IP: Rep. Armey tells colleagues to go slow on privacy, "be careful"

[David Farber <dave () farber net>]

> From: "Diamond, Richard" <Richard.Diamond () mail house gov>
> Subject: Armey privacy memo
> Date: Mon, 9 Apr 2001 10:08:32 -0400
>
> Mr. Armey sent the following memo on privacy to his colleagues this morning.
> Thought you might be interested.  (It's also online at freedom.gov).
>
> Richard Diamond
> Office of the Majority Leader
> US House of Representatives
> 202-225-6007 / www.freedom.gov
>
> TO:             House Colleagues
> FROM:   Dick Armey
> SUBJECT:        Privacy: For those who live in glass houses
> DATE:   April 9, 2001
>
> Americans put a high value on their privacy.  And for good reason.  I don't
> want strangers poking around in my business any more than they want me
> poking around in theirs.  But new forms of communication like the Internet
> present an entirely new challenge for those of us concerned about privacy.
>
>         Figuring out exactly what we must do to protect sensitive
> information in this new environment is no easy task.  Many unexpected
> pitfalls await those who rush into this complicated, emotional issue.  In
> the fast-paced world of the Internet, we must avoid silver-bullet solutions
> that will quickly become obsolete or leave ourselves vulnerable to criticism
> that the government is not meeting the standards it requires from others.
>
> The Government's Privacy Problems
>
>         Before the federal government becomes too preachy about privacy, it
> should review it's own practices.  The Federal Trade Commission (FTC), for
> example, thought that it had developed some good ideas for regulating
> commercial websites to protect privacy.  The Commission set out its own
> privacy principles last May in a report entitled "Fair Information Practices
> in the Electronic Marketplace."  The problem was that the good folks at the
> FTC were so busy figuring out how to regulate the commercial sector that it
> forgot to regulate itself-and they fell into the hypocrisy trap.
>
> Rep. Billy Tauzin and I asked the General Accounting Office (GAO) to apply
> the FTC's privacy criteria to the government itself.  Not only did the FTC
> fail to meet the very standards it had asked Congress to impose on everyone
> else, so did 97 percent of all federal websites surveyed.
>
>         I think we can draw a lesson from this.  The government should
> review it's own practices before it becomes too preachy about privacy.
>
>         The IRS knows how much money you make and how you spend it.  The
> Department of Labor knows where you work and how long you've worked there.
> The Department of Health and Human Services (HHS) might well know everything
> about your medical history, especially if you are on Medicare or Medicaid.
> They all know your name, address, phone number, Social Security number and
> maybe even your email address.
>
>         According to a recent study by the privacy organization Privacilla,
> once an agency gathers information about you, it will routinely share that
> information with other agencies-combining your health, income, and other
> records.  That means your complete life history is floating around the
> bureaucracy, whether you like it or not.  Some of this information sharing
> is probably beneficial, allowing agencies to work more efficiently.  But if
> government can't protect all that private information from prying eyes, the
> story changes.
>
>         The truth is that the government has a dismal record when it comes
> to securing sensitive information.  According to a study last year by
> Government Reform Subcommittee Chairman Steve Horn, most federal departments
> and agencies received a failing grade for their lax computer security
> procedures.  Those failing grades put privacy at risk.
>
>         For example, a Veterans' Affairs Oversight Subcommittee hearing last
> year exposed very disturbing privacy problems within the Department of
> Veterans' Affairs.  The Department's own Inspector General was able to hack
> into the system and obtain control of individual medical records.  The IG
> testified that weak computer security exposed the records of individual
> veterans to an assault from hackers armed with only minimal skills.
>
>         Unlike many non-VA patients, veterans have no choice about sharing
> their medical information and have few options if they are dissatisfied with
> the level of protection the agency gives to their medical privacy.
> Fortunately, VA Secretary Principi testified last week that the Bush
> Administration is taking steps to clean up this mess.
>
>         The VA's problem was no isolated incident.  The GAO recently
> revealed perhaps the most disturbing example of the effect of lax government
> security.  GAO auditors found during an investigation last year that IRS
> computer systems containing tax returns that are filed online were
> vulnerable to attack from even a hand-held computer.  According to GAO's
> report, hackers not only had the ability to read your tax information, but
> they could also modify it. That's a scary thought.  Fortunately, Treasury
> Secretary Paul O'Neill has indicated that the Department is addressing this
> issue.  It is clear, nonetheless, that the government has some privacy
> problems that it must address.
>
> The Law of Unintended Consequences
>
> As you can see, it takes more than good intentions to make good law.  And
> some well-intentioned privacy initiatives may actually result in less
> protection than existing law.  President Bill Clinton, for example, used his
> last hours in office to cobble together a rule designed to protect the
> privacy of medical information.  But buried within the expansive text filled
> with new regulatory requirements for health care providers is a passage
> giving HHS the right to collect all personal medical records from a given
> health provider without a warrant or prior notice.  (By the way, Chairman
> Horn gave HHS an "F" for its inability to protect personal information.)
>
> It's hard to dispute the goal of assuring patients that they can share
> personal information with their doctor or insurance company without risk.
> But it's unclear how requiring patients to sign a bunch of disclosure waiver
> forms will help protect privacy, improve health care or alleviate patient
> anxiety.  What is certain is funneling all that information to HHS is a step
> in the wrong direction.  Fortunately, Secretary Thompson has recently
> expressed his willingness to review and reconsider these new regulations.
>
>         A legislative or regulatory solution may be the slowest and least
> effective way to address consumer concerns.  One of the most frequent
> reasons given for the need to enact commercial privacy legislation is that
> some consumers refuse to engage in e-commerce because they fear their
> information won't be adequately secured.  I haven't made the transition to
> online banking myself for that very reason.  Nonetheless, more and more
> people are turning to e-commerce, which shows that not everyone is obsessed
> with such concerns.
>
> We should remember that these online services have a strong market incentive
> to address my privacy concerns if they want my business.  The market is well
> suited to adapting and quickly changing to meet new circumstances or to
> address the concerns of consumers.  And that's important because the way we
> understand the Internet and websites today is changing.
>
> Web sites are simply the way that most of us interact on the Internet
> today-that may not be true tomorrow.  Already, a substantial amount of
> Internet data, such as stock trades, travels by cell phone or other mobile
> devices.  Imagine trying to read a legal privacy notice on your cell phone
> before opening that E-trade account.  Should typing your social security
> number on your phone keys be treated differently than typing them in on a
> computer keyboard?  Imposing notice rules on web sites may be as relevant
> next year as requiring airbags on horse buggies.
>
>         Some calling for additional online privacy regulations cite the need
> to address things that are, in fact, already illegal-like stealing credit
> card numbers or "identity theft."  It makes no difference whether that
> information was illegally obtained on the Internet or by stealing your
> purse.  Perhaps better enforcement of existing laws will address those
> concerns.
>
>         Motivated by the desire to "save" the Internet, others have argued
> that if Congress does not act soon, state governments will create a host of
> different and even contradictory rules that might derail our borderless
> Internet economy.  Even if Congress could preempt these state laws-and I am
> not aware of any consensus to do so-rushing to create a single unworkable
> federal standard is as bad or worse than having many unworkable state
> standards.  Let's not love the Internet to death.
>
> So What Do We Do About Privacy?
>
>         Privacy is a difficult issue, and I don't pretend to have all the
> answers on this subject.  Right now, Congress is an inexperienced and
> amateur mechanic trying to tinker with the supercharged, high-tech engine of
> our economy.  We need to be careful not to let our good intentions get in
> the way of common sense.
>
> That doesn't mean that we can't or shouldn't do something about privacy.
> Far from it.  It means that we should start with what we know best and have
> the greatest ability to affect.  We've already seen that the federal
> government needs serious attention when it comes to privacy.  And there are
> plenty of things we can do to improve the way the federal government uses
> personal information-both in the bureaucracy and in Congress.  We should
> clean our own house before dictating solutions for others.
>
>         Those who live in glass houses shouldn't throw stones.  And right
> now, the federal government's online house is made of pretty thin glass.



For archives see: http://www.interesting-people.org/