The Core Tradeoff: Privacy or Security?

US policy makers struggle with the tension between protecting personal privacy and enabling law enforcement surveillance. We know that both are important, but at a certain point, prioritizing one priority shortchanges the other. 

If we lock down electronic privacy, then terrorists can plan in secret and drug dealers’ jobs become much easier. Organizing crime or violence simplifies; paying for it stays hidden.

But giving the police free reign impacts privacy and restricts our lives, Think about it. If you believed that the police were watching everything you did – that everything you clicked on and every move you made could be public – you would live more carefully.

The US has been expanding privacy protections with two new omnibus personal privacy laws in California and similar new laws in Virginia and Colorado.  Dozens of state laws protecting personal privacy in some form or another have been enacted in the past decade. Most recently, several cities have passed rules restricting police use of facial recognition systems in law enforcement.

And yet, those same facial recognition systems are allowed to be applied everywhere else in the US – even without warrants. This may even include use of private facial databases like the much-maligned Clearview AI that has pulled millions of faces from the internet. Police in this country can also access vast DNA databases and some have famously used private consumer DNA companies to achieve convictions. They can tap into home security networks and break into smartphones and email accounts.

In the US, we generally resolve the conflict between privacy and surveillance in favor of law enforcement, although state and local laws are chipping away at this police legal domination and adding limited privacy rights.

Europeans, on the other hand, claim that privacy – a broad and elusive concept – is a human right, and therefore their governments are more restricted in what they can do. Companies are certainly more restricted in collecting data. Just this month the Austrian Data Protection Authority held that using Google Analytics violates privacy laws, mostly because data is sent to the US. This is a huge step toward demanding data localization in Europe, a requirement that could cause havoc for European and US businesses alike, despite the facts that Google Analytics neither tracks nor profiles people across the internet and that Google Analytics customers are prohibited from uploading information that could be used by Google to identify a person.

But European governments and law enforcement are similarly restricted and chastised by the privacy enforcers.  Weeks ago the European Data Protection Supervisor (“EDPS”) sanctioned the European Parliament for breaking data privacy rules. The supervisor ruled that parliament improperly used cookies on its COVID website and according to TechCrunch, “The parliament was also found to have failed to respond adequately to complainants’ requests for information — breaching additional legal requirements law which provide Europeans with a suite of access rights related to their personal data.”

More directly to the point of this column, two weeks ago the EDPS ordered Europol, the law enforcement agency of the European Union, to delete a huge volume of personal data—at least 4 petabytes (20% of the US Library of congress)—collected from police agencies and currently used in active law enforcement cases. According to The Guardian, “Among the quadrillions of bytes held are sensitive data on at least a quarter of a million current or former terror and serious crime suspects and a multitude of other people with whom they came into contact. It has been accumulated from national police authorities over the last six years, in a series of data dumps from an unknown number of criminal investigations.”  

The Guardian also notes that Europol is working to become the center of machine learning and AI in policing, so it will need as much data as possible to make the machine learning algorithms effective. Even European politicians, who can reliably expect favorable press from espousing privacy protection, are defending Europol in this matter. 

Europol denies any wrongdoing and defends its practice of collecting such massive amounts of data, stating in a press release, “The EDPS Decision will impact Europol's ability to analyse complex and large datasets at the request of EU law enforcement. This concerns data owned by EU Member States and operational partners and provided to Europol in connection with investigations supported within its mandate. It includes terrorism, cybercrime, international drugs trafficking and child abuse, amongst others.” The EDPS wants most information trashed after six months, but Europol points out that its work frequently entails investigations of longer that six months. Apparently Europol tried over the past year to keep the conflict under press radar, but the EDPS wanted to have a public debate.

This particular issue is at the core of the privacy/surveillance tradeoff. This Europol database truly will have an impact on stopping drug rings, child abuse and terrorist attacks in Europe, but the privacy police don’t seem to care. The fight is ugly already and will get worse if the EDPS gets its way and changes the EU voters’ minds about how far to protect privacy.

Some of those European minds are already settled on protecting law enforcement’s investigation tools rather than personal privacy. While no longer in the EU, the UK approaches privacy issues with a similar mindset, but Rolling Stone just reported that the UK government plans a publicity program against tech companies enabling end-to-end encryption for messaging. The government wishes to mobilize public opinion against Apple’s bolstering of personal technology encryption and Facebook’s decision to encrypt its messenger app. “According to documents reviewed by Rolling Stone, one the activities considered as part of the publicity offensive is a striking stunt — placing an adult and child (both actors) in a glass box, with the adult looking “knowingly” at the child as the glass fades to black. Multiple sources confirmed the campaign was due to start this month, with privacy groups already planning a counter-campaign.” The UK government feels that end-to-end encryption of these technologies will “diminish the effectiveness of UK bulk surveillance capabilities, make fighting organized crime more difficult, and hamper the ability to stop terror attacks.”

The privacy-vs-surveillance debate will continue as long as privacy is prized while invading privacy is necessary to protect society from violence. The US is early in its attempts to set a balance, but Europe is further along. We can learn from the resolutions of their privacy/surveillance conflicts.