Regime for Privacy Protection

Identity Woman has been telling us for some time about Daniel Solove's amazing book, The Digital Person.

Of course a lot of books have come out recently which discuss privacy issues – even making the cover of last week's New York Times Book Review section (William Safire discussing No Place To Hide and Chatter).

But Solove's work is in a class by itself.

In an argument worthy of George Lakoff he convinces us that privacy advocates need to move beyond the secrecy-based “Big Brother” metaphor, and embrace the metaphor of Kafka's “The Trial” – a novel in which the subject is arrested for charges which constantly elude him, put forward by unknown accusers who remain just out of sight – a situation which might be remedied at any moment should the bureaucratic process, which of course is undefined and impenetrable, wend its way to a positive conclusion (naturally it doesn't).

Solove argues that, in general, superdossiers are assembled not by punitive central government authorities, but by an uncontrolled and unknowable web of commercial actors whose self-interest lies in knowing-us-to-death.

Solove wants us to move away from the paradigm where an affront to privacy is defined as revealing something secret. After all, things like our names, sex, age, address and profession are in some sense public information (i. e. are published in public documents). If an invasion of privacy consists only in revealing secret information, then third parties who make personally identifying information available to others do nothing wrong, when in fact the construction of superdossiers that remain out of our control is fundamentally dehumanizing. He demonstrates clearly that the secrecy approach has failed to produce rational outcomes in many legal cases.

His main interest lies in updating the “legal architecture” protecting privacy in the United States. (The book includes an interesting discussion of the similarities between physical, software, and legal architecture).

Recently Solove has teamed up with Chris Jay Hoofnagle of the Electronic Privacy Information Center West Coast Office to author the Regime for Privacy Protection. This document proposes a series of concrete measures the authors see as practical ways of addressing privacy concerns of the modern technological period.

Identity colleague Chris Ceppi reviews “the regime” this way:

As someone who feels very strongly that the technical innovation surrounding digital identity is best seen as a reform effort, I was delighted to come across this extremely thorough and hopefully influential study of identity and privacy published by Daniel Solove and Chris Hoofnagle.

Solove and Hoofnagle's Model Regime presents a clearly defined set of problem descriptions and proposed regulatory remedies for a whole set of privacy concerns currently plaguing digital identity – it is a good bet that their thinking will find its way into the technology that is deployed in this reform effort.

Of particular interest is the historical context they provide for the development of privacy legislation. If you have ever wondered how in the world the Social Security Number was allowed to proliferate as a universal identifier used by businesses, you'll be heartened to learn that restricting the use of SSN by businesses was proposed for inclusion in the 1974 Privacy Act – but the restriction on SSN use did not make it into the final Act. Ouch

As much as I think Chris understands policy issues, I don't think anyone could be more wrong than he is in eliding the role of technical innovation in achieving the new architecture Solove is looking for. Legal remedies will not be plausible without the right technological infrastructure. We need everyone to understand this. It is what underlies the historical urgency of the present identity discussion. And it explains why identity architecture must make possible specific capabilities, like formal ways to demonstrate the contract under which a user has made information available. We must think about the long term.

Readers of this blog will be aware of my conclusion that the technical designers of the identity metasystem need to avoid architectural decisions which impose their prejudices on it. Instead we should provide the framework in which various kinds of technologically and operationally unrelated identity providers suitable to specific contexts can be selected by users who are effectively given ultimate freedom of choice.

This kind of technological freedom puts the levers of technology in the hands of citizens and thereby allows the normal processes of legal architecture to reach out into the newly evolving technology realms.

I trust that one day legal and techological architects will meet up to further discuss these issues.

Published by

Kim Cameron

Work on identity.