Postal Service privacy chief focused on maintaining public trust

Few people appreciate how much Zoe Strickland protects.

As the U.S. Postal Service's chief privacy officer, she's in charge of all the information the agency collects-home addresses, credit card numbers, stop-mail orders, change of address forms, and more-plus the information the agency could collect but doesn't-for example, the magazines people read and the catalogs from which they order.

"The Postal Service could compile a very detailed picture of your associations and your interests-everything from your religion to your political affiliations," says James Dempsey, executive director of the Center for Democracy and Technology, a Washington civil liberties group. Strickland must make sure that all projects and departments within the vast 700,000-employee organization meet the requirements of the 1974 Privacy Act, the 2002 Electronic Government Act, and the privacy provisions in Postal Service statutes.

Strickland guards Postal Service customers against privacy lapses due to unwanted marketing, criminal activities such as identity theft, and inappropriate government surveillance. Other privacy experts describe her as cerebral, and one could easily spend an entire afternoon in her modest office in the consumer advocate department, listening to her expound on her favorite topics: the meaning of privacy, the similarities and differences between business and government, the latest trends and issues in privacy policy, and the relationship between privacy and information security. When she became CPO in November 2000, the field of government privacy policy was terra incognita. She drew the road map.

"If the Homeland Security Department comes knocking on your door, what do you do?" she says, posing one of the big questions she loves to ponder. It's one that privacy advocates and national security hawks debate. Attorney General John Ashcroft's proposed Terrorism Information and Prevention System would have trained letter carriers to report anything suspicious they might see while delivering mail. The Postal Service declined to participate, and public outrage squashed the idea. A July 2003 report by a presidential commission recommended that the Postal Service require sender identification so mail can be traced. That's just not practical, Strickland says, and besides, the Postal Service wants to preserve people's ability to send mail anonymously.

Companies began creating chief privacy officers in the 1990s in order to address issues raised by increased use of databases, the Internet and electronic commerce. Today, about half of Fortune 500 companies have CPOs, estimates Larry Ponemon, who heads the Ponemon Institute, an information ethics think tank in Tucson, Ariz. CPOs are less common in government than in the private sector, despite the heightened privacy concerns associated with the push for information sharing. Government should view creating privacy protections as the "flip side" of speeding up information sharing, says Peter Swire, who served as the Clinton administration's privacy czar and now teaches law at Ohio State University. "Having an accelerator with no brake is a bad idea," he adds. Privacy officers are scattered across agencies including the Internal Revenue Service, the Census Bureau, the Commerce Department and, since April 2003, the Homeland Security Department.

Strickland arrived at the Postal Service in 1991, straight from law school at the University of North Carolina. The petite 37-year-old is formidable. "She's clearly a person you'd want to go into battle with on your side," says Robert Otto, the Postal Service's chief information officer. When she visited the Postal Service for a job interview, she saw opportunity. "They had every kind of law you could imagine," she says. "And they said there's a lot of responsibility right out of the gate. I said, 'Sounds fun to me.' " She began working in privacy and Freedom of Information Act law, then moved on to other areas in the legal department, including information technology. Her background in these three fields made her a strong candidate for CPO, as did her natural aptitude for business and passion for privacy. "It's very interesting, isn't it, where folks end up in their careers," Strickland says. "I'm actually a very private person."

She relishes her responsibilities, though they have grown immensely over 13 years. "I love conceptual thinking," she says. "I love policy. I love to figure [things] out: How do we make sense of the existing requirements? Where's it going in the future? Where's a good place for it to go in the future?" Strickland sprinkles insights throughout conversations, such as: "Security is deeper than privacy, and privacy is broader." Privacy policy involves setting security levels for different types of information, she says. But it also includes deciding what information to collect in the first place, under what circumstances the agency might share it, and how to notify customers that the data is being collected. Privacy also requires that customers be permitted to revise information collected about them. Strickland's colleague, Peter Myo Khin, manages corporate information security. He must wrestle with the technical details of securing information.

Trust Fund

Strickland holds a job that didn't even exist until very recently. The number of CPOs in business and government has grown right along with Americans' concerns about privacy. In 1995, Privacy and American Business, a New Jersey think tank, began tracking people's attitudes toward privacy. The group, headed by Alan Westin, a professor of public law at Columbia University in New York, divided the public into three categories of concern about privacy: high, medium and low. To understand how the three groups differ, consider Internet "cookies." Web sites use these strings of code to remember something about their visitors, such as which books or CDs each user browses. A typical person of high privacy concern would object to cookies, not wanting any data collected during Web surfing. A person of medium concern might want to know that the data collected is secured and won't be shared or sold, while appreciating a site's ability to remember a preference for John Grisham novels or Latin jazz. The low-concern person wouldn't worry about cookies and might not know they exist.

Studies by Privacy and American Business show that many organizations are losing the public's trust. The majority of Americans have medium-level concerns about privacy. But between 2000 and 2003, Westin saw significant numbers of medium-concern people move to the high-concern category, which grew from 25 percent to 36 percent. People who had been willing to give up some privacy to help organizations function were changing their minds. "Business leaders will ignore this shift at their peril," Westin wrote in his group's September 2003 newsletter. In response to the trend, businesses and government agencies have been catering more to those with high privacy concerns. They have re-examined privacy policies, added security features, and launched ad campaigns touting themselves as privacy friendly. And they have installed chief privacy officers.

To Strickland, privacy is a business opportunity. The Postal Service voluntarily meets private-sector privacy regulations to keep up with other delivery companies. "We don't want to be at a competitive disadvantage," she says. Her approach runs counter to the view that privacy provisions restrict organizations, requiring tradeoffs in cost, efficiency or innovation. While government agencies don't compete for revenue, Strickland says they should focus on building trust so that citizens willingly provide accurate information about themselves.

If agencies want citizens to use e-government programs, for example, they must have robust privacy protections. "Certain agencies are trusted a whole lot more than others, and there's a reason for that-the privacy programs and the brands they build," Strickland says. Rather than focusing on enforcement, as some CPOs do, Strickland gets involved with projects early in a collaborative role and makes a bottom-line argument for privacy protections. "It's not a combative thing," she says. In one instance, the Postal Service considered collecting Social Security numbers for one of its systems. Instead of objecting, Strickland described the level of security needed for such sensitive data. When they learned the cost, agency officials opted instead to collect just the last four digits, reducing both the need for security and the privacy risks.

Brand Loyalty

In a recent television commercial, a letter carrier struggles through hurricane conditions. Debris swirls everywhere as he fights his way from mailbox to mailbox. Interestingly, this is not an ad for the Postal Service. At the very last moment, a familiar pink bunny appears, banging on a large drum. The message becomes clear: Buy Energizer batteries because they're reliable, just like the Postal Service. Energizer's decision to tie its image to the Postal Service says a lot about the agency's reputation. People see USPS as dependable, a familiar face in an uncertain world.

And they trust the Postal Service. A study by the Ponemon Institute shows that Americans have more faith in the Postal Service to safeguard their personal information than any other federal agency, and more than other major delivery companies. In fact, the gap between the Postal Service and its competitors was the largest of any industry. Strickland works to preserve this trust as the agency incorporates new processes and products and especially new technologies. She knows that just one highly publicized breach-say, for example, the release of the country's most complete list of mailing addresses-would inflict serious casualties on the Postal Service, which operates on a break-even business model and already has lost substantial revenue to electronic communications and private-sector competition.

Earlier this year, the Postal Service decided to explore the use of commercial databases, huge collections of information about people collected and sold by companies. The Postal Service's own database does not link addresses to names or phone numbers. Postal officials saw two potential uses for commercial databases-first, as part of a data quality initiative that would link scanners at mail processing facilities to a database to fill in missing or unreadable information on address labels, and second, in call centers to speed the processing of telephone requests for changes of address, by bringing up an existing address associated with the caller's home phone number much as pizza delivery companies do.

Strickland was involved from the beginning. She decided to put the project for call centers on hold until the agency had tackled the use of databases in mail sorting. She and her team then addressed the privacy issues: How much information would the database contain? Names and addresses only. Where and when could it be used? In the processing equipment only. Would the Postal Service share it with other agencies? It won't. Would the agency send information back to the database provider? No.

As plans were made, Strickland reached out to privacy advocates, says Chris Hoofnagle, associate director of the Electronic Privacy Information Center, a Washington public interest group. "Every decision that was made was cut in favor of protecting privacy," he says. By explaining the project to the people likely to object, Strickland disarmed them and avoided a public debate that would have called extra attention to the issue. If she hadn't explained the system so well, "it would have risked the program," Hoofnagle says. "She is the perfect lobbyist."

Strickland's team took up the telephone change-of-address project again in September. The data quality initiative already was under way, and since it had gone over so well with the public, Strickland felt comfortable moving ahead with another database project, again sketching out scenarios in which the team would need to protect customers' privacy. If Homeland Security were to request access to the database, for example, USPS would refuse. "I think what we want to say is, 'That's not appropriate, Homeland Security. Go to the commercial database yourself,' " Strickland said. The Postal Service has never shared its own address list with the Homeland Security Department.

Private Business

Strickland and two colleagues held a conference call with Larry Ponemon this fall. He shared with them the results of a survey on "identity management" that he had not yet released publicly. Ponemon asked people whether they would want "one private and secure verification credential accepted by all organizations," rather than the current patchwork of identity cards, passwords and other verification methods used for everything from entering federal buildings to accessing bank accounts. Seventy-four percent said yes, and Ponemon asked those participants to select from a list the three organizations they would trust to issue the credential. The Postal Service was the most popular choice, chosen by 68 percent of the group.

Strickland and her colleagues saw the study as a potential marketing tool, a way to leverage the public's trust in the organization as the Postal Service pursues a potential new line of business-producing secure badges for federal employees and contractors. The badges would help other agencies comply with a security order issued by President Bush in late August. Homeland Security Presidential Directive 12 calls for "a mandatory, governmentwide standard for secure and reliable forms of identification issued by the federal government to its employees and contractors." Though the specific requirements had not yet been outlined by September, the Postal Service already was in preliminary discussions with at least two other agencies about providing the badges.

The Postal Service believes it has an edge in the badge-making stakes because it has locations throughout the country and has experience verifying identities when it accepts passport applications. Ponemon's finding about the public's trust in USPS provided a third argument favoring the agency. Strickland and her colleagues worried about capitalizing on customers' trust without jeopardizing it, but still considered themselves prime candidates. "I want to make sure the right protections get into place," said Chuck Chamberlain, the agency's manager of business development. "Unless we start getting involved, this ship's going to sail, and it's going to be hard to turn it." Chamberlain is a member of a privacy board that Strickland established, and admits to becoming "a minor conspiracy theorist" as he became more aware of privacy issues.

After the conference call, Strickland discussed whether the Postal Service should pursue the initiative. "There are risks," she said. "We have to think about how we're going to be perceived." But she saw a business opportunity worth pursuing. That's how Strickland works.

Though EPIC's Hoofnagle says Strickland is a "model CPO," there's one project he hasn't been able to get her to pursue-a Do Not Mail list, similar to the Federal Trade Commission's Do Not Call list, which bars marketers from contacting citizens who sign up. Strickland says focus groups show that Americans don't feel as burdened by mail marketing as by telemarketing, and don't like the idea of an off-limits list. Even if this weren't the case, though, it's hard to imagine her pursuing the idea. Privacy is important, but the mail is Strickland's business.