The problem with Obama's privacy 'bill of rights'February 24, 2012: 10:39 AM ET
FORTUNE -- The data-privacy framework unveiled by President Obama on Thursday has received near-universal praise from privacy advocates. At the very least, they say, it represents a good start and proves that the administration is serious about protecting privacy rights as they apply to how businesses collect and use personal data. The only drawback is that while the administration is calling for Congress to enact a "privacy bill of rights," the actual Bill of Rights is nowhere to be found in the announcement.
The framework targets only the private sector's activities, not the government's. G-men can still, in certain situations, rifle through Americans' personal data without a search warrant. These can be seen as separate issues, but they shouldn't. Given the increasing Constitutional leeway the government has granted to itself on data searches, wiretapping and the like, it's not surprising that privacy advocates are a little taken aback by the difference in how the administration is treating the public and private sectors.
The framework is "more leadership on privacy from an administration than we've seen in a generation," says Justin Brookman, director of the Center for Democracy & Technology's Project on Consumer Privacy. The CDT's central worry, he argues, had been that the framework would include no calls for legislation, but the president was clear in saying that he wants a law passed governing how companies may collect, store, and use personal data. The administration "is practical and realizes that Congress isn't necessarily going to pass such a big piece of legislation anytime soon, especially in an election year," Brookman wrote in an email interview. But in the meantime, Obama is "going to try to use the bully pulpit to bring industry, advocates, and regulators together to devise consensus rules on emerging privacy issues."
And yet, while there was language in a draft version of the administration's report that addressed potential reforms to the Electronic Communications Privacy Act, that language didn't make it to the final version, an omission that disappointed the CDT and some other privacy advocates. ECPA allows law enforcement officials in certain, often confusingly applied circumstances, to access personal information such as stored email and wireless location data without a search warrant being issued. Privacy advocates generally agree that it was a good law when it was passed in 1986 (when Internet communications were much more like phone calls). But they say the law has been superseded by technology, leaving everyone confused as to how its provisions should be applied to today's smartphones and cloud-stored data, and leaving all kinds of room for abuse by law enforcement. Without reform, Brookman says, "Europe and the rest of the world may lose confidence in US companies and the US-based cloud." Protection of data from misuse by the government is "at least as a big a hurdle there as consumer privacy."
Adam Thierer, senior research fellow at the libertarian Mercatus Center at George Washington University, was harsher -- and more ideological -- in his assessment. "It would have been nice for the administration to at least give some lip service to the need for ECPA reform," he says. "But it's clear they have little interest in taking on those forces in the DOJ, FBI, NSA, or other agencies that want their broad, open-ended surveillance powers to remain undisturbed."
But Thierer is much less alarmed by the use of data by private companies. He characterized Obama's announcement as a case of the president "moralizing about how the private sector needs more regulation" while failing to highlight problems with government intrusion. The Mercatus Center says its mission is to "advance knowledge about how markets work to improve our lives."
"We should be much more concerned about what the government does with our data" than what private companies do, said Miriam H. Wugmeister, an attorney with Morrison & Foerster who represents businesses in privacy cases. But even she acknowledges that there are potential harms in allowing private companies to store and use data without oversight. She's not a big fan of the privacy framework because, she said, its "focus is on regulating collection, not use" of data. There's no harm, she said, in collecting information to target people with ads that would appeal to them. But "there are misuses of data" such as selling it to third parties who might use it to screen job applicants, for example. Still, many people believe that they should have control over their own data, and that's what the framework is aimed at.
Given the reactions to recent missteps by Facebook, Apple (AAPL), Google (GOOG), and other companies on the privacy front, it seems the political winds are with those who would prefer more regulation over less. That's not surprising. Many people still freak out when they see an online ad that's related to a search they had just run or a Facebook status update they had just written. They might freak out less -- and perhaps actually come to see such targeting as a benefit -- if they felt they had control over which of their activities they allowed to be shared with private companies and which activities they decided to keep to themselves. Or at least if the companies were more transparent about how they used the data they collected.
That's what much of the administration's framework is aimed at achieving. Although "we live in a world in which we share personal information more freely than in the past," Obama said on Thursday, "we must reject the conclusion that privacy is an outmoded value. It has been at the heart of our democracy from its inception, and we need it now more than ever."
Also at the heart of our democracy, however -- in fact, written right into the Constitution -- is the concept of due process of law. As laudatory as the administration's effort might be, some of the applause is muted by the fact that the government, through ECPA, parts of the Patriot Act, and other laws and policies, sometimes doesn't live up to its own rhetoric.
But Marc Rotenberg, president of The Electronic Privacy Information Center, believes such concerns are "missing the point" and reveal a "misunderstanding" of the administration's efforts. EPIC, he noted, is "plenty critical" of the government's "Big Brother activities" (which it in fact is), but for "people who care about the protection of privacy, the announcement [on Thursday] is a big step in the right direction."