This story appeared on Network World at

http://www.networkworld.com/columnists/2007/111307-bradner.html

Anonymity as a thing of the past

By Scott Bradner

Network World , 11/13/2007

As is too often the case, the story's headline was quite misleading. Reading the AP headline "Intel Official: Expect Less Privacy" certainly got my attention, as did the second paragraph of the story: "Privacy no longer can mean anonymity, says Donald Kerr, the principal deputy director of national intelligence. Instead, it should mean that government and businesses properly safeguard people's private communications and financial information." But reading Kerr's actual speech and transcript of the Q&A session that followed it provides a rather different picture.

Some of what Kerr said could have been said by the most ardent privacy supporter (like me). Kerr did not say that the government was taking away our anonymity. He said that Google, just like Mr. Peabody's coal train in the old song, has hauled our anonymity away. I can't argue with that fact. (See "Google: looking good by doing less evil".)

Kerr also said that people toss away their own privacy every day on MySpace, Facebook and YouTube. As he put it: "Protecting anonymity is a fight that can't be won." Kerr said it's time to understand that privacy is not the same as anonymity and it's time "to engage in a productive debate, which focuses on privacy as a component of appropriate levels of security and public safety."

The comments on anonymity and privacy were a small but important part of a short talk that focused on the work of U.S. intelligence agencies in areas as diverse as predicting, tracking and examining hurricane damages and embassy bombings.

Kerr, as principal director of national intelligence, should know about such things. He also talked about how things were going (in very high-level terms) with the cooperation between agencies that the 9/11 report called for.

I can't disagree with much of Kerr's premise in saying it's time for a debate on privacy and security. I also can't disagree with him when he says that if we make security and privacy "an either/or proposition, we're bound to fail" and that such a debate is "not necessarily best carried out in hearing rooms; it's certainly not best carried out in television environments where people just scream at each other." But I expect that we run out of agreement soon after that.

Kerr asserts that privacy "is a system of laws, rules and customs with an infrastructure of Inspectors General, oversight committees and privacy boards on which our intelligence commitment is based and measured." But this is the very system that has totally failed us again and again in the past and even now. In answering a question, Kerr noted that it is a felony for a federal employee to misuse data, with fines of up to $100,000 and five years in jail, but he also says that he does not think it ever happened. Mr. Kerr: How about decades of illegal spying by the FBI on civil rights and other legal activities? Where were the prosecutions of the FBI employees? There are dozens of other similar examples. There is no history that shows that the current system of checks has ever produced an actual balance between privacy and security when the system is primary controlled by the government.

Kerr is right that there needs to be a debate, but it cannot just be the debate between members of the Office of the Defense and the National Interest that Kerr says has started. The debate has to involve us all: individual citizens; universities; business interests; privacy advocates; and, yes, importantly, national security experts.

Disclaimer: There are people at Harvard from across the security vs. privacy spectrum but the university itself has not expressed an opinion. The above one is mine