Shostack + Friends Blog Archive


New American Privacy Law: What Could It Say?

With recent events (Choicepoint, Bank Of America, PayMaxx, and Lexis Nexis) leading to a new privacy law for the United States, what should it say? How can we tell a good law from a bad one?

Some disclaimers: I’m not entirely in favor of a new law. There’s a lot of potential for harm when you write new laws. Also, these are ideas of things to look for, depending on how “forward thinking” or “aggressive” you want a new law to be. It’s clearly not a proposal for a law. I don’t really focus on the harms these things could do. I trust that the blogosphere will do that for me.

  • Fair Information Practices form the basis of most privacy laws around the world. California has added some useful innovations, like disclosure, and a prohibition on using SSNs as identifiers, or putting them on ID cards of any sort.
  • Explicit Disclosure: Require all businesses to disclose the specifics of both accidental and intentional disclosures: what information about a person they transfer, to whom, and why. The American people are unhappy with what’s happening. The solution is not to shut us out, but to let some sunlight in.
  • Is it Sectorial?: Will the law cover the data warehousing industry, as poorly defined as that is? The law should not be sectorial. We need a general privacy law in the US to avoid a patchwork of laws, or a repeat of this situation when the next Choicepoint claims to be exempt because it’s not a covered entity.

    (To avoid conflicting with free speech rights, make the law cover anyone who relies on, or includes, government-provided data (such as a driver’s license number or SSN). If you just have a list of people on your local softball team, you’re not covered.)

  • Social Security Numbers: Forbid their use as authenticators or passwords. Add substantial penalties for disclosing them.
  • Fair Data Collection: Require that businesses offer a reasonable (1-2 month or less) deposit in lieu of a credit check, with the same plan as everyone else gets. Today’s “poor credit” plans from cell phone providers are a rotten deal, because the company knows that its customer can’t get a better one. Allow a business to petition, say, the FTC, to require larger deposits.
  • Disclose Algorithms: Today, companies you’ve never heard of, using algorithms you’re not allowed to see, make decisions about your life. They’ve had privacy, and they’ve used it to invade yours. Companies like Fair Isaac, who create the credit scores which have come to dominate our lives, won’t tell us how they work. If a company is “rating” Americans, require that they explain how they do so, so we all have a chance to get ahead. (Allow these algorithms to be patented to reduce the business impact of the disclosure.)
  • Law Enforcement: When the 4th Amendment was written, a person’s papers contained most of their personal information, and a warrant was required to get to them. Now that the same information is stored at a host of service companies, require a warrant to get it out of a database. Don’t exempt databases that are nominally restricted to law enforcement, such as the one run by Lexis-Nexis, from the provisions of the law.