acm - an acm publication


What would Justice Brandeis say?

Ubiquity, Volume 2001 Issue October, October 1 - October 31, 2001 | BY Robert C. Heterick 


Full citation in the ACM Digital Library

Institutions of higher education should help define technology limits and avoid further shrinking the realm of privacy.

Identity theft appears to be the fastest growing crime in America. Armed with little more than a name, a mildly enterprising amateur can find a corresponding Social Security number and from there unlock a world of information about an individual, information that the individual might have thought was private and known only to his or her physician, accountant or academic institution. Your bank, your credit card company, even your State Motor Vehicle Department may be selling your name and possibly your Social Security number to anyone willing to ante up a few cents per name.

We have come a long way from Justice Brandeis' right to be left alone. The Supreme Court recently seemed to extend Justice Brandeis to the 21st century in an Oregon case where a man, suspected of growing marijuana in his house, had his house surreptitiously scanned by thermal imaging in an attempt to detect the presence of high-intensity lamps. In that case, by a bare margin, the Court ruled the scanning unconstitutional. In his opinion, Justice Antonin Scalia asked, "The question we confront today is, what limits there are upon this power of technology to shrink the realm of guaranteed privacy?"

Indeed, does anyone using the Internet have any expectation of privacy? And, does any organization that facilitates exchanges on the Internet have any obligation to meet its transaction partners' expectations?

A recent seminar I attended broached this and a host of similar questions in the security/privacy domain. I was mildly surprised by the sanguine attitude of my educational community colleagues who unanimously were of the opinion that there could be no expectation of privacy when making a transaction over the Internet -- not e-mail, not for business, not even medical transactions. This is not to say that many didn't feel that some expectation of privacy might be appropriate or desirable, only to say that such expectation would be futile.

The issue is not encryption -- where the transaction partners do have an expectation of privacy. A "secure" Web site, to which one entrusts a credit card number for instance, does have an obligation to protect the specific data with which it has been entrusted. However, one should not expect that transmission security effort to extend to the realm of customer privacy. That same organization may well be selling your name and other personal information to anyone prepared to buy its customer list.

The recent spate of "disclosure" statements by financial institutions is instructive. Changes in the federal banking laws require all financial institutions to alert their customers to their privacy policies and provide an opportunity for them to "opt out" so as to protect their privacy. It appears that a very small minority of folks (less than five percent) has sufficiently disentangled the prose of these statements to realize that some overt action is required to protect their privacy.

Equally dismaying is the track record of bankrupt firms offering their customer profiles for sale. Information given voluntarily to a specific business partner suddenly becomes available to other businesses with which you may have pointedly chosen not to do business. In some cases, this is not just information overtly collected from customers, but information covertly gathered through the use of "cookies."

Institutions of higher learning have been slow, if not reluctant, entrants to the domain of e-commerce. However, we do have significant numbers of potential students meeting their application requirements over the Internet. An increasing number of institutions have Web portals linked to back office systems containing copious amounts of personal information about students. The burgeoning business of online coursework is yet another salient point through which personal information about individuals is potentially available.

As increasing numbers of students pass personal information to their academic institutions, we might ask, in the spirit of Justice Scalia, has technology shrunk their expectation that such personal information will be kept private? Do institutions of higher learning have an obligation to provide protection of private information that extends beyond that which we currently observe in the commercial sector?

With the projected increase in for-profit educational ventures, many historic institutions of higher education will be seeking differentiators -- those products, services and business methods that will distinguish themselves from their commercial competitors. A paramount concern for the privacy of its students would appear to be one area in which our historic institutions could distinguish themselves.

The difficulty in doing so is the antipathy toward secure systems on the part of educational institutions that view themselves as champions of free, open and unfettered access. Like so many of our defining issues, two strongly held values come in conflict -- access and privacy. The problem can be likened to finding a guard dog that is mean enough to scare off burglars but sufficiently docile so as to not bite the mail carrier.

Institutions of higher education could do themselves and their publics a big favor by helping to define Justice Scalia's limits of technology to avoid further shrinking the realm of privacy so important to people in an open society. As institutions of higher learning are constrained by federal law as to what they can reveal about their students, the problem is not so much overt as inadvertent disclosure of personal information. To avoid inadvertent or unplanned disclosure will require a major commitment to encryption and the assumption of the costs that go with the overhead required. Finding the right balance of openness and privacy protection is a difficult, but extraordinarily useful, endeavor.

Robert C. Heterick is a past President of Educom, Vice President Emeritus at Virginia Tech and currently a Fellow at the Center for Organizational Learning and Technological Advancement at Virginia Tech. This article first appeared in The Learning MarketSpace, which is a publication of The Leadership Forum at the Center for Academic Transformation.


Leave this field empty