Forthcoming in IEEE Security & Privacy

Privacy Interests
Government Access to Private-Sector Data
Fred H. Cate
Indiana University

Governments around the world are demonstrating a growing appetite for personal information held by the private
sector. Public-sector interest in private-sector data is nothing new. Governments have long sought access to private
enterprise data to administer social service programs, tax schemes, business and professional licenses, voter
registration, vital records about major lifecycle events, and public infrastructure. They have also sought access to
targeted data for law enforcement and national security purposes.
But the new voraciousness for private-sector data is reflected in expanding demands for wholesale access to
information, and not just about individuals who warrant suspicion but about everyone. Furthermore, this demand is
supported by the extraordinary growth of digital technologies that can record, store, and share electronically
individuals’ records, communications, movements, finances, relationships, and even tastes.

A Growing Demand
We’ve recently seen an explosion in the demand for private-sector data:

• India, Saudi Arabia, United Arab Emirates, Lebanon, and Indonesia have all demanded real-time access
to Research in Motion’s Blackberry Enterprise and Messenger services, so they can have access to
otherwise encrypted communications.1
• The US Treasury has announced its intention to move beyond the 1.3 million suspicious activity reports
and 14 million reports on international money transfers of more than US$10,000 that it currently
receives each year. Instead, it will require disclosure of all 750 million annual money transfers into or
out of the US.2
• The US Transportation Security Administration has implemented its Secure Flight3 and Automated
Targeting Systems4 programs, which require that all airlines—irrespective of their location—must
collect and report personal information about passengers on flights into or out of the US.
• Governments in Europe and elsewhere have created mandatory data-retention laws, giving governments
access to private-sector data even after the information would normally have been discarded.5
• The US Federal Bureau of Investigation is seeking an amendment to the Communications Assistance to
Law Enforcement Act that would require social networking companies and peer-to-peer providers, such
as Facebook, Twitter, and Skype, to give law enforcement access to private information. The
amendment would also require firms that offer encrypted communications to decrypt the text for law
enforcement.6
• Google has begun disclosing the number of demands for user data that it receives from government
agencies. Brazil and the US top the list, which altogether includes 13,700 requests during the first six
months of 2010 (see www.google.com/transparencyreport/governmentrequests/).
• The US, UK, and other countries have asserted the legal right to seize laptops and other computing
devices at the border, copy their contents, and require access to encryption keys without articulating any
suspicion or providing access to counsel.7

This is just a sampling of the recent expansion in the access that governments want. Each month brings new
demands as governments seek to expand their reach and individual data become more exposed to government
scrutiny.
A Shift in Surveillance
Law enforcement and national security officials claim that increased access to personal data from the private sector
is necessary to keep pace with changing technologies and to keep cyberspace from “going dark”—a term officials
use to describe an online world in which the bad guys can communicate free of surveillance. But there’s strong
evidence that these new data dragnets are qualitatively different and seek information never before subject to routine
government scrutiny. Consider four critical distinctions from past surveillance techniques.
First, more data than ever are created and stored in digital form. As Stanford law professor Kathleen Sullivan has
written, “Today, our biographies are etched in the ones and zeros we leave behind in daily digital transactions.”8 So
government officials now routinely access data that didn’t even exist two decades ago.
Second, they’re seeking data about everyone—not just those who are targets of investigations. Scholars often
note that one of the primary motivators behind the Fourth Amendment—the primary constitutional limit in the US
on the government’s ability to obtain personal information about individuals—was the hostility to “general
searches” by British troops, which weren’t based on specific suspicion. Yet general searches are the raison d’être of
many government data programs, which collect and analyze vast swaths of data about individuals who have done
nothing to warrant the government’s suspicion.
Third, in most instances today, governments seek personal data without judicial oversight. And because of the
understandable secrecy that surrounds many data mining programs, legislative or popular oversight is often
nonexistent or ineffective. The Lisbon Treaty has gone far to reduce distinctions between first-, second-, and third-
pillar activities in the EU, thereby eliminating some of the barriers to oversight by data protection commissioners in
Europe. However, limits on the commissioners’ jurisdiction over national security activities and on their practical
ability to oversee other government data mining programs have tended to reduce the practical effectiveness of this
oversight.
Finally, because data are increasingly collected via the private sector and without notice to affected individuals,
the role of the individual has been starkly reduced. In years past, the government might physically follow a suspect
or search his or her home, thereby creating at least the possibility (and often the legal requirement) for notice and an
opportunity to object, whether through a judicial, legislative, or other process. Today, surveillance is far more
commonly conducted through cell phone service providers or GPS transceivers, thereby eliminating the opportunity
of individuals to be aware of, much less object to, the activity.
In his 1971 book, Assault on Privacy, Harvard law professor Arthur Miller warned of the “possibility of
constructing a sophisticated data center capable of generating a comprehensive womb-to-tomb dossier on every
individual and transmitting it to a wide range of data users over a national network.”9 His fear seemed far-fetched at
the time. Today, it’s much closer to reality.
But privacy doesn’t have to be sacrificed as a result. The risk of terrorists and other criminals exploiting the
“dark” world of cyberspace to plan and execute attacks might mean that governments need greater access to
personal data from the private sector and elsewhere. However, this doesn’t have to mark the death of privacy or its
trivialization into notices telling us that we have no privacy rights vis-à-vis the government when communicating,
traveling, banking, or even walking down the street. Privacy advocates, scholars, data protection commissioners, and
others have repeatedly stressed that privacy need not be eliminated just so we can be free and that if eliminated,
we’ll never be free.

Protecting Privacy
Several recommended “best practices” have emerged10–15 that lawmakers around the world would do well to
consider. Although the proposals differ in their details, there is broad consensus that government programs designed
to collect and use private data—especially from the private sector and without reason for suspicion—should at a
minimum require the following.

Explicit Authorization
The legislature or a senior elected official should authorize such programs based on an assessment of their likely
efficacy and compliance with legal requirements and only after confirming a high level of oversight and
accountability.

Legal Compliance
Programs should remain in compliance with the law both when accessing data and engaging in data mining. Also,
the government shouldn’t encourage or press private-sector entities to violate their legal obligation when providing
data to the government.

Ongoing Evaluation
The government should evaluate programs for effectiveness in accomplishing specified objectives prior to deploying
them and regularly thereafter. The assessments should consider practical experience with the system, technological
advances, changing needs, and the impact on individuals. However, the underlying goal should be to assess whether
the data collection or analysis works to effectively address a real threat. If not, any invasion of personal
privacy is unjustifiable.

Data Integrity
The government must carefully consider the appropriateness of the data for the intended use, especially when being
accessed from the private sector and repurposed. It should also define a system for ensuring that data are kept up to
date, accurate, and relevant.

Access Limitations
We need limits on who can access large datasets (and for what purposes) and tools to enforce those limits. Rules
should be built into data analysis systems that ask an analyst, for example, to specify his or her legal authorization
for requesting data or conducting a search.16

External Authorization
Before the government creates new data collection requirements or engages in mass surveillance, it should receive
some form of judicial or other external authorization. This is especially important if the personally identifiable
information will be used in a way that affects individuals, such as by denying or delaying access to a facility or
benefit or subjecting them to an intrusive investigation. The specific body providing the oversight is less important
than that the authorization be external to the agency engaging in the data collection and specified by the legislature.

Data Minimization
Data minimization and anonymization and other tools should limit the amount of information revealed to only
what’s necessary and authorized. This has been a major focus of the Markle Foundation Task Force on National Security
in the Information Age, which has proposed that “anonymizing technologies could be employed to allow analysts to
perform link analysis among data sets without disclosing personally identifiable information. By employing
techniques such as one-way hashing, masking, and blind matching, analysts can perform their jobs and search for
suspicious patterns without the need to gain access to personal data until they make the requisite showing for
disclosure.”13

Audits
Audit tools should ensure that the rules surrounding data collection and use are being followed.
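The three safeguards above (access limits tied to a stated legal authorization, one-way hashing with blind matching, and audit tools) fit together in one workflow. The following is an added example, not code from the article or from the Markle Task Force: the matching service holds an HMAC key and links two constructed datasets on pseudonyms only, while re-identification of a matched record is refused unless an authorization reference is supplied and every attempt is logged for audit. The datasets, the key, and the authorization rule are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample datasets (fictional people): a passenger manifest and a
# money-transfer log. "name" and "dob" are the PII that must stay hidden.
MANIFEST = [{"name": "Jane Q. Doe", "dob": "1970-01-01", "flight": "XY123"},
            {"name": "John Smith", "dob": "1980-05-05", "flight": "XY123"}]
TRANSFERS = [{"name": "jane q. doe ", "dob": "1970-01-01", "amount": 12000},
             {"name": "Ann Lee", "dob": "1990-09-09", "amount": 15000}]
PII_FIELDS = ("name", "dob")
KEY = b"constructed-demo-key-held-only-by-the-matching-service"

def normalize(value) -> str:
    # Canonicalize so the same person hashes identically in both datasets.
    return " ".join(str(value).strip().lower().split())

def pseudonym(record: dict, key: bytes) -> str:
    # Keyed one-way hash (HMAC-SHA256) over the PII fields. Analysts see this
    # token, never the name; without the key it cannot be reversed or guessed.
    joined = "|".join(normalize(record[f]) for f in PII_FIELDS)
    return hmac.new(key, joined.encode(), hashlib.sha256).hexdigest()

def strip_pii(record: dict) -> dict:
    return {k: v for k, v in record.items() if k not in PII_FIELDS}

def blind_match(ds_a: list, ds_b: list, key: bytes) -> list:
    # Link analysis across datasets on pseudonyms only; rows returned to the
    # analyst carry the non-identifying attributes and the token.
    index = {}
    for rec in ds_a:
        index.setdefault(pseudonym(rec, key), []).append(strip_pii(rec))
    matches = []
    for rec in ds_b:
        token = pseudonym(rec, key)
        for left in index.get(token, []):
            matches.append({"token": token, "a": left, "b": strip_pii(rec)})
    return matches

def disclose(token: str, authorization: str, key: bytes, records: list, log: list):
    # Re-identification gate (constructed rule): the analyst must state a legal
    # authorization, and every attempt, granted or refused, is logged.
    if not authorization:
        log.append({"token": token, "auth": None, "granted": False})
        raise PermissionError("legal authorization required for disclosure")
    log.append({"token": token, "auth": authorization, "granted": True})
    for rec in records:
        if pseudonym(rec, key) == token:
            return {f: rec[f] for f in PII_FIELDS}
    return None

def audit(log: list) -> tuple:
    # Audit summary: (disclosures granted, attempts refused).
    return (sum(1 for e in log if e["granted"]), sum(1 for e in log if not e["granted"]))
```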

System of Redress
Innocent individuals harmed by the use of their personal information need a system of redress so they’re made
aware of the role of data analysis, given the opportunity consistent with the nature of the setting to dispute and seek
correction of erroneous data, and compensated for any injuries. The system must also ensure that data analysis
programs log any errors and “learn” from such errors. False positives are inevitable, so they must be addressed both
in terms of recourse for the affected individuals and tools for avoiding them in the future.

Accountability
We need serious oversight of data collection, sharing, and use that delivers a high degree of accountability that data
systems are used appropriately, lawfully, and effectively. In the words of the US National Academy of Sciences
Committee on Technical and Privacy Dimensions of Information for Terrorism Prevention and Other National
Goals, the oversight must be both “robust” and “independent.”13

The Effect on National Security

It seems clear that nations around the world need to update their laws to provide clear, appropriate, and substantive
limits on government access to broad swaths of personal data held by the private sector. European Commission Vice
President Viviane Reding has described the challenge for legislators to “establish a legislative framework that will
stand the test of time,” “guarantee a high level of protection,” and “provide legal certainty to businesses, public
authorities and individuals alike for several generations.”17
The reasons for doing so include advancing both privacy and security. The role of good data management and
oversight in enhancing national security is often overlooked, but it’s clear. With its seemingly insatiable quest for
more data, government threatens to exacerbate what’s already arguably its greatest challenge in the national security
context: making sense of the data it already has. The problem is “separating out the ‘signal’ of useful information
from the ‘noise’ of all of those data.”11 Poor analytical tools, sloppy data matching, or inappropriate data don’t
merely fail to advance security—they actively threaten it. In contrast, greater clarity and new attention to data
analysis rather than just data collection are likely to advance security.18

Even if there’s some perceived conflict with national security or law enforcement objectives, the law must not
allow privacy to be eviscerated. The words of the US Supreme Court apply with equal force to all nations that
respect and protect basic human rights: “It would indeed be ironic if, in the name of national defense, we would
sanction the subversion of . . . those liberties . . . which [make] the defense of the Nation worthwhile.”19

Fred H. Cate is a distinguished professor, C. Ben Dutton Professor of Law, and adjunct professor of informatics and
computing at Indiana University and directs the university’s Center for Applied Cybersecurity Research. A senior
policy advisor to the Centre for Information Policy Leadership at Hunton & Williams LLP, he was counsel to the US
Department of Defense Technology and Privacy Advisory Committee and a member of the US National Academy of
Sciences Committee on Technical and Privacy Dimensions of Information for Terrorism Prevention and Other
National Goals. Contact him at fcate@indiana.edu.

References
1. E. Kinetz, “India eyes Google, Skype in Security Crackdown,” San Jose Mercury News, 13 Aug. 2010.
2. E. Nakashima, “Money Transfers Face New Scrutiny,” Washington Post, 27 Sept. 2010, p. A1.
3. “Secure Flight Program,” US Dept. Homeland Security, Federal Register, vol. 72, no. 163, 2007, pp. 48356–48368.
4. “Privacy Act of 1974; US Customs and Border Protection, Automated Targeting System, System of Records,” US Dept.
Homeland Security, Federal Register, vol. 72, no. 150, 2007, pp. 43650–43656.
5. “Council Directive 2006/24 on the Retention of Data Generated or Processed in Connection With the Provision of Publicly
Available Electronic Communications Services or of Public Communications Networks,” Official J., L105, Apr. 2006, pp.
54–63.
6. E. Nakashima, “U.S. Seeks Ways to Wiretap the Internet,” Washington Post, 28 Sept. 2010, p. A4.
7. Privacy Impact Assessment for the Border Searches of Electronic Devices, US Dept. Homeland Security, 2009;
www.dhs.gov/xlibrary/assets/privacy/privacy_pia_cbp_laptop.pdf.
8. K.M. Sullivan, “Under a Watchful Eye: Incursions on Personal Privacy,” The War on Our Freedoms: Civil Liberties in an
Age of Terrorism, PublicAffairs, 2003, p. 131.
9. A. Miller, Assault on Privacy, Univ. of Michigan Press, 1971, p. 39.
10. Committee on Technical and Privacy Dimensions of Information for Terrorism Prevention and Other National Goals,
Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Assessment, Nat’l Research Council,
The Nat’l Academies Press, 2008.
11. Technology and Privacy Advisory Committee, Safeguarding Privacy in the Fight against Terrorism, US Dept. Defense,
2004.
12. Protecting America’s Freedom in the Information Age, Markle Foundation, Task Force on Nat’l Security in the
Information Age, Markle Foundation, 2002; www.markle.org/downloadable_assets/nstf_full.pdf.
13. Creating a Trusted Network for Homeland Security, Task Force on Nat’l Security in the Information Age, Markle
Foundation, 2003; www.markle.org/downloadable_assets/nstf_report2_full_report.pdf.
14. Mobilizing Information to Prevent Terrorism, Task Force on Nat’l Security in the Information Age, Markle Foundation,
2006; www.markle.org/downloadable_assets/2006_nstf_report3.pdf.
15. “The Cantigny Principles on Technology, Terrorism, and Privacy,” Nat’l Security Law Report, Feb. 2005, p. 14.
16. I.S. Rubinstein, R.D. Lee, and P.M. Schwartz, “Data Mining and Internet Profiling: Emerging Regulatory and
Technological Approaches,” Univ. of Chicago Law Rev., vol. 75, no. 1, 2008, pp. 261–285.
17. V. Reding, “Tomorrow’s Privacy: The Upcoming Data Protection Reform for the European Union,” to be published in Int’l
Data Privacy Law, 2010.
18. F.H. Cate, “Government Data Mining: The Need for a Legal Framework,” Harvard Civil Rights-Civil Liberties Law
Review, vol. 43, no. 2, 2008, p. 436.
19. United States v. Robel, Supreme Court of the United States, 389 US 258, 1967; http://laws.findlaw.com/us/389/258.html.