Reader's advisory: Wired News has been unable to confirm some sources for a number of stories written by this author. If you have any information about sources cited in this article, please send an e-mail to sourceinfo[AT]wired.com.
Two months into her job as chief privacy officer for the Department of Homeland Security Department, Nuala O'Connor Kelly spoke by phone and e-mail with Wired News about her personal experiences with both terrorism and government surveillance, what she really did at Internet advertising firm DoubleClick, and how she's balancing government antiterrorism efforts with the rights of the people whose privacy she's now charged with protecting.
Wired News: You've described yourself a "geek at heart." What is it about technology that interests and excites you?
O'Connor Kelly: What interests me about technology is our ability to develop and discover things that help us, particularly that help us communicate, live, work, and thrive through our own intelligence and ingenuity. I suppose it sounds incredibly corny, but it's one form of making the world a better place.
What excites me is our own power to create; to make something that runs, moves, operates – whether on the screen or elsewhere in our lives – that essentially has a life, or at least a purpose, of its own.
I think the challenge for me, since I am enamored of technological solutions, is to remember that sometimes technology is not the complete fix. It takes a combination of technology, people, policies and practices to ensure that something like privacy, for example, is embedded into the culture of an organization or into a particular program or activity.
WN: How did you become involved in privacy issues? Was it a burning interest of yours or did you just sort of end up here?
O'Connor Kelly: That story is part accidental and part intentional, probably like many people's careers. The accidental part was being fortunate to get a number of different jobs in different places all dealing with phenomenal privacy issues in the online space, in the government space.
But I've been interested particularly in the relationship between government and the individual, and the impact on personal privacy and dignity for a long time. I was born in Northern Ireland and spent a little bit of time there as a child. Living in an environment of terrorism and security issues has an impact on people that goes far beyond even the immediate fear of the terrorist act.
The governmental actions that often flow from anti-terrorism purposes equally affect the individual, and that individual's sense of their personal autonomy and space. We in the United States are learning and evaluating and creating our response to terrorist acts such as those on September 11, and in the process of developing that response, we need to consider the impact that our response will have on the lives and dignity and privacy of our neighbors and our children and ourselves.
WN: What do you think will be the most challenging part of your job?
O'Connor Kelly: I think any time you're trying to have a cross-cultural conversation – between technologists and non-technologists, between government and those outside government, between our country and other countries – the risk of misunderstandings is great.
I see myself as an internal educator – to bring an awareness of privacy and data-protection practices to a new organization – and also as a translator.
But I also I think external education is crucial as well, so that people can form educated opinions about the scope of DHS's activities. Being precise and accurate and complete and clear, particularly when talking about complex technologies, is a challenge.
WN: Any unexpected challenges that have cropped up since you started, things that now appear to be a bit more complicated that you expected?
O'Connor Kelly: I think our impact on non-U.S. citizens is something we need to consider further.
As an immigrant, I've always thought that I've been sensitive to non-citizens living in the States. But the need for our government to understand the flow of people and persons is crucial to making our homeland safe for all of us, citizens and residents alike.
I think having the conversation internationally about how people flow across borders is a hard one, since each country has a different system of accepting visitors, and also wants to protect the rights of its citizens to the greatest extent possible when they travel.
WN: Some people are becoming increasingly spooked over the government's plans to gather private information in the war against terrorism. What is your response to people who are skeptical about the need and effectiveness (against terror) of the new surveillance plans?
O'Connor Kelly: I have frequently said (both before and since joining the government) that a healthy skepticism about the government is a good thing, and part of our right as Americans.
I think the idea of "mission creep" is something we should be constantly vigilant about, not only to protect the rights of people who are affected by these programs, but also because I want DHS to succeed as an organization, and part of that means defining and achieving its mission.
WN: Some have suggested that your primary job is to provide good PR for homeland defense, not to make real changes in how the government handles private data. Your response to that?
O'Connor Kelly: I've heard that comment (I think I read it in Wired, in fact), and I have to confess to being quite baffled by it.
I have no background in PR, and I haven't been in Washington long enough to know how to "spin" things. People who know me know how hard I work now, and how hard I worked at DoubleClick to make good decisions internally for the organization. Perhaps I should have demanded more credit externally, but that part of the job never occurred to me.
I do think it's incredibly important to be transparent and accountable and accessible. We owe it our citizens, our customers, our clients, to explain what it is we're doing.
If that's PR, then I suppose it's part of the job. But I don't think of it as PR; I think of it as communicating accurately and responsibly to citizens so that they are aware of what their government is up to ... so that they can make informed judgments about those activities. Apparently, I've done a really poor job of PR on my own behalf, as I think that most of my work was internal to the organizations I've been a part of, and apparently those on the outside didn't know the scope of it.
WN: Can you bring me up to date with what's happening with CAPPS II (Computer Assisted Passenger Prescreening System)?
O'Connor Kelly: I think the CAPPS II program has come a tremendously long way from a privacy perspective since people first started talking about it.
In the few weeks I've been here, I've learned about some important, and even impressive, privacy protections that the CAPPS II team has put in place based on feedback received formally and informally through responses to the first Federal Register notice announcing the system, through open meetings with the public, with advocacy groups, with members of Congress.
Where it stands now is that the department will be issuing shortly a new Privacy Act notice that details what the system plan is, what it would do, what information is collected, used, and stored, and for what purpose. I think the notice will answer many of the questions and address many of the concerns that people have about the system.
The notice may also raise some more questions, and that's OK. We still have questions, too, about CAPPS II and that's why we're going to test the technologies, put the system through its paces, over the summer and into the fall, to see if it can work. That's another reason for the test – while it won't be making decisions affecting traveling passengers, the system will contain personal information for a time, and people have a right to know that.
Wired News: Will you develop ways to check the accuracy of the data that CAPPS II accesses, limit the information that is collected, and also enable ways for people to easily correct captured data?
O'Connor Kelly: Those are pretty much all the key questions, from a policy side, that we're in the process of answering on CAPPS II. We've built some good protocols on data accuracy and on minimizing what data will be collected and what data will be retained, and for how long.
I think the harder question is the timely correction of data. We're in the process of building a system where people can complain about problems to a passenger advocate, but eventually DHS will have a process through which individuals can complain to a passenger advocate, an ombudsman, and eventually to me and my office.
I'm confident that we will figure out a way to resolve issues in the long term but I want to, in the short term, minimize travelers' delays, and I believe that the greater accuracy that new technologies will bring in this system, versus the current system, will allow us to minimize the incidence of incorrect data.
WN: What else is on your immediate to-do list?
O'Connor Kelly: We want to create an educational structure across the department, where the privacy office works with and teaches fair information principles in a formal and informal way. And we're working on creating procedural frameworks where privacy is considered at the beginning of the development of any new policy or product or procedure, so that privacy becomes core to the development, rather than an afterthought.
Plus, making sure we're being brought into all DHS programs that use personal data. It's a big department – 182,000 employees – so that's a lot of ground to cover.
WN: Are you meeting any resistance within the DHS when you promote privacy concerns?
O'Connor Kelly: In general, I have met with great support from my colleagues. The tension in providing access and transparency is particularly striking, however, in the most highly sensitive, classified information and information about law enforcement activities.
We have some forms of information which are essential to ongoing investigations, for example, which, if revealed, might imperil a legitimate law enforcement activity ... while the investigation is ongoing.
In these cases, we need to devise ways of providing redress mechanisms for people who feel that they've been wrongly singled out, or who believe that the wrong information might be somehow associated with them, while still protecting the data for legitimate purposes. That's something I will be working on, and that I already am working on.
WN: How do you balance the needs of your employer (the government) with the needs of the people whose privacy you're charged with protecting?
O'Connor Kelly: I think of citizens and the people affected by DHS's activities as our ultimate client, or boss, or stakeholder, whatever word you want to use. I actually find it much easier – perhaps this is my legal training or just a personal trait – to aggressively protect the needs of others rather than my own personal needs.
Ultimately I don't see a tension or a balancing act between the needs of the government and the people. The mission of the government should be to meet the needs of the people. In DHS's case, the need is to create a secure homeland, but that means not only securing the people and the places, but also the lifestyles and the liberties of Americans and our visitors.
And just as being safe from terror is one of those liberties; so is the ability to safeguard one's privacy.
