In the wake of the NSA scandals and daily corporate privacy invasions, the president asked one of his senior advisors, John Podesta, to perform a quick 90-day review of “big data” (corporate jargon for privacy) and lay out what next steps his administration should take. Today we submitted formal comments to the White House, but here is a slightly less wonky way of putting it:
Dear Mr. President,
Privacy isn’t really that hard. It’s not easy, because nothing is, but there are actually lots of easy things that government and companies could do to protect it. To do it you’ll have to buck powerful forces in your own administration (like spies and cops). Companies will have to take measure that might have a (small) impact on the bottom line, either now or in the future. Nonetheless, we do actually know what to do.
- Don’t routinely collect information on regular people. The Bill of Rights says it all—no searches without probable cause. We’re innocent until proven guilty in America and nobody should have to have a lawyer on retainer just because. You should endorse bills, like the USA Freedom Act, that enshrine that idea into law.
- If the innocent are getting caught up with police investigations, make how that happens public and purge the information. For example, police get tens of thousands of court orders every year to track suspects. Those orders also drag in hundreds of other innocent people each. Why are those orders kept secret in perpetuity? Why isn’t the data on innocent people purged?
- Do the occasional legal update. Technology changes often but laws don’t. The classic example is that mail carried by the U.S. Postal Service has a much higher statutory protection than email carried by Google. That’s nonsense that could be fixed by bi-partisan bills in the House and Senate. A hundred thousand people have signed a White House petition in support of those bills. You should endorse them.
- U.S. companies should play by the same rules the rest of the world follows. Almost every western democracy has baseline rules for handling personal information. These rules, called Fair Information Practice Principles, were ironically first created in the United States but never adopted here. Maybe it's unfair to put this on you—after all, companies vociferously resist these—but your administration wrote a report more than two years ago calling for legislation in this area. You should share your legislative language.
- Remember the non-techies. Use of data is creeping into every facet of our life—policing, lending, government benefits, insurance coverage. Sometimes it’s undermining traditional legal protections, other times it may be leading to more insidious discrimination. Sometimes it’s actually improving civil rights protections or people’s everyday lives. But we can’t forget the communities who often face discrimination, or are too poor (in money or time) to figure out privacy, or who can’t get online at all. They need to be part of the conversation as well.
I appreciate that you are talking about privacy. But please recognize that after the spying scandals you have a high mountain to climb. In our comment we’ve laid out 10 or so concrete ways you could make things better. We hope you’ll pick a few and get started.