Q&A with Daniel Solove on How Bad Security Arguments Are Undermining Our Privacy Rights
By Jay Stanley
ACLU National Office
George Washington University Law School professor Dan Solove is one of the preeminent law scholars working on privacy issues today. In his latest book, Nothing to Hide: the False Tradeoff between Privacy and Security, Solove translates his research and thinking into a succinct analysis intended for a general audience. Via e-mail, I recently asked Solove about his book.
JS: What's the main argument or thesis of your book?
DS: My book responds to the arguments frequently made in the debate between privacy and security that improperly undermine the protection of privacy in law and policy. These bad arguments are based on faulty assumptions about privacy and about what it means to protect it, and they are pervasive. We've all heard the argument that "people shouldn't worry about government surveillance if they have nothing to hide." Or the argument that "in times of crisis, we must trade privacy and liberty for greater security." The book responds to these arguments, exposes their false premises, and corrects myths about how the law protects privacy. Each chapter (1) takes on an argument that is wreaking havoc on our civil liberties or (2) explains the law and Constitutional rights clearly and accessibly or (3) examines the often-unstated problems with new technologies, such as surveillance cameras and data mining.
The balance between privacy and security is essential for all of us. My main point in the book is that if we clear away the bad arguments, the fallacies, and the myths, we will reach a better balance between privacy and security, one that isn't wrongly skewed toward the security side.
JS: The line, "if you don't have anything to hide, why should you worry?" is one that we at the ACLU hear all the time. And of course you've alluded to that in the title of your book. What's your response to that argument?
DS: The Nothing-to-Hide Argument works by taking an extremely narrow and crabbed view of privacy — that privacy involves keeping dirty secrets and hiding bad things. But privacy is a much richer and more nuanced concept. Privacy involves many different yet related things. For example, privacy involves the right to know about how your data is being used and be able to correct errors. This has nothing to do with having nothing to hide. Privacy involves the responsibility on the part of those who collect and use your data to keep it secure in order to prevent fraud and identity theft. We don't say to an identity theft victim "don't worry if you have nothing to hide."
There are good reasons why law-abiding citizens want to maintain privacy about certain things even when they are not embarrassing or disgraceful. They want privacy because they don't want to have to justify their actions or explain their behavior to government officials. In the book I use the example of someone buying a book about manufacturing methamphetamine. The person has an innocent explanation — he was buying the book because he was writing a novel about a character who makes meth. Should the person have to worry about how the government will view this? In a free society, we shouldn't have to wonder before we do anything how some bureaucrat will view it. We shouldn't have to call government officials like a child checks in with worried parents.
And the nothing-to-hide argument assumes that the government will make the right judgment based on your data. But the government can readily get it wrong. There are compelling reasons why we should protect privacy even when someone claims they have "nothing to hide."
JS: You talk about something called the "all-or-nothing fallacy." Can you explain what that is?
DS: The All-or-Nothing Fallacy is the view that privacy and security are mutually exclusive — that any increase in privacy is a decrease in security and vice versa. People often ask whether we want a particular security measure or privacy. After the NSA surveillance program was brought to light — a program that involved warrantless wiretapping of phone calls by American citizens in violation of a federal statute — pollsters asked: "Should the NSA engage in surveillance in the war against terrorism?" Most people said yes. But the question was cast incorrectly. The question assumed that security and privacy were all or nothing. We could either have the NSA engaging in surveillance and being protected against terrorism or have privacy and be left exposed and unprotected. Of course most people said yes to the surveillance. But protecting privacy doesn't mean no government surveillance. Protecting privacy doesn't mean that a security measure must be scrapped. Under the Fourth Amendment and various privacy laws, the government can engage in searches and surveillance. Privacy is protected by judicial oversight and by requiring the government to justify its activities. For example, the Fourth Amendment even allows the government to enter and search a person's home with a warrant and probable cause. So we shouldn't ask "Do you want the government searching people's homes?" The question is wrongly put. With regard to the NSA surveillance, the question should have been: "Do you want the NSA to engage in surveillance in the war on terrorism without a warrant, probable cause, or any judicial oversight or do you prefer the NSA to engage in such surveillance with a warrant, probable cause, or some form of judicial oversight?"
The All-or-Nothing Fallacy leads to privacy protections being out-balanced when they shouldn't be. Privacy protections may make a security measure slightly less effective. They may be an extra burden on law enforcement officials. But that's the true sacrifice we make for privacy — not the entire security measures themselves.
JS: I would also argue that often, privacy-invading policies actually make our security weaker.
DS: I very much agree. Courts and legislators often are too deferential to whatever measures security officials propose. These measures often don't get much scrutiny, and they are frequently not as effective as alternative measures that are less privacy-invasive.
JS: What do you mean when you say that "privacy is not merely an individual right"?
DS: Privacy is often cast as a right of particular individuals while security is cast as a broad social interest. As a result, when privacy is balanced against security, security often wins because the well-being of the many outweighs the interests of one person. But this is a faulty way to see privacy. Privacy is a societal value. It protects all of us in society, not just the particular person whose privacy is being invaded. Privacy is not only about the individual, but it involves the extent and nature of government power.
JS: And the nature of that government power affects us all because of chilling effects, and the threat of abuse?
DS: Exactly. When government power chills speech, it doesn't just affect the speaker but all of society. We have less robust speech and fewer perspectives. A precedent is set that can chill speech by many others in the future.
JS: You also talk about the "Law-and-Technology Problem." What is that?
DS: The Law-and-Technology Problem is the difficulty caused when technology makes law obsolete. A key example is the Electronic Communications Privacy Act (ECPA) of 1986. This law is a central protection against wiretapping, government surveillance, and government access to ISP records, among other things. The law was passed in the mid-1980s before the rise of the Internet in everyday use. It is woefully out-of-date. Courts struggle fitting modern technologies into the law's ancient structure. The answer to this problem is to pass laws that are less tethered to the technology of the day and that are built around basic principles.
JS: One of your critiques of the Supreme Court is that it views privacy as equivalent to secrecy. Can you explain what you mean?
DS: The Supreme Court currently interprets the Fourth Amendment in a very narrow way. In order to have Fourth Amendment protection, you must have a "reasonable expectation of privacy." Without that, you get no Fourth Amendment protection, which often means the government can engage in searches and surveillance with no judicial oversight, no limitations, and often no accountability. Sadly, the Supreme Court's view of privacy is of secrecy — you only have privacy if you've completely hidden something away. Expose it to a few others — no privacy. If you're in public, no privacy. Consider the Third Party Doctrine. This is a rule the Supreme Court adopted which says that if your information is in the hands of any third party, then you have no expectation of privacy. In a world long before the Information Age, this would be okay, but today, nearly everything we do generates a record with a third party. Before, if the government wanted to find out what you were reading and writing, it would often need to search your home, and that would be regulated by the Fourth Amendment. But now the government doesn't need to enter your home to find out what you're reading and writing — it can get your Web-surfing records from your ISP, your credit card records, your purchase records from merchants like Amazon.com. None of this receives Fourth Amendment protection thanks to the Supreme Court's view that privacy is equivalent to secrecy.
JS: Do you see any prospect that the jurisprudence on this will change?
DS: I always hope the Supreme Court will eventually see the flaws of this view, but I don't expect the Court to make changes anytime soon. There is a better hope that we can add greater protections legislatively. And there is also hope for state courts, which in a number of instances, have diverged from the Supreme Court's approach when interpreting their state constitutions.
JS: Another line we confront all the time at the ACLU is, "you have no privacy in public." And this is used to justify things like warrantless GPS tracking, or pervasive video surveillance. What is your take on that?
DS: Privacy in public is extremely important. We go about much of our lives in public not expecting to be constantly monitored and recorded. Imagine if you were placed under surveillance at every moment you were outside your home. Everywhere you went, every time you entered a store and bought something, every restaurant, everything you did outside would find its way into a dossier about you. That would be tremendously oppressive. The Supreme Court has taken the view that you have no privacy in public, which means no Fourth Amendment protection. That means that the government can engage in a massive amount of surveillance without any judicial oversight or other protections and accountability. This is a ton of unbridled power to give the government in a free society. During the next year, the Supreme Court will be reexamining this view regarding GPS surveillance. New technologies are so much more pervasive and invasive than older ones, and the Supreme Court's "no privacy in public" view was formed during times before such technologies had become so potent. I hope the Court will be progressive and rethink its notions of privacy rather than cling to its antiquated views.
JS: So do you think that the GPS case the court will be deciding (U.S. v. Jones) could represent a landmark rethinking of that attitude, with effects far beyond GPS tracking?
DS: It certainly has that potential if the Supreme Court is up to the task. Sadly, though, I'm not optimistic.
JS: In one chapter, you look at the practice of data mining, or sifting through databases looking for statistical signs of "suspicious" behavior. When do you think government data mining is okay, and when is it dangerous?
DS: Government data mining is okay when it involves gathering information about a person suspected of a crime or when the government knows about a crime that occurred or is about to occur and is seeking to identify suspects based on specific information. Government data mining to identify suspicious people based on suspicious behavior is dangerous. This form of data mining — known as "pattern-based data mining" — tries to predict who will commit a crime based on their behavior patterns. This form of data mining is akin to a dragnet search — a broad canvassing for suspicious people. The Framers detested dragnet searches and preventing dragnets was the cornerstone of the Fourth Amendment. Data mining threatens to bring back the dragnet search in digital form.