

Subject: IP: Rep. Armey tells colleagues to go slow on privacy, "be careful"



>From: "Diamond, Richard" <Richard.Diamond@mail.house.gov>
>Subject: Armey privacy memo
>Date: Mon, 9 Apr 2001 10:08:32 -0400
>
>Mr. Armey sent the following memo on privacy to his colleagues this morning.
>Thought you might be interested.  (It's also online at freedom.gov).
>
>Richard Diamond
>Office of the Majority Leader
>US House of Representatives
>202-225-6007 / www.freedom.gov
>
>TO:             House Colleagues
>FROM:   Dick Armey
>SUBJECT:        Privacy: For those who live in glass houses
>DATE:   April 9, 2001
>
>Americans put a high value on their privacy.  And for good reason.  I don't
>want strangers poking around in my business any more than they want me
>poking around in theirs.  But new forms of communication like the Internet
>present an entirely new challenge for those of us concerned about privacy.
>
>         Figuring out exactly what we must do to protect sensitive
>information in this new environment is no easy task.  Many unexpected
>pitfalls await those who rush into this complicated, emotional issue.  In
>the fast-paced world of the Internet, we must avoid silver-bullet solutions
>that will quickly become obsolete or leave ourselves vulnerable to criticism
>that the government is not meeting the standards it requires from others.
>
>The Government's Privacy Problems
>
>         Before the federal government becomes too preachy about privacy, it
>should review its own practices.  The Federal Trade Commission (FTC), for
>example, thought that it had developed some good ideas for regulating
>commercial websites to protect privacy.  The Commission set out its own
>privacy principles last May in a report entitled "Fair Information Practices
>in the Electronic Marketplace."  The problem was that the good folks at the
>FTC were so busy figuring out how to regulate the commercial sector that it
>forgot to regulate itself--and they fell into the hypocrisy trap.
>
>Rep. Billy Tauzin and I asked the General Accounting Office (GAO) to apply
>the FTC's privacy criteria to the government itself.  Not only did the FTC
>fail to meet the very standards it had asked Congress to impose on everyone
>else, so did 97 percent of all federal websites surveyed.
>
>         I think we can draw a lesson from this.  The government should
>review its own practices before it becomes too preachy about privacy.
>
>         The IRS knows how much money you make and how you spend it.  The
>Department of Labor knows where you work and how long you've worked there.
>The Department of Health and Human Services (HHS) might well know everything
>about your medical history, especially if you are on Medicare or Medicaid.
>They all know your name, address, phone number, Social Security number and
>maybe even your email address.
>
>         According to a recent study by the privacy organization Privacilla,
>once an agency gathers information about you, it will routinely share that
>information with other agencies--combining your health, income, and other
>records.  That means your complete life history is floating around the
>bureaucracy, whether you like it or not.  Some of this information sharing
>is probably beneficial, allowing agencies to work more efficiently.  But if
>government can't protect all that private information from prying eyes, the
>story changes.
>
>         The truth is that the government has a dismal record when it comes
>to securing sensitive information.  According to a study last year by
>Government Reform Subcommittee Chairman Steve Horn, most federal departments
>and agencies received a failing grade for their lax computer security
>procedures.  Those failing grades put privacy at risk.
>
>         For example, a Veterans' Affairs Oversight Subcommittee hearing last
>year exposed very disturbing privacy problems within the Department of
>Veterans' Affairs.  The Department's own Inspector General was able to hack
>into the system and obtain control of individual medical records.  The IG
>testified that weak computer security exposed the records of individual
>veterans to an assault from hackers armed with only minimal skills.
>
>         Unlike many non-VA patients, veterans have no choice about sharing
>their medical information and have few options if they are dissatisfied with
>the level of protection the agency gives to their medical privacy.
>Fortunately, VA Secretary Principi testified last week that the Bush
>Administration is taking steps to clean up this mess.
>
>         The VA's problem was no isolated incident.  The GAO recently
>revealed perhaps the most disturbing example of the effect of lax government
>security.  GAO auditors found during an investigation last year that IRS
>computer systems containing tax returns that are filed online were
>vulnerable to attack from even a hand-held computer.  According to GAO's
>report, hackers not only had the ability to read your tax information, but
>they could also modify it. That's a scary thought.  Fortunately, Treasury
>Secretary Paul O'Neill has indicated that the Department is addressing this
>issue.  It is clear, nonetheless, that the government has some privacy
>problems that it must address.
>
>The Law of Unintended Consequences
>
>As you can see, it takes more than good intentions to make good law.  And
>some well-intentioned privacy initiatives may actually result in less
>protection than existing law.  President Bill Clinton, for example, used his
>last hours in office to cobble together a rule designed to protect the
>privacy of medical information.  But buried within the expansive text filled
>with new regulatory requirements for health care providers is a passage
>giving HHS the right to collect all personal medical records from a given
>health provider without a warrant or prior notice.  (By the way, Chairman
>Horn gave HHS an "F" for its inability to protect personal information.)
>
>It's hard to dispute the goal of assuring patients that they can share
>personal information with their doctor or insurance company without risk.
>But it's unclear how requiring patients to sign a bunch of disclosure waiver
>forms will help protect privacy, improve health care or alleviate patient
>anxiety.  What is certain is funneling all that information to HHS is a step
>in the wrong direction.  Fortunately, Secretary Thompson has recently
>expressed his willingness to review and reconsider these new regulations.
>
>         A legislative or regulatory solution may be the slowest and least
>effective way to address consumer concerns.  One of the most frequent
>reasons given for the need to enact commercial privacy legislation is that
>some consumers refuse to engage in e-commerce because they fear their
>information won't be adequately secured.  I haven't made the transition to
>online banking myself for that very reason.  Nonetheless, more and more
>people are turning to e-commerce, which shows that not everyone is obsessed
>with such concerns.
>
>We should remember that these online services have a strong market incentive
>to address my privacy concerns if they want my business.  The market is well
>suited to adapting and quickly changing to meet new circumstances or to
>address the concerns of consumers.  And that's important because the way we
>understand the Internet and websites today is changing.
>
>Web sites are simply the way that most of us interact on the Internet
>today--that may not be true tomorrow.  Already, a substantial amount of
>Internet data, such as stock trades, travels by cell phone or other mobile
>devices.  Imagine trying to read a legal privacy notice on your cell phone
>before opening that E-trade account.  Should typing your social security
>number on your phone keys be treated differently than typing them in on a
>computer keyboard?  Imposing notice rules on web sites may be as relevant
>next year as requiring airbags on horse buggies.
>
>         Some calling for additional online privacy regulations cite the need
>to address things that are, in fact, already illegal--like stealing credit
>card numbers or "identity theft."  It makes no difference whether that
>information was illegally obtained on the Internet or by stealing your
>purse.  Perhaps better enforcement of existing laws will address those
>concerns.
>
>         Motivated by the desire to "save" the Internet, others have argued
>that if Congress does not act soon, state governments will create a host of
>different and even contradictory rules that might derail our borderless
>Internet economy.  Even if Congress could preempt these state laws--and I am
>not aware of any consensus to do so--rushing to create a single unworkable
>federal standard is as bad or worse than having many unworkable state
>standards.  Let's not love the Internet to death.
>
>So What Do We Do About Privacy?
>
>         Privacy is a difficult issue, and I don't pretend to have all the
>answers on this subject.  Right now, Congress is an inexperienced and
>amateur mechanic trying to tinker with the supercharged, high-tech engine of
>our economy.  We need to be careful not to let our good intentions get in
>the way of common sense.
>
>That doesn't mean that we can't or shouldn't do something about privacy.
>Far from it.  It means that we should start with what we know best and have
>the greatest ability to affect.  We've already seen that the federal
>government needs serious attention when it comes to privacy.  And there are
>plenty of things we can do to improve the way the federal government uses
>personal information--both in the bureaucracy and in Congress.  We should
>clean our own house before dictating solutions for others.
>
>         Those who live in glass houses shouldn't throw stones.  And right
>now, the federal government's online house is made of pretty thin glass.



For archives see: http://www.interesting-people.org/

