Tackling the privacy versus security debate

Spend 10 minutes around Nuala O'Connor Kelly and you realise this is a no-nonsense woman with a no-nonsense (and difficult) mission…

Spend 10 minutes around Nuala O'Connor Kelly and you realise this is a no-nonsense woman with a no-nonsense (and difficult) mission to protect the privacy of American citizens from the over-inquisitiveness of corporations, law enforcement agencies and, her own employer, the US government.

The youthful Princeton graduate, with roots in west Belfast, has for two years occupied one of the most unusual and high-profile jobs in the US Department of Homeland Security (DHS) - chief privacy officer. The role was created shortly after the department was born into a post-9/11 world to counter domestic terrorist threats.

The world might wonder whether her job has any meaning at all, says Kelly. After all, the US is the country that rushed through the controversial Patriot Act after the New York and Washington attacks in September 2001, which allows for increased levels of surveillance and data-sharing among law enforcement agencies.

The US has also pushed for airlines to hand over passenger data, demanded increased surveillance at borders, and argued for international use of biometric passports and identification cards. On the business side, the US has been aggressive in lobbying for the relaxation of European restrictions on the use and exchange of personal data that are shielded under the EU Data Protection Directive, leading to long trade discussions and contention between Europe and the US in recent years.

READ MORE

But while she keeps a wary eye on potential privacy infringements in the US - which has reportedly led to several prickly encounters - "the perception that the US is asking for more information [than other countries] isn't exactly right", Kelly says.

Visiting Dublin last week, she said that "the Irish actually ask for far more information at the border - and Europeans are the ones planning to use iris scans, for example in passports - things we are not even talking about".

She also points to the irony that Europeans, under data protection regulations, are protective of data as it can be used for marketing purposes, yet have few protections on how governments and law enforcement use data - the reverse of the situation in the US, she says.

Also, privacy advocates agree that Europeans have introduced almost no meaningful ways of actually punishing, or even policing, those who misuse data. By contrast, she says, the US has a range of case law and interpretations of the constitution which place strong protections on the general concepts of personal privacy and, by extension, data protection.

"Americans are also much more suspicious about the government having their personal information" than Europeans seem to be. As a result, the US has a very strong Freedom of Information (FoI) Act - "stronger than yours!" she laughs - which entitles citizens and non-Americans "to see how information is used".

About 200,000 FoI requests are made annually, she says. The US FoI Act is both "potent and robust", she says, part of the frontline in protecting privacy and exposing abuses of it.

Kelly's job requires that she report directly to the secretary of the DHS, Michael Chertoff, and to the US Congress and, hence, the American people. At times, her role places her in direct conflict with the 430 employees who report to her department, with large and small companies and law enforcement.

It is her department that is overseeing a massive harvesting of data using technologies that offer "the potential to co-mingle information in ways the public did not expect".

Therefore, companies selling technology to the US government "need a privacy officer plus controls built into the technology". While people often say that new concerns about terrorism require balancing privacy against security when using technology, she disputes this view. "That's nonsense. You can build privacy into security" with technologies. Internal controls are also needed - ombudsmen, checks on the technologies and so on, she says.

An interesting aspect of US federal law is that new technologies cannot be used to take advantage of a "knowledge gap" where the ordinary citizen might not be expected to understand the way they could be used to acquire data, Kelly says.

This principle was recently confirmed by the Supreme Court which argued that heat-sensing technologies used to determine that someone was probably using heat lamps to grow marijuana plants in their house could not be used as the basis for searching the house without a warrant.

US law allows for searches only where potential evidence is in "plain view", and the ability to use a technology that can "see" heat was not regarded as an interpretation that would be understood by the ordinary citizen.

Kelly has argued that data should carry with it protections against any use not specifically outlined for it at the time it was gathered.

Such provisions could prevent the "mission creep" that privacy advocates worry about - where data collected initially only for the "war against terrorism" might a year later be considered admissible for criminal or even misdemeanour offences.

Kelly's job is unlikely to become any less of a challenge for her. Privacy advocates have argued that her role is too weak. Kelly, like data protection commissioners in Europe, does not have enough power to conduct more thorough enquiries into the misuse of data within government, and she is still in the first instance answerable to the department that she also critiques.

What she does have on her side is a congress and a citizenry - especially on the business-protective Republican side - that tends to dislike the mass gathering of data for surveillance purposes. (Whatever about marketing, businesses fear the government having access to business-sensitive data.)

Some of the most interesting government battles are set to take place in her department, as the Department of Homeland Security continues to hew out what its own role should be.

Karlin Lillington

Karlin Lillington

Karlin Lillington, a contributor to The Irish Times, writes about technology