A Brief History of US Data Privacy

While IP networks are new relative to the age of our nation, the concept of privacy isn’t. Consider the Colonial-era postal service – mail carriers were required to swear an oath to keep letters sealed. Today we have somewhat of a web-oath—our privacy policies—which are also mostly based on the honor system.

Even with the postman’s oath in place, the colonial mail system still had enormous security holes. The local postal official often stored the letters in his house or other properties. And by the way, it was not unusual for a postmaster to also run (long pause) a tavern. Matters finally improved when a young sys admin named Benjamin Franklin took over this, ahem, early packet network.

First Franklin ordered that the post office could not be located in a private house. Then he secured the actual packets: local postmasters had to seal letters in sacks, which were to be unsealed only when they reached their final destination. A primitive but functional detective control, and subsequent deterrent.

To bring the history of privacy and communications technology closer to our era, consider the privacy involved in the early telegraph network. By 1848 the “Victorian Internet” had grown to over two thousand miles of line, mostly in the northeastern US; and just prior to the Civil War, the network extended almost sixty thousand miles.

Like the Internet, these early telegraph service providers began to collect all kinds of metadata for accounting purposes, which meant keeping copies of the telegrams. Unlike the postal system, a telegram required a far deeper trust in a third-party–one that could theoretically steal and abuse their confidential data. Consumers, though, were willing to trade the more secure postal system for the speedier high-tech telegram.

Sound familiar?

While there were no federal statutes protecting the privacy of telegrams, under pressure from nervous consumers, telegraph operators had strong business incentives to keep their records confidential. Still, there were limits to this privacy protection.  For instance, operators still had to release telegrams when a court order was issued.

Today in the EU, the right to privacy has a far stronger legal footing (see my last post) than here in the US. However, Congress is considering tightening up consumer privacy rights with the Kerry-McCain sponsored—note the language here—“Commercial Privacy Bill of Rights”.

The Kerry-McCain privacy law—the broadest Federal protection for online privacy to date—is very explicit about what makes up personally identifiable information, or PII. If passed in its current form it will have important security and IT implications for US businesses. I’ll cover both the recently published FTC privacy guidelines and the Privacy Bill of Rights in my next post.

In evaluating these new proposed rules, just remember this isn’t the first time in our history that privacy rules and regulations have been worked out for a complex public communications system.

Get the latest security news in your inbox.