April 9, 2001

Privacy: For those who live in glass houses

H-327A U.S. Capitol Building
Washington, D.C. 20515
(202) 225-6007

TO: House Colleagues
FROM: Dick Armey
SUBJECT: Privacy: For those who live in glass houses
DATE: April 9, 2001

Americans put a high value on their privacy. And for good reason. I don't want strangers poking around in my business any more than they want me poking around in theirs. But new forms of communication like the Internet present an entirely new challenge for those of us concerned about privacy.

Figuring out exactly what we must do to protect sensitive information in this new environment is no easy task. Many unexpected pitfalls await those who rush into this complicated, emotional issue. In the fast-paced world of the Internet, we must avoid silver-bullet solutions that will quickly become obsolete or leave ourselves vulnerable to criticism that the government is not meeting the standards it requires from others.

The Government's Privacy Problems

Before the federal government becomes too preachy about privacy, it should review it's own practices. The Federal Trade Commission (FTC), for example, thought that it had developed some good ideas for regulating commercial websites to protect privacy. The Commission set out its own privacy principles last May in a report entitled "Fair Information Practices in the Electronic Marketplace." The problem was that the good folks at the FTC were so busy figuring out how to regulate the commercial sector that it forgot to regulate itself-and they fell into the hypocrisy trap.

Rep. Billy Tauzin and I asked the General Accounting Office (GAO) to apply the FTC's privacy criteria to the government itself. Not only did the FTC fail to meet the very standards it had asked Congress to impose on everyone else, so did 97 percent of all federal websites surveyed.

I think we can draw a lesson from this. The government should review it's own practices before it becomes too preachy about privacy. The IRS knows how much money you make and how you spend it. The Department of Labor knows where you work and how long you've worked there.

The Department of Health and Human Services (HHS) might well know everything about your medical history, especially if you are on Medicare or Medicaid. They all know your name, address, phone number, Social Security number and maybe even your email address.

According to a recent study by the privacy organization Privacilla, once an agency gathers information about you, it will routinely share that information with other agencies-combining your health, income, and other records. That means your complete life history is floating around the bureaucracy, whether you like it or not. Some of this information sharing is probably beneficial, allowing agencies to work more efficiently. But if government can't protect all that private information from prying eyes, the story changes.

The truth is that the government has a dismal record when it comes to securing sensitive information. According to a study last year by Government Reform Subcommittee Chairman Steve Horn, most federal departments and agencies received a failing grade for their lax computer security procedures. Those failing grades put privacy at risk.

For example, a Veterans' Affairs Oversight Subcommittee hearing last year exposed very disturbing privacy problems within the Department of Veterans' Affairs. The Department's own Inspector General was able to hack into the system and obtain control of individual medical records. The IG testified that weak computer security exposed the records of individual veterans to an assault from hackers armed with only minimal skills.

Unlike many non-VA patients, veterans have no choice about sharing their medical information and have few options if they are dissatisfied with the level of protection the agency gives to their medical privacy. Fortunately, VA Secretary Principi testified last week that the Bush Administration is taking steps to clean up this mess.

The VA's problem was no isolated incident. The GAO recently revealed perhaps the most disturbing example of the effect of lax government security. GAO auditors found during an investigation last year that IRS computer systems containing tax returns that are filed online were vulnerable to attack from even a hand-held computer. According to GAO's report, hackers not only had the ability to read your tax information, but they could also modify it. That's a scary thought.

Fortunately, Treasury Secretary Paul O'Neill has indicated that the Department is addressing this issue. It is clear, nonetheless, that the government has some privacy problems that it must address.

The Law of Unintended Consequences

As you can see, it takes more than good intentions to make good law. And some well-intentioned privacy initiatives may actually result in less protection than existing law. President Bill Clinton, for example, used his last hours in office to cobble together a rule designed to protect the privacy of medical information. But buried within the expansive text filled with new regulatory requirements for health care providers is a passage giving HHS the right to collect all personal medical records from a given health provider without a warrant or prior notice. (By the way, Chairman Horn gave HHS an "F" for its inability to protect personal information.)

It's hard to dispute the goal of assuring patients that they can share personal information with their doctor or insurance company without risk.

But it's unclear how requiring patients to sign a bunch of disclosure waiver forms will help protect privacy, improve health care or alleviate patient anxiety. What is certain is funneling all that information to HHS is a step in the wrong direction. Fortunately, Secretary Thompson has recently expressed his willingness to review and reconsider these new regulations.

A legislative or regulatory solution may be the slowest and least effective way to address consumer concerns. One of the most frequent reasons given for the need to enact commercial privacy legislation is that some consumers refuse to engage in e-commerce because they fear their information won't be adequately secured. I haven't made the transition to online banking myself for that very reason. Nonetheless, more and more people are turning to e-commerce, which shows that not everyone is obsessed with such concerns.

We should remember that these online services have a strong market incentive to address my privacy concerns if they want my business. The market is well suited to adapting and quickly changing to meet new circumstances or to address the concerns of consumers. And that's important because the way we understand the Internet and websites today is changing.

Web sites are simply the way that most of us interact on the Internet today-that may not be true tomorrow. Already, a substantial amount of Internet data, such as stock trades, travels by cell phone or other mobile devices. Imagine trying to read a legal privacy notice on your cell phone before opening that E-trade account. Should typing your social security number on your phone keys be treated differently than typing them in on a computer keyboard? Imposing notice rules on web sites may be as relevant next year as requiring airbags on horse buggies.

Some calling for additional online privacy regulations cite the need to address things that are, in fact, already illegal-like stealing credit card numbers or "identity theft." It makes no difference whether that information was illegally obtained on the Internet or by stealing your purse. Perhaps better enforcement of existing laws will address those concerns.

Motivated by the desire to "save" the Internet, others have argued that if Congress does not act soon, state governments will create a host of different and even contradictory rules that might derail our borderless Internet economy. Even if Congress could preempt these state laws-and I am not aware of any consensus to do so-rushing to create a single unworkable federal standard is as bad or worse than having many unworkable state standards. Let's not love the Internet to death.

So What Do We Do About Privacy?

Privacy is a difficult issue, and I don't pretend to have all the answers on this subject. Right now, Congress is an inexperienced and amateur mechanic trying to tinker with the supercharged, high-tech engine of our economy. We need to be careful not to let our good intentions get in the way of common sense.

That doesn't mean that we can't or shouldn't do something about privacy. Far from it. It means that we should start with what we know best and have the greatest ability to affect. We've already seen that the federal government needs serious attention when it comes to privacy. And there are plenty of things we can do to improve the way the federal government uses personal information-both in the bureaucracy and in Congress. We should clean our own house before dictating solutions for others.

Those who live in glass houses shouldn't throw stones. And right now, the federal government's online house is made of pretty thin glass.

 Other Resources

House Majority Leader Takes Stand for Privacy