Let me say first how impressed I am with the range of issues that have been brought up by me fellow panelists and by Senator Bowen in her introduction of these issues. I know a lot about privacy, but I constantly learn more and just being on this panel has helped me to do that.
I am particularly interested in the subject Senator Bowen raised on the question of public records having to do with citizens’ movements online and in the real world. The question of what happens when databases of electronic toll records are able to reveal the movements of cars, and the records of who surfed where on government Web sites.
I’m also sympathetic to the concerns Professor Kirtley raised about closure of public records after September 11th. Doing so is a threat to our form of democracy, of which openness in government is a hallmark.
Likewise, I’m not sure that increasing the amount of data governments collect is going to be effective terrorism control. There is just as much chance of making the haystack bigger and making it harder to find the needle, than of catching bad guys. There is no substitute for intelligence on the ground in places like Afghanistan, Pakistan, Somalia, or wherever.
Also, I mentioned in a panel on Wednesday that there is a significant public interest in the private lives — particularly any aberrant behavior there — of public officials. I noted that the Federal Video Privacy Protection Act was passed after Judge Bork’s video rental records had been sought by a reporter, and I suggested that there was a strong public interest in learning about nominees and candidates for high office.
It was a little bit of a bombshell, and Senator Kelley from Minnesota just came up before we started to ask me some more hard questions. Well I’m going to have to run out of the room to avoid further discussion because I’m not ready to articulate the full scope and theory of how you all give up privacy when you become public officials.
Now, do you remember how in grade school, the cool kids used to sit at the back of the room and the nerds used to sit in the front? I notice that you all are sitting in the back rows and there’s a panel on insurance regulation competing with this one. I think that all the nerds must be over there, and we’re all the cool people working on the cool issues. I know that the one or two of you up front are only there because the back is full. Privacy is a very cool issue.
The earlier panelists raised so many issues. I know I’m going to be unable to satisfactorily address most of them. But let me get to the beginning.
I am an Adjunct Fellow at The Progress & Freedom Foundation. I mentioned on Wednesday that PFF has a great conference in Aspen every summer to go over issues like these — technology, telecommunications, e-commerce, and privacy. They do not pay me for the ringing endorsement I give the event. If you can attend, you should.
In addition, I am the Editor of Privacilla.org, a Web-based think-tank devoted exclusively to privacy, which I’ll discuss here in a moment.
In addition, I have a lobbying and consulting firm called PolicyCounsel.Com. None of my clients has specific privacy issues, but privacy touches nearly every public policy issue in one way or another. None of the material on Privacilla and none of what I say to you represents the views of any client, but be aware of my potential for bias, as you would any privacy advocate.
Let me discuss Privacilla in a bit more detail. It is a Web-based think-tank devoted exclusively to privacy as a public policy issue. While I was working on Capitol Hill, I was not satisfied that Congress and state legislatures understood what interests they were pursuing with various laws and regulations nominally aimed at "privacy." When I left, I decided to start Privacilla to sort things out — single-handedly . . . .
Privacilla attempts to capture privacy as a public policy issue from top to bottom. It has a couple hundred pages of material that break out privacy from government and privacy in the private sector. Within the private sector, we discuss financial privacy, medical privacy, and online privacy. On these pages, we provide summary information and links to additional sources.
Earlier this week, we introduced a report about the state privacy torts and their role in privacy protection. That’s far from the last word, and I imagine my fellow panelist Marc Rotenberg will have something to say about this, but more needs to be said about the privacy torts and all kinds of other state laws that protect privacy in various ways.
I’m talking about state contract law, trespass, battery, and so on. The law of battery means, for example, that no one can come up here and rip my coat and shirt off, exposing the appearance of my body. I mentioned that fact on Wednesday and afterwards it was pointed out that you all would probably have a cause of action for intentional infliction of emotional distress if that were to happen.
A lot of people on the Hill, in the press, in government relations offices, and in lobbying organizations and trade associations have told me that Privacilla is a great resource. I’m not satisfied though. There need to be hundreds more pages of material and links before you capture this big issue.
On the site you can sign up for e-mail alerts when things happen. I regularly post new material on the site, including the prepared text of talks like this one. I suspect that what I actually say today will have only the remotest correlation to what was in the prepared text, so if my talk leaves you thirsting for more, you can read an excitingly different version of the talk up on the site. And, of course, check out past talks and reports there too.
Privacilla takes a biased view in the debates on privacy. We openly claim a free-market, pro-technology orientation to these issues. There are plenty of other views and you should consider them all.
Let me describe just a bit what I mean by straightening out the privacy issue.
The word “privacy” has come to be used to describe just about every concern with the modern world. That’s fine for regular people, but when we as policy-makers address these concerns, we need to be a little more precise.
Identity fraud, for example, is widely perceived as a "privacy" problem. But it is better understood as a group of crimes that thrive on the use of personal identification and financial information. Because of this widespread misperception, the crimes that constitute identity fraud go poorly enforced while Congress and many states consider things like banning many uses of Social Security Numbers in the name of "privacy." Limiting SSN use would benefits that the consuming public enjoys without effectively preventing crimes.
The phrase identity theft is often used to describe identity fraud. I think that’s needlessly provocative. That makes people think that their family members won’t be able to reach them because their identities will be gone. Do you recall at the end of Silence of the Lambs when Hannibal Lecter escaped by tearing the face off one of the guards and putting it over his own? That’s identity theft. That’s a guy who is not going to get a key part of his identity back.
Here’s another one: “Security” and “privacy” are often used interchangeably. Security is closely related to privacy, but they are very different concepts. Privacy has to do with a certain state of affairs in personal information. Security has to do with all the steps a business or government takes to protect its operations, data, and possessions. Security affects the ability to protect privacy, but it’s just as relevant to discuss “security and trade secrets” or “security and payroll” as it is to talk about “security and privacy.”
Likewise, unwanted commercial e-mail, or "spam," is an intrusion into electronic communications and a serious annoyance that is often called a "privacy" problem. Spam exists in large part because e-mail marketers know little or nothing about the interests of potential customers. It is difficult to reconcile spam — e-mails broadcast to unknown people nearly at random — with the heart of the privacy concept, which is too much personal information being available too widely.
At Privacilla, we have developed a working definition of privacy that we believe should form the basis of policy discussions on the topic: Privacy is a subjective condition that individuals enjoy when two factors are in place — legal ability to control information about oneself, and exercise of that control consistent with one's interests and values.
Most importantly, privacy is a personal, subjective condition. It is a state of affairs individuals enjoy based on sharing or retention of information about themselves consistent with their own preferences. These preferences are a product of such things as culture, upbringing, and experience. Because privacy is subjective, I can’t decide for you what your sense of privacy should be. And you can not tell me, either by giving your opinion or by passing a law, that my privacy is protected when I think it is not.
Privacy is a kind of concept like happiness or morality. I’ve often asked audiences if they would feel good knowing that legislation called The Happiness Protection Act of 2002 was introduced. Would they be confident that they’re going to be happier as soon as it passed? Well, it’s the same way with privacy. Of course you can’t deliver it directly. You can only put people in a position to protect if for themselves.
Which brings me to the first factor in privacy: legal power to control information. We intend no slight to the good motives of legislators and public servants when we say that loss of privacy is a significant cost of government. To carry out most government programs, you all need to take information from citizens. To collect taxes, you need to collect a great deal of personal financial information. To carry out benefit programs, you need to know people’s individual financial status or health status, and very often you need to know the health status of the broader community. These programs have to divest many people of control over sensitive personal information.
On the other side of the legal-power coin, though, are the laws you pass that allow people to protect privacy. I talked about the various state laws that protect privacy. The law of trespass means that when we retreat into our homes and shut our curtains, no one can legally see what goes on there. The law of contracts means that we can make arrangements with people to safeguard information and protect privacy in it. There are many others.
The second factor I mentioned is exercise of control consistent with our interests and values. With technology changing so rapidly, this can be very difficult. It takes consumer awareness to get it, and organizations like the Electronic Privacy Information Center play a role in creating that. Every once in a while, they score a hit on a company whose information practices are inconsistent with widely held beliefs about what are right and wrong ways to use information. Other times, they can not generate interest in what they perceive to be a problem. That is a rough measure of the fact that certain information practices are not objectionable to consumers.
I repeat, though, that only educated and aware consumers can deliver privacy on the terms that real consumers want it. It is their actions in the marketplace that determine whether the uses businesses wish to make of information are acceptable.
I have spent far too long on the basics here, but let me get to some observations on our topic here.
First, I want to discuss the point that Senator Bowen raised at the outset. What is the status of records of citizens’ movements on government Web sites and on toll roads? I will add to that list the question of red-light cameras, which are being digitized and which can be networked. With optical character recognition, they can easily be used to generate databases about the movements of particular cars in particular jurisdictions. And why not share that information across jurisdictions?
General surveillance cameras have the same potential, and I know Marc Rotenberg and the Electronic Privacy Information Center have done a good deal of work on that.
I argued before the House Transportation Committee in the U.S. Congress that citizens have a reasonable expectation that their movements will not be monitored by governments as long as they are non-suspects of crime. The traditional view is that you don’t have any expectation of privacy in public places, but it is more complex than this. The argument that you have a Fourth Amendment expectation not to have your movements tracked and databased may be a bit of a stretch, but I think the argument needs to be made.
We need to consider data destruction as an important part of our public information policy. That is anathema to what has traditionally been done; collecting as much information as possible has always been assumed an unqualified good. But with the ability of governments to collect and store information growing by leaps and bounds, we need to consider whether there need to be some new approaches to data warehousing.
Turning to the question of public records and e-mail, I think the takeaway from what the previous speakers said is “Do your work at work, and do your dirt at home.” Most of us first got access to e-mail and the Web through work, so we have a bad habit of using our work computers for personal business.
When you are using your home computer, you have a variety of privacy protections.
The first set of protections is the law of contract and the contract rights that are found in your agreement with your Internet Service Provider. These have privacy protecting clauses, and I believe some privacy protections are assumed or implied into internet access contracts.
The second set of protections are tort rights, like those that were discussed in the paper we released this week. Indiscriminate disclosure of our surfing or our e-mail would almost assuredly be a tortuous violation of privacy, most likely the public disclosure of private facts cause of action.
Finally, you have market power. Consumers can say “No” to ISPs with unsatisfactory information practices, and I think it’s very much in the commercial interest of ISPs not to disclose information about our Internet usage and habits. Doing so, in my opinion, would be commercial suicide.
Senator Kelly’s legislation to prevent ISPs from disclosing information is a fairly good example of legislation that requires companies not to commit commercial suicide. That kind of thing is inherently duplicative of existing incentives, and it will tend to lock in a static regulatory regime rather than allowing market forces to guide businesses to the best way of serving consumers.
If you want to write laws preventing companies from committing commercial suicide, you might as well require department stores to be open on the day after Thanksgiving. It’s already in their interest to do it. They’re going to do it. Any department store that doesn’t do it is probably going to lose business. So why make it a legal requirement? All you do is help prop up businesses that should go bankrupt, making way for others that can better serve consumers.
As I said, I’ve only barely scratched the surface of the variety of issues that are to be found within this topic. I continue to discover how complex the topic of privacy is. As I said on Wednesday, I’d be happy to talk with any of you more about this. Let me recommend that we meet up in Aspen and discuss all this while we hike. We can probably hike for two days straight and still not get privacy all figured out, but I am certain it will be worth it.
All content subject to the Privacilla Public License.