Public-Private Partnerships: Sharing Data, Compromising Privacy
Our privacy is up for sale to anyone—even government and law enforcement agencies
There are things that the government is allowed to do that private entities can’t. This includes activities such as arresting people and throwing them in jail, executing search warrants and engaging in electronic surveillance and wiretaps without the express or implied consent of at least one of the parties. At the same time, there are things that the private sector may be permitted to do that either may be prohibited to the government or which the government eschews because it is politically unseemly or untenable. While Facebook can collect and use information about your political affiliation, preferences and the like, the government doing so would be loudly decried as undemocratic and violative of citizen’s rights of free association, free expression and other rights. Similarly, the private sector can collect information about a citizen’s purchasing history, credit information, employment information and other data which, if collected by the government on innocent individuals not suspected of any crime, would cause a public outcry.
However, in the era of big data, we are seeing an increase in the government access to and use of data collected by the private sector. For example, U.S.-based Securus Technology collected the location data of cell phone users from another company called LocationSmart in Carlsbad, California. (Oh, and because Securus didn’t … well, secure us, the credentials of those who were authorized to access this database were not secured and the location data was similarly leaked to anyone who could access the database.) While federal law restricts telcos from sharing customer data with law enforcement officials, it permits (sometimes with consent buried in user agreements) sharing some of that data with third parties, who then are allowed to share the data with whomever they want.
Location data also can be collected by third-party apps—entities such as Facebook and Google or any website itself. So LocationSmart shares with Securus, and Securus shares the data with law enforcement officials, and voilà! Cops can pull up both near-real-time location data and historical location data on anyone in the United States with no warrant, no probable cause or no paper trail. No muss, no fuss and no notice to the data subject. North of the border in Canada, the big three telcos— Rogers, Telus and Bell—share customers’ location data with a company called EnStream, which may then share that data with the Mounties.
In other reports, private companies such as Forth Worth-based Digital Recognition Network and its sister company Vigilant Solutions use stationary and mobile cameras to capture the location of every vehicle through automated license plate readers (ALPRs). While government agencies may be precluded from collecting and storing such data on innocent individuals (and from conducting data analytics on such data), these restrictions do not necessarily apply to the private sector. These technologies have the ability to collect, store and process the location of every car (and presumably their owners, drivers or occupants) anywhere in America. The data is then sold to repo men to look for both stolen cars and those late on payments, as well as to law enforcement agencies for whatever use they may want.
If the police want to know if someone is home at a particular location, in many jurisdictions they can simply access the local public utility (gas company, electric company, etc.) and check to see if the lights are on in the home. In many cases, the police have agreements with utilities (including those owned by taxpayers) to share that data.
Social media facial recognition software can be used by law enforcement to match the identity of suspects with activities both online and offline. Credit reporting agencies databases can be used to track individuals.
The problem is not law enforcement access to these databases. It’s law enforcement access to these databases without a warrant, without probable cause and without any limitation on what they can do with them. In effect, we are turning the private sector into agents of the police—collecting, storing, analyzing and reporting information that we prohibit to the police. In the United States we may not care if Waze knows where we are, but we may very much care if police are using Waze to conduct surveillance of us. We may not care if security cameras at our local church, synagogue or mosque capture our image as we walk in to pray, but might object to the government using facial recognition software to keep tabs on our religious preferences.
We know that data leaks. It leaks (deliberately or inadvertently) from the private sector to the government and vice versa. It leaks from secure database to insecure ones and, ultimately, to hackers or foreign governments. While information-sharing is generally thought to be a good idea—and as part of the public-private partnership, it must be done with appropriate safeguards. You know, the ones the Founders envisioned: court-ordered warrants.
There’s an old joke that the difference between capitalism and authoritarianism is that in an authoritarian government the government represses rights, suppresses liberty and makes life miserable for the citizenry. But in a capitalist country, those things are left to the private sector. With public-private partnerships, we may no longer make such a distinction.
