Who are these “Chief Privacy Officers” and why didn’t they blow the whistle on the NSA?

By Simon Davies

The US government has a lot of explaining to do about the role of its oversight Privacy Officers in the NSA affair. In short, these watchdogs appear to have done nothing, but have entirely escaped media and political scrutiny.

In theory, privacy oversight over NSA-related matters rests with the CPOs of the Department of Defense (DoD) and the Office of the Director of National Intelligence (ODNI), but it’s as if those roles never existed. Not a word has been heard from either of them.

But it’s not just the government privacy officers who need to be put under the microscope. Where were the privacy staff in private sector companies such as Verizon throughout this entire affair? To at least some extent these officials are supposed to protect the organisation by protecting the consumer, and yet increasingly it seems their role is cosmetic.

The situation offers two possible scenarios. Either privacy officers are subjected to the Mushroom Syndrome (fed on shit and kept in the dark) or they might indeed have known what was going on and said nothing (or been told to say nothing). Neither is a healthy state of affairs.

This issue is particularly relevant given that the NSA has called for applicants for the post of Civil Liberties & Privacy Officer, a role which seems somewhat pointless in the light of the silence from existing oversight privacy officers. I suggested in a previous post that the agency appears to be dragging its feet over this appointment and has given the role scant autonomy or resources.

In a rare moment of public reflection on this topic Alex Fowler, CPO of Mozilla, wrote an opinion piece for the International Association of Privacy Professionals (IAPP) urging his colleagues to consider the wider ethical obligations on privacy officers.

“All of the companies caught up in the news that complied with secret court orders to hand over bulk user data have privacy officers and dedicated teams of privacy professionals. Yet the extent to which any of these privacy teams were involved or were aware of these orders is unclear. This simple irony provokes reflection on the role of privacy professionals and our associated ethical and social responsibilities.”

Alex Fowler of Mozilla

These points are relevant to more than just an arcane professional sector. IAPP has 14,000 members in 83 countries, and these people – at the policy and at the operational level – collectively represent the credibility of the privacy field. And yet Fowler raises foundational questions that should have been resolved long before the current crisis forced that debate:

“As privacy professionals, do we have ethical obligations to the people whose data is our professional responsibility, or only to our employers? How do we handle conflicts of loyalty that arise? Does public safety trump privacy in every case and in any circumstances? Do we have obligations to report – even secretly, under legal requirements – our objections?”

At the moment there are few answers, but it’s a certainty that over the next few months more attention will be paid to privacy professionals. It is in their – and the public’s – interest to resolve those questions swiftly and courageously.