In this environment, the real problem is not that your information is out there; it’s that it’s not protected from misuse. In other words, privacy problems are increasingly the result of poor security practices. The biggest issue, I’ve long maintained, is that decision makers don’t consider security a priority. By not insisting on secure systems, governments and corporations alike have allowed themselves to get stuck with insecure ones.
Consider the humble Social Security number. As a privacy advocate, I always chafe when people ask me for my “social.” As a security professional, I am deeply disturbed that a number designed as an identifier – for the single specific purpose of tracking individuals’ earnings to calculate Social Security benefits – has come to be used as a verifier of identity for countless other purposes. Providing my SSN should not “prove” that I am who I say I am any more than providing my name or address does. But in the absence of any better system, this number has become, in the words of Joanne McNabb, chief of California’s Office of Privacy Protection, the “key to the vault for identity thieves.”
Yes, privacy as we know it is under attack – by a government searching for tax cheats and terrorists; by corporations looking for new customers; by insurance companies looking to control costs; and even by nosy friends, associates, and classmates. Collectively, we made things worse by not building strong privacy and security guarantees into our information systems, our businesses, and our society. Then we went and networked everything, helping both legitimate users and criminals. Is it any wonder things turned out this way?
All of a sudden, we have a lot of work to do.
But while our current privacy issues feel as new as Twitter, the notion of privacy as a right is old. Americans have always expected this right to be maintained, even as technology opened ever more powerful tools for its subversion. The story of privacy in America is the story of inventions and the story of fear; it is best told around certain moments of opportunity and danger.
The word privacy doesn’t appear in the U.S. Constitution, but courts and constitutional scholars have found plenty of privacy protections in the restriction on quartering soldiers in private homes (the Third Amendment); in the prohibition against “unreasonable searches and seizures” (the Fourth Amendment); and in the prohibition against forcing a person to be “a witness against himself” (the Fifth Amendment). These provisions remain fundamental checks on the power of government.
Over time, however, the advance of technology has threatened privacy in new ways, and the way we think about the concept has changed accordingly.
Back in 1890 two Boston lawyers, Samuel Warren and Louis Brandeis, wrote an article in the Harvard Law Review warning that the invasive technologies of their day threatened to take “what is whispered in the closet” and have it “proclaimed from the house-tops.” In the face of those threats, they posited a direct “right to privacy” and argued that individuals whose privacy is violated should be able to sue for damages.
Warren and Brandeis called privacy “the right to be let alone” and gave numerous examples of ways it could be invaded. After more than a century of legal scholarship, we’ve come to understand that these examples suggest four distinct kinds of invasion: intrusion into a person’s seclusion or private affairs; disclosure of embarrassing private facts; publicity that places a person in a “false light”; and appropriation of a person’s name or likeness.