The following text is copyright 1998 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.

Rough seas in safe harbors

By Scott Bradner

Regular readers of this column know my general level of distrust of the U.S. government's willingness to protect individual privacy in the face of the desire of some U.S. businesses to know everything about you and to sell that information to anyone with enough cash.

I've commented on the fundamental differences in approach between the European and American approaches to privacy protection. The Europeans feel that the only way to actually protect privacy is to make it a crime to violate regulations designed to protect privacy. The U.S. government claims that such laws offer false comfort and so there should not be any laws to compel protection. Instead we should trust that the companies in the data business will voluntarily agree to protect your private information with no penalty other than bad publicity if they are lying.

We have now reached another turning point in the privacy saga. On October 25th the European Union's Directive on Data Protection became effective. This directive requires that the member states of the European Union pass specific legislation to protect the privacy of information about individuals and to prohibit the transfer of data that can identify an individual to third countries that do not provide an "adequate" level of protection for the data. If the laws that are being adopted to comply with the directive were to be strictly enforced, no U.S.-based business or individual would be able to import data, including, for example, personnel files or credit card transaction logs, into the U.S. from Europe.

The U.S. government is currently trying to deal with this issue. Since they are unwilling to pass laws to actually protect personal information, they are trying to get the Europeans to agree to a "safe harbor" for U.S. companies who want to import European data. The U.S. proposal is to publish a list of companies who agree to abide by certain privacy protection principles. (See for the proposal.)

There are many things wrong with this idea, not the least of which is the fact that no credible penalty is proposed for companies which agree to the principles then proceed to ignore them. The principles are good ones, but they are expressed in generalities and it is very easy to see many ways that a company which wanted to could evade their restrictions.

This proposal, which treats non-U.S. citizens far better than citizens, reminds me of an internal Boston Globe headline that got accidentally printed during the Carter administration. This proposal is "more mush from the wimp." The U.S. government is being a wimp in the whole area of privacy. They are using excuse after excuse to avoid having to actually confront the far too many in the U.S. business community to whom genetic information about you is just another commodity to sell to all, not just the highest, bidders.

If there was serious concern about the privacy of individuals, a proposal of this type would have included proposals for clear, unambiguous laws which would make the unauthorized disclosure of private data a felony. Without such laws, this is just mush.

disclaimer: A boathouse on the Charles River is Harvard's closest approximation to a harbor, so the above is my mush.