Commentary

Fixing Privacy

“This process is broken,” federal legislators incanted when they discovered that their omnibus spending bill contained language opening citizens’ tax records to members of Congress. In fact, the incident proved that more things are broken than the process. Americans’ privacy from government snooping is broken too.

Taxation is a favorite tool of social engineers in both parties. To do their work they need personal information - lots of it: on children, charitable giving, investments, home-based business, and home ownership, to name a few. The modern income tax guts our privacy and exposes the entrails of our personal and financial lives.

The Washington Post has reported that the IRS has denied congressional staff access to facilities where tax returns are processed for the protection of citizens’ privacy. That is a cute excuse, if not a believable one.

To get around it, someone snuck language into a giant congressional spending bill giving certain members of Congress carte blanche access to “Internal Revenue Service facilities and any tax returns or return information contained therein.” When this language was discovered, Sen. Kent Conrad (D.-ND) pitched a fit and attempts to pass the bill ground to a stop.

In the larger scheme, this was a tempest in a teapot. Privacy of tax return information is already a dead letter. The Internal Revenue Code makes abundant provision for sharing taxpayers’ returns with congressional committees, Treasury Department officials, the president, and a host of other government institutions and interested parties. Were tax returns going to become even less private? It’s a little beside the point.

The point is the massive amount of data required from Americans to administer the income tax. Plans to reform the tax system and Social Security, discussed so prominently since the election, should include the restoration of privacy as a fundamental goal.

Though all eyes were on this controversy, privacy did gain a little ground in one provision of the omnibus spending bill. Buried deep in the text of the bill, there is a provision requiring each federal agency to have a Chief Privacy Officer. Each agency CPO’s job is “to assume primary responsibility for privacy and data protection policy.”

Among other things, federal CPOs are supposed to assure that privacy is sustained by new technologies, to guard compliance with the Privacy Act, to assess the privacy consequences of new rules, and to report to Congress on Department activities that affect privacy.

This is progress, though it may not amount to much. Without aggressive and continuous oversight from Congress, agencies may relegate the CPO job to remote and soundproof corners of the bureaucracy. CPOs themselves may minimize their roles by pretending that compliance with the Privacy Act creates privacy itself. Worse, CPOs could be co-opted by their agencies and become the chief apologists for data-voracious bureaus and programs.

Experiences with the federal agency privacy officer have been mixed. The Department of Homeland Security’s Privacy Officer, Nuala O’Connor Kelly, has slipped into advocating for her agency at times but, in general, she has done a creditable job of maintaining distance from the programs and bureaus she oversees.

The new privacy law in the omnibus spending bill requires independent, third-party review of the use of personal information in each agency - the fingerprints of a major accounting firm, one must assume.

But it does not call for a complete catalogue of the personal information collected, stored, used, and shared by each federal agency. If it were even possible to collect this information, it would be a blockbuster and a real eye-opener to Congress, which rarely considers privacy when it pushes a new program onto the bureaucracy.

Without clear requirements to provide specific information, or a clear definition of “privacy,” the privacy language in the omnibus bill will probably not advance privacy protection very substantively.

Rather, it will start a privacy meta-debate: Are CPOs reporting about the things that Congress meant them to? Are CPOs talking about privacy, or other data protections? What kinds of technologies protect privacy and what erode it?

These are worthwhile debates to have, but they reflect just how much government has already eroded our privacy. A journey of a thousand miles begins with one step. Perhaps this will be that step.

Jim Harper is director of information policy studies at the Cato Institute.