Facing Privacy Tradeoffs to Restore Trust and the Rule of Law

The traditional balance of strong law and weak surveillance technology has been disrupted on both fronts since the arrival of cheap computing power and the global Internet. Today, the rule of law in the area of privacy is relatively weak, but technology shows surprising strength. First, weakness and gaps in both privacy and surveillance law have grown. Since the emergence of the Internet and smartphones, the US Congress has not managed to update consumer privacy law at all, and even changes in sectoral laws governing health and finance have been limited. Our most important surveillance laws, Title III and ECPA, remains frozen in the pre-Internet 1980s, and arguably even took a step backward with the Patriot Act.
...New information technology mostly tips its hand toward the possibility of great privacy intrusion. So our only option to restore the proud place of the rule of law is to be very explicit about what privacy protections we want with respect to both government and private action. First, we need to be very specific about the privacy-utility balance we expect with respect to specific uses of personal data. With the passage of CISA, for example, there will an increased flow of cybersecurity threat information to the government. Some of this will be personal data and some may be potential evidence of crimes. As DHS makes rules about how the personally identifiable information component of threat data is handled, it is important that there be very clear rules that limit onward usage and storage of threat data. Those rules have to be clear enough to set expectations with citizens about what will and will not be done with personal data.
Second, rules must be designed so that they can be enforced in large-scale data flows. CISA is but one context in which the volume of data flow requires that rules be susceptible to machine-assisted accountability. As Susan Hennessey argued yesterday, it is not reasonable to expect manual human review of every transaction, so rules must be sufficiently concrete that computers can automatically identify those transactions that are clearly compliant with the rules, and those that are clearly not. Human judgment can come into place for any transactions that fall into a gray area.