Thursday, May 18, 2006

Engineering Privacy in the Computer Age

The Association for Computing Machinery (ACM) is the world's leading society for computer professionals. Founded in 1947, it is for professionals involved in information technology what the American Medical Association is for U.S. doctors. Prominently displayed on the ACM's website is a lengthy Code of Ethics, which includes the following words about privacy rights:

"Computing and communication technology enables the collection and exchange of personal information on a scale unprecedented in the history of civilization. Thus there is increased potential for violating the privacy of individuals and groups. . . . It is the responsibility of professionals to maintain the privacy and integrity of data describing individuals."

So far, so good. Few will argue that the ubiquity of computers has made it possible to collect, analyze, or steal unimaginable amounts of highly personal information. But the code doesn't simply stop with a call to maintain privacy. It goes into further detail:

". . . This imperative implies that only the necessary amount of personal information be collected in a system, that retention and disposal periods for that information be clearly defined and enforced, and that personal information gathered for a specific purpose not be used for other purposes without consent of the individual(s). These principles apply to electronic communications, including electronic mail, and prohibit procedures that capture or monitor electronic user data, including messages, without the permission of users . . . ."

President Bush has been in hot water this week after a report in USA Today that the National Security Agency has been collecting the phone call records of millions of Americans. One phone company after another has denied providing such information. While it is perhaps too early to decide the truth about the matter, the record of numbers dialed and calls received is something that most citizens would regard as personal information.

On the other hand, we have all seen TV shows in which the dialing records of a criminal suspect have provided important clues to the solution of a crime. Phone taps, call records, and traces have been a part of domestic law enforcement for decades. And of course, computers are involved in nearly all electronic communications of any description these days. How do the computer professionals deal with these cases? Here's how:

"User data observed during the normal duties of system operation and maintenance must be treated with strictest confidentiality, except in cases where it is evidence for the violation of law, organizational regulations, or this Code. In these cases, the nature or contents of that information must be disclosed only to proper authorities."

So, at least according to the ACM Code of Ethics, information such as call records should be disclosed to the "proper authorities" (e.g., the NSA) only when the user data is evidence for the violation of (1) law, (2) "organizational regulations," or (3) the Code itself. The ACM Code of Ethics or the internal regulations of the phone companies are not the inspiration for NSA activities, we hope. So it seems that an ACM member in good standing could participate in such an activity only if the records obtained were evidence for the violation of law.

That's a pretty narrow scope. Somehow I doubt that the phone records of all Americans, or even a substantial fraction of all Americans, constitute evidence for the violation of law. Maybe some of them do, but that is why most phone tap, trace, and call record requests are made by law enforcement officials only for specific individuals who are already under suspicion. If anything like the reported wholesale phone-record transfer took place, those members of the ACM who participated in it are under a cloud ethically, to say the least.

Some days it seems like the great internet-website-phone-fax-TV-MP3-instant message-chatroom behemoth runs on its own without human intervention of any kind. But there are people behind all the systems, and people make the decisions that protect or violate your privacy. Just the other day, I learned that the operator of the website at my church (!) has a way to tell if particular viewers bookmark the site. When I heard this, I had a chilling vision of some invisible guy looking over my shoulder as I sat in front of my computer in my supposedly private room at home. So far, no harm that I know of has come to me because people I don't know and will never meet can tell which websites I bookmark. But it may have something to do with the fact that even after we signed up for the national do-not-call list, I keep getting phone calls right at suppertime from organizations I could swear I have never had any dealings with. But maybe if bookmarking a website counts as a "dealing," this gives them the right to call me. Who knows?

The truth will eventually emerge about the NSA and national calling records. Laws always lag behind rapidly advancing technologies, and a certain amount of confusion and injustice results. But at some point, if things get too out of hand, the legal system may overreact with burdensome regulations that in some cases are worse than the disease they were designed to cure. The best protection against such an outcome is for everyone, especially members of the Association for Computing Machinery, to abide by sound ethical principles and every so often ask, "If I were on the receiving end of this, would it bother me?"

Sources: The Association for Computing Machinery's Code of Ethics is at http://www.acm.org/serving/se/code.htm.
