Privacy Advisor

The Privacy (and Security) Pro in the White House

July 19, 2013

By Sam Pfeifle
Publications Director

Much has been made of Nicole Wong’s appointment to work on privacy matters in the White House under U.S. CTO Todd Park, but there’s another privacy pro in the White House who actually has “privacy” in his title: Ari Schwartz, Director for Cybersecurity Privacy, Civil Liberties and Policy, National Security Staff, who started in the job this past month. (And, actually, there is another with privacy in his title in the White House: R. David Edelman, Senior Advisor for Internet, Innovation, and Privacy.)

Serving under Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, Schwartz is on something of a parallel track to Wong’s. While Wong works on a wide range of privacy issues, similar to the role that Danny Weitzner played while in the White House, “I’m much more focused on the security space,” Schwartz said in an interview with The Privacy Advisor, “working directly with the security agencies and the security staff.”

Private industry, too. Schwartz said public outreach is an integral part of his position. “They can approach me,” he said of private-industry CPOs. “If they have good ideas in the space, we definitely want to hear them.”

There are a lot of security standards out there; when a new problem comes up, and it gets solved, security ends up with a technical standard really quickly. You don’t see that in privacy.
Ari Schwartz

In fact, that’s part of why he got the job in the first place. “I used to go to the IAPP meetings when there were 200 people in the room,” he said of his privacy background, which has included recent stops at NIST and the Center for Democracy & Technology. “So the fact that people in the IAPP know me means that [my position] will be more high profile in that way, and Michael Daniel understood that when they asked me to come and take it.”

Maybe you’d like to chime in on the cybersecurity bill for which a draft proposal is circulating (see accompanying story). The bill is part of a line of work that began with the cybersecurity initiative announced in 2009 by President Obama that also created Schwartz’ position. Schwartz’s previous work with NIST as part of the Internet Policy Taskforce also played a major role in the public policy formulation in this area.

“We spent a lot of time over the last few years on the legislative side,” said Schwartz, “particularly around information sharing. Even in my short time here, I’ve been on information sharing: How do you go about making sure that PII is not mixed up in what is being shared with the government, and to private sector agencies, and between two government agencies when it’s not needed to figure out what the problem is? That is a key point.”

Schwartz also highlighted one of the key discussions held by the Privacy and Civil Liberties Oversight Board in last week’s public meeting: Is government oversight easier when the PII stays in the hands of private firms rather than government intelligence agencies? “And looking at privacy laws,” he said, “as we do liability protection for companies that do want to share some information, how do we do that in a way that still considers privacy … [and] have a discussion about how that can work in a way that helps share information without impinging on privacy.”

Not surprisingly, he sees frequent collaboration with the PCLOB in his future. “If you look at the cybersecurity legislation,” he noted, “in the administration’s first draft from May 2011, we call for the PCLOB to be part of the review process, and moving forward, the PCLOB will be very busy. We’re hoping they work on some of the direct cybersecurity pieces as well.”

For example, Schwartz said he’s looking closely at DDoS and botnet attacks. “One thing we’ve heard is that the entire Internet ecosystem should be working on botnet attacks,” he said, “and that means going to some companies that might not think of themselves as one the front lines with botnets, and do that in a way that protects privacy and gives notice to individuals who had their computers taken over.”

Further, Schwartz said it’s incumbent upon CPOs to know what he’s talking about when he talks about things like DDoS attacks and botnets. “Having people who are technically astute on your staff and having technical understanding is very helpful” for CPOs, he said. Maybe even make sure you’ve got an IT person dedicated to your privacy staff. At the very least, he said, liaising with the data security staff is crucial.

“There are some things that privacy could learn from the security world,” he said. “For instance, security uses standards a lot better than privacy. There are a lot of security standards out there; when a new problem comes up, and it gets solved, security ends up with a technical standard really quickly. You don’t see that in privacy.”

However, he said, “privacy has the principles laid out really well, as everyone who’s taken the CIPP knows well … I think this framework that NIST is putting together will help develop those principles a lot more clearly.

“I hope there is learning back and forth on both sides, and we can make both better.”

Read More By Sam Pfeifle:
Harris To Step Down at CDT, Looks To Continue Global Growth, Legislative Progress
First PCLOB Meeting’s Ideas for USA PATRIOT Act; FISA Improvements May Affect Interaction with Private Industry
The Future of Data Dealer Is in the Balance
How UI and UX can KO privacy