"Nothing to Hide: The False Tradeoff between Privacy and Security," by Daniel J. Solove

Published by Yale University Press (2011)

Reviewed by Paul Rosenzweig

In 1077, St. Anselm of Canterbury offered an analysis that has come to be known as the ontological argument for the existence of God. God, posited Anselm, was “that than which nothing greater can be conceived.” Since, in Anselm’s view, physical existence was superior to non-existence, it followed logically that God must necessarily exist, for if he did not then those things in existence would be greater than God. In this way Anselm offered an a priori argument from logic alone proving that God must be real. Many modern philosophers (including, for example, Kant) have concluded that the ontological argument is tautological, because it relies on an implicit agreement with the underlying principle that nothing greater than God can be conceived and that “existence” is a predicate for greatness. If you don’t buy the assumption, you don’t accept the conclusion. Still, as Bertrand Russell observed, it is much easier to be persuaded that ontological arguments are no good than it is to say exactly what is wrong with them. So too in this elegantly written and bracing argument, Nothing to Hide: The False Tradeoff between Privacy and Security. Daniel Solove, a law professor at George Washington University, has, in effect, offered an ontological, indeed Anselmian, argument for privacy. He begins, implicitly, from the premise that privacy is a value than which no greater value can be conceived. From this, he argues that most of our current policies regarding security are misguided. Those who agree with his premises will welcome the book – it is as clear and solid an argument as I’ve seen made for that perspective. It is a powerful exposition and Solove is a deeply articulate proponent. But, in the end, Solove’s argument won’t convince those who started out skeptical of his viewpoint. Which is surprising, in a way. Solove’s analysis starts off with great promise of broad agreement, beginning from what seems to me to be an inarguable premise: namely, that privacy is more than an individual right, but is instead also a societal value (p. 48). Privacy is, Solove says, more than simply my personal right to keep things secret. And that, I think, must be correct – Solove’s initial critique (ch. 2) of the “Nothing to Hide” argument (i.e. “who cares about government surveillance, I have nothing to hide”) is exceedingly powerful. After all, everyone has something to hide. More saliently, freedom from government observation is only one of a host of values that we as a society esteem under the rubric of “privacy.” As Solove explains (ch. 5) privacy can be much more. Sometimes we value privacy as an enabler of democracy (keeping ballots secret); sometimes it fosters personal morality (in the privacy of the confessional). Privacy can be about the utility of restraining government misbehavior (requiring a predicate showing and judicial oversight before a search may be conducted or a private conversation intercepted). It can refer to a right to autonomy in behavior (when, for example, we talk about a privacy right to secure an abortion), or to the value of being able to act anonymously (as in not being subject to surveillance when walking down the street). Privacy is sometimes about transparency – knowing what someone else knows about you. It may be about control of one’s own image when privacy laws enable an individual to limit the type of information that is publicly available about him. It may even be about shame in hiding a vice or peccadillo. Indeed, as Solove rightly points out, privacy values can sometimes be seen as the embodiment of the small “l” liberal value of not being obliged to justify yourself to the government without good cause – in effect, a background rule that fosters limited government. But from this convincing theoretical beginning, Solove’s analysis seems to go astray in a few ways – or, at least, carry him well beyond stances that are widely accepted today. This might be a virtue or a vice depending upon how persuaded one is by the premises, but consider where the argument turns next. After September 11, the 9/11 Commission in its comprehensive review (and agreeing with many other observers) concluded that a contributing factor to the success of the attack was a legal limitation (colloquially known as “the Wall”) on the sharing of intelligence information with law enforcement authorities. Many of our post-9/11 modifications of law, including two provisions of the Patriot Act (sections 218 and 504) have been aimed at reducing the barriers to information sharing and, in effect, tearing down the Wall. Solove argues (in chapter eight) that this was a mistake. He calls the Wall the “Crime-Espionage Distinction” and lauds it as an important protection of American privacy interests: “The distinction is essential to prevent government espionage from swamping the system we have in place to protect privacy rights and civil liberties. …. Espionage is a necessary function of government, but it is a dangerous and shadowy one, and it must remain confined lest it start polluting our constitutional democracy, where the government must be subjected to oversight and public accountability.” (p. 80). Solove sees the case of Brandon Mayfield as an example of the problems that arise when the crime-espionage distinction is eliminated. Mayfield, an Oregon attorney, was wrongly suspected of a connection to the Madrid March 2004 bomb plots. The connection was supported by faulty fingerprint evidence that, in the end, proved unreliable. Based on that evidence, Mayfield’s home was bugged and, in the end, he was wrongfully detained as a material witness. The government later acknowledged its error and apologized. The rest of us might demur from Solove’s contention that this case illustrates the virtues of the Wall. While everyone can agree that Mayfield’s surveillance and detention were horrible mistakes (the government paid him a $2 million settlement for that very reason) his case hardly seems to be a poster-child for abusive use of the new post 9/11 espionage tools instead of criminal law. Solove (p. 79) says that “the focus of the investigation [of Mayfield] was clearly criminal” (and thus that espionage surveillance under the Foreign Intelligence Surveillance Act (FISA) should not have been used). But the opposite is really the case, as the Inspector General for the Department of Justice concluded in a 2006 review of the Mayfield case. According to the IG (not a man with a reputation for going easy on the Department), given the devastating terrorist impact of the Madrid bombings (with which Mayfield was wrongly suspected to be connected), “the FBI's need for intelligence information to help identify and disrupt any potential plot would have led the FBI to seek a FISA warrant rather than a criminal warrant. In our view, therefore, Sections 218 and 504 [of the Patriot Act] did not affect the government's decision to pursue FISA search and surveillance authority in this matter.” The weakness of the Mayfield example suggests that Solove may have overestimated the threat to privacy and liberty from the demise of the Wall. More fundamentally, Solove’s analysis at the micro level does not do justice to the nuance of his appreciation for the multivariate nature of privacy that he initially offered at the macro level. One would have hoped that an understanding of the variegated nature of the societal privacy value would carry through to an equally differentiated analysis of potential methods for accommodating both privacy and security concerns. At least as a theoretical matter we might use (say) an administrative system to protect less significant privacy values and a judicial system to protect the more significant ones. Yet, Solove’s book offers an incessant, systematic preference for closer judicial scrutiny of government activity – almost to the exclusion of other management paradigms. Under Solove’s model, the best way to protect privacy is to require the government to establish some predicate showing of need or cause before it may act. Solove recognizes that enhanced judicial scrutiny and a predicate requirement come with a cost – the cost associated with greater barriers to government intervention. But, as the crime-espionage distinction analysis makes clear, this is a price Solove is willing to pay to more closely protect privacy values. I fear, however, that Solove underestimates the effect that his judicial scrutiny/predicate model will have on the practical application of security measures. The costs are more than the simple marginal decrease in activity that comes from adding a predicate requirement for government action. Predicates and judicial scrutiny mean more litigation. Even reasonable judgments will be subject to post-hoc review. And this, in turn, will require more detailed recordkeeping, and more rigid and formalized processes. Those are significant costs that will, in the end, result in the undervaluing of security concerns. Government employees are, by their nature, risk adverse and they need little incentive to avoid controversial action. If every exercise of a security function (say secondary screening at an airport) is to be accompanied by new paperwork and the specter of judicial review, the natural and inevitable consequence will a reduction in screening beyond that which we would expect from the addition of a predicate requirement. The costs are not merely marginal; they are finally institutional as well. One way of seeing how significant the follow-on and institutional effects would be is offered in Solove’s chapter on datamining (Ch. 19). Solove thinks most data mining programs don’t work – that they are overbroad, rife with false positives, and threaten civil liberties. But Solove does say that he would permit data mining in limited circumstances. How limited? Consider the following hypothetical that Solove analyzes (p. 195-96): Imagine that the government had a concrete tip from a credible source that two naturalized American citizens (formerly from Saudi Arabia) who worship at a particular mosque intend to rent a U-Haul truck and detonate a bomb in Los Angeles tomorrow. Under current law, the FBI could take two data sets (of mosque members and U-Haul renters) available to them through a subpoena and cross-match them to see if a lead could be developed. From this we might expect on the order of a half-dozen leads, some of which would prove to be dead ends, but two of which might be our suspected terrorists. Solove, however, would subject the analysis to judicial review. He would first require the FBI to explain the nature of the tip to a court, and then also require it to show why the U-Haul records (of how many rentals in Los Angeles on a typical day? Hundreds? Thousands?), alone, were inadequate. He’d also require the destruction of the records after they were used (though not, presumably, if in fact the records led to the apprehension of two terrorists, for then they would be evidence of a crime). Yet this example isn’t really data mining in the first instance. Data mining, strictly speaking, is an effort to discern patterns where there is no predicate for action (as, for example, in trying to use a “red team” to develop a pattern of terrorist activity). Here, what Solove defines as “data mining” is really more a form of link analysis, taking a factual predicate (or, in this case, two factual predicates) and using orthogonal sets of data to determine whether or not a suitable lead for investigation is presented. This distinction is more than pedantic. The government’s collection of this data is problematic not because of the uncertainty of pattern analysis. Indeed, we would expect a cross match of, say. mosque membership and U-Haul rental records to give us a pretty small set of leads. Rather, the analysis is problematic, if at all, because its effectiveness is bottomed on the collection a complete data set, including not only the data of those who might be planning terrorist acts, but also the data of thousands of innocent U-Haul renters and mosque attenders. Here I have some real sympathy for Solove’s argument. The collection of large data sets of innocent information allows the data holder to develop a picture of an individual that is more useful than any single data point. Small bits of data aggregated together form a mosaic of information that reveals information of incredible depth. But Solove’s solution – judicial oversight as a predicate to investigation – is, I think, the wrong one. Just reading the description of the requirements he would impose (judicial validation of the tip and proof that there were no other alternatives) would leave most FBI agents shaking their heads in wonder. With only one day to find the bomb, these barriers to effective action might well prove insurmountable. How, after all, are they to prove that the U-Haul records alone are not enough, save by using them in isolation and failing? Would resource constraints and time constraints count? If so, how much, and to what degree, and with what level of proof from the government? In short, Solove’s analysis doesn’t do justice to his own nuanced approach to privacy. The better approach would recognize that the intrusion of investigative scrutiny is less significant than intrusions on other privacy values. Here, the right place to interpose the judiciary, in my view, would be later in the process when the consequences of an investigation (search warrant, arrest, trial, conviction, and sentencing) and the nature of the privacy intrusion play out. This conception of privacy, as a protection against unwarranted adverse consequence, has the advantage of being tied to concrete action in the public sphere – a characteristic that enhances transparency and advances accountability, just as Solove’s theory of privacy would predict, without the significant adverse investigative consequences that his solution would incentivize and engender. In the end, I suspect that my concerns about his analysis won’t convince Solove. Nor would my failure to convince him surprise me. Fundamentally, we don’t agree on first principles. For Solove, privacy seems to be a platonic ideal – a critical social value that trumps many others. For me, privacy is an instrumental value. It acts in service of other social goods (democracy, limited government, autonomy, etc.) and the fundamental question is whether and how the particular mechanisms we’ve chosen to protect privacy relate to and advance those underlying social values. And that is why it seems to me fair to say that Solove’s argument is an ontological one. For him, privacy is a social good than which nothing greater can be conceived. And if you accept that premise, then his critique of the current security/privacy structure is both apt and convincing. But like Anselm’s ontological argument for the existence of God, the foundational premise requires a leap of faith – and if you don’t accept Solove’s premise, you won’t agree with his conclusions. (Paul Rosenzweig teaches law at George Washington University, and is the principal at Red Branch Consulting, a homeland security consulting firm.)