"Privacy in the Age of Information," the seventh annual Catherine N. Stratton Lecture on Critical Issues, took the form of a panel discussion among experts in cryptography, security, law and policy.
The October 24 event was moderated by Institute Professor John Deutch, former deputy secretary of defense and former director of the CIA. The panelists were Professor Deutch; Ronald Rivest, the Andrew and Erna Viterbi Professor of Electrical Engineering and Computer Science (EECS); Professor Peter Szolovits of EECS; and Christine Varney, formerly a Federal Trade Commissioner and White House advisor on Internet privacy issues, now a partner in the Washington law firm of Hogan & Hartson.
"The attention to privacy reflects a very happy and welcome development in our cultural history because it addresses the right of every individual to be able to have thoughts, to have information and to communicate without interference or without unauthorized or inappropriate listening by others," Professor Deutch said.
The group of four agreed on some points and diverged to focus on their individual areas of interest and experience.
The panelists agreed that the Internet as a technology and as a symbol of information culture had drastically changed the way people think about what distinguishes public from private information. The group also agreed on the necessity for some coherent policy (preferably on a global scale) for serious sanctions against misuse of information and for methods of recourse for individuals whose rights are violated. They advocated ubiquitous, easy-to-use tools for privacy so that individuals could protect sensitive data from exposure.
"The cryptographic solution doesn't solve all privacy problems. In fact, it's more like letting the genie out of the bottle. Cryptography can aid law enforcement but violate the fundamental democratic right to a private conversation and the right to know what government officials are doing," said Professor Rivest, an inventor of the RSA public-key cryptosystem.
He noted that making privacy technologies easier to use and widely available would be helpful, as would better legislation to protect privacy rights.
"The Europeans are way ahead of us in terms of privacy legislation," he said. "Their Data Protection Act of 1998 says that organizations that collect personal data must register with the government. They may not collect, use or disseminate information about an individual without their consent. They must tell the individual the reason for the information collection. Individuals have a right to see the information collected about themselves and to correct mistakes. Individuals can opt out of information collection."
Health care is an "information-processing activity. To do that well is to improve the quality of care," said Professor Szolovits, head of the Clinical Decision-Making Group at the Laboratory for Computer Science. He has worked on the problems of controlled sharing of health information and privacy and confidentiality in medical record systems.
Privacy and confidentiality issues arising from how information technology is used in the context of health care include the inappropriate release of information by authorized users, as in the case of the inappropriate release by a nurse of medical information to a tabloid about Nicole Simpson; release of information by unauthorized users; and systemic flows of information among health care organizations which is both legal and unregulated, Professor Szolovits said.
To illustrate, he displayed a slide portraying the wide, intricate world of organizations to which a single patient visit was reported. Some but not all of these organizations were related to health care, he noted.
Professor Szolovits proposed a federal privacy ombudsman who would encourage national debate to determine the balance between patient privacy and organizational needs for information. The Health Insurance Portability and Accountability Act of 2000 is intended to build a set of regulations making it easy to allow the smooth flow of information on behalf of health care operations and prohibit its flow for other purposes, he noted. Records should be put in the hands of patients in the form of life-long personal health systems, he added.
Commenting wryly that she "had no privacy since being confirmed by the Senate," Ms. Varney went on to describe privacy as a consumer protection issue.
"In moving from the analog to the digital age, all economic barriers -- time, money, energy -- to the aggregation and dissemination of information have been removed. It used to be very expensive to aggregate information on any one individual. Now it's easy and cheap," she said.
Though Ms. Varney expressed some lack of cheerfulness about the federal government's helpfulness with privacy issues, she did predict that a privacy bill would be enacted by Congress in 2001 for nonsensitive commercial data. She also predicted that the children's online privacy act would be strengthened significantly, since Americans generally consider information about their children to be sensitive.
"I am still more comfortable with tools that empower individuals to protect their own privacy," Ms. Varney said.
Professor Deutch made three points in his comments as a panelist. Information technology itself is as neutral today as in France in the 1900s, when the telegraph was feared as the end of the world; the importance of privacy profoundly conflicts with the reality of national adversaries and our enormously fragile infrastructure in air traffic control and elsewhere; and attending to information needs to protect national security would entail less privacy for some individuals.
Profiling, for example, may protect air travelers from terrorists, and wiretapping may help capture drug traffickers, he said.
Professor Deutch joined the other panelists in advocating an international regime with common rules and commmon protocol to reduce both security and privacy risks in the global information marketplace. He suggested, however, that the audience ponder what "secure personal communications" might mean in Egypt, Russia, China, Israel, North Korea or the United Kingdom.
A version of this article appeared in MIT Tech Talk on November 1, 2000.