I Second That Skepticism

The ACLU’s Chris Calabrese notes that nominations to the Privacy and Civil Liberties Board were forwarded from the Senate Judiciary Committee to the full Senate this morning. Congress created the Board in August 2007, and we have waited, and waited, and waited while the Bush and Obama administrations neglected to appoint anyone to it.

Calabrese is rightly skeptical that the “PCLOB” can make a difference:

[T]he national security establishment is huge, with tens of thousands of employees and a budget of more than $60 billion. The NSA alone has more than 30,000 employees. Contrast that with the PCLOB. It’s currently authorized (if it finally gets filled) to spend a whopping $900,000 and hire ten full-time employees for the 2012 fiscal year. With this level of staffing, it’s hard to imagine that the Board and its investigators can even begin to understand this vast national security infrastructure, never mind properly oversee it.

I have a fair amount of experience with privacy oversight in the U.S. government, having served on the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee. That experience has fairly well validated my thinking in 2001, before there were “privacy officers”:

The appointment of a privacy czar or creation of a privacy office is a poor substitute for directly addressing the voraciousness of many government programs for citizens’ personal information. Political leaders themselves should incorporate privacy into their daily consideration of policy options, rather than farming out that responsibility to officials who may or may not have a say in government policy.

To see how the PCLOB fits into government thinking, we can look at a 2007 speech given by Donald Kerr, principal deputy director of National Intelligence. To him, “privacy” is giving the government access to all the data it wants, subject to oversight.

[P]rivacy, I would offer, is a system of laws, rules, and customs with an infrastructure of Inspectors General, oversight committees, and privacy boards on which our intelligence community commitment is based and measured. And it is that framework that we need to grow and nourish and adjust as our cultures change.

That’s not privacy.

So don’t think for a minute that privacy will be better protected with a PCLOB in place, except perhaps marginally in the few programs that the Board dips into.

The membership of the board is slated to be: Jim Dempsey of the Center for Democracy and Technology, a sincere and knowledgeable privacy player, whose “player” role I find incompatible with producing good privacy outcomes; Elisebeth Collins Cook, a former Department of Justice lawyer who I had never heard of before her nomination; Rachel Brand, an attorney for the U.S. Chamber of Commerce also unknown to me; Patricia Wald, a former federal judge for the D.C. Circuit whose privacy work is unknown to me; and David Medine, currently a WilmerHale partner who will chair the board. Medine is unquestionably government-friendly. He was a Federal Trade Commission bureaucrat who helped draft the Gramm-Leach-Bliley financial privacy and the Children’s Online Privacy Protection Act (COPPA) regulations.