In just the last two weeks, two high-profile jobs in the worlds of
privacy and Internet public policy were filled, and the appointments say
a lot about the companies, the candidates, and how two major industry
names have chosen to approach some of the thorniest policy issues of the
According to the National Journal, Google announced last week that it was
opening a new office in Washington, D.C. It will be devoted to lobbying
and public policy. Their choice to head this newly created office, Alan
Davidson, is one of Washington’s most respected technology policy
About the same time, ChoicePoint hired Carol DiBattiste to be its new
CPO. But we’ll get into that in a minute. For now, let’s focus on
An MIT-educated programmer who developed software for the International
Space Station, Davidson also holds a law degree from Yale. As associate
director of the non-profit Center for Democracy and Technology (CDT) for
much of the last decade, his hands-on technical expertise and top-drawer
legal skills have helped Davidson earn a reputation in Washington as an
honest broker who deftly balances the realities of business with the
needs of sound public policy.
I’ve known Alan almost since his first days at the CDT, where we usually
collaborated, and occasionally clashed, on issues relating to spam,
Internet privacy, and telecommunications policy. So at a personal level,
I was very happy to see a friend moving to what will undoubtedly be an
exciting new gig at Google.
But more than that, I also was very excited for Google, and what their
choice says about them as a company.
I have criticize
d Google on a number of occasions, mostly for its executives’ lack of
foresight on many privacy-related matters. From the privacy implications
of their search capabilities, to the recent privacy questions arising
from spy satellite images in their Google Maps service, company execs
seem all too frequently to be caught flat-footed by privacy questions
that any good privacy analyst should have told them were inevitable.
I’ve also defende
d Google when I thought the company was being unfairly lambasted. For
example, when my own California state senator, Liz Figueroa, proposed
privacy legislation that would have crippled Google’s Gmail web-based
email service, I schlepped to Sacramento on my own time to meet with the
senator’s staff to discuss my concerns.
These privacy flubs are not unique to Google and are really just a
symptom of a chronic problem at many Silicon Valley companies: a lack of
appreciation for the importance of being engaged in the public policy
process. Google is by no means alone in being so slow to get its footing
in the policy arena, but its execs are to be congratulated for making up
for lost time by hiring someone of Alan Davidson’s caliber.
Meanwhile, another hiring last week in the high-tech world marked a
watershed moment in the history of corporate Chief Privacy Officers
According to a report in the Atlanta Journal-Constitution, executives at
data broker ChoicePoint hired DiBattiste for an astounding $900,000
in annual salary and guaranteed bonuses.
DiBattiste, former deputy administrator of the Transportation Security
Administration (TSA) — the people who root through your unmentionables
and confiscate your nail clippers at airport security checkpoints — was
an interesting choice for ChoicePoint, especially at a time when the
company was facing increased scrutiny, including Congressional hearings,
over its lax privacy practices.
ChoicePoint trades in databases full of the private information of
millions of citizens. It claims its databases help law enforcement track
criminals, corporations uncover fraudulent vendors, and help HR
departments avoid hiring scoundrels. Yet, despite its claimed prowess in
fraud detection, ChoicePoint was recently forced to admit it had been
tricked by identity thieves into selling them the private financial data
of more than 140,000 consumers.
Having helped create the world’s first corporate Chief Privacy Officer
position, and as a continued advocate for companies to hire CPOs, my
initial reaction to the ChoicePoint announcement was shock, pride, and —
yes, I’ll admit it — a tinge of jealousy, at the size of the
compensation package. Because she’s not well-known in the privacy field,
I set out to learn more about who Ms. DiBattiste is, and why she could
command such a princely sum. What I found was not encouraging.
DiBattiste’s name surfaced recently in emails obtained through the
Freedom of Information Act by the Electronic Privacy Information Center
(EPIC), a non-profit privacy advocacy group. In their document request,
EPIC sought to uncover information about passenger records that were
released by the airline JetBlue to the Defense Department, in possible
According to the documents, the privacy officer at the Department of
Homeland Security, Nuala O’Connor Kelly, was tasked with investigating
the JetBlue incident, but kept getting the run around. When Ms. Kelly
escalated the problems up the chain of command at TSA, the investigation
continued to hit one brick wall after another.
Frustrated, Kelly sent an email to TSA deputy administrator Carol
DiBattiste in November 2003. ”I had sent my first inquiry to TSA public
affairs, my second to (the agency’s risk assessment office), but
information has not been forthcoming,” Kelly wrote. ”This is
particularly disturbing… We’re getting better information from outside
then we have from our own folks at this time.”
DiBattiste’s helpful response? ”TSA Public Affairs has no information in
response to your request.” Indeed, it would seem that ChoicePoint chose
well, particularly if its goal is to avoid getting to the bottom of
Unfortunately, the reality is that DiBattiste was mostly likely chosen
not for any privacy expertise but for her ability to smooth any feathers
among her former TSA colleagues that ChoicePoint’s recent disasters might
You see, government agencies like the Department of Homeland Security and
the TSA represent a huge market for ChoicePoint’s products, so
whitewashing their privacy problems is clearly going to be a top
priority. And for nearly a million dollars in total compensation, their
new Chief Privacy Officer will be able to afford a lot of paint brushes.
The larger lesson to be learned from comparing these two hires comes from
seeing the contrasting approaches of Google and ChoicePoint. In my
estimation, Google chose somebody who could help them engage deeply in
the thorny issues facing them, while ChoicePoint opted for a government
insider whose recent trip through the revolving door gives them the best
opportunity to wave away past mistakes with the secret handshake.
While I wish both of these folks success in their new positions, you can
probably guess where my money is when it comes to which company will
successfully navigate its way through future privacy-related minefields.