Protecting Privacy in the 2020 Census

In 2018 the Census Bureau discovered that results of the 2010 census could be processed and matched with external sources in such a way as to reveal confidential personal information, in violation of the law.

“This had not been thought to be feasible owing to the large amount of data and computation involved,” a new report from the JASON science advisory panel said. But in fact it was feasible, the JASONs confirmed. The risk of re-identifying protected personal information “is four orders of magnitude larger than had been previously assessed.”

In order to prevent this potential privacy violation, the Census Bureau proposes to use an approach called Differential Privacy. This method, developed by Cynthia Dwork and colleagues, adds “tailored noise” to the results of any query of the census data. Doing so makes it possible “to publish information about a survey while limiting the possibility of disclosure of detailed private information about survey participants.”

The JASONs affirmed that the Differential Privacy technique would provide the necessary privacy protection but said that it would come with a cost in accuracy, particularly with respect to small data groups.

“As the size of the population under consideration becomes smaller, the contributions from injected noise will more strongly affect such queries. Note that this is precisely what one wants for confidentiality protection, but is not desirable for computation of statistics for small populations.”

See Formal Privacy Methods for the 2020 Census, JASON report JSR-19-2F, April 2020.

“Depending on the ultimate level of privacy protection that is applied for the 2020 census, some stakeholders may well need access to more accurate data,” the JASONs said.

“A benefit of differential privacy is that products can be released at various levels of protection depending on the [desired] level of statistical accuracy. The privacy-loss parameter can be viewed as a type of adjustable knob by which higher settings lead to less protection but more accuracy. However, products publicly released with too low a level of protection will again raise the risk of re-identification,” the new report said.

*    *    *

The JASONs are currently working on a new study of how to safely reopen research laboratories during the ongoing pandemic, Jeffrey Mervis of Science Magazine reported this week.

“Jason is examining such issues as the 1.8-meter separation rule, the efficacy of personal protective equipment, and the optimal way to reconfigure work space given how the virus is thought to spread.” See “Secretive Jasons to offer advice on how to reopen academic labs shut by pandemic,” May 11.

2017 Intelligence Bill Would Constrain Privacy Board

The jurisdiction of the Privacy and Civil Liberties Oversight Board (PCLOB) would be restricted for the second year in a row by the Senate Intelligence Committee version of the FY2017 Intelligence Authorization Act (S.3017). Section 603 of the Act would specifically limit the scope of PCLOB’s attention to the privacy and civil liberties “of United States persons.”

Internal disagreements over the move were highlighted in the Committee report published last week to accompany the text of the bill, which was reported out of Committee on June 5.

“While the PCLOB already focuses primarily on U.S. persons, it is not mandated to do so exclusively,” wrote Senators Martin Heinrich and Mazie K. Hirono in dissenting remarks appended to the report. “Limiting the PCLOB’s mandate to only U.S. persons could create ambiguity about the scope of the PCLOB’s mandate, raising questions in particular about how the PCLOB should proceed in the digital domain, where individuals’ U.S. or non-U.S. status is not always apparent. It is conceivable, for example, that under this restriction, the PCLOB could not have reviewed the NSA’s Section 702 surveillance program, which focuses on the communications of foreigners located outside of the United States, but which is also acknowledged to be incidentally collecting Americans’ communications in the process,” they wrote.

“Over the past three years, the Privacy and Civil Liberties Oversight Board has done outstanding and highly professional work,” wrote Sen. Ron Wyden in his own dissent. “It has examined large, complex surveillance programs and evaluated them in detail, and it has produced public reports and recommendations that are quite comprehensive and useful. Indeed, the Board’s reports on major surveillance programs are the most thorough publicly available documents on this topic. My concern is that by acting to restrict the Board’s purview for the second year in a row, and by making unwarranted criticisms of the Board’s staff in this report, the Intelligence Committee is sending the message that the Board should not do its job too well.”

In support of the provision, the report said that “The Committee believes it is important for the Board to consider the privacy and civil liberties of U.S. Persons first and foremost when conducting its analysis and review of United States counterterrorism efforts.”

But the PCLOB already considers U.S. person privacy “first and foremost.” And the language of the Senate bill does not appear to permit even “secondary” consideration of the privacy of non-U.S. persons. Last year, the FY2016 intelligence authorization bill barred access by the Board to information deemed relevant to covert action.

On June 16, Sen. Patrick Leahy paid tribute to retiring PCLOB chair David Medine on the Senate floor. “[PCLOB] reports and Mr. Medine’s related testimony before the Senate Judiciary Committee have been tremendously beneficial to Congress and the American people in examining government surveillance programs,” he said.

Data and Goliath: Confronting the Surveillance Society

Within a remarkably short period of time– less than two decades– all of us have become immersed in a sea of electronic data collection. Our purchases, communications, Internet searches, and even our movements all generate collectible traces that can be recorded, packaged, and sold or exploited.

Before we have had a chance to collectively think about what this phenomenal growth in data production and collection means, and to decide what to do about it, it threatens to become an irreversible feature of our lives.

In his new book Data and Goliath: The Hidden Battles to Capture Your Data and Control Your World (Norton, 2015), author and security technologist Bruce Schneier aims to forestall that outcome, and to help recover the possibility of personal privacy before it is lost or forgotten.

“Privacy is not a luxury that we can only afford in times of safety,” he writes. “Instead, it’s a value to be preserved. It’s essential for liberty, autonomy, and human dignity.”

Schneier describes the explosion of personal data and the ways that such data are harvested by governments and corporations. Somewhat provocatively, he refers to all types of personal data collection as “surveillance,” whether the information is gathered for law enforcement or intelligence purposes, acquired for commercial use, or recorded for no particular reason at all. Under this sweeping definition, the National Security Agency and the FBI perform surveillance, but so do Google, Sears, and the local liquor store.

“Being stripped of privacy is fundamentally dehumanizing, and it makes no difference whether the surveillance is conducted by an undercover policeman following us around or by a computer algorithm tracking our every move,” he writes (p.7). Others would argue that it makes all the difference in the world, and that while one never wants to be followed by an undercover policeman, a computer algorithm that helps us drive a car to our destination might be quite welcome. Schneier, of course, knows about the benefits of such applications and acknowledges them later in the book.

Having gained access to classified NSA documents that were leaked by Edward Snowden and having aided reporters in interpreting them, the author is particularly exercised by the practice of bulk collection or, the term he prefers, mass surveillance.

“More than just being ineffective, the NSA’s surveillance efforts have actually made us less secure,” he says. Indeed, the Privacy and Civil Liberties Oversight Board found the “Section 215” program for bulk collection of telephone metadata to be nearly useless, as well as likely illegal and problematic in other ways. But by contrast, it also reported that the “Section 702” collection program had made a valuable contribution to security. Schneier does not engage on this point.

Aside from the inherent violations of privacy, Schneier condemns the NSA practice of stockpiling — instead of repairing — computer software vulnerabilities and government strong-arming of Internet firms to compel them to surrender customer data.

His arguments are fleshed out in sufficient detail that readers will naturally find points to question or to disagree with. “For example,” he writes, “the NSA targets people who search for information on popular Internet privacy and anonymity tools” (p. 38). It’s not clear what “NSA targeting” means in this context. Many people conduct such information searches with no discernible consequences. In any case, Schneier positively encourages readers to seek out and adopt privacy enhancing technologies.

“Surveillance is a tactic of intimidation,” Schneier writes, and “in the US, we already see the beginnings of [a] chilling effect” (pp. 95-96). But this seems overwrought. One may curse the NSA, file a lawsuit against it, advocate reductions in the Agency’s budget, or publish its Top Secret records online all without fear of reprisal. Lots of people have done so without being intimidated. (Agency employees who defy their management are in a more difficult position.) If there is a chilling effect associated with NSA surveillance, it doesn’t appear to originate in the NSA.

What is true is that surveillance shapes our awareness and that it can alter our conduct in obvious or profound ways. Many people will slow down when driving past a police car or a traffic surveillance camera. Almost all will modify their speech or their behavior depending on who is listening or watching. The book is particularly good at exploring the ramifications of such surveillance-induced changes in the way we behave and interact, and the risks they pose to an open society.

In the latter portions of the book, Schneier presents an action agenda for curbing inappropriate surveillance including steps that can be taken by government, by corporations, and by concerned members of the public. The proposals are principled and thoughtful, though he admits not all are readily achievable.

Schneier’s core objective is to preserve, or to restore, a domain of personal privacy that is impervious to unwanted intrusion or monitoring.

He acknowledges the necessity of surveillance for valid law enforcement and intelligence purposes. Among other things, he calls for the development of privacy-respectful innovations in these areas of security policy.

“If we can provide law enforcement people with new ways to investigate crime, they’ll stop demanding that security be subverted for their benefit.” Similarly, “If we can give governments new ways to collect data on hostile nations, terrorist groups, and global criminal elements, they’ll have less need to go to the extreme measures I’ve detailed in this book…. If we want organizations like the NSA to protect our privacy, we’re going to have to give them new ways to perform their intelligence jobs.”

Along these lines, a 2009 study performed for the Office of the Director of National Intelligence that was released last month raised the somewhat fanciful possibility of “crowdsourcing intelligence”:

“The intelligence community has a unique opportunity to engage the public to help filter and solve a multitude of difficult tasks…. For example, consider a citizen-driven Presidential Daily Brief and its potential to enable truly democratic communication to the highest levels in the United States.”  See Mixed Reality: Geolocation & Portable Hand-Held Communication Devices, ODNI Summer Hard Problem (SHARP) Program, 2009.

Anyway, for many people the erosion of personal privacy has arrived abruptly and overwhelmingly. They might reasonably conclude that the changes they’ve experienced are beyond their ability to control or influence. Schneier insists that that is not necessarily the case– but that the future of privacy depends on how much the public cares about it. This challenging book explains why privacy matters, how it is threatened, and what one can do to defend it.

“In the end, we’ll get the privacy we as a society demand and not a bit more,” he concludes.