LIBRARY
OF THE
MASSACHUSETTS INSTITUTE
OF TECHNOLOGY
JAM 13 1972
J-ZBRARIES
PRIVACY, TECHNOLOGY, AND
THE AMERICAN CITIZEN
Stephen J. Williams'^
Richard Owens
Edouard Cointreau
Peter Bloomsburgh
563-71
October
MASSACHUSE'
INSTITUTE OF TECHNOLOGY
50
MEMORIAL DRIVE
MASS. INST. TECH.
OCT 21 1971
OtWEY LIBRARY
PRIVACY, TECHNOLOGY, AND
THE AMERICAN CITIZEN
Stephen J. Williams
Richard Owens
Edouard Cointreau
Peter Bloomsburgh
563-71
October
PRIVACY, TECHNOLOGY,
AND THE AMERICAN ClTlZl
by
Stephen J, Williams
Richard Owens
Edouard Cointreau
Peter Bloomsburgh
01971
6331^7
Privacy* Technology,
and the American Citizen
1
*
IfilEoaUiiHOii
The
right
privacy
to
has
been
issue
an
b£
considerable proirinence in recent months as the congress and
the
American public have inc^reasingly questioned the extent
and nature of the constitutional and moral ramifications
This
privacy,
technological
presents an examination of privacy
article
particular
with
of
emphasis
the
on
advancement.
imolications
of
framevor^ is deveiooed within
A
Which managerial decisions related to questions
of
privacy
can be examined.
An
privacy
investigation
initial
presented
is
which
of
the
distinguishes
definition of
between
the
individual's need for privacy and the society's requirements
for infringing upon
determinants
of
need.
that
privacy
Next,
the
examines,
are
technblbcical
including
the
utilization of advanced electronic equipment (esoeciallv the
computer)
and
to
problems
collect
inherent
information.
in
The
unique orooerties
multiple^access
time-sharino
systems are considered,'
All
of
framevorlt for the
these
analysis
issues
of
are
specific
integrated
into
databanks.
a
This
fraPievork may be applied to databanks currently in existence
and to those which may be proposed at some future time.
The
Paae
DRAFT
are intended as an aid in determining
presented
guideiines
3
the suitability of such databanks.
Finally,
problems
the
to
are examined, followed by suoaestions
privacy
of
solutions
proposed
number of
a
for further thouaht,
2
£EIIA£i:
iii£ £R2Bii;ii
everyone.
cohcerns
Privacy
Americans would aSree that no
Although
should take
'one
most
challenoe to
a
his privacy lightly, few carefully consider the iiriDlications
of
applying
for
credit card or
a
transfer of information
aff«cted,
whether
it
a
bank loan.
privacy
occurs,
privacy
of
ve must act as
a
natioh to forge
a
accepted
definition
in
least one excellent definition (in the
been
that of our
organization,
an
clear national oolicy".
Privacy is not easily defined.
widely
way
with our individual considerations of privacv,
concorrently
no
some
in
is
be our personal privacy,
friends or neighbors, or the
Any tinie a
presented.
In
legal
In fact,
Is
use today, although at
iboical
terminology,
definition remains to be established.
there
a
sense)
has
satisfactory
(See also (2))
2,1 fififinitica af Piiiaci
The most important dimensions of
seen
through
an
individuals who have
Goldberg,
former
orivacy
can
be
examination of statements made by various
Vrestled
Associate
with
Justice
the
bf
problem.
Arthur
the United States
Supreme Court has put forth the following observation:
^«*^^
Pace
.
"The
dvindling
of
Privacy
has
been
U
as
vorld, ve have only belatedly realized
that privacy
Is
^''^^''^ ^°^^^^ resource, and one vhich
mLf'^Ko''!?^}?^^!,
protected against the claims of
eflLJent social
I-if"^^'orderino."
efficient
(16)
Congressman
Cornelius
Gallaoher. speaking before
the American Management Association, has defined
Privacy as:
''•••*'^®
free
choice by a free man
Tn
disclosing to public recard certain basic
^acts aboj?
nis actions, thoughts, and decisions, "{ l2)
He goes on to say:
^"^!5 lav...the cornerstone of a
free Am^rir^^^^^^
America. ..demands
that the past be
a
sorinQboard
ffP^^ssion and use bf abiUtv and not an
*nrhor^ J^v
"''^'^
*^°^"'
^"^
^"""s him In
vouthf,n i^\''v^^^ *
^^^^^ decisions.-(l2i
(S%'rfj^o"tll:(10.)?Mi?:in?r^'
These
attempts
at
definitions
are,
hovever,
incomplete.
The mbst comprehensive definition of
orivacv is
offered
Professor
by
Alan F. Westin (See also (20).(21))J
it highlights the privacy decision
individual
in
trading
as
the
choice
of
the
off his desire to be an IndLxldual.
and his desire tb participate in society:
"'^^
^'^^"^
sSeiiiLr°^ ^^^^
.s"^!^""
^^^'^y
society
fnfo^^i
r^ social norms.
enforce its
"(19)
2.2
Zhs. IiidiiiiiiiaijLfi iifivfiflini
^'^^
sets
processes
in
order
«.
to
Paae
PRAFX
from
Several facets of privacy are important
viewpoint.
individual's
5
the
his book, £rivacx and Eceedoia
In
(19)# Professor v;estin has identified four primary functions
which privacy perforins.
Individuals
A,
to
intrinsicly
Privacy provides the capability
autonomy.
control
the
aspects
some
direct
individuals
of information that relates to their
flow
personal lives, and# by so doi^ig, provides
to
personal
seeX
for
of
a
means for
their existence".
then
Indeed, the
history of literature is marked by references to cbntrbllina
fate.
one's
this
an
In
function
of
ever more complex and active societv.
privacy
assumes
increasing
ever
an
Importance.
protects
Privacy
B,
consequences resulting from
frustration.
Through
the
people
expression
from
of
damper
that
a
Of course, when the
cause.
infringe
anoer
and
this function, then, individuals are
afforded the opportunity for emotional release
continuous
undue
record
actions
without
the
their actions wbuid
bf
emotional
of
release
upon the rights of others, response by the sbciety
is Justified,
Privacy provides for
C,
introspection.
Individuals
must
be
allowed
their own performance for the purpose of
desires
and
actibns.
shoulder.
and
to evaluate
determining
their
Privacy allows this self-supervisibn
vithou.t the constant feeling that someone
your
evaluation
self
is
iboicino
over
Again, this function is not absolute -^ the
"^RA"
Pace
6
evaluation of an employee by his supervisor, for example, is
legitimate.
Privacy
D,
allows
for
privileged transfer of information,
individual
is
granted
the
the
protected
and
within this context, an
opportunity
discuss
to
a
supervisor with anbther employee without fear of dismissal'.
But the need for privacy
logical
considerations.
gbes
even
bevond
sUch
The work of manv anthropologists,
sociologists, and biologists indicates strbnalv that privacy
is
a
iifllijaicai
necessity
for
human
beings.
9estin has discussed , studies of animal behavior
that
for
men
and
seeking
Professor
which
show
animals may very well share basic mechanisms
privacy
Extrapolating
within
their
environments.
f19)
from the great importance ascribed to privacy
in the animal world, ohe must assume that Privacy is an even
more
significant
species,
determinant
Perhaps the inherent
of
behavior
desire
in
in
each
the
human
bf
us
occasionally seek solitude is an illustratibn of this
to
need'.
2,3 £fin£ii£ls £i Izii&Qi
However,
consideration
an individual by individual basis
consideration
privacy,
concerned
Host,
is
ignores
of the Privacy prbblem on
is
if not all,
of the data with
the
such
which
we
are
the joiht property of at least twb parties --
the person who originated the information,
fthom
sufficien;
not
the problems created by conflicts bf
data concerhs.
In many cases,
of these two parties conflict,
and
the
persbn
the Privacy riahts
consider the case bf medlcil
Paae
BRAFX
Included
records,
records are many Impressions
these
ih
7
himself in his future work
that the doctor might note to aid
might be very impbrtant
With the patient. For example, it
of
indications
shbved
patient
a
that
record
to
to
The physician would not want the patient
schizophrenia.
opinion
be aware that this
recbrded
was
medical
the
in
eiaminatibn
Thus, tb release the medical recbrd fbr
record.
with the physician's right
by the patient vbuld conflict
to
professional privacy.
The
formulation of
a
legal definitibn of privacv.
difficult
either by statute or precedent, is as
the
development
of
a
semantic
a
Within the
definition.
context of our democratic institutions, certain
specifically
was
privacy
a
in
the
However,
that
document
problem then than it is now.
Althiuah
number of Constitutional bases for the
exist
are
rights
cbnstitutibn.
mentioned
explicitly
not
because it was less
a
the
by
guarenteed
oroblem as
Fourth,
First.
in
riaht
Fifth,
and
tb
privacy
Fourteenth
varied frbm
Amendments, the interpretation by the cburts has
case
to
case.
However, guidelines have been developed by
the courts along which the
issues
can be evaluated.
(
legal
14)
implicatibns
of
One of the mbst impbrtant and
far-reaching of these is the concept bf the chilling
that
invasions of privacy
privacy
effect
tend to imPbse uoon the exercise
of civil liberties.
The chilling effect, as defined by the cburts.
is
Paoe
DRAFT
of individuals to viev invasions of privacy*
tendency
the
especi^ily surveillance activities, as
exercise
free
of
speech
or
protected by the Constitution,
other
a
threat
activities explicitly
invasions
such
their
to
privacy
of
It is the indirect effects of these
assume many forms'.
jnay
8
Invasions that the courts have viewed as unconstitutional.
ouidlines
The courts have developed three Priinarv
vhich
by
a
ruled
be
These guidelines are:
The, severity
A«
may
effect
chilling
given
unconstitutional (3).
scope
and
of
alleged
the
chiJtling effect bn the exercise of First Amendment freedoms.
The difficulty
proving
chilling
the
effect
guidline is indicated by the case of the United
this
under
of
tUblic Workers vs« Mitchell;
of
".•.the
threat
Bossiblfi
flfinsLal
interference with those appellants' rights by the Civil
Service commission under its... rules dbes not make a
justiciable case or controversy,
a hypothetical threat
ts not enough," (3)
Logically, of course, the chillina effect
dependent
an
upon aCliiai
individual
is
infringement of civil liberties,
perceives
a
threat
cf
activities are chilled whether or not such
inf rinqement.
a
not
if
his
threat actually
exists.
B,
vindicate,
The
liKlihood
rights as may be infringed upon.
cases
vhich
of
bpoortunities
to
with reasonable promptness* such First Amendment
involve
reasonable
The cburts seek only those
elaPsed
violation of rights occurred, and seem to
times
imply
since the
that
they
Paoe
CRAFT
establish
to
yant
statute
a
limitations
of
9
for
such
a
full
violations.
•
the
The nature of
C,
adjudication
of
which
issues,
merits must resolven ana the need for
the
factual referents in order to properly define and narrow the
There
issues.
between
exist
must
factual relationship
clear
a
violation
alleged
the
privacy
of
and
the
corresponding First Amendment right.
It should be clear from this brief discussion that
these
guidelines
Individual's
stringent
place
constraints
on
an
to legally proye invasion of privacv.
ability
In paragraphs beiow, we will show that advancing
technoibay
Is severly compounding these difficulties,
2.5
ihs.
sji£i£iiis yisjiEflint
desires
society
members,
definition emphasizes the fact that
Westin's
Dr.
Such
enforce
to
enforcement
individual
uoon
norms
its
is,
inherent in the
of course,
definition of "s^cietyT; very few People would question
necessity
enforcement
such
of
to
the
existence
the
of
civilization.
In order to enforce norms,
variety
of
institutions
monitor" their behavior.
places
constraints
cannot choose^ for
which
cumulative
Thus
establishes
society
social
pressure
on each citizen's privacy decision.
example,
to
a
watch over individuals and
drive
cars
at
We
excessive
speeds, or to burn dowh our neighbor's house.
In
the
absense
of
explicit
leaal and semantic
-
Peoe
0RAFT
definitions of Privacy, however, the institutions
enforcement
iO
norm
for
not themselves sufficientiv constrained In
are
institutions may therefore exceed the bounds
their actions,
of reason quite bY accident in their zeal to carry out their
assigned tasks.
Numerous examples of
excess
such
may
he
found in the press.
The seriousness of these excesses is cbmoounded by
the public's lack of sophistication in
implications
actions
people
many
decision:
are
information
for
obtaining
have,
a
completely
credit
information to
a
a
privacy
the
unaware
dissemination
represents consent to release quite
personal
making
card,
for
the
of
their
that
examole,
considerable amount of
system whose control of access Is
Such information as salary, bank balances,
relatively poor.
and marital status become available fbr distribution.
3,
IHIOgM^TlON COLlECTXON;
TliS
B££J0]JS
All of this is not to say, of course,
has no right to
Civilization
collect
information
about
that society
its
members.
could not exist without such collection.
has been lacking is
a
What
framework within which to discuss
ithX
data xs collected,
There
are
three
main
forces which drive men to
collect, analyse, and disseminate information.
1)
to
These
facilitate the management function of society;
help resolve conflicts of individual's
ricrhts;
disseminate informatioh for its own sake.
privacy can be traced to the fact that
a
and
areS
2)
3)
to
to
Most invasions of
Particular
system
Pace
DeaFT
11
is collecting data for more than one of these reasons, or is
distributlno
collecting data relevaht to one reason and
it
for another,
3.1
liiSi
n&Qa2£in£ni £iilicli&n
Perhaps
most
the
2a£i£ty
q.1
suceptible
abuse
to
the
is
collection of data to facilitate the management function
society,
order
in
maintain
to
tremendous coordinating
continuing
basis,
effort
must
example,
For
earning
hours of
his
rate,
undertaken
be
information,
wor'c,
be
known.
difficult
is
It
a
includino
his social security
number, his home address, and the number of
must
on
a
to distribute
order
in
paychecXs to employees considerable
his
of
cbmplei civilization,
a
his
Quarrel
tb
deductions
with
the
necessity for keeping this information.
The most
collection
common
over-eXtension.
is
collection
—
the third
force
for
collection.
systems, if left alone, will often collect
data far beyond their true needs and collection will
a
goal
The
of information has a very Powerful driving force
inherent within itself
Data
abuse
in
itself
rather
than
a
become
means tb a specific end.
Questions such as "Taking things all together* would you say
you
are
flays?",
very
happy,
pretty happy, or not too happy these
when asked of senior citizens by the
Census
Bureau
16), are clear examples of over-extension,
3.2 £finili£l£
Qi.
Indiildii&l £iabt&
The second driving force for data collection is to
set up systems fbr resolving
conflicts
in
the
rights
of
DRAFT
Paae 12
individual members of the society.
For examole, it is clear
that driver's licenses are necessary
inconipetent,
danflerous,
order
in
prevent
to
reckless persons from abusino
and
other people's rights to use our roads with some measure
safety.
Another
of
good example is the FBI fingerprint file,
whicn is tremendously helpful in preventino the
destruction
of life and property by criminal elements.
Perhaps
most common abuse of such systems is
the
dependence on the relative political
whose
rights
are
conflict
in
constructed carefully to
being
right,
avoid
the
of
svstems
such
#
the
cohstruct such
to
Power
Possibility
orouos
must
be
mloht.
of
system clearlv requires
a
that the agent maKing the final judgement not be Subject
to
political pressure,
3,3 aissfimiaAtifin icr inl£EiDa.i.ifials v^lue
The
reason
major
last
fbr
collection
the
information is the inherent value of infornatibn in its
right,
The
common expression "Xnowledqe is power" retains
its validity
climate
of
own
in
the
fast
of our society.
paced
and
hiohly
pblitlclred
Perhaps the best example of such
a
system is education!
In systems which are
dissemination,
care
inappropriately
should
not
open
must
for
the
Purpose
of
be taKen that information is not
disseminated.
its
built
For
example,
the
library
files of user's bbrrbwino records to
examination by the general public.
It is
especially
important
that
systems
which
DRAFT
logically
Paae 13
exist
for
one
of the first two purposes not be
allowed to disseminate information for its own value.
dissemination
is almost always inappropriate.
probation records are maintained in
order
to
such
For examole.
resolve
the
conflict between an inSividual's right to be given
a
sentence and society's fight to be protected from
dangerous
lighter
To release such records tb prospective emplovers
criminals.
(for either money or political favors)
is
an
illegitimate
invasion of privacy,
We
are
now
in
a
position to delineate the most
important aspects of the privacy decision
On
(see
Figure
^^,
the one hand, there are society's needs for information,
and on the other,
privacy,
The
there
data
are
the
individual's
collection. decision must be
between these sets of heeds.
needs
a
for
tradeoff
<
'"*-.
'^fa-
.
'
'^^S
r Gu
I
,._
<2.e
X
5cC.AW Co-^^
•
-
OSAFX
tt
Paoe 15
.
01 CAIA QQlliZgllQii
MlliiOiiS
-
individuals
The neans by which information on
numerous
are
coliected
and
varied;
Is
they rancre front very
unsophisticated to highly technical methods.
The most obvious means to obtain information
is simply to asK them questions,
people
questions
few people refuse to answer
sexual
income,
from
SurPrisinglVi very
topics
such
on
political and religious beliefs,
behavior,
and educational background, if only the questions appear
"legitimate"
gome
surveys, and the
People
question
are
villino
equally
to
the drinkinq habits and marital
about
behavior of their neighbors.
fc)eople
in
form (i.e. questionnaires, voter opinion
like).
information
divUl9e
as
is
It
that
clear
too
few
validity or necessity of reauests for
the
Simple questioning without cbersion or pretext
information.
is the major means by Which invasion of Privacy occurs.
A
second, and less direct, technique for obtaininq
oublic
Information is tb search readily available
town
as
such
newspapers,
books,
organizations,
purchased;
had
a
"
and
unofficial
sometimes
reports
of
information
this
the internal Revenue Service, for
policy
sources,
and published information includino
records
various
must
be
example,
has
of selling to anyone lists of all persons In
the u»s, who own registered firearms.
The third
physical
method
of
information
and psychological surveillance.
use of aianpbwer
and,
at
times,
collection
Is
This involves the
electronic
equipment
to
Pace 16
DRAFT
monitor
person's activities.
a
Course,
Of
flow
the
information
of
may
ao
considerably beyond the person to whom it is first released.
When
existing
future databan)ts become interconnected,
and
one of the most important sources
information
of
will
be
other databanks,
5
ZZllLgl 1^2
\
IScJilJaifiGX
development
Technological
important ramifications for privacy;
science
problems.
developments
Perhaps two
the raoid
carries with it
technology
and
increaslnai'y
has
advance
of
hornet's nest of
a
most
have
striltinoiy
the conflict between privacy and technolbov in
demonstrated
the United states -- sophisticated electronic communications
equipment and the high-speed digital computer.
5
. 1
£fiIIliillial£&lli2DS £aui£]i}£iii
communications
Electronic
brimming
challenge
capability
massive scale
espionage
in
implications
with
bugging
electronic
for
haS
been
the
U,e.
equipment
for
Moreover,
196/
study
concludes
performed
in
that
by
the
anti-bugging
industrial
The
a
industrial
at least as big a business as
is
government domestic intelligence operations.
specializes
Privacy.
a
surveillance on
and
developed.
presents
cbrooratlbn,
Saber
which
conservatively
devices,
espionage
For example, a
accounts
for annual
losses of more than three billion dollars. (1)
At least as
surveillance
important
devices
is
as
the
the
proliferation
proliferation
of
of
om
-«
DRAFT
Our
teiecom.nunicatlons equiment.
couhtry
the
around
data
pace 17
.
abilUv
propagate violations of privacy far
aware
becomes
anyone
the
of
nationwide integration of some
tremendous
present
privacy
enables
speed
high
at
re-distrlbuto
to
and
problem.
to
before
Current plans for
networks
telecommunications
problems
us
lono
vide
which no one has yet
addressed.
5,2
tiks.
camEiiist ani Etivaci
But buaging devices only facilitate the collection
The most powerful device vet developed for the
of rav data.
accumulation and processing of that data
However,
is
computer itself is not an invader
the
^computer.
the
-
privacvJ
of*
for man's ability to process
it is only an aitiplifyihg device
of
It becomes a major factor in the Problem by virtue
data.
the magnitude of that amplification,
consider, for example, the IBM Svstera 360/195,
It
million
is capable of performing on the order of twenty-five
calculations per second.
mass
storage
(an argon-laser devicel stbres 645,000,000 bits
Thus
inch.
contain about
such
one U800 foot reel of computer tape couid
twenty
double-spaced
a
on
system would be less than four minutes.
The
protection
advent
paaes
typewritten
File retrieval time for
person in the United States,
every
the
unit marketed by Precision Instrument company
of Palo Alto
j>er
In terms of storaae capacity,
of
has
greatest
come
progress
about
multiple-access
in
rather
time
computerized
privacy
indirectly through the
sharing
systems.
The
Pace 18
DRAFT
effort for these systems requires protection of
development
access
one user's information from accidental or Purposeful
by
other
users.
Considerable
effort
on
access control
systems which permit controlled sharing of resources in
multiple-access environment has been undertaken by
of
research
projects
such
(U),(7),(8)
M.i.T.'s
as
variety
&
Project
MAC.
.
\
Partial
protection
Provided
is
sharing systems by the requirement that
himself
terminal.
the
at
Schemes
passwords to signature recognition
implemented.
the
many
in
time
identify
user
from
ranaing
simple
proposed
been
have
transmission
over
data
lines
to
oattern
bit
a
transmission,
the
A
which the user's Password is the
on
a
string
of
is
different
at
answer
random
every
and
more effective scheme, in
t©
Computation
a
digits supplied by the
computer, is now in use at Project MAC.
password
for
computer; thus the
the
user's I,D. may be had simply by tapping his Phone line
performed
or
These static schemes suffer from the fact that
any identification must be converted to
recording
the
Since
the
user's
session, it is safe from
tappingi
However* tapping of data lines will
the
theft
of transmissions of data,
schemes for encoding and decoding
A
still
enable
number of effective
transmissions
have
been
developed, but nbne are in widespread use.
Within
the computer's storage svstem, the problem
is one of permitting
canltaliad
sharing
of
programs
and
Pace 19
DRAFT
Access
information.
schemes vary widely in their
control
sophlsticaiton; the only systems which offer even reasonable
are inplemented in academic computer facilities.
protection
employed
Perhaps the most successful scheme to date is that
by
Multics
at project MAC,
in which Protection is attained
through control of access paths to information couoled
a
which
structure
ring
with
to soecifv the
off*ers the abilitv
level of privileae of any program with resPect to others
the
system,
In
this structure, however, does not solve
Eyen
all access problems.
Another consideration is the fact
that
the
same
centralization of information and computing oower that maltes
time-sharing
systems
cost-effective
concentrated
efforts
to
cost-effective.
cause
break
the
may
very
well
maice
access control system
Centralization may therefore be expected to
increase in the number and Persistence of attacks
an
on the access control system;
its integrity becomes
a
very
important issue..
5,3 l££tlIl2lQSX Ind thS CQilltS
This
advancing
technology
whatever competence the courts
have
is raoidlv destroying
had
in
dealing
with
privacy Issues,
The
main
problem
information can be dispersed.
by
illegitimate
coupled
with
preventive
the
measures
is
cannot
speed
with
The irreversible damage
dissemination
courts*
the
which
done
of
adverse
information,
inherent
delays*
means
be
that
taken, and that corrective
DRAFT
Pace 20
^
measures would
conie
too late.
Moreover, any penalties which miaht be promulaated
require
would
considerable technical knowledge to enforce.
Given the present techhical sophistication of
branch*
the
fall to the same programmers who implemented the
the
iudicial
the job of executing the sentence would necessarily
first place.
guilty clearly is no solution to the problem.
the contents of
might veil be
a
system
in
Such dependence upon the aobd will of the
For
examole.
data bank which has been ordered destroyed
stored
on
microfilm
before
the
order
is
carried out,
Presently the world of the courts and the* world of
data processing have very little in common.
laws
exist
technology.
will
effort
for
protection
the
Even if such
be
required
Nb satisfactory
of Privacv from advancing
laws
are
to
bring
Passed,
stupendous
&
the rest of the legal
systeni into the computer age.
Having examined
privacy,
it
behobves
us
the
to
nature
develbP
problem
the
of
of
clear analytical
a
framework for viewing individual databanks.
The
obiective
of such an analysis is to develop criteria fbr the design of
specific, databanks.
careful
consideration
question of whether
bank
The analysis assumes, bf
which
does
a
has
previously
databank is needed
not serve one
course,
been
at
given
allJ
(and stnll one)
that
to the
a
data
bf the three
reasons for collecting- information should nbt exist.
DRAFT
_
The concepts discussed in the
Pace 21
foUowina caragraPhs
and the relationship among them are illustrated in Fiqure 2.
.
Vuoto
A. i-MFcKtuAVn^A
'.
raw^cY
fuo^e 2
Lj^^os'
Page 23
D.RAFT
6.1 £fiU£Sti£ii £rii££ia.
Unless there exists the possibility of
effect
chillino
a
on civil liberties, the collection of data is not of
itself an invasion of privacy.
information
The majority of
is collected through acceptable channels and for justifiable
personnel
company
records,'*
control
a
is
or is utilized for
data bank
has
been
once
the
made,
collection and distribution of information
the
of
and
has privacy been violated.
purpose
the decision to establish
data,
channels, is disseminated
to unauthorized persons or organizations,
inappropriate
are
Only when information
inappropriate
thrbUqh
collected
census
national
industry statistical information.
an
databanks
Among the most commonly developed
purposes.
becomes the central issue.
Of primary importance is
data concerning an individual or
for entry into
the
comprehensive
and
databank.
logical
the
In
set
criteria
group beconies
a
order
to
of criteria*
candidate
establish
a
prior thouoht
be given to the specific goals of the svstem.
roust
which
by
a
If
the
desired output can be stated precisely (and iustified on the
basis of the rights of individuals
their
groups
to
control
privacy), then input criteria can be defined and
own
bounded in
of
an^
a
useless
fashion that not only eliminates the
data
oathefirio
and promotes efficient system design, but
also prevents unwanted side effects.
Failure to clearly define the
databank
is
a
bbiectives
of
the
contributory factor in improper collection.
DRAFT
Pace 24
_
Khen a failure to specify objectives occurs,, any Information
might
Which
be
of
future is collected*
of
relevance
remote
at some time in the
This usually results in the collection
unnecessary information and in
considerable
a
potential
threat of invasibn of privacy,
6.2
lh.&
£ua.lilx
hi,
IniaLC&ii&a
Once reasonable standards
for
determining
have
established
been
data is to be sought as inout to the
what
system* it is necessary to set up procedures for contrbliina
the quality of that information.
Quality
control
tvo
has
aspects.
First,
the
accuracy of input data must be controlled as it is 'entered.
In
a'
computerized system, this might involve checlcing punch
cards for keypunching errors.
The second aspect of quality control concerns
removal
outdated.
information
of
corporations)
—
from
the
when
file
Perhaps information related to
should
the
becomes
it
individuals
rand
be classified like radioactive metals
by "half liveS", with
different
lengths
of
retention
time depending on the nature of the information.
6.3 &&1& AlldlXSXs
The
next
important
methodology used fbr aggregating
product,
The
collection
little in the way of Useful
must
of
consideration
raw
data
into
the
is
a
usable
data by itself produces very
managerial
information.
be analysed and manipulated into a usable format;
are the building blocks of information.
Data
data
The methods used in
-
DRAFT
Pace 25
.
analysis determine precisely the content of the output
this
result
biased,
in
information being transmitted by the
false
or
rolsleadin-g,
may
methods
Improper
information.
Such information may well constitute an Invasion of
system.
privacy,
6.4 i£££sa caaltoi
Given
system
a
is able to provide useful
which
information, it is necessary to carefuHv control access
Virtually every piece of information is
information,
that
sensitive to some degree
and
protection
requires
Information which consider both the authority
of
any
promulgation
Potential
of
against
Specific rules for the dissemination of
unauthorized usaqe.
Know
to
user must be established.
must
rules
these
*
and
need
But the
accompanied
be
to
by
procedures for enforcement,
6.5 Xikt£E-a.aial2a.nli Icatisf £ES
A
further
problem that must be considered is the
exchange of data between databanks,
taken
care
First,
to insure the propriety of such exchanges.
must
be
Moreover.
\
interchange demands verification
transmitted
information
of,
that
so
accuracy
the
errors
of
will
not
any
be
propagated,
6.6
ZllS.Lt&
Ss^s.ls.1
Finally,
information
the
system
social
effects
must be considered,
the system is to perform must be weighed
social
benefits
and
social
costs.
of
any
proposed
Each function that
in
The
terms
benefits
of
tnav
its
be
Pace 26
DilAFT
delineated In terms
o;E
establishment — win
the driving force behind the system's
the
system
management function of the society;
conflicts
assist
fact
in
will
the
resolve
cause progress
individual rights; or vill it
of
in
helo
it
through the distribution of knowledge.
These benefits must be balanced aoainst the social
costs
the System, which may be measured in terms of the
of
individual's loss of privacy, the resulting
freedom
degradation
of
and the possible chilling effect bn the exercise of
civil liberties,
7
LS.
lh.l^lkl, SQLuXifiil i^HE IIS
SHQEICQuHisS
Today the most commonly proposed solution
problem
to
the
of privacy is simply to allow individuals access to
their own
inaccurate
files
order
in
information.
they
that
This
correct
iniaht
any
proposal is over-simplistic
for several reasons.
First, the idea assumes that the individual is the
only entity which might be harmed by an invasion of privacy.
There are many arbups who
This is, of course, not the case.
have
been harmed by the illegitimate release of information
-- large corporations,
draft-resistance
groups, and the Government itself,
ipresumably
bf
have
Constitutional
organizational
some
guarantees
right
are
talce
rights,
to
even
organizations than for individuals,
pblitical
Althouoh it is true that
consideration of individual rights must
consideration
arbups,
precedent
these
privacy.
over
grbups
However.
less well defined for
DRAFT
Second,
individual
his
file
current
think/
interested
be
ridiculous
is
It
to
example, that a person should be able to chanoe
for
his medical record
at
Moreover,
will.
case
the
in
of
which in some way is unfavorable* it will never
information
information
be in the individual's interest to have correct
in
in
A«ain# this is a
accurate,
and
false assumption in mahy instances.
the
that
Qualified to
mbst
person
the
necessarily
is
assumes
access
individual
correct his own record, and that he will
having
Paae 27
^
If we do not tr«st a small oroup of people to
his file.
then
information,
sensitive
accurately report
we
surely
cannot trust everyone, en masse, to perform this function.
The most important shortcoming of this solution Is
that it does not
privacy*
recognize
show
To
the
problem
the
patient
his
to show
compromise the doctor's privacy;
letters
the
compromise
would
recommendation
of
conflicts
of
student
his
the authors*
clearly giving the individual access
rights to privacy,
of
medical record would
to
his own files is an inadequate solution to the problem.
1
8,1 g££&£&ti£ii
The
conflicts
of
distinction
fif
£&£i
icfiQ
Snini&n
first attempt at
Privacy
between
might
a
be
information
solution to the problem of
to
draw
example,
it
would
be
objectively provable facts from
clear
very
which is to be considered
fact* and that which is to be considered
medical
a
possible
the
opinion.
to
In
the
separate the
Physician's
opinions.
Page 28
DRAFT
giving patients access to the formeri but not to the latter*
distinction
Unfortunately, this
record.
information
factual
verified
between
and interpreted or heresay information
is not drawn in many detabanlcs.
Moreover* even if it
were*
there would still remain conflicts of privacvt
8,2
hlt&LIi?LS.il& g&liiii&Q.^
21tl£i:
Careful consideration should be given to Senator Sam J,
Ervin's proposal to?
"create a Federal agency wlth_ powers to
data bank operations,
military ^and
register
all
civilian^ to demahd justification for the records iceot
and to enforce a citizen's rioht to examine and to
even
challenge data which could hurt his reputation,
his ability to earn a livelihood, for the rest of his
*
days, -(15)
(See also (5))
would
however,
MOMXAf
organizational
be
invasion
an
privacy.
As
a
guidelines
explicit
require
of
such
an
aaencv»
such that the operations of that agency
be
itself,
in
powers
investigative
The
individual
of
and
result* such an agency would
directing
the
agencies
and
for which, and by whom, an investigation would be
databanks
performed.
Specific
criteria
for
evaluation
the
of
databanks would b© needed to enable investigators to conform
to the intentions of the regulatory agency.
problem
unique
An
additional
this proposal is the determination* for
to
the regulatory aqency, of what data files that agency itself
would
Xeep
in its investigative files.
of regulation by
further
by
a
Federal
agency
the necessity for both
a
is
The entire problem
complicated
eVen
legislative definition
,
Pace 29
DRAFT
of privacy and a national consensus as to the extent of each
This
rights.
citizens'
quite possibly is
question that
a
only the Supreme Court and the Congress could answer.
alternate*
An
analysis of databani^s.
similar
manner
reviewing
the
a
to
These companies would perform
Certified
in
Public Accountant firms,
determine:
databank the firm would need to
the legal basis
between
to
for.
individual privacy;
privacy and society;
C)
the
a
in
A)
of managerial functions in the brflanizationi
needs
desired
is
companies specializing in the review and
private
establish
solution
related,
though
B)
tradeoffs
and d) technblbotcal
factors,
To perform objectively,
be
free
from
these firms would have
political and non-professional pressure, and
whose
from involvement in the special interests of the firm
databank
investigation.
under
is
to
The
necessity
for
uniformity and Control of the subjective determinations that
would
required
be
if
such
firms
were organized implies
legislation either at the national or state level.
and
The complexity of the problem precludes any
QuicK
beyond
those
simple
solution.
Other
alternatives,
discussed here, need to be developed
and
studied
from
an
cperatiojial and feasibility viewpoint.
9.
£USG£STXONS
Every
individual
must
questions of privacy which determine
society,
consider
his
the
central
interaction
with
Byt managers have an even more complex problem In
paoe 30
BRAFT
veighlnj the advantages and disadvantages
information.
£fili££t
to
the
oroblem Is
advanced
technoiooy
complexity
The
of
highlighted by the decision to utilize
decisions
of
and the numerous tjrade'-offs involved in such a decision.
oeneral guidelines may be Provided, however.
Some
valuable
are
Xhey
both
considering
technologically
faced
manaoer
with
an
conflict/, and to the individual citizen
inforiuation-privacy
the
the
to
questions
central
advanced
society.
orivacv
of
in
a
These Guidelines can be
summarized as follows:
A,
comprehensive
A
national
This policy should only approve of
a
legitimate need of the organization,
weigh
must
the
social
policy
needed.
is
databank if it serves
Moreover, this
policy
benefits against the social costs.
There are three identifiable catagories of social costs:
direct
costs
in resources to the organization; 2)
to the chilling effect; and 3) cost due
misuse,
costs:
six
1)
2)control
issues
must
be
evaluated in weighing these
the
of the quality of the information;
control of
processed;
centralization
U)
control
in
the
the information sYstem is
terms
of
the criteria for inclusion of data in
of
access
3)
of
benefits,
files;
and
interfaced
it
should
6)
5)
filei
data
to
files and
the
to
technological questions of program access;
In
1)
cost due
danger
the
to
the nature of data processing and selection of the
be
a
the degree of
the degree to which
with
be
important not to hinder an organization in
other
noted
the
systems.
that
it Is
fulfillment
•
PaOe 31
DRAFT
of
example, the Internal
For
functions,
legitimate
its
Bevenue Service should not be prohibited from the collection
of
information
financial
tax-related
individuals and
on
organizationst
B,
A
means for enforcement, carried to the lowest
is required as an intearal
levels of affected organizations,
component of
solution
any
invasion
demonstrating
legally
legislation
should
Problems
of
privacv.
is required to establish grounds for
legislation
Moreover^
the
to
designed
l>e
Privacy.
of
as
deterrent
a
This
to
the
illegitimate accumulation of information.
C,
A
review of existing databanks and information
should
systems
undertaken
be
orsanizations
all
by
maintaining such files or systems.
action
However, legislative and judicial
levels
is
not
enough;
individual
at
all
citizens must be made
cognizant of the issues and solutions that this paper raises
for
frue, system builders must be educated
consideration,
in the variety of techhical considerations for protection of
privacy
and
given
Incentives for
ihcentives to use them.
further research should also be provided.
But
protecting
with
our
Privacy
lies
not
bniv
the
ibb
programmer andvith the cohiputer manufacturer; it lies
us.
Only
he
with
by increasing the sophistication of each citizen
In matters regarding his
which
of
the systems
lives
can
empty word in America,
relationship
to
the
society
In
we prevent "freedom" from becbmina an
0«AFT
•"
of
Page 32
The authors wish to gratefully acknbwledqe the
Dr.,
Richard
s.
Horse
assistance
and Dr. Robert H. Fano. both of
H.IfTt* vho provided ifevaluable assistance in
which forms the basis for this paper.
the
research
REFERENCES
.
I
.
.
Robert M.. Ih.£ Elficttflnic Iniasifln. John F.
Brovn,
Btder Publishert Inc.# New Yor)c, 1967.
(1)
(3)
law".
Bexiax* "chilling Effect in Constitutional
Volume 69/5, Hay# 1969,
CfiiiiaUia law
David, E, E. and Fano, 8, M., "some Thoughts About The
(U)
Social implications of Accessible Computing". EcaCefidiaas of
the lali slaiJil CbciEiiifir: Cflnifitancfii 1965.
Computer and Individual
Number 37,
volume
1l3,
"The
Sam J.,
Ervin Jr.,
(5)
Cflaflcessifiaal fieCflL4_»
Jrivacy".
March 8, 1967. Washington,
"Computers end Individual privacy". CoafJcessioaal
1969.
10,
November
184,
Number
115,
(6)
£ficac4» "volume
Washington.
Fano, Robert K. , Implications of Computers to Society^,
{7)
paper presented at the Kiewit Computation Center Dedication
Dartmouth College, Hanover. New Hampshire,
and Conference,
December 2-3, 1966,
"Computers in Human
j8)
volume
S£iifiii»
Ificliaaifiaz
Massachusetts
Massachusetts,
institute
Society-For Gobd or 111?".
March 1970,
Number 5,
cambridoe*
Technolbav,
of
72,
"Technolbav and Societvt A
Cornelius E,,
Gallagher,
(9)
115,
volume
conflict of Interest?"^ fiQnatassiaaal Eecard,
Number S5, April 1, 1969, vashington.
—
Data Security,
"Persbnal Privacy,
(10)
September
America"." CaHarfiSfiiakai £££atd#
Washington.
<11)
,
Balance".
"Science,
Privacy,
CanfltfisfiiaJiai Sficatd*
and
23,
a
Free
1970.
and
law^The Need for .a
August 18, 1966, Washinoton.
Pace 34
DRAFT
Speech before the American Management Association*
<12)
Rarch
(13)
8,
.
Politics,
Jersey.
1968, NeW York.
Speech before the Ninth Practicum on Practical
1968,
Jersey City State colleae. Hev
Kay 7»
(1U) Killer,
Age",
^^5)
Arthur R., "Personal Privacy in the computer
volume 67/6. April. 1969.
fiictiia^n Lait B£ii£lt,
iiS^i
iQCJt limfis,
{16) Ilaitfii:,
December 27, 197o.
Interview with Arthur J,
Goldberg'.
Sprague,
"The Invasion of Privacy and a
Richard E.,
ilS)
Rational Information Utility for Individuals"! fioBoutecs and
»
itttamaticiif January, 1970,
<19)
westin,
YorJc,
1967.
<20)
liliair
Aian
F.,
Zriiacy and Irefidom. Atheneum, Nev
"Life,
Liberty and the Pursuit of Privacy".
Volume 35, Number 3, May-June 1969, Armbnk, Sew YorJc,
"Computers and the Protection
of
Privacy"
(21)
IfiCbafiiaax EsxiSw* volume 71, Number 6< April 1969.
^^^^
Date Due
?&'
TOtQ DD3 701 34b
3
fiiffi'
3
II
3
llllllh:
TDflD DD3 b7D 3E7
iiiiiiiiiiiifiiii
TDflO DD3 7D1 353
..1-'
fSH-7(
3 TDflO
DD3 b7D 343
iillllilllllslll
3
TD6D DD3 7D1 EbE
3
TDflD
^''-^'
^(n-T[
DD3 b70 35D
3
TDflD
DD3 7D1 E47
3
^DfiD
DD3 701 37T
561-T