The Privacy Panic

Millions of Americans are convinced that government is careless with their personal secrets. Government isn't doing much to reassure them.

Last year, Tom Feeney thought he had a perfect solution to the mounting problem of identity theft. As a leader in the Florida House, he had heard story after story about how thieves were getting hold of Social Security numbers and details about the lives of other people, and using this information to obtain fake driver's licenses and credit cards in the unsuspecting victims' names. Now, Image Data LLC, a New Hampshire company, had a plan to fight back. It proposed to gather driver's license photos from various states, then transmit the pictures on demand to retailers, who could view them on small screens to confirm whether individuals trying to pay by check or credit card really were the people they claimed to be.

The idea sounded so good that Feeney quickly threw his support behind legislation authorizing sale of the state's driver photos, helping ensure that it would pass easily without a single public hearing. He never dreamed that when newspapers described the plan in detail, months later, citizens would become furious. The transfer of the pictures grew into an intense emotional issue all over Florida, and in much of the country. Selling driver's license photos amounted to creating "a mug file of law-abiding citizens," charged privacy advocate Robert Ellis Smith. In Smith's view, the legislation would contribute to a climate in which people feel "they are being watched" all the time.

Florida and other states quickly backed down. "People felt violated," recalls a chastened Feeney. "They were just beginning to learn that people can find out their addresses, phone numbers, Social Security numbers and other personal information over the Internet, and they reacted viscerally to the idea that the government was transferring personal information without their approval."

As Feeney's unhappy experience demonstrates, it is nearly always a mistake to underestimate sensitivities on the privacy question, even when facts may suggest little to worry about. Millions of Americans are convinced that the celebrated "Information Revolution" is producing an unpleasant and perhaps dangerous side effect: a steady erosion of their personal privacy. These worries don't always lead to explosions like the one in Tallahassee, but elected leaders beware: Your constituents are learning that digital technologies give businesses and government unprecedented powers to track their travels around the Internet, trade information about their lives, and store and analyze their personal data. It will not be an easy job convincing them they have nothing to fear.

In truth, it will require a delicate balancing act. On one hand, government must demonstrate that new information technologies really can streamline operations and bring services closer to the people. But it also must show that these same technologies won't enable prying bureaucrats to move in too close or become too powerful. The task is especially difficult because public attitudes about privacy are volatile, inconsistent, subjective and frequently emotional. It's easy to stir suspicions, and hard to reconcile conflicting interests. And, as Florida lawmakers learned, trust, once shaken, can be very difficult to restore.

"Privacy is full of contradictions," agrees Wisconsin Senator Jon Erpenbach, who has wrestled with all these issues as head of his state Senate's Privacy Committee. "It's hard to figure out what's logical, what's reasonable and what's right. What sounds like a good idea might not be so good if you sit down and think about it, and what sounds like a bad idea might actually be a good one."

The tension between privacy and digital government is readily on display in Wisconsin, which is moving on several fronts to introduce digital government. Among other things, state agencies are eager to use the Internet to "personalize" government service. Just as Amazon.com monitors its customers' purchases and recommends additional items they might want to buy, state information experts would like to track individual citizens' concerns in order to respond better. "If someone consistently asks for hunting licenses, the government can know you're interested in hunting," explains Amy Moran, an information technology consultant in the Wisconsin Department of Administration. "So we could notify you anytime there is a change in laws, new regulations, a change in particular game seasons or other information that might be relevant."

It sounds like a straightforward, good-government idea, but Wisconsin officials are hesitant about deploying such customer-service strategies for fear they will be seen as invasions of privacy. The concerns are legitimate, insists Kara LaPierre of the National Information Consortium, which builds Web portals for governments. "People might be happy to have the government know some things about them--to send them a reminder when it's time to renew a driver's license, for instance," she says. "But you might not want the government to know if you visit a public health program's page on, say, teen pregnancy."

The Internet isn't the only place where privacy concerns are colliding with the push toward digital government. Privacy advocates also voice concern about the way government agencies share information on citizens with each other. "Data matching" or "data merging," as the practice is known, has become an important tool to increase efficiency, detect fraud, track benefit recipients and enhance public safety. To make sure that school districts hire only safe and responsible bus drivers, for instance, Wisconsin authorities cross-check applicants' driver's license information against driving records and crime data. To capture lost revenue, they match the names of lottery winners against the list of delinquent taxpayers. And they leave no stone unturned in going after "deadbeat dads," routinely checking a national registry of newly hired employees to locate them, reviewing applications for hunting or fishing licenses so as to deny them those privileges, maintaining a Web site to inform title companies about liens on property, and reviewing bank records in order to locate and seize the violators' accounts.

Such data-matching programs are primitive compared to newer "data-mining" techniques being pioneered in both the private and public sectors. Using computers and sophisticated mathematical techniques, information experts now can discover patterns in data drawn from completely unrelated databases, thus making inferences about details of people's lives that the subjects never agreed to disclose. Tax departments are particularly interested in the technique. "Using a mosaic approach, revenue departments might find that people who own boats and have vanity license plates are more likely to under-report their income," explains Richard Varn, Iowa's chief information officer. "That will tell them where to conduct more tax audits."

Varn's example is hypothetical, but a real-life situation shows the stakes can be higher than catching a few tax cheats. In Lane County, Oregon, an interagency group called the Public Safety Coordinating Council is developing a system that will piece together information from 30 different social agencies to create an "early-warning system" for child abuse. Children and families who are in trouble often have numerous contacts with social agencies; a father may visit a drug- or alcohol-treatment facility, for instance, or a wife may seek counseling for depression, or a child may start misbehaving in school. Seen in isolation from each other, such contacts may not seem too troublesome. But when separate encounters with service providers are connected to form a larger picture, they may point to a more serious problem. Officials in Lane County believe certain combinations of variables will lead them to children who face the most serious risk of abuse, and service agencies can then intervene before it's too late.

To many, such activities seem unassailable. Jean Gerstner, chief of the Wisconsin Department of Revenue's Audit and Technical Services section, hopes that data mining will increase tax collections and enable the state to target its audits on the people who really should be audited. "This will mean less inconvenience for people who shouldn't be audited," she says. "It's a way to improve customer service." Myra Wall, director of the Lane County project, firmly believes that the Oregon data project will save lives. It was launched, in fact, in the wake of a public outcry that officials had failed to intervene in the lives of a troubled family until a three-year-old was killed by her mother's live-in boyfriend.

But others find such data mining truly scary. At what point does surveillance through data analysis, even if relatively unobtrusive, amount to unreasonable search and seizure? What is the danger that projects such as Lane County's will snare innocent people? And how much privacy are we willing to sacrifice for public safety and security?

"Each individual program seems so rational when you hear the justification, but when you look at the whole picture, we're on a slippery slope when it comes to our democratic values," argues Carole Doeppers, director of the Wisconsin Data Privacy Project. Doeppers, whose work is financed by the American Civil Liberties Union, served as state privacy advocate until the position was eliminated in 1996. She estimates that state agencies in Wisconsin operate more than 200 separate data-matching programs, and she says the number is growing every year. "People don't have a clue that the information they are providing for one purpose is being used for others," she says. "There is no accountability."

While Doeppers and others debate how much government intrusion into people's lives should be allowed, many people are more concerned with invasions of privacy by criminals and by commercial interests. They have a point: Government lags far behind the private sector in deploying new information technologies, and many of the concerns about government misuse of these tools are based more on conjecture than on actual experience.

But state and local governments do provide much of the raw information that fuels intrusive marketing efforts, including motor-vehicle records, land titles, property-tax assessments, voter-registration lists, occupational and recreational licenses, numerous types of permits, and boat and airplane titles. The sources of information are growing rapidly. To assist planning efforts, for instance, many jurisdictions are creating "geographic information system" databases that pull together tax data, building permit records, vital statistics, results of special surveys and information collected from numerous other sources. Meanwhile, electronic toll-collection systems, such as E-ZPass in the Northeast, utilize cameras that could provide a wealth of information on people's personal movements.

Such information is not only becoming more abundant, it also is increasingly easy to tap. In the past, detectives and other snoopers searching for personal information about someone usually had to work hard to find it. Now such information is available online, and computers make it possible to amass data from numerous sources almost instantly and effortlessly. ChoicePoint Inc., one of a growing number of personal-information brokers, boasts that it regularly searches more than 1,600 databases containing 3.5 billion local, regional and national records.

The sheer volume of personal information is staggering. Carolyn Purcell, executive director of the Texas Department of Information Resources, once hired a private company to test what it could learn by searching the Internet for public records about her. "They had my Social Security number from dozens of different sources; they had the Social Security numbers of former owners of homes that I owned; they knew what cars I owned; they had information about my ex-husband and his various addresses and Social Security number; they knew I had been a pilot and when I got my last medical examination for the license," she said. "Their report was 12 pages long, and it ended with an apology that I live such a modest and inconsequential life that they couldn't get very much information on me."

While many people are unsettled by stories such as Purcell's, attempts to address their concerns frequently collide with principles of openness and freedom of information. Indeed, advocates of open records believe that the growing concern for privacy may now represent the leading threat to their cause. Florida, for example, which boasts one of the nation's strongest open-records laws, has already enacted more than 750 exemptions to it. "Privacy is secondary to open records here, but I have a lot of trouble getting people to understand why we need to protect this incredible right of openness," says Barbara Petersen, head of the First Amendment Foundation, a group that promotes open public records.

Other times, privacy is used as a pretext for more self-serving motives. A few years back, Florida's veterinarians persuaded the legislature to remove pet-vaccination records from public view. The veterinarians claimed their goal was to protect the privacy rights of pets and the sanctity of the doctor-patient relationship, but it seemed clear to many that the real aim was to keep the names of pet owners away from companies that were marketing pet medication at deep discounts, in competition with the vets themselves. Petersen calls the pet exemption "the stupidest exemption in the history of open government."

A more serious case involves access to Florida's voter-registration lists. Privacy advocates generally believe people should have a right to keep their addresses private; in particular, they note, stalking victims, licensed professionals who work out of their homes, teachers and others should not be forced to choose between their right to vote and a legitimate desire to keep people who might wish them harm from knowing where they live. Open-records advocates take a different view, arguing that voter lists should remain public because public scrutiny of them is an important safeguard against vote fraud.

The Florida legislature, however, has come up with a solution that raises as many issues as it solves. It closes the state's voter lists to general scrutiny, but keeps them available to candidates and political action committees. "Leaders can get the list, but community action groups opposing them can't get it to send a mailing criticizing our leaders," complains Petersen. "This isn't designed to protect privacy, it's designed to protect the political interests of those in power."

Privacy will remain a tempting issue for special interests to exploit as long as government and the public at large fail to sort out their own conflicting ideas about where to draw the line between public and private information. At the moment, "support for any result can be found by selective use of available policies and principles," says Robert Gellman, a Washington, D.C., information-policy consultant. Countless court opinions have failed to clear things up, Gellman adds, noting that "existing case law provides a wealth of material from which support for any desired result can be found."

The volatility and complexity of the privacy issue leaves many states reluctant to try to sort out this mess. "States have pretty amorphous, open-ended agendas," says Fred Cate, an expert on information law at Indiana University Law School. Their one clear goal is to avoid being caught flat-footed the way Florida and its sister states were over driver's license photos. As Cate puts it, "Nobody wants to be the next deer in the headlights."

In their eagerness to avoid controversy, states frequently have deferred to the federal government on the privacy issue. In 1994, Washington ordered states to give people the option of removing their names from lists of licensed drivers being sold to marketing companies, and a 1999 federal law similarly requires financial institutions to give customers an opportunity to prevent disclosure of personal information to third parties. The federal Office of Management and Budget, meanwhile, is spearheading an effort to delete personally sensitive information from the public record, focusing initially on bankruptcy records.

Still, there is no way to keep the issue off the state legislative agenda. StateScape, a legislative tracking service, reported late this summer that more than 375 privacy bills had been introduced in legislatures, and more are likely next year. At least nine states have appointed special task forces to explore the issue and report back to the legislature during the 2001 session.

Even if they enact no new legislation, states will have to address privacy concerns raised by their own Internet portals. As of last June, only 19 states and just one of the 25 largest cities had posted privacy policies on their Web sites, according to the National Electronic Commerce Coordinating Committee.

One exception to the general pattern of reticence is Washington State. In September, Governor Gary Locke issued an executive order requiring state agencies to develop and prominently display privacy policies on their Web pages, and to take steps to ensure that Social Security, bank account and credit card numbers are removed from documents subject to public scrutiny. The order says government agencies should collect only the personal data needed for "legitimate" public purposes, and prohibits agencies from selling or releasing such information for commercial purposes. Citizens are supposed to be notified if personal information collected from them may become public, and agencies are directed to designate officials to deal with privacy complaints and questions from the public.

While only time will tell how effective Locke's policy is, privacy advocates believe that these last two elements of his order--disclosure and establishment of a mechanism for balancing privacy and open-records concerns--may be crucial in providing a long-term answer.

Richard Varn, Iowa's CIO, argues that disclosure of purpose is the most important issue of all. He says government has to do a better job of letting people know what information it wants to collect, why it wants to collect it and what it intends to do with it. "You have to publicly announce it, talk about benefits and explain the choices people face," Varn says.

That hardly sounds like a revolutionary idea, but in fact it implies a substantial change in the way most states operate. Only about a dozen states currently have laws restricting the collection and release of personal information. "In state government, we typically don't ask people for their approval when we start collecting new information, and legislatures typically don't weigh in," confirms Texas information officer Purcell.

States are particularly weak when it comes to letting people know that information may be used for purposes other than those intended at the time of collection. Doeppers, the Wisconsin privacy advocate, suggests that state forms should include language advising people that the information they provide may be used for so-called secondary purposes. "Records-keepers go ballistic every time I suggest this," she says, "but every government agency should have an obligation to reveal conspicuously to citizens that information they are giving for one reason could be used for other reasons."

Full disclosure of such uses, of course, could inflame the public and make the existing backlash worse. States are ill equipped to respond to such pressures. Only six have freedom-of-information offices to help interpret freedom-of-information laws; elsewhere, open-records disputes must be settled in the courts, which have given, at best, murky guidance on the issue. This makes it difficult for states to balance the competing interests of privacy and openness, and creates a real possibility of overreaction. "In so many instances, an extreme position is inappropriate," says Robert Freeman, of the New York Committee on Open Government, a state agency that oversees freedom-of-information and privacy laws. "I'm terrified that legislative bodies will adopt standards that are not flexible."

While legislatures can delegate some of the authority to handle privacy and open-records claims to agencies such as Freeman's, the toughest questions--including, perhaps, those raised by data matching and data mining--almost inevitably will end up in lawmakers' laps. "There should be a very strong public policy consideration before you commingle records," argues J.D. Williams, Idaho's state controller and chairman of the National Electronic Commerce Coordinating Committee. "I suspect that type of decision should be left to the legislature."

Indeed, the stakes are too high for legislatures to shrink from such decisions. The future of digital government may well depend on how effectively privacy concerns are addressed.

If you think that warning is overblown, consider the fate of an earlier push to use computer technology in revolutionizing government. Thirty-five years ago, voicing hopes that state and local information officers today can readily appreciate, the federal Bureau of the Budget proposed consolidating all government information functions in a single National Data Center. Such a center, the bureau argued, would make operations more efficient, improve the quality of government-held information, and increase public access to government databases.

It never came to pass. Much to the bureau's surprise, commentators rebuked the budget bureau for failing to address privacy concerns, and a special House Subcommittee on Invasion of Privacy decreed that no work should be done on a centralized national database until privacy could be guaranteed. After watching the plan languish for several years, the budget bureau reluctantly shelved it.

There is a lesson in that for the digital government enthusiasts of the 21st century.