Keep Real Privacy Risks in Focus

IT pros need to distinguish between real privacy risks and merely apparent risks.

The prospect of putting surveillance cameras on high-crime streets in Los Angeles is unappealing, it seems, to Ramona Ripston, executive director of the American Civil Liberties Union in Southern California.

Ripston was a guest last month on Pasadenas KPCC radio program "Air Talk" when she invoked "the expectation of privacy" that a person should have while walking down a public street. Within seconds of that remark, I picked up the phone and dialed the call-in number.

/zimages/5/28571.gifClick here to read about the ACLUs "no-spy pledge" campaign.

I dont know where a person could possibly have less of an expectation of privacy than on a street in Los Angeles, but leave that aside for the moment. I felt compelled to put in context the practical issues of privacy on the one hand versus the commercial and personal value of new technologies on the other.

I tell this story here because IT pros will need to discuss these same issues in the course of making a workplace more productive or creating a more valuable customer relationship.

I wasnt really surprised by Ripstons position. Many people have an Orwellian discomfort with cameras. I do wish, though, that people would distinguish between fiction and reality.

If you wanted to know what a specific person was doing over an extended period of time, would you really want to go through hours of videotape in the hope that your subject wasnt wearing a hat that day? Its a whole lot easier to subpoena cell phone records and credit card statements, providing a much more precise profile of a persons activities at much less expense. Its much easier to analyze such records, automatically, even when they span a period of many years, than to scan for a face in the crowd.

A technology isnt intrusive, I would argue, merely because its good at monitoring someone whos already a focus of interest. Surveillance becomes a concern to the typical citizen, just going about everyday business, only when it generates a database thats quickly and inexpensively searched (a question of technology) and when many parties have access to that data (a question of setting and administering policy).

Video surveillance doesnt worry me, because its incredibly difficult to search. If you really want to be paranoid, I can give you something thats much more genuinely threatening: Ive seen, and have personally failed to fool, an IBM voice recognition system that can quickly navigate to any frame of video where the soundtrack includes a particular person speaking any given phrase. Professional paranoids, go ahead and worry about that.

What matters to the rest of us is the question of what kind of data gets stored and under what kind of access policies. We have a lot of options here, and IT planners should take the lead in offering innovative identification tools that address customers privacy concerns.

We can minimize long-term storage, for example, of searchable personal information by using technologies such as the single-use credit card numbers that Discover, among others, offers (under the trade name of Deskshop). Its interesting, however, that another such program, American Express Private Payments, was ended this past April. This suggests to me that people arent as worried about protecting their identities as the ACLU tells them to be.

Please note that Im not saying the ACLU is wrong but, rather, that people dont seem to be willing to make much effort to protect the privacy that many of them claim to consider important. It looks to me as if people want to enjoy the belief that theyre being careful, while actually making minimal effort to do so. To create a compelling mass-market incentive, I suspect you have to let people feel smart without actually working at it.

In the meantime, I dont want to yield the floor to the forces of hysteria. In an essay published in the Detroit News last year, Clyde Wayne Crews, director of technology studies at the libertarian Cato Institute think tank, said, "Data-mining and biometrics, at least in principle, are about enhancing convenience, service, authentication and individual security more than they are about invading privacy." Thats exactly right.

Lets keep real privacy risks in focus and merely apparent risks in the background, where they belong.

To read more Peter Coffee, subscribe to eWEEK magazine.

Technology Editor Peter Coffee can be reached at

/zimages/5/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.