Privacy Lessons: A Tale of Two Jobs
In just the last two weeks, two high-profile jobs in the worlds of privacy and Internet public policy were filled, and the appointments say a lot.
According to the National Journal, Google announced last week that it was opening a new office in Washington, D.C. It will be devoted to lobbying and public policy. Their choice to head this newly created office, Alan Davidson, is one of Washington's most respected technology policy advocates.
About the same time, ChoicePoint hired Carol DiBattiste to be its new CPO. But we'll get into that in a minute. For now, let's focus on Davidson.
An MIT-educated programmer who developed software for the International Space Station, Davidson also holds a law degree from Yale. As associate director of the non-profit Center for Democracy and Technology (CDT) for much of the last decade, his hands-on technical expertise and top-drawer legal skills have helped Davidson earn a reputation in Washington as an honest broker who deftly balances the realities of business with the needs of sound public policy.
But more than that, I also was very excited for Google, and what their choice says about them as a company.
I have criticized Google on a number of occasions, mostly for its executives' lack of foresight on many privacy-related matters. From the privacy implications of their search capabilities, to the recent privacy questions arising from spy satellite images in their Google Maps service, company execs seem all too frequently to be caught flat-footed by privacy questions that any good privacy analyst should have told them were inevitable.
I've also defended Google when I thought the company was being unfairly lambasted. For example, when my own California state senator, Liz Figueroa, proposed privacy legislation that would have crippled Google's Gmail web-based email service, I schlepped to Sacramento on my own time to meet with the senator's staff to discuss my concerns.
These privacy flubs are not unique to Google and are really just a symptom of a chronic problem at many Silicon Valley companies: a lack of appreciation for the importance of being engaged in the public policy process. Google is by no means alone in being so slow to get its footing in the policy arena, but its execs are to be congratulated for making up for lost time by hiring someone of Alan Davidson's caliber.
Meanwhile, another hiring last week in the high-tech world marked a watershed moment in the history of corporate Chief Privacy Officers (CPOs).
According to a report in the Atlanta Journal-Constitution, executives at embattled data broker ChoicePoint hired DiBattiste for an astounding $900,000 in annual salary and guaranteed bonuses.
DiBattiste, former deputy administrator of the Transportation Security Administration (TSA) -- the people who root through your unmentionables and confiscate your nail clippers at airport security checkpoints -- was an interesting choice for ChoicePoint, especially at a time when the company was facing increased scrutiny, including Congressional hearings, over its lax privacy practices.
ChoicePoint trades in databases full of the private information of millions of citizens. It claims its databases help law enforcement track criminals, corporations uncover fraudulent vendors, and HR departments avoid hiring scoundrels. Yet, despite its claimed prowess in fraud detection, ChoicePoint was recently forced to admit it had been tricked by identity thieves into selling them the private financial data of more than 140,000 consumers.
Having helped create the world's first corporate Chief Privacy Officer position, and as a continued advocate for companies to hire CPOs, my initial reaction to the ChoicePoint announcement was shock, pride, and -- yes, I'll admit it -- a tinge of jealousy, at the size of the compensation package. Because she's not well-known in the privacy field, I set out to learn more about who Ms. DiBattiste is, and why she could command such a princely sum. What I found was not encouraging.
According to the documents, the privacy officer at the Department of Homeland Security, Nuala O'Connor Kelly, was tasked with investigating the JetBlue incident, but kept getting the runaround. When Ms. Kelly escalated the problems up the chain of command at TSA, the investigation continued to hit one brick wall after another.
Frustrated, Kelly sent an email to TSA deputy administrator Carol DiBattiste in November 2003. "I had sent my first inquiry to TSA public affairs, my second to (the agency's risk assessment office), but information has not been forthcoming," Kelly wrote. "This is particularly disturbing... We're getting better information from outside than we have from our own folks at this time."
DiBattiste's helpful response? "TSA Public Affairs has no information in response to your request." Indeed, it would seem that ChoicePoint chose well, particularly if its goal is to avoid getting to the bottom of privacy problems.
Unfortunately, the reality is that DiBattiste was most likely chosen not for any privacy expertise but for her ability to smooth any feathers among her former TSA colleagues that ChoicePoint's recent disasters might have ruffled.
You see, government agencies like the Department of Homeland Security and the TSA represent a huge market for ChoicePoint's products, so whitewashing their privacy problems is clearly going to be a top priority. And for nearly a million dollars in total compensation, their new Chief Privacy Officer will be able to afford a lot of paint brushes.
The larger lesson to be learned from comparing these two hires comes from seeing the contrasting approaches of Google and ChoicePoint. In my estimation, Google chose somebody who could help them engage deeply in the thorny issues facing them, while ChoicePoint opted for a government insider whose recent trip through the revolving door gives them the best opportunity to wave away past mistakes with the secret handshake.
While I wish both of these folks success in their new positions, you can probably guess where my money is when it comes to which company will successfully navigate its way through future privacy-related minefields.