By Ananya Paul | MS Student, Cornell Tech
At the DLI Seminar on 26th September, DLI PostDoctoral Fellow Ido Sivan-Sevilla spoke about National Security and Privacy risks in US Federal Policy, how they complement and contradict each other, analysed over five decades and over three different policy arenas.
How to Measure Privacy vs. National Security?
While many works have theoretically addressed the desired relationships between privacy and national security, very few studies have empirically measured how these relations are mediated by policies over time or across policy arenas. Armed with this research motivation, this work comes with quantifiable definition of the two values, in order to measure how policies promote them.
Pro-privacy policies are policies that create privacy oversight and scrutiny over national security measures. Privacy, in this sense, is defined as the levels of control and knowledge that individuals have over collections, processing, and other uses of their personal information. In this context we care about privacy violations as actions that undermine individuals’ autonomy, dignity, and self-determination by threatening the ability to control how personal information is collected, accessed, and used, often without data subjects’ knowledge.
Pro-national security policies are policies that promote the set of practices that protect the nation from threats which originate in foreign states or within the nation’s border. These include intelligence gathering, foreign intelligence denial, enforcement of terrorism laws, and maintenance of national infrastructure.
This yields three types of dynamics between national security and privacy policies:
Policies that conduct a compromise between the two goals - allow the government to collect information in ways that are subject to oversight and scrutiny. (e.g. 1986 ECPA)
Policies that advance national security at the expense of privacy - increase the legal authority of the government to collect information or create mechanisms to disrupt digital technologies to make them ‘surveillance-friendly.’ (e.g. 2008 FISA Amendments)
Policies that advance both cybersecurity and privacy at the same time - increase the security of digital information systems, and by that also better protect the privacy of individuals who process their personal information through these systems (e.g. 2002 FISMA)
What do we already know about these policy spaces?
Privacy and National Security are interrelated, governed by different policies, laws and regulations. From the literature we know that legislatures usually prioritize national security over privacy: Privacy is framed as an individual rather than a collective value, the executive branch is loosely restricted by commercial interests, legislatures and judges constantly defer to security officials in times of crisis, and technology is used as a justification to advance national security for privacy.
Following this literature, the author conducted tests to validate or further elaborate drivers for policy change and empirically evaluate these policy relationships in US federal policymaking. Through a comparative process-tracing analysis of three policy arenas—criminal investigations, foreign intelligence, and cybersecurity—over five decades, this study shows how the state’s national security efforts enhance or infringe upon privacy safeguards, based upon two types of analyses:
1 - Time Based Analysis of National Security vs. Privacy
The study analyses by examining how federal statutes, executive orders, presidential directives, federal rules, policy guidelines, and court rulings constructed relationships between national security and privacy between the years of 1968 and 2018. It considers how these relationships have changed over time, across different stages of the policymaking process, and in various policy contexts.
2 - Arena Based Analysis of National Security vs. Privacy
The regulatory regimes are also analyzed across different policy arenas - Criminal Investigations, Foreign Intelligence and Cybersecurity - focusing on: (i) the contextual factors of policy changes; (ii) level of transparency in the policy process; (iii) variance of actors involved; and (iv) influence of commercial interests. It seems that different characteristics of the policy process in each arena yield different policy outputs .
Findings
From these analyses, Sivan-Sevilla finds that:
Privacy often ‘loses’ to national security, quantitatively (55%) and qualitatively: unprecedented expansions in surveillance authorities are never fully reversed.
Technological change is a significant factor for policy change – it is instrumentally used by privacy advocates, national security officials, and commercial companies according to the political climate of the time.
Policy framing is changing across policy arenas and mediates political patterns that vary on the levels of transparency, actor variance, and influence of commercial interests – leading to a construction of different types of policy relationships.
Coupling policy debates with security crises for gaining legitimacy to breach privacy is indeed evident (Solove, 2011) – but this trend varies over time and context. Security crises in the 1990s were not as effective. In addition, privacy scandals have led to a push-back against surveillance practices.
Commercial interests contributed to pro-privacy policies in the 1980s, but also resisted data security regulations on private infrastructures, leaving their clients exposed.
Conclusions
There is a full spectrum of policy relationships between national security and privacy and there is no single equilibrium between the two goals. Moreover, tracing the role of Congress and commercial interests over time reveals an alarming pattern : they were both much less effective since 9/11 - Congress rarely held the Executive accountable and private interests were absent from policy debates. Only whistleblowers came for rescue.
In addition, this study identified some difficult-to-capture dependent variables - the policy regimes and institutional settings that govern national security and privacy relationships - that are worth further investigation. And most importantly, we see that privacy is rarely lost at once, but rather erodes over time, and that is why the work of privacy scholars in highlighting those issues is so important.
More details in the paper that was published in the journal of Policy & Internet:
Comments