A recent article in the Economist magazine explores how cell phones, PDAs, and other digital tools are becoming useful as payment mechanisms. A related opinion piece (subscription required, alas), touches briefly on privacy issues, one of my favorite subjects.

Some of my friends have written to express concern about the risks of transacting online, and how it may compromise their privacy. I've had considerable experience with eCommerce, and my first observation is that eCom is relatively safe in terms of ID theft. There were some lamentable lapses as the model developed, but best practices are now well-understood and nearly universally implemented to mitigate these risks.

The problems arise when databases of identity data are compromised physically; i.e., the theft of a laptop with credit card numbers on it. The vast majority of credit card number lists for sale (from nefarious interests to other nefarious interests) are compiled of conventionally obtained data (hard copy receipts, bills stolen from mailboxes, snatched purses and picked pockets, etc.)

I have to observe that the clearinghouses and banks have done a rather good job of scaring the bejesus out of Joe Sixpack with their "Identity Theft Protection" programs. Of course, they are protecting their own backsides, inasmuch as the consumer is only on the hook for $50 of liability when their card is swiped. The banks eat the losses, and certainly have a stake in minimizing them. The consumer class benefits from this, too, although not as directly as the ad campaigns would imply.

I am reminded of my old friend John Perry Barlow. His initial impetus in co-founding the Electronic Frontier Foundation (of which I am a charter member) with Mitch Kapor was in part due to a rude shock. He lived in Pinedale, Wyoming, and was proud of the fact that he never bothered to lock his door. He got into a tussle with some hackers on a bulletin board over ethics online, etc., and one of them produced, in very short order, a detailed dossier on the mundane minutiae of his life, including directions to his unlocked door.

Defeats proliferate faster than ice. Ben Pimentel, business technology writer with the San Francsico Chronicle, wrote an elaborate piece about fingerprint readers for computers to prevent unauthorized access. I wrote in response: "how long do you think it will be before this technology is effectively hacked? The core logic has been around for a decade, so it's reasonable to assume that development of exploit strategies has been proceeding in parallel. About the time these sensors are available for 99 cents wholesale, someone will be offering a quick and easy defeat on a USB dongle for 99 bucks."

Invasive technology is advancing far faster than protective technology, and even faster than our public policy ever can. I'm less concerned about opportunistic breaches of my checking account than I am of state surveillance of my digital correspondence (hi guys!), and less concerned about pyschographic profile marketing based on commercial datamining than I am about credit and insurance companies denying coverage or credit based on the same analysis. But it's all of a piece. In any event, if you use a credit card at the hardware store or the movie rental or bookstore, you're leaving an information transaction trail no less than if you bought it on Amazon. They may not have your email address and thus be unable to spam you, but they've got your number. Cash is the only cloak (and even then, you're probably on camera), and the state would be delighted to get rid of that.

Some would argue that the government has a legitimate right to monitor large cash transactions. I'm afraid I disagree. The state has no proper interest in the financial dealings of its citizens. The fourth amendment's "papers and effects" clause explicitly spells this out. Of course, if the state has other evidence of criminal activity, financial records certainly are fair game for subpoena and may be entered as evidence, but to give government either prophylactic visibility into confidential financial activity or to permit prior restraint of specific transactions (reporting cash deposits of $10,000 or more, e.g.) is contrary to both the letter and spirit of the 4th.

My friend Jack King, former Executive Director of the National Association of Criminal Defense Lawyers and notoriously successful litigant versus the FBI, frequently reminds us that "to live outside the law, one must be honest". To which I add a corrollary "the first duty of an outlaw is to remain at large". Prudence is always a watchword, but some protections may be irretrievably lost due to the avarice of the Reno, Ashcroft, and Gonzales "justice" departments. There can be no meaningful technical mechanisms to isolate sensitive data from malicious mischief, only statutory and, hopefully, constitutional remedies to prosecute those who abuse privileged access to it. Alas, no one in a position to advocate for such relief has anything to gain from doing so.

Posted by Alan Chamberlain at 11:30 AM | Permalink | Comments (0)

Identity theft: organized crime syndicates and petty thieves alike impersonate you, clean out your bank account, and ruin your credit. Corporate data-mining: insurance companies and banks sift through your personal medical and financial records to deny coverage or credit, and to target marketing messages. Domestic surveillance: cellular traffic, phone records, and email are fair game for interception by federal intelligence and enforcement agencies. The administration argues that its domestic espionage program is entirely legal, and it may be correct, because you have no constitutional right to privacy.

The European Union guarantees the personal privacy of its citizens through Articles 7 & 8 of the Charter of Fundamental Rights, stating unambiguously that “Everyone has the right to respect for his or her private and family life, home and communications� and that “Everyone has the right to the protection of personal data concerning him or her�. Americans, who taught the world about liberty, should be very proud to see the student surpass the teacher. What have the Europeans learned that we have not?

Democracy succeeds only when citizens enjoy freedom of conscience. No freedom of conscience can exist if a citizen’s personal business is subject to scrutiny and exploitation by criminals, corporations, or congress (these categories overlap). The Fourth Amendment has taken a severe beating from the Bush administration, but it was already weakened by violence at the hands of the Clinton administration. Neither party holds any moral high ground on the issue of privacy rights.

In 1973 the U. S. Supreme Court found that some personal rights "implicit in the concept of ordered liberty" are so "fundamental" that an undefined penumbra may provide them with an independent source of constitutional protection. I say let’s bring it out of the shadows, and settle the issue explicitly.

As the depredations of cynical infocrats become increasingly odious, let the people demand that congress pass, and states ratify, a constitutional amendment protecting personal privacy. Let us encode in our civic DNA that the right of the people to be secure from intrusions into matters of purely personal sovereignty shall not be infringed, neither by state agencies, commercial interests, nor criminal elements.

It will not be an easy fight. Powerful interests on both ends of the political spectrum are threatened by a right to privacy. But let’s at least make the rascals argue against it, so we know who our enemies are.

It may not even be necessary to successfully enact and ratify such an amendment. The Equal Rights Amendment failed to become a part of the Constitution, but the campaign for it ultimately disgraced and discredited gender-based discrimination. We don't need to win to win.

Technology is evolving far faster than our safeguards. Before it is too late, we must demand durable protection for personal privacy. As the inheritors of a grand libertarian tradition, we deserve nothing less. To learn more about privacy as a fundamental human right, please visit Privacy.Org, and the Electronic Frontier Foundation.

Posted by Alan Chamberlain at 12:34 PM | Permalink | Comments (0)