http://www.cato.org/tech/tk/041111-tk.html

Privacy Threats from a Banana Republic

The Cato Institute
TechKnowledge Newsletter
Issue #93
November 11, 2004

by Jim Harper

By now, the economics of offshore outsourcing are clear. Offshore outsourcing creates economic growth, bringing more and better things to more people.

Free trade in services is equivalent to free trade in goods, of course, and data processing is the latest, greatest activity to ply the oceans of world trade. Outsourced services include tax preparation, handling of customer inquiries and complaints, accounts payable and accounts receivable operations, software development, and data entry. The twin revolutions in telecommunications and computing are making possible new waves of efficient Information Age production.

Some do resist the forward motion of a growing, changing economy. One way opponents fight offshore outsourcing in data services is by raising privacy concerns. Most of those concerns have little real weight. U.S. privacy promises and contract obligations go wherever data goes. Legal obligations like the privacy torts apply no matter the data's format, transfer medium, or location. And regulatory requirements do not cut out when data moves offshore.

Anywhere on the globe, good practices protect privacy and bad practices do not. Good outsourcers investigate their service providers carefully, making sure there is proper training of employees. They check that computers used for data processing do not have open Internet connections, e-mail, or instant messaging. They keep data processing rooms free of pencils, paper, printers, and copy machines so employees can't abscond with data. Information is not stored at remote locations any longer than necessary. And, of course, they use encryption when transferring data. Given all these good practices, data sent offshore may be more secure than data processed domestically.

Likewise, bad practices fail to protect privacy, onshore or off. The one known case where offshore outsourcing has threatened privacy illustrates this: In late 2003, the UCSF medical center in San Francisco originated a long outsourcing chain that stretched through many links to Pakistan. When the medical transcriber at the other end wasn't paid, she threatened to publish patient information on the Internet. That is a hardball practice, at best, but the mendacity and double-dealing that caused the situation was entirely homegrown, by a deceitful subcontractor in the exotic, faraway land of Florida.

There is one legitimate privacy threat from offshore outsourcing. This has been called the "foreign subpoena problem." Obviously, other countries do not have the same Fourth Amendment protections that the United States has. It is possible that data moved offshore could be collected by a foreign government in violation of data subjects' privacy. For example, a country trying to get tax information from its own citizens who invest in the United States might collect U.S. financial records that appear within its borders.

The primary solution to the foreign subpoena problem is the self-interest of "insourcing" countries. It would be job-destroying foolishness -- economic suicide in some cases -- for the government of a data processing country to arbitrarily seize foreign data. The mere threat of local government seizure would chase foreign clients away. Only the densest government would attack its economic base in this way.

The "foreign subpoena problem" with offshore outsourcing first came up as a theoretical possibility that could arise if some banana republic lacked the good sense to protect data transferred to it for processing. Unfortunately, that banana republic may turn out to be the United States.

Section 215 of the USA Patriot Act dramatically lowered the threshold for secret judicial orders requiring data holders to turn over information about non-U.S. persons. It also expanded the scope of what could be sought. American law enforcement now may seize entire databases of information, and it is against the law for anyone to reveal this when it happens.

Section 218 of the act also broadened the authority of investigators to perform physical searches and electronic surveillance in foreign-involved cases. Formerly, foreign intelligence gathering had to be the "primary purpose" for such activities. Now, it only need be a "significant purpose." This small change in wording is a huge expansion in investigative authority.

USA Patriot Section 505 lowered the threshold for the FBI to issue secret orders requiring businesses to disclose customer information without the permission of a judge. Subsequent legislation broadened the scope from financial services providers, phone companies, and Internet service providers to include travel and real estate agents, the U.S. Postal Service, jewelry stores, casinos, and car dealerships. That section has been enjoined by a court in New York because the secrecy requirement is so restrictive.

Last month, the information and privacy commissioner for British Columbia released a report exploring the risk to British Columbians from outsourcing of data across Canada's long border with the United States. It concluded that the personal data of Canadians transferred to the United States is at unique risk of seizure thanks to the USA Patriot Act. It even found that data held in Canada by a subsidiary of a U.S. company could be at risk.

All countries have laws that require disclosure of data for national security and law enforcement purposes. The United States has long been a beacon of freedom because our laws have been more protective of privacy and civil liberties than others. But, today, Canadians are right to be concerned about the privacy of data they transfer to the United States because of the USA Patriot Act's provisions.

Make no mistake: this issue got where it is because of opposition to free trade. The British Columbia Government and Service Employees? Union brought it forth in a suit to prevent the British Columbia government from using a U.S.-linked contractor to run the province's public health insurance program. The union is no altruistic privacy group.

The problem is: they're right. Thanks to excessiveness in some provisions of the USA Patriot Act, the United States is reversing its global orientation from a beacon of freedom to the paragon of a surveillance society.

The USA Patriot Act provisions worrying Canada are not scheduled to sunset next year, as some portions of the law are. When Congress reviews the USA Patriot Act, it should consider whether these provisions are consistent with American freedom. It should avoid being terrorized or sloganeered by our country's national security bureaucracy. And it should protect not only our civil liberties but also our role as a world leader in technology and free trade.

Jim Harper ([email protected]) is the director of information policy studies at the Cato Institute in Washington, D.C. (www.cato.org/tech).