., corporations will be asked to contribute to the country's protection. But remember that the extensive legal system of court orders and audits doesn't exist in the private world as it does in the public arena. In this evolving collaboration between government and industry, America needs to tread carefully.

Green covers the Internet for BusinessWeek