Privacy and Security: "Big and Little 'P' Policy"

On the national policy front, or "Big 'P' Policy, both privacy and security issues are rising to the fore.  Do not track mechanisms are, to quote a New York Times recent article on this subject, "features on browsers — like Mozilla’s Firefox — that give consumers the option of sending out digital signals asking companies to stop collecting information about their online activities for purposes of targeted advertising."  The market sector is not happy.  Microsoft is releasing version 10 of its web browser, Internet Explorer, with a default do not track setting; to allow cookies or other tracking requires the user to change the setting.  Business interests have reacted angrily, with the Association of National Advertisers sending Microsoft's CEO, Steve Ballmer, an open letter objecting to that decision.  A slew of blue ribbon companies chimed in, including I.B.M., Verizon and Walmart.  (Interesting bedfellows ...)  According to this same article, nine Congressmen (lobbied by guess what interests?) sent a letter of concern to the F.T.C. skeptically inquiring about the Agency's association with the well-respected, independent Internet technology group W3C, World Wide Web Consortium, over privacy issues.  My heavens, don't the Congressmen know this is a free country?  This article is worth a full read.

I do not think U.S. political culture is at a tipping point on privacy whereby it will cause Congress to pass comprehensive privacy legislation, but I do think that the current is shifting toward more public scrutiny about the intersection of law and technology in this area.  Five to ten years ago -- and with Facebook's founder more recently -- the chant was "privacy is dead."  A ridiculous statement in any moment, these incantations are ringing more hallow lately as polling clearly reveals that the vast majority of American's express concern about corporate tracking of their Internet activities.  Europe, longer and more stringent on this matter due to its history, has been applying the screws to Google for some time now, and as of yesterday with 23 countries demanding that Google tighten its privacy policy to meet European Union standards on data collection.  American society would do well to take a lesson instead of contrasting itself with Europe.  Why?  Because it is not some amorphous ether that has spiraled privacy downward, and not even "technology" per se, but market interests, i.e. corporations, advertisers, data mining and profiling companies especially.  As the public comes to understand the driving forces behind these cultural shifts over privacy, the public may come to expect more pro-privacy options from the market sector and oversight by governmental agencies.  Microsoft is betting that the public will value its product because it has chosen the current counter-intuitive market path with IE 10 default do not track options.  To be sure, for them it is a market strategy, but it is a smart one precisely because it is pro-consumer in its orientation.

About security, the Obama Administration is unhappy with Congress for buckling to those same, mainstream corporate interests who fought robust cybersecurity legislation.  If one ever wanted evidence that corporations ultimately don't give a fig about our country, this one is a good example.  Defense Secretary Leon Panetta subsequently has taken his message on the road, most recently to the New York City Intrepid Sea, Air and Space Museum.  Comparing the potential for a cyber attack to the military one on Pearl Harbor in 1941, Panetta educates on two fronts.  First is the technical lesson.  For those who do not understand or appreciate how wired is our functional infrastructure, he is connecting the dots between, for example, how utilities work on networked connections.  Multiply that lesson into all the areas of everyday life: medicine, banking, and transportation, again just to take some examples, and one gets the picture of how quickly our everyday experience could grind to a catastrophic halt as the result of a successful cyberattack on our networked systems.  Second is the civics lesson.  For those who do not understand where the opposition comes from and why, he is painting a clear picture: the business community.  Why do they take that position?  Purely for financial reasons.  Businesses, thinking only of their fiduciary responsibilities and not their civic ones -- notwithstanding their legal standing as "individuals," a legal fiction if there ever was one -- do not want to spend the money to bring their systems into compliance with protective technical security measures.  It is in moments such as this one that I seriously question the wisdom of representative government heavily influenced by unrestrained lobbying.  President Bush sent the country on the path of spending close to a trillion dollars and many thousands of U.S. lives lost in wars half-way around the globe, but business bullies legislators to keep us from being safer at home?  That logic only makes sense if you recognize the corporate stranglehold on Congress through unrestrained advertising and lobbying.  And Defense Secretary Panetta might have a third mission: to prepare us all for an executive order to make this vital change happen.  It is the final tool in Obama's toolbox, and for one, I hope he uses it.

On the institutional policy front, what I call "Little 'P' Policy," these political developments demonstrate the difference between what is "privacy" and what is "security."  For too long now in higher education, institutions have collapsed the two categories.  Perhaps a decade ago when we were all scrambling to ramp up technical security operations, the confusion was understandable because it was suppressed under the rush to make network changes.  The long-term result has been that most people assumed that the two categories were interchangeable, or that privacy was something -- whatever it was -- subsumed by technical security.  Actually, the opposite is true.  Privacy practices include administrative, logical and physical security as one of a standard four measures (notice, transparency and relevancy are the other three).  Technical security on a national policy basis remains nonetheless a critical issue, as this debate over cybersecurity illustrates.  But the two concepts differ in important ways.  Therefore, to continue down a path that sows confusion about these distinctions would be to wrongly repeat a mistake whose time to correct is upon us for the sake of risk management.  Keeping abreast of "Big 'P' Policy" not only helps us be better citizens but may help us do our jobs better in colleges and universities.