Saturday, October 23, 2021

Privacy Lessons: A Tale of Two Jobs

In just the last two weeks, two high-profile jobs in the worlds of

privacy and Internet public policy were filled, and the appointments say

a lot about the companies, the candidates, and how two major industry

names have chosen to approach some of the thorniest policy issues of the

day.

According to the National Journal, Google announced last week that it was

opening a new office in Washington, D.C. It will be devoted to lobbying

and public policy. Their choice to head this newly created office, Alan

Davidson, is one of Washington’s most respected technology policy

advocates.

About the same time, ChoicePoint hired Carol DiBattiste to be its new

CPO. But we’ll get into that in a minute. For now, let’s focus on

Davidson.

An MIT-educated programmer who developed software for the International

Space Station, Davidson also holds a law degree from Yale. As associate

director of the non-profit Center for Democracy and Technology (CDT) for

much of the last decade, his hands-on technical expertise and top-drawer

legal skills have helped Davidson earn a reputation in Washington as an

honest broker who deftly balances the realities of business with the

needs of sound public policy.

I’ve known Alan almost since his first days at the CDT, where we usually

collaborated, and occasionally clashed, on issues relating to spam,

Internet privacy, and telecommunications policy. So at a personal level,

I was very happy to see a friend moving to what will undoubtedly be an

exciting new gig at Google.

But more than that, I also was very excited for Google, and what their

choice says about them as a company.

I have criticize

d Google on a number of occasions, mostly for its executives’ lack of

foresight on many privacy-related matters. From the privacy implications

of their search capabilities, to the recent privacy questions arising

from spy satellite images in their Google Maps service, company execs

seem all too frequently to be caught flat-footed by privacy questions

that any good privacy analyst should have told them were inevitable.

I’ve also defende

d Google when I thought the company was being unfairly lambasted. For

example, when my own California state senator, Liz Figueroa, proposed

privacy legislation that would have crippled Google’s Gmail web-based

email service, I schlepped to Sacramento on my own time to meet with the

senator’s staff to discuss my concerns.

These privacy flubs are not unique to Google and are really just a

symptom of a chronic problem at many Silicon Valley companies: a lack of

appreciation for the importance of being engaged in the public policy

process. Google is by no means alone in being so slow to get its footing

in the policy arena, but its execs are to be congratulated for making up

for lost time by hiring someone of Alan Davidson’s caliber.

Meanwhile, another hiring last week in the high-tech world marked a

watershed moment in the history of corporate Chief Privacy Officers

(CPOs).

According to a report in the Atlanta Journal-Constitution, executives at

embattled

data broker ChoicePoint hired DiBattiste for an astounding $900,000

in annual salary and guaranteed bonuses.

DiBattiste, former deputy administrator of the Transportation Security

Administration (TSA) — the people who root through your unmentionables

and confiscate your nail clippers at airport security checkpoints — was

an interesting choice for ChoicePoint, especially at a time when the

company was facing increased scrutiny, including Congressional hearings,

over its lax privacy practices.

ChoicePoint trades in databases full of the private information of

millions of citizens. It claims its databases help law enforcement track

criminals, corporations uncover fraudulent vendors, and help HR

departments avoid hiring scoundrels. Yet, despite its claimed prowess in

fraud detection, ChoicePoint was recently forced to admit it had been

tricked by identity thieves into selling them the private financial data

of more than 140,000 consumers.

Having helped create the world’s first corporate Chief Privacy Officer

position, and as a continued advocate for companies to hire CPOs, my

initial reaction to the ChoicePoint announcement was shock, pride, and —

yes, I’ll admit it — a tinge of jealousy, at the size of the

compensation package. Because she’s not well-known in the privacy field,

I set out to learn more about who Ms. DiBattiste is, and why she could

command such a princely sum. What I found was not encouraging.

DiBattiste’s name surfaced recently in emails obtained through the

Freedom of Information Act by the Electronic Privacy Information Center

(EPIC), a non-profit privacy advocacy group. In their document request,

EPIC sought to uncover information about passenger records that were

released by the airline JetBlue to the Defense Department, in possible

violation of JetBlue’s privacy policy.

According to the documents, the privacy officer at the Department of

Homeland Security, Nuala O’Connor Kelly, was tasked with investigating

the JetBlue incident, but kept getting the run around. When Ms. Kelly

escalated the problems up the chain of command at TSA, the investigation

continued to hit one brick wall after another.

Frustrated, Kelly sent an email to TSA deputy administrator Carol

DiBattiste in November 2003. ”I had sent my first inquiry to TSA public

affairs, my second to (the agency’s risk assessment office), but

information has not been forthcoming,” Kelly wrote. ”This is

particularly disturbing… We’re getting better information from outside

then we have from our own folks at this time.”

DiBattiste’s helpful response? ”TSA Public Affairs has no information in

response to your request.” Indeed, it would seem that ChoicePoint chose

well, particularly if its goal is to avoid getting to the bottom of

privacy problems.

Unfortunately, the reality is that DiBattiste was mostly likely chosen

not for any privacy expertise but for her ability to smooth any feathers

among her former TSA colleagues that ChoicePoint’s recent disasters might

have ruffled.

You see, government agencies like the Department of Homeland Security and

the TSA represent a huge market for ChoicePoint’s products, so

whitewashing their privacy problems is clearly going to be a top

priority. And for nearly a million dollars in total compensation, their

new Chief Privacy Officer will be able to afford a lot of paint brushes.

The larger lesson to be learned from comparing these two hires comes from

seeing the contrasting approaches of Google and ChoicePoint. In my

estimation, Google chose somebody who could help them engage deeply in

the thorny issues facing them, while ChoicePoint opted for a government

insider whose recent trip through the revolving door gives them the best

opportunity to wave away past mistakes with the secret handshake.

While I wish both of these folks success in their new positions, you can

probably guess where my money is when it comes to which company will

successfully navigate its way through future privacy-related minefields.

Similar articles

Latest Articles