Making the Web safe
- By Ari Schwartz
- Mar 12, 2000
Agencies must highlight privacy from the outset as part of the design of
any new system.
Three years ago, the Social Security Administration learned this lesson
the hard way when it released an Internet version of the Personal Earnings
Benefit Statement (PEBES). The project had good intentions: Give citizens
online access to information about their Social Security contributions and
future benefits.
But public perception turned on SSA when the press reported that the
privacy of the system may not have been assured. SSA had not adequately
consulted privacy advocates and had not built privacy protections into the
system.
Even though SSA thereafter held public meetings and addressed all of
the concerns of the privacy advocates and the public, the online version
of PEBES had been too badly tainted. What should have been one of the first
great interactive government applications has been shelved indefinitely.
The privacy backlash from the PEBES project has reverberated among information
technology program managers in the federal government. The Clinton administration
has begun to push forward on e-government proposals, but many agencies still
seem wary.
The CIO Council seems to have recognized those concerns in its latest
strategic plan, which announces that the council's Security, Privacy and
Critical Infrastructure Committee plans to build model privacy impact
assessments.
Although the plan is short on specifics, the idea is obviously based
on the environmental impact statements that agencies routinely write
for a variety of projects affecting the physical environment. This new privacy
version could help agencies identify, mitigate and avoid privacy snafus
in procuring new software and creating new e-government projects.
Policymakers will often stress the strict rules against the misuse
of data, and following the recent denial-of-service attacks on e-commerce
sites, there are calls for more laws.
However, as Harvard University law professor Lawrence Lessig aptly notes
in his recent book Code and Other Laws of Cyberspace, technologies and
design standards play a more powerful role in accomplishing a goal than
the establishment of laws or policy guidelines.
Privacy impact statements could help weed out technologies that do not
embed the widely accepted code of fair information practices.
With privacy as the No. 1 fear of potential e-commerce customers, many
private-sector companies and standards-setting bodies have also begun looking
into products and technical standards that are built with privacy in mind.
In Toronto next month, the 10th Annual Computers, Freedom and Privacy
Conference (www.cfp2000.org) will kick off with its first-ever "Workshop
on Freedom and Privacy by Design." Policymakers and technologists should
follow this discussion and begin to look into the elements that would make
up a quality impact statement.
Schwartz is a policy analyst at the Center for Democracy and Technology.