|
RealAudio -- High Bandwidth or Low Bandwidth MP3 Download 
|
In 1997 technology journalist Simson Garfinkel wrote a piece for Hot Wired provocatively titled "50 Ways to Crash the Net." While his 50th crash prediction, "Wait until January 1, 2000," was a no-show, his #2 prediction -- massive denial of service attacks -- came frighteningly close to validating Garfinkel's headline.
Garfinkel's latest book is "Database Nation: The Death of Privacy in the 21st Century," in which Garfinkel takes one perceived privacy threat after another and extrapolates it out to a bone-chilling worst-case scenario; corporations that pass personal customer information around like joints, insurance companies that mine medical databases in order to deny coverage to anyone who might even remotely need medical insurance, massive databanks of individual genetic information collected and used for -- who knows what, but it's going to be bad whatever the reason.
 Simson GarfinkelAuthor of Database Nation |
|
|
• Salon columnist • Co-founder of Vineyard.net |
|
Now, having taken those cheap shots, I have to add something quickly -- this is an important book. While I found myself guffawing at some of Garfinkel's predictions (like the section entitled "Brain Wiretapping"), I was reminded that I had the same reaction back in the 1960s when I first read Rachel Carson's groundbreaking book, "Silent Spring." Carson too seemed to extrapolate apparently benign current trends into very hard-to-imagine outcomes. Yet, virtually all Carson's predictions of ecological degradation later materialized, in one form or another.
Authors like Carson and Garfinkel perform an important service. They turn a cold hose on those of us in heat over the wonders of modern life. And, once they have our attention, they force us to consider the larger implications. They make us consider the possibility that, though all may seem rosy today, there might be a price to pay further down the road, a price higher than we had bargained for.
Garfinkel on the need for government privacy regulation
There are a lot of arguments for not using the marketplace to regulate privacy, for the same reason that we don't use the marketplace to regulate the chemical industry or the food industry. We tried using the marketplace to regulate the chemical industry in the 1950s, and the result was that we killed a lot of species, we polluted rivers, and the air was unbreathable in many cities. The marketplace doesn't regulate issues when there are externalities. You need to have regulation so that companies are forced to bear the brunt of what they throw onto society. And privacy is very much like that. If you have a marketplace, as we do today, in which some people -- some companies -- can be privacy winners and some companies can be privacy mavens or not very good privacy people, what happens is that the poor players benefit from the good publicity created by the market leaders. It actually puts companies that have strong privacy policies at a disadvantage to those who claim that they have policies but violate those policies or those whose policies have tricky wordings and mislead consumers.
 |
|
||||
|
|
 Database Nation |
|
|
|
|
|||||
| |||||
What I have argued for in the book, first, is that you should have a combination of a regulatory process and technology. ... If you're worried about privacy violations by the government, what you do is you create a balanced structure within the government to deal with that. That's our system of checks and balances. ... If there had been a privacy commission in place before that happened, they would have reviewed the whole process and that Web site probably never would have been put up in the first place.
Garfinkle says "Opt In/Opt Out" policies are not a solution
The idea of using opt-in opt-out to resolve privacy issues -- it really minimizes the scope of privacy issues that we're facing. I'll give you two other examples. One of the large privacy issues is the role of government in preventing terrorism. Well, I can't envision a system where you could use opt-in opt-out to decide who the FBI is allowed to go after or who they're not allowed to go after. We establish standards for police investigations, and those standards have nothing to do with opt-in opt-out.
Garfinkel warns of privacy terrorism
I outlined in "The Privacy-Now Manifesto," which is on my Web site, that we're going to see acts of data vandalism, where people inject false information into the data streams. We're going to see outings of people involved in these anti-privacy organizations, personal details about them published. And we're going to see data terrorism, where large databases are liberated as a way of protesting. I can see people engaging in acts of data diddling and data subversion right now.
Continue to next page for full interview transcript
|
|
RealAudio -- High Bandwidth or Low Bandwidth MP3 Download
|
Pizzo: Simson Garfinkel, thanks for joining us today. I know you've been busy and it's nice of you to sit down and give us some of your time. Your book, "Database Nation," has been generally well reviewed in papers such as The New York Times. It has garnered some criticism, the criticism that mostly revolves around it being the worst-case scenario on each one of the issues that you brought out. How do you respond to those criticisms?
Garfinkel: I haven't heard that criticism. The criticism I've heard is that it's calling for government regulation, and people have argued that cyberspace shouldn't be regulated by government because government is the biggest threat to privacy issues. And the other two criticisms are that I don't really talk about the international experience and that we don't really talk about workplace monitoring issues except in the first chapter.
Pizzo: Have you read for example the book "Cluetrain Manifesto"? We did an interview with the authors of that a couple weeks ago. One of the main thrusts in their book is that the marketplace is the best place to regulate this kind of thing.
Garfinkel: Well, there's a lot of arguments for not using the marketplace to regulate privacy, for the same reason that we don't use the marketplace to regulate the chemical industry or the food industry. We tried using the marketplace to regulate the chemical industry in the 1950s, and the result was that we killed a lot of species, we polluted rivers, and the air was unbreathable in many cities. The marketplace doesn't regulate issues when there are externalities. You need to have regulation so that companies are forced to bear the brunt of what they throw onto society. And privacy is very much like that. If you have a marketplace, as we do today, in which some people -- some companies -- can be privacy winners and some companies can be privacy, you know, mavens or not very good privacy people, what happens is that the poor players benefit from the good publicity created by the market leaders. It actually puts companies that have strong privacy policies at a disadvantage to those who claim that they have policies but violate those policies, or those policies have tricky wordings and they don't really, they mislead consumers.
Another problem with relying on the marketplace to regulate privacy issues is that most users, most people in our society, are not really well-versed enough to protect their privacy by making informed decisions, just as they aren't really well-versed enough to protect their health by reading the ingredients and deciding if a particular ingredient on a bottle is known to cause cancer or not. Instead what we do is we have a law that says if a substance is known to cause cancer you can't put it in the food supply. But we don't have rules right now that say if a product is known to cause privacy problems you can't put it in the information industry.
Pizzo: Wouldn't it be better just to boil this down to an opt-in opt-out sort of policy, that if we just simply had a rule that simply said, "Look, people have to opt-in and opt-out of this," and if they want to give an online retailer like amazon.com a personal profile so that retailer can customize their content for them as a convenience, then they say "yes." If they don't want that to happen, they don't want Amazon.com to track them or their buying habits, they say "no."
Garfinkel: Well, it's really dangerous doing what you're doing, which is saying, "Isn't this just an opt-in opt-out?," because the first thing is that that's very much marketing speak and it's becoming very much Internet marketing speak, and we talk very little about the Internet in this book because the real privacy problems facing us in the 21st century are not online privacy problems but they're privacy problems from the real world. For example, many stores in the United States have video cameras, and stores in England are now adding face recognition features to those video cameras, building up profiles as people walk in the streets and as people walk through stores. Now there's no opt-in opt-out language that really applies there. You are in the environment, and the cameras are in the environment, and the only way you can prevent them from recording your image and making use of that information is to wear a ski mask. And I don't really enjoy shopping while wearing a ski mask, and the people in the store don't like it when I wear a ski mask either.
The idea of using opt-in opt-out to resolve privacy issues -- it really minimizes the scope of privacy issues that we're facing. I'll give you two other examples. One of the large privacy issues is the role of government in preventing terrorism. Well, I can't envision a system where you could use opt-in opt-out to decide who the FBI is allowed to go after or who they're not allowed to go after. We establish standards for police investigations, and those standards have nothing to do with opt-in opt-out.
And there's another issue that I talk in in the book and that is genetic profiling, whether you're going to be scanned so that medical services can be delivered better to you but sometimes that information might make it into other people's hands. You can apply an opt-in opt-out to that, saying that, "Well, if you opt to have your genetic profile compiled, then who knows who gets it?" But I think that's a very, that's a very punitive way of applying the advances that medical technology is bringing us, saying that the only way that you can benefit from these advances is if you give up all of your privacy. We know that we can benefit from those advances and simply regulate what people can do with that information.
|
Pizzo: But do you think that relying on the government to fix this -- assuming they pass laws that fit the criteria that you set forth in your book -- that that's a false sense of security? And I'll point to, for example, the government sets laws all the time that it violates. Don't ask, don't tell. And yet it was the government that went after a sailor who was in a chat room on AOL, coerced AOL into revealing who that person was, and they discharged them from the government, violating a number of privacy and some of the government's own laws, particularly the "don't ask, don't tell."
Garfinkel: And that sailor sued and that's why we know about it, because there was a system of laws in place. What I have argued for in the book, first, is that you should have a combination of a regulatory process and technology. If you have the regulatory process without technology, you're going to have more privacy failures. But if you have the technology without the regulatory process, then there's this incentive for people to bypass the technology and to cheat the system because there's no penalties for doing so.
Now, if you're worried about privacy violations by the government, what you do is you create a balanced structure within the government to deal with that. That's our system of checks and balances. And the real problem in the Navy situation is that there is no balance, there's no check, for the government's privacy malfeasance. We don't have an organization within the federal government responsible for enforcing the privacy laws that we have. We don't have a watchdog agency that's looking out to make sure that the rest of the government isn't screwing up. Now back in 1997, the Social Security Administration launched a Web site that would allow people to see their Social Security earnings over time, and the problem with that Web site was that it didn't really verify the identity of people who were going to it. So you could, with a little bit of work, see the earnings histories of anybody in the United States. Now, I found out about this in February of 1997, and I started talking to people at the Social Security Administration, and they assured me that there was no problem whatsoever. My only choice was to argue with them or to write an article about it. I wrote an article about it, and it appeared on the front page of USA Today. Three days later, there were Congressional inquiries, there were letters from senators, and the Social Security Administration shut the Web site down.
Now, if there had been a privacy commission in place before that happened, they would have reviewed the whole process and that Web site probably never would have been put up in the first place.
Pizzo: You outline in your book a number of good suggestions on how we can proceed on the federal level, and assuming that does not happen and that the problem doesn't resolve itself in the near future, you do end the book in a chilling way, suggesting that people might turn to information terrorism, privacy terrorism as ecological groups like Earth First and Act Up did in other issues.
Garfinkel: Yes, absolutely. I'm expecting that.
Pizzo: And what form do you think that would take?
Garfinkel: I outlined in "The Privacy-Now Manifesto," which is on my Web site, that we're going to see acts of data vandalism, where people inject false information into the data streams. We're going to see outings of people involved in these anti-privacy organizations, personal details about them published. And we're going to see data terrorism, where just large databases are liberated as a way of protesting. And, you know, already we're seeing this. Already we see a lot of people provide false information when they register a Web site. I actually get a lot of spam because people provide the name "homer@simson.net" and that ends up going into my mailbox, so I can see people engaging in acts of data diddling and data subversion right now.
Pizzo: Well, listen, "Database Nation" is a good read, and you state your case very well. Thanks for joining us today.
Garfinkel: Well, thank you very much.
Stephen Pizzo is an award-winning non-fiction author, and newsman for the O'Reilly Network.
Read more The Pizzo Files columns.
Discuss this article in the O'Reilly Network General Forum.
Return to the O'Reilly Network Hub.
Copyright © 2009 O'Reilly Media, Inc.
Listen to this interview