For most of the 25 years that I have worked on privacy issues, I described public interest in privacy as a mile wide and an inch deep. What people said about privacy was often different from what they did. Harnessing public anxiety was always difficult. No one can say that any more.
Privacy is incredibly hot right now. Public concern is bringing companies and politicians to their knees. Let's look at the record of recent events.
* In the summer of 1996, the sale by Lexis-Nexis of a database including individual names, addresses, phone numbers, social security numbers and other personal information created considerable controversy about privacy that started on the Internet. The controversy quickly moved to mainstream media and to Capitol Hill. The industry was under so much pressure that it even wrote some privacy guidelines. The privacy content of the guidelines is minimal, but, like the dog that talked, what is remarkable is the speech itself and not the content.
* In 1997, the Social Security Administration put up a Web site that permitted people to obtain a copy of their personal earnings statements online. When a front page story in USA Today raised questions about security and privacy, another major controversy erupted. Once again, the media and the politicians forced a hasty retreat. SSA is so scared that it still won't restart the service although changes to the disclosure system brought support from privacy groups.
* In the summer of 1998, a sleepy little advisory committee at the Department of Health and Human Services began hearings on the subject of a new patient identification number. Only the general issue was on the table, not a specific proposal. Once again, a privacy story was all over the newspapers and the airwaves, and bills to prohibit a new health identifier were introduced immediately. Vice President Gore intervened to delay the process, and Congress eventually passed a one-year moratorium. Everyone in government is now afraid to even discuss the issue. For the record, I served on that advisory committee, and I poured a little gasoline on the fire. But it didn't take much.
* In 1996, Congress passed a law requiring the states to collect social security numbers for drivers' licenses. The Department of Transportation initiated the rule-making process in 1998, and the comments drew a couple of thousand public comments in opposition. Opponents generated enough controversy that Congress passed another one-year moratorium on the regulatory process.
* Earlier this year, Intel announced that it would include a unique serial number in each of its Pentium III chips. This produced an immediate call by Internet privacy groups for a consumer boycott. The controversy generated press and government attention here and in Europe, and Intel beat a small retreat deemed by the boycotters to be inadequate so the anti-Intel campaign continues. Microsoft found itself in the middle of a similar controversy over the embedding of identification numbers in documents. Microsoft quickly offered new software to solve the problem. Microsoft clearly learned from Intel's mistakes.
* Late in 1998, all federal banking agencies proposed rules that would have required banks to undertake a new form of surveillance of bank customers and to report suspicious transactions to the government. The rules were known as Know Your Customer. This proposal evoked a widespread, extraordinary and unprecedented protest. When the dust settled, the Federal Deposit Insurance Corp. received more than 254,000 comments on the rules. All but 72 were opposed to the rules. Along the way, the House Banking Committee voted to kill the rules, and the Senate opposed them in a nonbinding 88-0 vote. Needless to say, the banking agencies dropped their proposal in March. The public response had to scare the daylights out of every other agency considering a proposal with a privacy impact.
* In January, the Washington Post ran a story about the sale of digitized drivers' photographs by three states for use in anti-fraud activities. As soon as people in those states heard about it, they were outraged. Legislators, administrators and politicians who previously supported the sale responded to the uproar by immediately finding ways to stop it.
Heard enough? I would love to be able to tell you where the privacy issue is heading. Consumer pressure seems relentless, and we haven't even considered the European demands on American multinational companies to comply with international data protection standards. Privacy self-regulatory programs continue to increase, but it isn't clear that any meet the mark expected by consumers or by EU regulators.
Over the years, I have seen interest in privacy wax and wane as a public policy issue. The cycle seems to last three to five years. Today, however, public concern over privacy is continuing to increase in intensity. I can't find any substantial evidence to suggest that privacy has peaked or will subside anytime soon. The Internet is clearly a major factor here, not only by providing a major new threat to privacy, but also by serving as a tool for communication, organization and opposition. It is not coincidental that the quarter of a million comments against the banking proposal were filed electronically.
Based on the past, I would be inclined to predict that the public will lose interest again. But what do I know? After all, I'm the one who used to say “mile wide and inch deep.”
Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House of Representatives' subcommittee on information, justice, transportation and agriculture. His e-mail address is [email protected]