Making sense of information privacy

With more and more initiatives focused on information sharing, data exchange, aggregation, and analysis, there is also increased attention on establishing and protecting privacy, particularly of personal information. As noted in yesterday’s post, a federal panel focusing on such issues has recommended substantial updates on the primary federal laws governing privacy protections, including the Privacy Act of 1974 and the E-Government Act of 2002. Federal legislation related to privacy is a large and complex area, with numerous narrowly defined requirements based on specific types of data (medical records, educational records, social security numbers, etc.) or on the nature of the individuals whose data is being stored (veterans, mental health patients, children, U.S. citizens vs. non-permanent residents, etc.). Efforts at establishing over-arching legal or policy frameworks on privacy have been frustrated by a number of factors, including technological advances beyond what was envisioned at the time existing laws were written. As noted yesterday by the New York Times, there are two conflicting perspectives on information privacy that are fundamentally at odds: one favors a “data minimization” approach centered on the idea that the best way to prevent the disclosure of sensitive data is not to store it in the first place; the other places great value on storing as much information as possible, as long as individuals are given control over who can see the information and under what circumstances. The latter perspective is a characteristic of social networking, although the extent to which individual users of sites like Facebook and MySpace are really in control of their data is subject to some debate.

Coming to some resolution or balancing point between data interoperability and privacy (and security) provisions is a prerequisite to success for many ambitious initiatives in both the government and private sectors. For instance, wide-scale adoption of health information technology such as electronic medical records or personal health records will not become a reality (no matter the industry incentives offered by the government) unless and until individuals are satisfied that their personal information will be appropriately secured and their privacy maintained. There are technical, legal, and philosophical arguments being proposed by privacy advocates, information sharing proponents, and neutral observers, but the goal of reaching a common understanding of just what “privacy” means, in what contexts, and how that privacy should be protected remains elusive. Into this debate comes Daniel Solove, a law professor at George Washington University who has written quite a bit in recent years on the legal aspects of privacy and information technology. Solove’s most recent effort is Understanding Privacy, which provides a detailed analysis of why previous attempts at defining privacy and setting standards for its protection have failed. Solove also proposes his own method for resolving this issue, following a pragmatic methodology that does not seek to establish a single, over-arching conception of privacy, but instead accepts that privacy problems and their solutions differ depending on their contexts. While his writing style is by turns both academic and philosophical, his concise (the text is just under 200 pages) treatment of the topic does indeed contribute to developing an understanding of privacy and just why it remains so problematic, whether or not you agree with his take on addressing it.