Privacy v. Security:

The Privacy Paradigm and Canadian Regulation

For: The Ontario Information and Privacy Commissioner

A Working Paper

By: Martin French

Department of Sociology

Queen’s

Abstract
This paper takes a snapshot of the recent privacy v. security debate. It observes that, where privacy, which has been paradigmatically articulated as a limited individual interest, is pitted against security, which is often articulated as a broad social interest, privacy is trumped by security. This formulation eclipses any discussion of people’s social interest in privacy. More importantly, it fails to contemplate the differential effects of increased security/surveillance measures. While post-9/11 austerity measures jeopardize the privacy of all, it is the already marginalized groups of society who are threatened most by increased surveillance. Although privacy advocates may no longer be able to speak of privacy without also speaking of security, they can put privacy on more equal terms with security by underscoring its collective dimension. This paper concludes with a brief discussion of that dimension and how privacy advocates might invoke privacy’s collective dimension to strengthen their position vis-à-vis security.

Last year, on September 26, Maher Arar, Canadian citizen and resident of Ottawa, was on his way to Montreal from Tunis. On a stopover at New York’s Kennedy International Airport, Mr. Arar was detained, fingerprinted, and photographed by the American Immigration and Naturalization Service (hereafter INS). The INS questioned Mr. Arar for nine hours and accused him of knowing suspected ‘terrorists’ in Canada - an accusation Mr. Arar patently denied. Mr. Arar was subsequently held in solitary confinement in a Brooklyn prison for 11 or 12 days before being deported to Syria (Khan 2002).

After having spent a harrowing 374 days in a Syrian jail, Mr. Arar was returned to Canada this October (CAF 2003a). His return was hailed by the Canadian federal government as a diplomatic success story. At the same time that the government was trumpeting its diplomatic prowess, a number of concerned groups were calling for a public inquiry into the strange events that led to Mr. Arar’s extraordinary deportation. Several federal Members of Parliament, The Canadian Arab Federation, The Council on American-Islamic Relations Canada, and The Canadian Civil Liberties Association have all expressed an interest in knowing the level of the Canadian government’s involvement in Arar’s deportation. As Riad Saloojee, executive director of the Council on American-Islamic Relations Canada, has observed, the Solicitor General “is unable to discount the possibility that elements in the RCMP passed on information to the Americans that led to the deportation of [Maher Arar]” (Saloojee, 2003). Did the RCMP or the Department of Foreign Affairs pass information they had collected on Mr. Arar to American authorities?

Has the Canadian state’s use of the personal information of Arab-Canadians changed since the enactment of the post-9/11 legislation? One must be careful not to over-exaggerate the effects of September 11 on surveillance practices - they were certainly already highly integrated in government practice before the terrorist attacks. Nevertheless, the September 11 event has undeniably been used to push legislative boundaries and intensify existing practices (Lyon 2003: 4-7). At this point in time it is difficult to untangle current events from their context and point directly to the manifest surveillance techniques that the state is using to track Arab-Canadians. Undoubtedly, there is a range of techniques being used.

Without having access to the details, the best we can do is infer from the mysterious nature of several arrests and detentions that the personal information of Arab-Canadians is subject to greater than average surveillance.[1] All of these incidents point to the tenuous nature of civil liberties for the non-white populations in this country. More than this, they tell us that today, not every Canadian can expect the same amount of privacy.

♦ ♦ ♦ ♦

Indeed, we are now living in an ethos in which security has become a paramount concern of the state. If the end of the Cold War and the driving forces of globalization had put the state’s role as guarantor of security into question by the 1990s, after 2001, this function has been pursued with rejuvenated vigor. But the job of making the state secure has seemed to change in some important, qualitative ways. The principal of these is that threats to security have been reconceptualized to account for non-state actors. The generic terrorist group has become a focal point of security and intelligence activity. The covert nature ascribed to such terrorist groups seems to demand extraordinary legislative power and, in Canada, laws that had at one time been deemed sufficient have been retro-fitted to contend with elusive threats. The effect of this legislative make-over has been to draw interests, such as privacy, into a conflictual relationship with security.

This paper, which is a conceptual and exploratory exercise, opens with a description of the privacy paradigm drawn from Colin J. Bennett and Charles D. Raab’s recent book, The Governance of Privacy. The paper then turns to an examination of post-9/11 texts by the federal Office of the Privacy Commissioner. Articulations of privacy within these government texts are rooted within the privacy paradigm and therefore automatically subordinate privacy to security. As a corrective to such paradigmatic articulations, this paper concludes by positing a collective conceptualization of privacy that can be used to resist infringement in the name of security.

I

The Privacy Paradigm: Juxtaposition and Subordination

Let me, at the outset, establish a two-level analytical model that will help me to clearly explain where privacy loses ground to security. One level we may characterize as abstract and the other level we may characterize as concrete. These two levels are in dynamic interaction with each other. The abstract level is constituted by a number of concepts whose relation to each other actually establishes the foundation on which debate at the concrete level will occur. The act of definition is of paramount importance here. It is in this level that privacy has tended to be subordinated a priori to security. The subordinate relation of privacy to security in this level sets the conditions of possibility for discourse in the concrete level.

The necessities of administration tend to demand that, in any kind of government context, the majority of debate occurs on the concrete level. The concrete level is also perceived to be the pragmatic level, the level where practical action may be taken. Debate at the concrete level requires that we agree upon the terms of discourse that have been laid out at the abstract level. When we think about the Privacy v. Security debate in this two-level analytical model, we can descend from the largely procedural framework of law and policy that helps us reconcile different, often competing interests to a consideration of the generally agreed upon but seldom questioned terms that make up the points of reference at the concrete level.

While the word privacy may have a comparatively uniform meaning at the concrete level, it is an essentially contested concept in the abstract. Privacy has a long history of diverse, context-specific meanings (see, for instance, Westin 1967: 7). In a western context, however, few definitions of privacy adequately consider essential cultural, class-related, or gender differences (Bennett and Grant, 1999: 5). Indeed, when one tracks the history of the term in the concrete discourses of law and policy, a dominant conceptualization emerges. This conceptualization is a product of a set of assumptions that have generally gone unquestioned. Together, these assumptions have been described by Bennett and Raab, in their recent book The Governance of Privacy, as the privacy paradigm (2003: 13). They argue that the privacy paradigm rests on “an atomistic conception of society [where] the community is no more than the sum total of the individuals that make it up” (2003: 14).

The paradigmatic conceptualization is founded upon the belief that there exists a boundary around the individual that separates him/her from other individuals and organizations (Bennett and Raab, 2003: 14). This conceptualization is expressed in such early-modern definitions as the well-known one put forth by the American Judge Louis Brandeis who, in 1890, asserted that privacy was an individual’s “right to be let alone” (Warren and Brandeis). It is also expressed more contemporarily, by Roger Clarke, for instance, who has suggested that privacy is “the interest that individuals have in sustaining a ‘personal space’, free from interference by other people and organizations” (1999). Canada’s office of the Privacy Commissioner has frequently defined privacy as “the right to control access to one's person and to information about oneself” (see, for instance, Canada, 2002a). This statement is not only individualistic in nature; it also reflects the fact that the concept of privacy is often fused with the concept of data protection. This particular combination of concepts tends to frame the privacy discourse in terms of the management of personal information (Baniser, Andrews, et al., 2002: 1).

In law and policy discourse the privacy paradigm’s entrenchment has fostered four central assumptions about the nature and limitations of privacy protection. Bennett and Raab give a concise explanation of these. First, it is commonly assumed that information privacy protection must be procedural and cannot be substantive. This assumption turns on the subjective nature of privacy, holding it to be impossible to designate this or that kind of personal information as inviolable. Second, information privacy rights, it has been assumed, ought not be regarded as property rights. This assumption stems from the perceived difficulty of assigning a financial value to seemingly intangible information. Bennett and Raab (2003) observe:

Consumers may have some bargaining power with a direct marketing firm that wants to trade lists of named individuals; citizens, however, have no bargaining power when faced with a warrant or any other potentially privacy-invasive technique backed up by the sanctions of the state. Let us recall that, at the outset of the privacy debate, it was the power of government agencies that were considered to pose the most significant challenges (17).

Consequently, privacy protection has tended to function at arm’s length from the often economic forces motivating organizations to carry out surveillance.

A third erroneous assumption is that privacy protection is achieved if the security of personal information can be guaranteed. This assumption stems from a confusion between privacy and security.[2] It has ensured that information privacy protection mechanisms hold the data, rather than the person, to be the object of protection. Fourth and finally, since privacy rights are in the province of the individual, it has generally been assumed that groups and organizations do not have a right to privacy per se (Bennett and Raab, 2003: 18). This assumption is tied to the liberal conceptualization of privacy.

This fourth assumption is not limited to policy or legal outputs. Indeed, it seems to monopolize public imagination. As David Phillips and Michael Curry have argued, popular discourses of privacy in North America have, over the last thirty years, reflected this paradigmatic, individualist conceptualization of privacy. Since the 1970s, popular media have linked computerized data management techniques with privacy concerns. However, rather than focusing on bureaucratic social management, privacy, and discrimination, the media discourse has employed “regressive privacy frames” (2003: 147). In essence, the media discourse has focused on personal affronts associated with data collection, such as identity theft and telemarketing. It has simultaneously ignored such structural effects as increased inequity and the creation of a society fractured into exclusive and precise segments (Phillips and Curry, 2003: 15).

The assumptions that constitute the privacy paradigm are firmly ensconced in the social imaginary and are, therefore, very difficult to overcome. The ramifications, however, for limiting privacy rights to individuals are substantial. The next section of this paper will consider some of these ramifications by looking at two texts from the federal Office of the Privacy Commissioner. These texts are interesting because they attempt to balance privacy against security. However, because of the way that privacy is paradigmatically articulated, its simple juxtaposition against security automatically subordinates it in this context. Hence, to speak of balancing privacy with security is to make it difficult to come to a consideration of whose privacy is being given up for whose security.

II

Paradigmatic Articulations - Privacy v. Security: The Debate in Action

The privacy issue first appeared on the legal agenda in Canada, as in other places, in response to three important developments: the computerization of personal information systems in the public sector; use by the state of the Social Insurance Number as a general identification number; and an increasing sense of alienation from government agencies. These developments prompted the creation of the Office of the Privacy Commissioner in 1977, as part of the broader Canadian Human Rights Act. The privacy sections of this Act were not retired until 1982 when Canada passed a stand-alone Privacy Act (Bennett, 2001). The Privacy Act makes the Privacy Commissioner an independent officer of Parliament. Under this act the Commissioner has a mandate to:

Investigate complaints and conduct audits under two federal laws; publish information about personal information-handling practices in the public and private sector; conduct research into privacy issues; and promote awareness and understanding of privacy issues by the Canadian public (Canada, 2002b)

Consequently, the Commissioner may subpoena witnesses, compel testimony, enter premises in order to obtain documents and conduct interviews, and conduct audits of federal institutions, recommending changes where necessary (Baniser, Andrews, et al., 2002: 135).

It is clear from the above descriptions that the principal aspects of the federal Privacy Commissioner’s mandate are of an investigative and regulatory nature. I am interested, however, in emphasizing the educative role that the Privacy Commissioner ought to play at this juncture.[3] I will return to this point by way of conclusion. Suffice it here to say that the texts I am about to examine were likely written with this educative role in mind. The former Privacy Commissioner, whatever his shortcomings, must be given due credit for at least making sure that there was a privacy side in the federal security v. privacy debate.

Unfortunately, in spite of his efforts to keep privacy on the agenda, the Commissioner was working squarely within the privacy paradigm. He consequently framed privacy in a regressive way, automatically subordinating it to security interests. In perhaps one of his most progressive speeches, former Privacy Commissioner George Radwanski discussed the connection between privacy and racial discrimination. This timely address observed a clear connection between systematic racism and the systematic reduction of privacy by new policies advocating the use of intrusive technologies. Radwanski observed:

When the right to privacy is not sufficiently respected, particularly by the State, those who are likely to feel the intrusion first and most sharply are those who stand out from the crowd - those who are racially or ethnically different (Canada, 2003a).

Given this consideration, Radwanski asked whether increased surveillance is linked to an erosion of social solidarity. Could intensified surveillance make people choose their associations “…on the basis of their skin colour or ethnic background” (Canada, 2003a)?

This is an important question to ask. It raises the social dimension inherent in privacy when privacy is situated, in the abstract, against surveillance. It implicitly asks whether the systematic violation of some people’s privacy fosters a climate of mistrust. Surveillance theorists have gone some considerable way to articulate this chilling effect of the surveillance society (see generally: Dandeker, 1990; Ericson and Haggerty, 1997; Gandy, 1996; Haggerty and Ericson, 2000; Lyon, 1994, 2001, and 2003; Marx, 1988; and Staples, 1997). Regrettably, Radwanski does not here extend his discussion of privacy’s social dimension to the debate on how best to articulate privacy interests in the face of a collective interest in security. He simply reverts to the paradigmatic discourse which frames privacy as an individual interest to be balanced against the powers of the state. The protection of privacy, he argues, is “founded for the dignity, autonomy and freedom of the individual” (Canada, 2003a).

This way of framing privacy is perhaps nowhere more problematic than when the former Privacy Commissioner specifically attempted to discuss the balance between privacy and security. In a May, 2003 speech, Radwanski addressed “the balance between our fundamental human right of privacy and our need as a society for security against crime and terrorism” (Canada, 2003b). This statement established security as a social need. Privacy, however, is constructed as an individual interest. Radwanski drew on an opinion he commissioned by retired Supreme Court Justice Gérard Laforest to make the point that privacy underpins freedom. Unfortunately, at the same time that he was making this claim, he suggested that the freedoms enumerated in our constitution are “grounded in the notion that individuals have a right to a private sphere of thought and action that is no business of others - including the state” (Canada, 2003b). This framework conforms to the commonly held liberal notion that pits individual interests against social interests in an attempt to justify policy and legal decisions. Thus dichotomized, this framework promises the possibility of striking some balance between individual and social interests.

Indeed, Radwanski argued: “We do not have to choose between privacy and security. We have to balance them. There is no reason we cannot have both privacy and security if we apply our minds to the question of how to balance them” (Canada, 2003b). However, as Raab has argued, although it may be possible to balance privacy against other interests in a theoretical sense, achieving such a balance in actuality is likely impossible. Indeed, there are so many variables and interrelations that cannot be conceived within such a theoretical balancing framework that it is generally fallacious to speak of striking a balance (Raab, 1999: 76-77). As Raab puts it: