Chertoff’s Creeping Surveillance

Technology’s challenge to privacy
BBC
October 4, 2007

Every autumn the privacy world gather for the most important global privacy conference on the calendar.

The International Data Protection and Privacy Commissioner’s conference brings together hundreds of privacy commissioners, government regulators, business leaders, and privacy advocates who spend three days grappling with emerging issues.

The theme of this year’s conference, held in Montreal, Canada, was “Terra Incognita,” a reference to the unknown lands that typify the fear of the unknown in a world of rapidly changing technologies that challenge the core principles of privacy protection.

Yet despite a dizzying array of panels on new technologies such as ubiquitous computing, radio frequency identification devices (RFID), and nanotechnology, it was a reference by United States Secretary of Homeland Security Michael Chertoff to a simple fingerprint that struck the strongest chord.

Privacy threat

Canada last hosted the conference in 1996 and it quickly became apparent that privacy has become virtually unrecognisable in the intervening eleven years.

The technological challenges were on display throughout the event including eye-opening presentations on the privacy impact of popular children’s websites such as Webkinz and Neopets, on genetic innovation that is pushing the boundaries of science without regard for privacy, and on the continual shift toward tiny devices that can be used to collect and disclose personal information.

Prof Michael Geist (Michael Geist)
Chertoff seemed to say there is a known reality about our future course and there is little that the privacy community can do about it.
Michael Geist

The conference placed the spotlight on the growing “toolkit” of responses, including privacy audits of both public and private sector organisations, privacy impact assessments that are used to gauge the effect of new regulations and corporate initiatives, trust seals that include corporate compliance programs, and emphasis on global cooperation in a world where personal data slips effortlessly across borders.

While the effectiveness of these measures has improved in recent years, there remained a pervasive sense that these responses are inadequate.

Part of the unease arises from the growing realisation that the legal foundation of privacy law is being rendered increasingly irrelevant.

Privacy and data protection laws have long relied on the twin pillars of notice and consent whereby consumers are notified of, and consent to, the collection, use, and disclosure of their personal information.

Critics argue that both notice and consent are today little more than legal fictions, as consumers ignore overly complex notices and shrinking technology makes it virtually impossible to obtain informed consumer consent.

Moreover, privacy law has also emphasised the distinction between personally identifiable information - information that can be traced to a particular person and is therefore deserving of legal protection - and non-identifiable information that does not enjoy any legal protection.

Technology threatens the ability to easily distinguish between the two as powerful computers and ever-expanding databases make it easier to identify individuals from what was once thought to be non-identifiable information.

Addressing these legal shortcomings will command the privacy community’s attention for the foreseeable future; however, it was Chertoff’s keynote address that crystallised the challenge to global privacy protection.

‘Chilling future’

In a room full of privacy advocates, Chertoff came not with a peace offering, but rather a confrontational challenge.

He unapologetically made the case for greater surveillance in which governments collect an ever-increasing amount of data about their citizens in the name of security.

For example, in support of his security agenda, he noted that US forces in Iraq once gathered a single fingerprint from a steering wheel of a vehicle that was used in a bombing attack and matched it to one obtained years earlier at a US border crossing.

He added that there was a similar instance in England, where one fingerprint in a London home linked to a bombing was matched to a fingerprint gathered at a US airport (the identified person was actually innocent of wrongdoing, however).

Chertoff explained that in the autumn the US intends to expand its fingerprinting collection program by requiring all non-Canadians entering his country to provide prints of all ten fingers (it currently requires two fingerprints).

In the process, his vision of a broad surveillance society - supported by massive databases of biometric data collected from hundreds of millions of people - presented a chilling future.

Rather than terra incognita, Chertoff seemed to say there is a known reality about our future course and there is little that the privacy community can do about it.

As privacy advocates lamented the remarks, warning of creeping surveillance and urging commissioners to take action, delegates were left to wonder whether the privacy world will again be unrecognisable when the Data Protection and Privacy Commissioner’s conference next convenes in Canada.