After seven years, government data-regulation committee recommends new federal bureaucracy

The NRC report says the United States should follow the European model of creating Yet Another Federal Bureaucracy.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
3 min read

MONTREAL -- Remember the fable about the scorpion and the frog? The scorpion can't help himself from stinging the frog: "I could not help myself. It is my nature."

Keep that in mind when reading a new 400-page government report from the National Research Council, which is called "Engaging Privacy and Information Technology in a Digital Age" and has been in the works for seven years. Its availability was announced on Friday afternoon here at the 2007 Computers, Freedom and Privacy conference.

If this sounds a little tedious, you're right, but NRC reports tend to be cited by members of Congress and the press. So this could end up being pretty important. (An earlier NRC report in the 1990s played a role in loosening encryption restrictions.)

The NRC report says the United States should follow the European model of creating Yet Another Federal Bureaucracy (YAFB) that would supposedly rein in the excesses of the Feds and, eventually, probably be handed the power to impose new regulations on U.S. businesses. To wit: "The committee recommends... that a national privacy commissioner or standing privacy commission should be established to provide ongoing and periodic assessments of privacy developments."

The report isn't listed on the home page of the National Academies Press Web site or the site of the Computer Science and Telecommunications Board, which actually organized the committee that created it. But if you poke around, you can find it and the executive summary on their site.

The primary problem with creating YAFB is the obvious one: Can a federal privacy commissioner appointed by President Bush be expected to criticize the National Security Agency's warrantless surveillance program? Will a commissioner appointed by President Clinton have sufficient independence to say that the Clipper Chip and encryption restrictions are just plain stupid ideas? Why do we think that a Republican-appointed commissioner would not look more favorably on Intel (which gives plenty of money to the GOP) and a Democratic one would not whitewash issues with Google (which had only one employee give money to a Republican candidate in the first quarter of 2007).

After hundreds of years of attempting to find ways to secure judges who are insulated from bias and partisanship, and still coming up short, it seems unlikely YAFB will be all that useful. The so-called Privacy and Civil Liberties Oversight Board has been mostly useless. In fact, a YAFB for privacy could be actively harmful in two ways: First, its bureaucrats would have a strong incentive to expand their own power and budget by inventing new and economically onerous ways to impose unnecessary data collection and use regulations on private firms. Second, by endorsing harmful government privacy practices, it would provide a useful political shield for future administrations.

Other recommendations:

* "Principles of fair information practice should be extended as far as reasonably feasible to apply to private sector organizations that collect and use personal information."

* "The U.S. government should undertake a broad systematic review of national privacy laws and regulations. Second, the committee recommends that government policy makers should respect the spirit of privacy-related law."

* "Governments at all levels should take action to establish the availability of appropriate individual recourse for recognized violations of privacy."

To be sure, the report is extensive -- even the executive summary is 37 pages -- and I haven't had enough time yet to even begin to digest it. There are certainly may laudable sections, such as recognizing that many privacy regulations involve tradeoffs and insisting that politicians and bureaucrats take the issue seriously.

Because it's the product of a committee, many areas are relatively bland and general. "There are too many recommendations," said Susan Landau of Sun Microsystems. "There was far too much waffling."

Lee Tien of the Electronic Frontier Foundation added: "It suffers from not having enough civil liberties practitioners on the board and too many academics."

Representatives of the committee who spoke at the Montreal CFP conference defended the report by saying it was necessarily a consensus, which meant that it avoided taking strident positions. They added that it took seven years because it was a hard problem that took a lot of discussion and negotiation, plus updates as events overtook the report.