STANFORD TECHNOLOGY LAW REVIEW


What Larry Doesn't Get:

Fair Information Practices and the Architecture of Privacy1

Marc Rotenberg*

Working Paper: Do Not Cite Without Author Permission

http://stlr.stanford.edu/STLR/Working_Papers/00_Rotenberg_1

¶1

Larry Lessig's Codes and Other Laws of Cyberspace has popularized the view that "code is law."2 The observation, roughly stated, is that decisions regarding the architecture of the evolving communications infrastructure exercise control over individuals much like legal code and therefore should be subject to democratic considerations, such as accountability and public participation. The argument has attracted critics from the libertarian wing of the cyberintelligentsia3 who see an invitation to government intervention and supporters on the liberal/communitarian/progressive (choose one) side who at last have a richly argued intellectual framework to explore the role of the public in the decisions made by large private entities.4

¶2

To those who have followed and participated in the privacy debates over the past decade, the observation that code is law seems hardly remarkable.5 When Lotus and Equifax proposed to join credit record information and demographic data and make this product available on inexpensive CD-ROMs to anyone who wished to purchase it, computer scientists identified various risks to privacy, and advocates and the public joined in a campaign to stop the release of the product.6 Decisions about the design of Lotus MarketPlace would obviously have an impact on individuals outside the realm of law and regardless of whether individuals exercised "choice" in the marketplace. The campaign was remarkable because it was not directed to a legislative body but rather to the development of a new product that would make personal information available for sale and marketing use. Similar issues arose when Lexis-Nexis decided to make available the Social Security Numbers of individuals through its online news service and when the Social Security Administration chose to make Personal Earning Benefits Estimate Statements (PEBES) available online.7

¶3

The power of code as law (or "architecture as policy") was also clear in the debates over encryption policy where law enforcement agencies sought to obtain by means of technical standards what they could not achieve through the legislative process.8 So, for example, the US government tried through a variety of means to enforce adoption of an escrow encryption standard that would enable law enforcement access to encoded communications. As there was no legal requirement that companies follow this standard, at least for the sale of products in the United States, and the likelihood of obtaining political consensus in support of the goal was minimal, government used export controls, federal contracting, funding and coercion to try to urge adoption of the key escrow standard.

¶4

Ultimately the Organization for Economic Cooperation and Development rejected this approach to the development of cryptographic standards with the issuance of the Cryptography Guidelines in 1998 and the United States government gradually, albeit grudgingly, throttled back its attempt to require technical standards that would enable law enforcement access to private messages.9 Critics of the Clipper proposal noted that the government had attempted to achieve through architecture and design what it could not obtain through the legislative process.

¶5

The battle over the Communications Assistance for Law Enforcement Act of 1994 is a particularly interesting example of how the code as law problem played out. Prior to 1994 it was generally understood that telephone companies had an obligation to comply with a lawful warrant, on a case by case basis, but there was no general requirement to alter the design of a communications network to enable the execution of a future warrant.10 Indeed it was fairly well understood that the purpose of the federal wiretap statute was to constrain the actions of government, not coerce the actions of private individuals.11

¶6

All of this changed when CALEA (the "digital telephony" proposal) became law.12 The FBI was given the authority to set technical standards to enable access to private communications. The statute set out functional requirements that would enable this access, and all communication service providers were required to comply or face substantial penalties. The underlying purpose of the federal wiretap statute, and the two Supreme Court decisions from the 1967 term on which the Act was based, was turned upon its head: wiretap law was no longer a constraint on government, it was now a means to coerce private behavior. Code had transformed law. Today civil liberties organizations continue to fight the battle against CALEA, arguing in federal court that the FCC, supported by the FBI, has ignored privacy considerations in the regulations that would implement the CALEA mandate.13

¶7

Even before the campaigns of the 1990s were those in the 1980s that concerned the emergence of the Caller ID service and a new architecture of the nation's telephone system that would enable recipients to learn the phone number, though not necessarily the identity, of call originators. The Caller ID service represented a radical departure, from a privacy viewpoint, in the architecture of the nation's telephone system. The central claim of privacy, that individuals should have the right to determine when to disclose personal information to others, would effectively be transferred from telephone customers to telephone companies. These companies now found themselves in the enviable position of being able to sell to call recipients the right to know the telephone number of the calling party (the Caller ID service) as well as the right to sell to call originators the right to block disclosure of their telephone number (the Caller ID blocking service). This transfer of control over personal information, made possible by the transition from Signaling System 6 to Signaling System 7, raised a serious question about the role of code and the protection of privacy. The Caller ID service could be offered without any blocking of the call originators' phone number; it could be offered with per-call blocking or with per-line blocking. These were technical determinations within the control of the telephone company that would effectively allocate privacy rights among telephone customers.14

¶8

Fortunately, the Caller ID proposal arose in a regulatory environment that enabled public participation in a rule-making procedure. It would not simply be for the telephone companies to decide how they would collect and use information about customers: they would have to answer questions about the impact on customers. For example, should a woman calling her children from a shelter for battered women be forced to disclose the location of the shelter to her estranged spouse? Is it reasonable to ask telephone customers to select call blocking for each call if they routinely would wish not to disclose their telephone number? And what actual interest would a government agency or a private business have in knowing the telephone number of a calling party?15

¶9

Proceedings were brought before almost every public utility commission and public service commission in the United States.16 The deliberations helped ensure that the final technical standards implemented by the telephone companies reflected, at least to some extent, the public's interest in the protection of privacy. Law controlling code.

¶10

Some or all of this history may have been useful for Lessig's consideration of the interplay of code and privacy norms as many of the issues that seem to interest him have, to some extent, already played out. The history of privacy protection is the history of the effort to regulate technology ("code") by means of public institutions. And this effort has always been predicated on the belief that architecture is not pre-determined, that it can be made subject to reason, public debate, and the rule of law.

¶11

But it is not really the purpose of this critique to argue that Lessig should consider more closely the recent political dimensions of the privacy issues. I am interested in the conceptual problems with Lessig's analysis and specifically why an argument that seems reasonably well-grounded in the relevant legal antecedents seems to veer so wildly and unpredictably to an undesirable and inconsistent outcome. In this venture, I am concerned not only about Lessig's proposed solutions to the far-reaching problems in the privacy arena, but more generally for what his argument may suggest about the invitation to promote discussions of code.17 On the one hand, he asks us to view the design of code as citizens and to look at the role of public institutions in shaping the architecture of cyberspace. At the same time, he recommends that we forgo well-known principles of privacy protection and adopt instead a technique that leaves individuals, confronted by a common problem, isolated in the marketplace. If the results produced in the areas outside of the privacy field are akin to those produced in the privacy field, then something is very much askew in Lessig's description of the relationship between code and law.

¶12

At the outset, much of Lessig's discussion of privacy issues reflects the general views of scholars in the field. He notes with approval the Court's decision in US v. Katz18 to extend the reach of the Fourth Amendment to protect the new communications infrastructure, and, perhaps more significantly, embraces the interpretivist approach set out by Brandeis in the Olmstead dissent, which calls on courts to extend the principles enshrined in the Constitution as new technologies evolve.19 He will elsewhere say that the Constitution as applied to "cyberspace" does not determine outcomes, which Brandeis did support in Olmstead, but he also rejects the crabbed original intent view articulated by Chief Justice Taft in Olmstead. Thus he has left the door open for a robust application of constitutional principles in the emerging communications realm.

¶13

Lessig also shows some sensitivity and support for one of the hot topics in the privacy world -- the role of anonymity. He recounts, for example, the experience of purchasing alcohol in a local store only to be questioned later by his school tutor about his drinking. He asks, quite reasonably, why one aspect of private life should be made available to someone who occupies a different position in his life. He notes elsewhere that the controls over disclosure of identity may be determined in part by the requirements of a local network.20 Lessig goes on to embrace the view put forward by Professor Julie Cohen and others that the right to receive information anonymously is so central to the First Amendment that there should be a general right to circumvent techniques that would otherwise block the ability of individuals to get access to information without disclosing their identity.21 So far so good.

¶14

But when Lessig tackles the topic of privacy in chapter 11 of his text he careens from example to example, concept to concept, with little direction and ultimately settles for the coding of a market-based allocation of privacy interests that is remarkable in light of the skepticism toward market-based analyses that much of his book promotes.22 The chapter is remarkable also in that not a single privacy code of the legal variety is actually considered.

¶15

Lessig walks through a variety of privacy settings and privacy conceptions. He puts some weight on the ideas of "monitoring" and "search," though neither term seems particularly tethered to common concepts of privacy.23 It is hard to understand, for example, in what sense people who walk down a city street or enter a shopping mall are "monitored." In the absence of a purposeful effort by some entity or device to actually track the actions of a particular individual, we would probably not consider social observation a form of monitoring. Ultimately, Lessig rests his solution to the privacy problem on two key principles that follow from the search/monitor schema: "any burden [to protect privacy] must be minimal . . . and any search must be disclosed."24

¶16

Lessig finds himself in surprisingly deep water when he begins to discuss the relationship between law and privacy. He first says the legal solution to the problem of monitoring is a European approach, presumably in contrast to a US approach. This is an odd conclusion since the historical claim of a legal right against unconsented monitoring (photography) is derived from the Brandeis and Warren article of 1890, which was even characterized by European scholars as the "American tort."25 It is also an odd conclusion since most of the modern statutory law that addresses monitoring by hi-tech devices is of American origin. There is, for example, the Federal Wiretap Act of 1968, the Act that followed from the Katz decision which Lessig describes earlier in the book, and that limits the monitoring of private communications. There is also the Privacy Act of 1974 that established a legal framework for the records collected by the federal government. There are the subscriber privacy provisions of the Cable Act of 1984 (cable television), the Video Privacy Protection Act (video rental records), the Electronic Communications Privacy Act of 1998 (electronic mail), the Polygraph Protection Act of 1998 (lie detectors), and the Telephone Consumer Protection Act of 1991 (auto-dialers and junk faxes). At the state level, many more laws can be found in the United States that attempt to limit the monitoring of private behavior.26

¶17

While it is true that the EU Data Directive takes a more comprehensive approach to privacy protection in the private sector than does current law in the United States, it can easily be shown that the EU Data Directive came about in response to the economic requirements of the integration of the European national markets in the early 1990s. The harmonization of national law was necessary to promote the free flow of goods and services, labor and capital across the EU's internal borders. US privacy law, in contrast, is derived from an effort to regulate intrusive monitoring practices made possible by new technologies. In other words, Lessig's characterization of EU privacy law is more aptly applied to the development of privacy law in the United States.

¶18

He next says that the basis of the EU Data Directive is "notice and choice," which is an odd reformulation of a comprehensive legal framework that addresses a wide range of privacy interests, from access and control to security and remedies. The characterization is even more bizarre when one recognizes that the "notice and choice" formulation of privacy protection is a relatively recent creation of the US marketing industry, embraced by the Federal Trade Commission, that almost purposefully attempts to negate the range of rights that are to be found in the EU Data Directive.27 Prior to the recent efforts of industry to develop a self-regulatory alternative to the EU Directive, European privacy law would be characterized as "omnibus," by way of contrast to US privacy law, which was termed "sectoral." There was no general disagreement about the underlying interests that the law would protect, just differences in the scope of application. The term "sectoral" was used to emphasize that privacy law in the United States had come about on a sector-specific basis. Commentators typically explained this based on certain historical circumstances in the United States, such as the compromise that took place between the Congress and the Ford White House to obtain passage of the Privacy Act, or the failure of the Privacy Protection Study Commission a few years later to recommend adoption of a comprehensive privacy regime.

¶19

The traditional complement to "notice" had long been "consent," and the inquiry that attracted privacy scholars and policymakers was what would constitute adequate or meaningful consent. Under the EU privacy regime, meaningful consent typically required "opt-in," i.e. in the absence of affirmative action by the individual, the company simply could not make use of personal information for unrelated purposes. U.S. privacy law also followed an opt-in regime, particularly in the medical records field, but the industry groups, and the Direct Marketing Association in particular, urged the "opt-out" regime, less burdensome for business, which allows businesses to go forward with various uses of personal data as long as there are some means (however burdensome or inefficient) that allow consumers to object.

¶20

The "notice and choice" formulation provided an opportunity for US industry to avoid resolving the difficult problem of what would constitute meaningful consent. But it had this odd, and for business highly advantageous, consequence: while both opt-in and opt-out presumed a limited, purpose-specific disclosure, albeit with differing allocations of burden, the "choice" formulation opened the policy world to the view that there may be many uses for personal information. In the spirit of the age, one could almost ask, "Where do you want your data to go today?"

¶21

This approach was clearly at odds with the general aim of privacy law in both the United States and Europe to limit the collection and use of personal data and with the specific European principle of "finality" that makes clear the need to limit data collection to a specific purpose. When you provide information to a state Department of Motor Vehicles, what "choices" over the use of that data, other than to enable your receipt of a license, would you exercise?28 If you answer your doctor's question about whether you have been sleeping well at night, what choice would you exercise other than to obtain appropriate care from the doctor?

¶22

The problems with the choice formulation also become apparent if one is willing to analogize privacy protection to other forms of health and safety protection. How much choice, for example, should consumers have in the quality of car brakes or airbags? The choice concept also imagines the creation of perfect market conditions where consumers are suddenly negotiating over a range of uses for personal information. Another recent creation.

¶23

It is clear that Lessig has spent his time with the marketing association. He asserts that the "standard response to this question of data practice is choice--to give the individual the right to choose how her data will be used." What is the evidence that this is a "standard response"? A citation to a single web certification association established in 1997. If this is a standard response to the problem of data protection, one might well ask what the exception looks like.

¶24

Lessig then quickly goes on to support a technique called the Platform for Privacy Preferences that facilitates the collection of personal information from individuals visiting commercial websites by enabling a "negotiation" over privacy "preferences." (The P3P standard was developed by a group of private companies known as the World Wide Web Consortium.) Lessig notes that P3P is not without faults, but he says that the larger point is to "imagine an architecture, tied to the market, that protects privacy . . ." To make P3P viable, Lessig says that it would be necessary to establish property rights in personal information. "P3P is the architecture to facilitate that negotiation: the law is the rule that says negotiation must occur."

¶25

Lessig treats those who might be skeptical of the P3P/property regime dismissively as extremists or leftists. This is convenient shorthand that avoids the need to actually engage in a substantive discussion. But the more telling problem with the proposal is that Lessig does not attempt to place his solution in the context of any other regime for privacy protection. It simply exists as an opportunity to code a solution.

 
I. The Role of Law and Fair Information Practices

¶26

How is it that Larry Lessig, who embraces the Brandeis dissent in Olmstead, agrees with the result in Katz, recognizes the value of anonymity, and is generally skeptical of free market solutions, ends his chapter on privacy supporting a market-based technique that undermines anonymity and privacy, rejects Katz and is contrary to the spirit of the Olmstead dissent? The short answer is that he ignores most of the relevant history and does not consider how Fair Information Practices have, since the time of the Katz decision, enabled the translation of privacy norms into statutes, administrative practices, and ultimately technical standards of the type he terms "code." By ignoring this tradition and substituting in its place a cobbled-together, ahistorical marketing technique, he has done considerable damage to the privacy enterprise and his own call for the development of public code. Much of the problem is that Lessig, like many cyber pundits, imagines that the problem of protecting social values on the Internet of today ("cyberspace," if you must) is a completely new venture, without any historical or legal antecedents. Fortunately the calls for a separate jurisprudence of cyberlaw and the autonomy of cyberspace from the real world are beginning to subside. But Lessig's final settling point in the chapter on privacy is particularly odd, given his frequent invitation in other parts of the book to public participation and government intervention in the evolving architecture of the communications infrastructure.

¶27

Lessig leaves the world of privacy law in 1967 with the Katz decision and returns roughly in the present day without any discussion of the intervening events. This is unfortunate because if he traced these developments he would have found considerable support for his larger argument on public code and avoided the rather odd conclusion to his chapter on privacy. Katz, for example, became the cornerstone for the federal wiretap statute adopted in 1968 that set out clear standards for the conduct of electronic surveillance by the government. In effect, a decision of the Supreme Court that wire surveillance should be subjected to a Fourth Amendment requirement was translated into code, of the legal type, that set out the various requirements and conditions under which such surveillance could take place. Under the federal wiretap statute law enforcement is required to follow an elaborate warrant procedure, far more detailed than would be required for the search for physical objects. Limitations on scope in time and place are established in statute (read: code), as are requirements to minimize the collection of communications that are not incriminating.

¶28

This translation from a legal norm to a statutory framework is worth understanding in some detail because it becomes a recurring theme in the development of privacy law over the subsequent years. It is not simply that courts extend principles as Brandeis proposed in the Olmstead dissent, but also that legislatures attempt to articulate by means of statute practices that are to be followed. This is the democratic coding of privacy values.

¶29

The effort to extend privacy norms into code did not end with the federal wiretap statute. At about the same time that the Supreme Court was rendering decisions in Berger and Katz, the United States Congress was holding hearings on the automation of personal information maintained by federal agencies. A proposal in 1965 to create a centralized repository of records on US citizens had sparked concerns about Big Brother.29 The outcome of Congressional hearings, combined with the post-Watergate support for government reform, was the Privacy Act of 1974. The law set out a comprehensive regime limiting the collection, use and dissemination of personal information held by government agencies. The Act established penalties for improper disclosure and gave individuals the right to gain access to their personal information held by federal agencies.

¶30

While Congressional findings are typically of minimal value, those contained in the Privacy Act were significant. They said:

 (a) The Congress finds that - (1) the privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies; (2) the increasing use of computers and sophisticated information technology, while essential to the efficient operations of the Government, has greatly magnified the harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of personal information; (3) the opportunities for an individual to secure employment, insurance, and credit, and his right to due process, and other legal protections are endangered by the misuse of certain information systems; (4) the right to privacy is a personal and fundamental right protected by the Constitution of the United States; and (5) in order to protect the privacy of individuals identified in information systems maintained by Federal agencies, it is necessary and proper for the Congress to regulate the collection, maintenance, use, and dissemination of information by such agencies.

¶31

This statement of findings contained in the Privacy Act provides the foundation for a sweeping social goal -- to regulate the use of information technology so as to protect the right of privacy. The statement of purpose then makes clear the key aims:

 (b) The purpose of this Act is to provide certain safeguards for an individual against an invasion of personal privacy by requiring Federal agencies, except as otherwise provided by law, to - (1) permit an individual to determine what records pertaining to him are collected, maintained, used, or disseminated by such agencies; (2) permit an individual to prevent records pertaining to him obtained by such agencies for a particular purpose from being used or made available for another purpose without his consent; (3) permit an individual to gain access to information pertaining to him in Federal agency records, to have a copy made of all or any portion thereof, and to correct or amend such records; (4) collect, maintain, use, or disseminate any record of identifiable personal information in a manner that assures that such action is for a necessary and lawful purpose, that the information is current and accurate for its intended use, and that adequate safeguards are provided to prevent misuse of such information; (5) permit exemptions from the requirements with respect to records provided in this Act only in those cases where there is an important public policy need for such exemption as has been determined by specific statutory authority; and (6) be subject to civil suit for any damages which occur as a result of willful or intentional action which violates any individual's rights under this Act.

¶32

It is not difficult to see in the introduction to the Privacy Act of 1974 a set of instructions for the protection of privacy that would enable the development of future privacy code. The Privacy Act principles apply with equal force to different data, in different jurisdictions, and at different points in time. The concepts underlying the Privacy Act came to be known as Fair Information Practices, the principles that articulate the rights of data collectors, such as the federal government, and data subjects, in this instance US citizens.30 More broadly, the Fair Information Practices set out an approach to the design of information systems that embeds certain normative political views. It is a very relevant example of the interplay between law and code and social organization, the focus of Lessig's book. Fair Information Practices are also technologically independent. There are no references in the Privacy Act to "PDP 11/70s," "VAX 350s" or "Winchester (3030)" disk drives. Fair Information Practices seek to ensure the fair collection and use of personal information, not the open-ended regulation of technology.

¶33

Notably, the concept of Fair Information Practices, like the development of a legal right of privacy, is also very much an American creation. While those who have favored self-regulation and promoted market-based solutions to the privacy problem over the last few years have tried to ignore this history, it is hardly a satisfactory basis for public policy decisions or legal analysis. Critics of privacy legislation or Fair Information Practices are of course welcome to find shortcomings in legal regimes or try to demonstrate the benefits of alternative approaches, but to ignore history, as industry lobbyists have done purposefully, and I believe Lessig has done inadvertently, is to avoid engagement in a critical and necessary debate.

¶34

Not only have Fair Information Practices played a significant role in framing privacy laws in the United States, these basic principles have also contributed to the development of privacy laws around the world and even to the development of important international guidelines for privacy protection.31 The most well-known of these international guidelines are the OECD Recommendations Concerning and Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data.32 The OECD Privacy Guidelines set out eight principles for data protection that are still the benchmark for assessing privacy policy and legislation. These are Collection Limitation; Data Quality; Purpose Specification; Use Limitation; Security Safeguards; Openness; Individual Participation; and Accountability.33 The principles articulate in only a couple of pages a set of rules that have guided the development of national law and increasingly the design of information systems.

¶35

Commentators have also noted a remarkable convergence around privacy policies, which is that countries around the world, with very distinct cultural backgrounds and systems of governance, nonetheless have adopted roughly similar approaches to privacy protection.34 Perhaps this is not so surprising. The original OECD Guidelines were drafted by representatives from North America, Europe, and Asia. They reflect a broad consensus about how to safeguard the control and use of personal information in a world where data can flow freely across national borders.

¶36

Viewed against this background, the problem of privacy protection in the United States in the early 1990s was fairly well understood. The coverage of US law was uneven: Fair Information Practices were in force in some sectors and not others. There was inadequate enforcement and oversight. Technology continued to outpace the law. And the failure to adopt a comprehensive legal framework to safeguard privacy rights could jeopardize transborder data flows with Europe and other regions.

¶37

It is generally understood that the challenge of privacy protection in the information age is the application and enforcement of Fair Information Practices. While some recommendations for improvement have been made, the level of consensus, at least outside of the United States, about the viability of Fair Information Practices as a general solution to the problem of privacy protection is remarkable. As recently as last year the OECD reaffirmed support for the 1980 guidelines, and countries that are adopting privacy legislation have generally done so in the tradition of Fair Information Practices.

¶38

As has already been noted above, one of Lessig's first missteps was his claim that the US has not generally protected privacy by law. It would be more accurate to say that in the absence of a general privacy law for the private sector, the US has routinely protected privacy in law as new technologies have emerged. This raises the question of why such laws have not yet been developed for the Internet. I am prepared to argue elsewhere that the explanation can be found in the rise of private power and the weakening of democratic institutions. There are associated problems of agency capture and the role of money in politics. These are developments that should be genuine cause for concern particularly for Lessig because they suggest that as new issues arise for the Internet public conceptions about code in the legal sense will be pushed aside by private conceptions of code in the architectural sense. But that is not my argument here. I am more concerned about the absence of the history of public code in Lessig's discussion of privacy.

¶39

Given this tradition of a legal right to privacy in the United States, the significance of Fair Information Practices in the structuring of privacy statutes, and the growth of privacy laws specifically to address monitoring by new technologies, it would seem that Lessig had at least some responsibility to address the question of whether privacy law would be up to the challenge of "cyberspace." Certainly his throwaway line that the U.S. has turned to law less often than the Europeans does not answer the question. Before addressing whether Lessig's proposal for a technique to negotiate privacy preferences does, it is worth filling in another part of the history -- the development of technologies to protect privacy.

 
II. Architectures of Privacy

¶40

In a 1992 article in Scientific American, David Chaum outlined a technique, based on encryption, that would enable transactions that were "authenticated but not identifiable." By this Chaum meant that it would be possible for an individual to transfer money (or credentials) over an electronic network and obtain a service without the service provider ever knowing the actual identity of the individual but with assurance that money would be received for the service or that the individual had the appropriate credentials to receive the service.

¶41

Chaum's technique, which is based on a particular cryptographic method called "blind signatures," is complex but real world examples suggest how this method may operate in practice.35 In Washington, D.C. you may purchase a Metro card with cash. The card contains a certain amount of value. Each time you ride on the Metro, the cost of the trip is deducted from the Metro card. When the value in the card is gone, you may choose to either add more value or simply discard the card.

¶42

What is remarkable about the Metro card, from a privacy viewpoint, is that the Washington Metropolitan Area Transit Authority has no interest in your actual identity. It simply needs to know that the card you present to ride the Metro has a current value at least equal to the fare. Stored-value or "debit" cards play a similar role in transactions for telephone services, photocopy services, even concession stands at the 1996 Olympics. They provide value to a service provider while maintaining the anonymity, that is to say the privacy, of the person who purchases the service.

¶43

Cards with credentials serve similar functions. A movie ticket presented to the ticket taker allows admission to the theatre regardless of one's identity. Even the problem of age verification has presumably been resolved at an earlier stage in the transaction, when the moviegoer has provided credentials to establish, if necessary, an age sufficient to permit admission. And these credentials are of interest to the ticket seller only in that they provide a means of authenticating age. Actual identity continues to be irrelevant.

¶44

Chaum conceived that it would be possible to enable a wide range of activities that would allow individuals to exercise control over the disclosure of personal information. This concept of providing only the elements of personal information necessary to enable a transaction is very much in the spirit of privacy law. In effect, it attempts to embed the core principle of limiting the collection and use of personal information and, where possible, eliminating it altogether. Such credentialing schemes, as applied to the Internet, could permit age authentication where appropriate or admission to web sites not open to the general public, all the while preserving the privacy of the individual.
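Chaum's blinding step is short enough to show in full. What follows is an added example written for this page, not code from the paper, from Chaum or from DigiCash. It assumes textbook RSA with SHA-256 as the hash of the coin serial, one signing key per denomination, and freshly generated small keys for speed; those are choices for illustration, not a recommended construction (it needs Python 3.8 or later for the modular inverse). It models the Metro card situation above: the bank signs a value it cannot read, the customer strips the blinding factor, and the merchant checks the signature against the bank's public key and refuses a serial presented twice, while the bank's own log contains nothing that appears in the coin.

```python
"""Chaum-style blind signature over RSA, as a toy anonymous coin.
Added example for this page, not the paper's or DigiCash's code.
Assumptions: textbook RSA, SHA-256 as message hash, 512-bit keys."""
import hashlib
import math
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; adequate for an example, not for production keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Return ((e, n), (d, n))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)


def _hash_to_int(data: bytes, n: int) -> int:
    # Hashing the serial is what stops a customer from multiplying two signed
    # values into a third valid one (RSA signatures are multiplicative).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class Bank:
    """Signer. Sees only blinded values; its log is all it could ever retain."""
    def __init__(self, bits: int = 512):
        self.pub, self._priv = rsa_keygen(bits)
        self.log = []  # blinded values presented for signing

    def sign_blinded(self, blinded: int) -> int:
        d, n = self._priv
        self.log.append(blinded)  # a real bank would also debit an account here
        return pow(blinded, d, n)


def withdraw(bank: Bank):
    """Customer side: obtain a signature on H(serial) without showing serial."""
    e, n = bank.pub
    serial = secrets.token_bytes(16)
    m = _hash_to_int(serial, n)
    while True:
        r = secrets.randbelow(n - 2) + 2       # blinding factor, never revealed
        if math.gcd(r, n) == 1:
            break
    blinded = (m * pow(r, e, n)) % n            # m * r^e
    s_blind = bank.sign_blinded(blinded)        # (m * r^e)^d = m^d * r
    s = (s_blind * pow(r, -1, n)) % n           # remove r, leaving m^d
    return serial, s


class Merchant:
    """Verifies the bank's signature and rejects a serial spent twice."""
    def __init__(self, bank_pub):
        self.pub = bank_pub
        self.spent = set()

    def accept(self, coin) -> bool:
        serial, s = coin
        e, n = self.pub
        if pow(s, e, n) != _hash_to_int(serial, n):
            return False                        # not signed by the bank
        if serial in self.spent:
            return False                        # double spend
        self.spent.add(serial)
        return True


def bank_log_contains_coin(bank: Bank, coin) -> bool:
    """Does anything the bank logged equal the coin's hash or signature?"""
    serial, s = coin
    _, n = bank.pub
    return s in bank.log or _hash_to_int(serial, n) in bank.log


def demo():
    bank = Bank()
    coin = withdraw(bank)
    shop = Merchant(bank.pub)
    return shop.accept(coin), shop.accept(coin), bank_log_contains_coin(bank, coin)


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The three results read: accepted once, refused the second time, and nothing in the bank's log matches the coin. What makes this a credential rather than an identity is that the merchant's only check is against the bank's public key and the only state it keeps is the set of serials already redeemed; the bank, for its part, learns that a coin was issued but not which coin was later spent.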

¶45

Chaum's initial DigiCash scheme has not proved successful in the marketplace, though it is worth noting that it was better received in countries with well-established privacy laws than in those which lacked a comprehensive legal framework. But the DigiCash concept has inspired a number of other ventures, such as the Freedom Network, that might genuinely be considered architectures of privacy. Building on public key cryptography, these systems enable not only the exchange of messages that third parties cannot read but also the conduct of transactions that cannot be traced to a known individual. These designs transfer the physical experience of privacy and anonymity to the online environment.

¶46

These architectures of privacy, in preserving anonymity, also protect an important legal right: the right to express political views anonymously, to vote anonymously, and even to engage in political activities anonymously.36 In some countries, these techniques even protect a legal interest in engaging in anonymous commerce.37

¶47

Lessig addresses the possibility that public key encryption could enable the disclosure of aspects of identity without revealing actual identity in an earlier part of the book that considers architectures of control. But the discussion is not carried forward into the chapter on privacy. Instead, the chapter is the springboard for a separate discussion about business on the Internet. Again, this is unfortunate, because the multiple credential model outlined in chapter 4 would have provided a more robust conclusion to the chapter on privacy.

¶48

There are other efforts to translate the concept of Fair Information Practices into technical standards. Perhaps the most noteworthy is the Canadian Standards Association Model Code for the Protection of Personal Information.38 The CSA Model Code builds upon the OECD Privacy Guidelines. Its principles are Accountability, Identifying Purposes, Consent, Limiting Collection, Limiting Use, Disclosure and Retention, Accuracy, Safeguards, Openness, Individual Access, and Challenging Compliance. But whereas it was expected that the OECD Privacy Guidelines would be translated into legal code, the CSA Model Code will be translated into architectural systems, i.e. information systems will be designed incorporating the elements of the privacy code.

¶49

As applied to a business operating on the Internet it is not too difficult to imagine how such an enterprise might proceed. A company would display a statement that provides specific information about its policies and practices relating to the management of personal information, in order to comply with the Openness principle. The company could incorporate SSL in credit card processing to address the Safeguards principle, though SSL protects the card number only in transit; the same principle reaches the data once it is stored, so storage and access controls are needed as well. Information about individuals could be made available to them by means of the Internet to further the Individual Access principle. Data collection practices could be designed to comply with the goals of Limiting Collection and Limiting Use, Disclosure and Retention. Where consent is required, it would be obtained in accordance with the "knowledge and consent" standard set out in the CSA Model Code.

¶50

The International Organization for Standardization (ISO) is currently engaged in a similar enterprise to incorporate Fair Information Practices in the design of information systems. [more]

¶51

More broadly, it is clear that the Internet enables a variety of techniques that could help code privacy. Apart from anonymous payment systems, there are means to promote access to personal information. Banks, airlines, trading firms, and other online businesses are all providing customers with more information about their practices and activities. This is generally consistent with Fair Information Practices, but the goal would be extended to include the complete profile available to the firm, meaning not simply the information that the customer provides but also the marketing information that the firm uses to make decisions about customers. For individuals to make meaningful choices about the disclosure of personal information and their interaction with various firms, access to the profile is particularly important, as the OECD noted almost twenty years ago.

 
III. Privacy Enhancing Technologies and Privacy Invasive Technologies

¶52

The search for an architecture of privacy has prompted a useful discussion of the various privacy techniques. One of the key questions of course is what constitutes an architecture of privacy. When the US government first proposed the Clipper encryption scheme it said that it would protect privacy by enabling the government to apprehend criminals who break into computer systems and violate privacy interests. Even the recent computer security announcement from the White House, which called for expanded government monitoring of computer networks, echoed the theme that greater surveillance would promote greater privacy protection.39

¶53

So it is necessary to develop analytic tools that make it possible to speak coherently about what constitutes an architecture of privacy. Herbert Burkert did this in part in an article entitled "Privacy Enhancing Technologies: Typology, Critique, Visions."40 Burkert provides a useful taxonomy of PET concepts and then the various strategies for implementation. Burkert notes that PETs are a "technological innovation that attempt to solve a set of socio-economic problems."

¶54

The concept of PETs has resonated in the privacy world. Governments have undertaken studies to explore how Privacy Enhancing Techniques, oftentimes based on pseudonyms, could be implemented in the world of the Internet and e-commerce. PETs typically seek to implement Fair Information Practices and where possible to minimize or eliminate the collection of personally identifiable information.

¶55

To understand the concept of PETs in more detail it is useful to have a contrasting notion. I had proposed "privacy extracting techniques" as the appropriate counterpart to Privacy Enhancing techniques, but Roger Clarke's phrase "privacy intrusive techniques" provides the useful pairing of PETs and PITs.

¶56

It is fairly obvious that techniques that covertly collect personally identifiable information might be considered intrusive.41 Techniques that coerce the collection of personal information might also be considered intrusive. The interesting comparison arises from the voluntary disclosure of personal information. Here the distinctions between PETs and PITs are most apparent.

 
                        PETs                             PITs
  Central goal          "Control"                        "Choice"
  Policy implemented    Fair Information Practices       Notice and Choice
  Data collection       Data minimization, finality      Data collection, multiple purposes
  Key techniques        Anonymity                        Persistent identifiers
  Allocation of burden  Burden on data collector         Burden on data subjects
  Examples              Debit cards, cash

¶57

The key point in this comparison is that PETs will typically limit or eliminate the collection of personally identifiable information whereas PITs would facilitate it. Below I will discuss in some detail the privacy-negotiating scheme endorsed by Lessig as the solution to Internet privacy. It is worth noting here that P3P (the "Platform for Privacy Preferences") would probably not be considered a Privacy Enhancing Technique. At best it is merely a Privacy Technique, neither Enhancing nor Intrusive, that enables some consideration of privacy terms in a market-based, microeconomic relationship.

 
IV. Law Becomes Code Becomes Law

¶58

I have outlined above several of the various techniques to protect privacy that flow from Fair Information Practices, as well as a method to evaluate technology-based privacy solutions. It is possible to imagine that at a certain point these techniques could then be reincorporated into a legal regime. This is indeed what happened with the German multi-media law of 1997.42 That statute, which covers a wide range of Internet topics from digital signatures to encryption and network security, also sets out the protection of anonymity as a goal for businesses operating on the internet: "The provider shall offer the user anonymous use and payment of teleservices or use and payment under a pseudonym to the extent technically feasible and reasonable. The user shall be informed of these options."43

¶59

In this instance a legal code attempts to encourage the development of software code that implicates important privacy values. But unlike the Communications Assistance for Law Enforcement Act that was adopted by the US Congress in 1994, the German Law for Information and Communication seeks to embed the value of data protection rather than data surveillance.44 The privacy provision in the German multi-media law is also interesting because it anticipates some of the emerging problems that are arising on the Internet. For example, the recent merger of Doubleclick and Abacus has raised the prospect of highly detailed profiles of individual consumers. German multi-media law says simply that: "user profiles are permissible under the condition that pseudonyms are used. Profiles under pseudonyms shall not be combined with data relating to the bearer of the pseudonym."45

¶60

The German Internet law in effect controls the development of profiling techniques on the Internet. As a result advertising firms, such as Doubleclick, operating in Europe are more careful about their data collection practices. A similar effect has been observed with the use of cookies by commercial firms under the EU Data Directive.46
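The rule just quoted, that profiles under a pseudonym "shall not be combined with data relating to the bearer of the pseudonym," and the pseudonym-based PETs mentioned in Part III, come down to one architectural commitment: the mapping from identity to pseudonym lives in one component, and the profile store never sees the identity or the mapping key. The following is an added example for this page, not code from the paper or from any German or EU implementation. It assumes HMAC-SHA256 under a per-service secret as the pseudonym function, a fixed list of field names treated as identifying, and sample identities and events that are constructed for the example.

```python
"""Usage profiles kept under a keyed pseudonym, apart from identity.
Added example for this page, not from the paper or any statute's implementation.
Assumptions: HMAC-SHA256 pseudonyms; field names below chosen for illustration."""
import hashlib
import hmac
import secrets


class IdentityService:
    """The only component able to map an identity to its pseudonym."""
    def __init__(self, key: bytes = None):
        self._key = key or secrets.token_bytes(32)

    def pseudonym(self, identity: str) -> str:
        # Keyed, so the profile store cannot re-derive it by hashing guessed
        # addresses; deterministic, so the profile still accumulates.
        return hmac.new(self._key, identity.encode("utf-8"),
                        hashlib.sha256).hexdigest()


class ProfileStore:
    """Profiles keyed by pseudonym only; identity never enters this store."""
    IDENTIFYING = frozenset({"name", "email", "address", "phone", "ssn", "ip"})

    def __init__(self):
        self._profiles = {}

    def record(self, pseudonym: str, event: dict) -> None:
        leaked = self.IDENTIFYING & set(event)
        if leaked:
            # The quoted rule: the profile is not to be combined with data
            # relating to the bearer of the pseudonym.
            raise ValueError(f"identifying fields rejected: {sorted(leaked)}")
        self._profiles.setdefault(pseudonym, []).append(dict(event))

    def profile(self, pseudonym: str) -> list:
        return list(self._profiles.get(pseudonym, []))

    def mentions(self, needle: str) -> bool:
        """Crude audit: does the literal identity appear anywhere in the store?"""
        return any(needle in str(ev)
                   for evs in self._profiles.values() for ev in evs)


def access_request(ids: IdentityService, store: ProfileStore, identity: str) -> list:
    """Individual Access: the subject's profile is reachable only through the
    identity service, which holds the key; the store alone cannot answer."""
    return store.profile(ids.pseudonym(identity))


def demo():
    ids = IdentityService()
    store = ProfileStore()
    who = "alice@example.org"                      # constructed sample identity
    p = ids.pseudonym(who)
    store.record(p, {"page": "/shoes", "ts": 1})   # constructed sample events
    store.record(p, {"page": "/coats", "ts": 2})
    try:
        store.record(p, {"page": "/checkout", "email": who})
        rejected = False
    except ValueError:
        rejected = True
    return (
        len(access_request(ids, store, who)),      # both events reachable by the subject
        ids.pseudonym(who) == p,                   # pseudonym is stable
        rejected,                                  # identifying field refused
        store.mentions(who),                       # identity absent from the store
    )


if __name__ == "__main__":
    print(demo())  # (2, True, True, False)
```

Two points the code makes that the statute only implies. First, because the pseudonym is keyed, two services holding different keys derive different pseudonyms for the same person, so their profiles cannot be joined by matching identifiers; this is the property a DoubleClick/Abacus style combination would defeat. Second, the separation is only as strong as the organizational boundary around the key: code can keep identity out of the profile store, but nothing in it stops the same operator from running both components, which is exactly why the rule has to exist in law as well as in architecture.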

¶61

My point here is that there has been over the last three decades a useful interaction between the development of legal code and architectural code to protect personal privacy. There is general agreement about aims and now the rise of promising opportunities to embed Fair Information Practices and anonymity in the design of the Internet. Lessig ignores this history and chooses instead to back an open-ended, untested market-based means to protect privacy going forward. It is time now to look at the adequacy of this proposal.

 
V. Critique of P3P

¶62

Lessig concludes the chapter on privacy with a recommendation that the "Platform for Privacy Preferences" (P3P) is a possible way to code privacy. He acknowledges that there may be problems with P3P but he does not actually spend more than a couple of pages pursuing the proposal. P3P remains nonetheless the recommended approach to code privacy. But why? Other than noting that P3P may enable a negotiation over privacy terms, why does Lessig believe this is a solution to privacy?

¶63

P3P was launched with much of the hype that accompanies most commercial services on the Internet. According to the early proponents,47 "Products using P3P will allow users to be informed of site practices, to delegate decisions to their computer when possible, and allow users to tailor their relationship to specific sites. Users will see P3P in action both in the configuration of their client and during their Web browsing."48 Some lobbyists went further and said that P3P would obviate the need for privacy legislation. Even the Vice President himself was brought in by the proponents of self-regulation to offer a product endorsement, which was itself odd since the product didn't actually exist.49

¶64

The Federal Trade Commission endorsed the P3P standard.50 Legislation was introduced to support P3P, another oddity since the standard was supposed to exist independent of legislation, and federal agencies were urged by industry lobbyists to embrace P3P as a method to provide privacy protection for federal web sites on the Internet.51

¶65

Today P3P shows few signs of life. As Professor Joel Reidenberg noted recently, "The World Wide Web Consortium ("W3C"), an influential standards setting body for the Internet, has led the development effort for P3P technology. Yet after three years, W3C has still not obtained sufficient industry agreement to conclude the development phase, let alone find companies willing to implement the technology. In addition, P3P faces a patent licensing problem that jeopardizes its ultimate adoption by industry."52 At the end of 1999 there were only a few pilot projects involving P3P and the working group had announced a new last call working draft with the deadline of April 2000.53

¶66

The problems with P3P have now been widely reported. Privacy experts have argued that P3P must be enforced. Industry analysts have also found shortcomings in the P3P proposal.54

¶67

Jason Catlett, the CEO of Junkbusters and a computer scientist, offered perhaps the most articulate critique of P3P.55 In a recent letter to the P3P developers he wrote:

 The concept presumes that privacy is a preference that some technologically advanced minority might be granted an opportunity to avoid having violated on occasions where those people have taken a specific action designated by the companies who wish to exploit personal information. Rather, privacy is a fundamental human right that should be universally expected.
 The concept presumes consumers have an extremely diverse range of "privacy preferences" that should be catered to with a correspondingly wide range of options, like flavors of soft drinks. Rather, the core of consumers' desires for privacy are simple and easily stated, but unpalatable for marketers: consumers don't want their personal information sold, shared, or reused for secondary purposes. The fact that some are willing to grant specific consent for certain uses doesn't mean that they wish to make an open offer of their privacy. A bewildering range of options tends to distract consumers and policymakers from the sad fact that what should be standard equipment is hard to find or entirely absent.
 The concept's premise promotes the view that personal information is a secondary currency or commodity to be bartered rather than a necessary detail for performing some part of the transaction, such as delivering the ordered goods by mail. Rather than the fake-privacy doctrine of "notice and choice," which in practice means burdening the consumer with understanding complex details and attempting to opt-out of some of them, real privacy consists of limiting the use of information to what is needed, always with the explicit consent and understanding of the consumer.
 There is a presumption that access should be focused on a company's policy instead of access by individual consumers to information held by the company about them. Rather, a consumer should be able to assume that the company's policy is to treat her data fairly; what she then needs is to be given access to all her specific data so that she can check that it is being correctly handled in practice. She should be able to check that her understanding of what information the company should have about her corresponds with what is actually held, and amend it if not. Granted, P3P does offer a way for a site to say whether it grants access, but stops there. Standards such as the now-moribund Open Profiling Standard can be quickly recognized as marketing mechanisms rather than privacy standards by the fact that the flow of personal information is unidirectional: from the consumer to the company.
 The political environment surrounding the development of P3P promotes the erroneous belief that Internet privacy is something terribly complex and remote from "offline" privacy, and that technology will eventually solve the problem if given time, making legal rights and enforcement mechanisms unnecessary. Rather, the core privacy issues are identical online and offline; online consumers are more aware of the risks, so companies have been forced to give it more attention. Further, no amount of technology can ever make up for the lack of enforceable privacy rights held by the American citizen.
 Perhaps the most implausible premise is the view that a high level of privacy will eventually be achieved if software makers and ecommerce sites agree on a standard that (after an even longer time, as software is upgraded) might be adopted by a sufficiently large percentage of consumers, thus expressing through the market and technology an economic demand for privacy. Believing this process will succeed in protecting privacy is as naive as hoping that environmental protection would be well served by having Exxon and GM draw up standards for emission control, and by the auto industry providing consumers the opportunity to vote on these standards by checking boxes on postcards made available to them at gas stations and automobile showrooms. Rather, technologists should take as their point of departure the strong privacy rights that are being mandated by an increasing number of legislatures, and develop technology that will efficiently and effectively serve people exercising those rights.
 There is an unspoken assumption that as soon as a highly technical language is provided for codifying privacy policies, then marketers will offer good policies in this language. Rather, a simple argument will prove that P3P will never provide the majority with any real privacy protection or even useful guidance. Under the banner of "policy-neutral language," P3P is simply deferring the difficult decision of what the minimum acceptable standard should be. As a thought-experiment, suppose that some time in the 21st century, the P3P language is finalized and the software ready. A decision will have to be made on the defaults, designating the minimum expectation that surfers should have before the browser raises alerts on visiting a substandard site. (For P3P to have any widespread effect, it would have to be pre-installed in both major browsers, and there would have to be some such default below which an alarm is raised.) This entails a large number of questions to which no consensus answer is ever likely to be found. . . .
 As a product to protect the privacy of the average American shopper, P3P is doomed to fail, because such an outcome is not in the commercial interests of the organizations who decide whether and how it will be deployed. P3P has become a mirage in the desert of Internet privacy.
¶68

A different type of analysis was put forward by the privacy working group of the European Commission, established by the EU Data Directive. The Article 29 Working Party had the special obligation to assess the impact of the P3P proposal on the legal rights currently in force under the EU Directive, in other words, to compare the code with the Code. The European expert group observed simply that "A technical platform for privacy protection will not in itself be sufficient to protect privacy on the Web. It must be applied within the context of a framework of enforceable data protection rules, which provide a minimum and non-negotiable level of privacy protection for all individuals." The expert group also said "There is a risk that P3P, once implemented in the next generation of browsing software, could mislead EU-based operators into believing that they can be discharged of certain of their legal obligations (e.g. granting individual users a right of access to their data) if the individual user consents to this as part of the on-line negotiation. In fact those businesses, organisations and individuals established within the EU and providing services over the Internet will in any case be required to follow the rules established in the data protection directive 95/46/EC (as implemented in national law) as regards any personal data that they collect and process."56

¶69

The EU critique of P3P is particularly significant in the context of Lessig's larger call for a public role in the design of code. Here in fact is the public institution with the expertise in the relevant social value reviewing a proposal for code that will regulate the transfer of personal information in cyberspace. The conclusion? The code is flawed. It fails to provide protection comparable to that which is provided in law. It effectively shifts burden in a manner disadvantageous for citizens. It is potentially misleading to users and it could provide a way for institutions to get out from under their obligations to comply with legal code.

¶70

Lessig should be taking careful notes at this point. Either he has to accept the conclusion of the EU expert group and revise his assessment of P3P or he has to reconsider his broader call for public engagement in the structuring of the code that regulates cyberspace. Of course, he may also choose to reject the EU assessment and maintain his attachment to P3P as well as support in theory for public review of code, but this position at the very least requires a reasoned answer. He cannot ask the rest of the world to accept the public regulation of code and then run in the opposite direction when the public regulates his code.

¶71

If Lessig is not persuaded by the history of privacy law or the specific assessment of privacy experts who reviewed the P3P proposal, he might consider also the survey conducted by several of the designers of the P3P protocol. "Beyond Concern: Understanding Net Users' Attitudes About Online Privacy" explored a number of privacy issues, including whether Internet users favored "automatic data transfer techniques." Such techniques could include an auto-fill feature "that users could click on their browsers to have information they had already provided to another Web site automatically filled in to the appropriate fields in a Web form." According to the survey about 61% of respondents use such a browser feature, though the number drops to 51% if no human intervention is required before the transfer takes place.57

¶72

The most interesting results can be found when the researchers asked respondents about a P3P-like feature that would allow the automatic transfer of personal information to sites with acceptable privacy policies. According to the survey, "there was little interest in two features that would automatically send information to Web sites without any user intervention: a feature that notified the user that it had sent the information was of interest to 14% of respondents, and a feature that provided no indication that it had transferred data was of interest to only 6%."

¶73

As the researchers who conducted the survey noted, "Our respondents provided strong comments about automatic data transfer. A large number of respondents made comments about wanting to remain in control over their information and stating that they had no desire for automatic data transfer. Some respondents were concerned with the perils of automatic data transfer in general. For example, one respondent noted that "I want to be in charge of all information sent to other companies. Just because they are similar, doesn't mean I [want] my information shared with them." Another noted the need for updating personal information: "To be able to update or correct the previous info is a good thing." However, most comments revolved around the respondents' desire to maintain control of the process. For example: "Auto[matic] features save time. ...However, I do like to know when information about me is being transmitted," "I want to be in control of what is done. This way I know what was done," and "I don't want anything sent automatically. I want to check out everything I am applying for."

¶74

Perhaps the most significant criticism of the regime is the extent to which it codes the preferences of the P3P designers as opposed to, say, the general public. Who decides, for example, what basic elements should be made available to others? And why should techniques that ultimately shift burdens to the consumer be adopted? Do consumers really want to negotiate over privacy preferences? Wouldn't consumers prefer to disclose only the minimal amount of personal information necessary to a transaction, as Fair Information Practices generally require?

¶75

It is possible to answer these questions with a general defense that P3P is "a work in progress," and that some of these problems may be resolved over time, though there is in fact little indication that such a process is progressing. But the larger question for Lessig is why should individuals settle for a cyberspace architecture that leaves them isolated in the marketplace to negotiate over privacy protection when there is a rich tradition of Fair Information Practices and an emerging architecture of privacy that seems far more likely to safeguard privacy interests.

¶76

Imagine, for example, a P3P-enabled world after an AOL Time-Warner merger where the merged entity chooses to adopt P3P standards that are generally not privacy respectful. One could easily imagine, for example, the rise of a company-wide policy that individuals reveal their actual identity and some additional information before they move beyond the home page of a particular web site. The P3P-empowered web users could, if they wished, simply refuse to visit any of the AOL Time-Warner web sites. And if enough other prospective AOL Time-Warner customers acted in similar fashion, presumably AOL Time-Warner would change its policy. Or it might not.

¶77

This result, which probably would not disturb libertarians and those who are generally optimistic about the market's ability to respond to consumer wishes, should disturb Lessig. If his book is intended to build support for the view that cyberspace can be subject to political institutions, then a conclusion that ignores a rich and largely successful tradition of government regulation and chooses instead a socially-isolating marketing scheme designed to facilitate the collection of personal data is deeply flawed. The EU privacy group identified this problem at the outset in its review of P3P. It noted that "Surprisingly, given the intention that P3P be applicable worldwide, the vocabulary has not been developed with reference to the highest known standards of data protection and privacy, but has instead sought to formalise lower common standards."58

¶78

How would the P3P approach work as applied to other social issues? Should consumers negotiate over the level of consumer protection? And what will become of these profiles that contain such detailed articulations of an individual's likes and dislikes?

¶79

Still, the argument over P3P is not simply a debate over the pros and cons of a particular approach to the privacy problem, which not surprisingly attracts participants on both sides. It is rather a battle over public code versus private code, an argument about whether the designers of the communications infrastructure should be accountable to the views of "lawyers, policymakers and especially citizens" (Lessig's phrase) or whether they should be free to pursue whatever architecture provides private advantage. P3P is a form of private code, much like the Windows operating system, that reflects a particular institution's views of how choices and behavior should be constrained in cyberspace. It elevates notice and choice as a preferred method for privacy protection and downplays the role and history of Fair Information Practices. It maps nicely to the anti-regulatory views espoused by industry but not at all to the well-established tradition of privacy protection in law.

¶80

P3P arose at a particular point in time. There was growing support in the United States for comprehensive privacy legislation and the US trading partners favored this outcome as well. But business was reluctant to support this approach and did not want its new practices, its code, to be subject to public regulation. And so an extended architecture of notice and choice was put forward as a privacy solution.59 This was, at the end of the day, little more than the old "opt-out" box offered by the Direct Marketing Association. All of the problems of compliance, burden, enforcement, and effectiveness that were known about the DMA's opt-out program were present in the design of P3P. P3P even added a layer of complexity that was sure to defeat whatever interest might remain to exercise privacy "choices." But there was little interest in addressing these concerns because there was little interest in developing a robust regime to protect privacy.

¶81

Lessig is caught in a bind. Having railed against the libertarian excesses in the world of cyber policy, when confronted with one of the most pressing social issues, he makes a beeline for the free market solution and tosses aside his own calls for the development of code that reflects public values and public interests. Even Lessig's call for a property-based notion of privacy in the context of his other arguments in favor of government regulation seems odd and out of place. Lessig expresses a preference for property regimes over privacy legislation, which he calls liability regimes.60 The argument for a property regime over a liability regime is that it allows individuals to "exercise choice, to negotiate, to obtain value."

¶82

This analysis presupposes that individuals have a general interest in alienating the value of private information in the marketplace. Admittedly this is a popular argument in some corners, but where is the proof? Whereas Lessig analogizes the exercise of property rights in personal information to the sale of a used car, a common commercial transaction, the better analogy may be to vacation photographs or a high school diploma. Both the photographs and the diploma are items personal to the individual. A property regime allows the individual to exercise control over these items, to exclude others from use, but it is hardly intended to facilitate sale. It could well be argued that those items that are most personal to us are those where the disparity between what a willing buyer and a willing seller will pay is the largest. Do we really want to create markets in these circumstances so that individuals are encouraged to disclose their HIV status, their email correspondence with colleagues, or their love letters from high school? Certainly it is a property-based regime that allows the individual to exercise control over these items and incidents of private life, but this is not a regime that, generally understood, encourages one to sell these things to others.

¶83

Brandeis and Warren understood the problem with market-based approaches to privacy when they wrote the article on the right to privacy.61 They purposefully distinguished a privacy right from an intellectual property claim, noting that copyright typically protects an interest once publication occurs, privacy protects a right to simply not publish.62 They further noted that copyright preserves values that are based on marketplace determinations, whereas privacy protects values that are unique to each individual.63 Lessig's market-based model, which seeks to facilitate the transfer of control over privacy interests, is clearly at odds with this tradition and his skepticism elsewhere about the copyright regime almost begs the question why he saddles the privacy world with an approach he is uneasy about in the world of intellectual property.

¶84

A regulatory regime brings other benefits. In the privacy field, it will likely mean a government office with the expertise and authority to advocate on privacy matters.64 When, for example, a proposal is put forward by law enforcement to develop techniques for wiretapping, governments with privacy agencies, that is to say governments whose regulatory structure for protecting privacy includes a privacy agency, will also have to contend with the competing claims of citizens' privacy interests.65 And indeed this has happened repeatedly in the last few years as countries with privacy regulations and privacy offices have rebuffed calls for expanded police surveillance, while those that lack such agencies have remained under the control of law enforcement agencies.

¶85

Privacy agencies also provide an effective resource for consumers with privacy concerns and are often able to respond to privacy complaints without extensive and costly litigation.66 Such agencies also provide a source of expertise and advice for emerging privacy issues. This has been the experience not only of privacy agencies in Europe but also of those in Canada.67

¶86

A property-based regime of the type Lessig describes lacks any commitment to an institutional structure (or more broadly democratic institutions) that could be established to protect an underlying public interest. Privacy interests that cannot be expressed in the marketplace through the exercise of P3P preferences simply do not exist. Again interests of common concern are pushed aside in the name of promoting market-based negotiation. Such an approach implicates not only public values but also public debate and public institutions.

¶87

A regulatory regime also allows the design of an architecture that reflects public values as opposed to simply private market power. Consider, once again, the resolution of the Caller ID debate. What would the result have been in the absence of a regulatory framework? The telephone companies would simply have announced that the new network architecture enables the disclosure of calling numbers to call recipients and the blocking of such numbers by call recipients. The telephone company would have offered services that allowed customers, for a price, to obtain the number of the calling party or, for a price, to withhold disclosure of one's number when calling another person. If ideal market conditions prevailed, it is even conceivable that the telephone company could price such services on a call by call basis. The telephone company would, under this scenario, become a very rich auctioneer, while telephone customers collectively would see the control of disclosure over personal information significantly diminished.

¶88

Now consider again the communications model that results from the AOL Time-Warner merger. Even if this is not in fact a monopoly, there will certainly be monopoly-like practices. Indeed mergers in the hi-tech communications field are predicated on the various barriers that discourage customers from moving between various providers. Would a property-based regime of the type that Lessig proposes or a regulatory regime of the type that limited the telephone company's ability to extract personal information from its customers do a better job in protecting privacy? I leave it to the reader to make this judgement.

¶89

Why does Lessig settle for P3P? It is possible he genuinely believes it will work.68 It may also be, consistent with the somewhat pessimistic conclusion of the book, that he simply assumes that government will not succeed in its efforts to regulate the Internet to protect privacy. But if that is indeed his view, then his own call for action takes on a Sisyphean dimension. Sure, you can roll the rock, but don't expect much to happen.

¶90

I suspect that Lessig is somewhat more circumspect about his support for P3P today than he was when he wrote Code. But I am troubled that the author of Code and Other Laws of Cyberspace, who invites us to reconsider the relationship, is able to so easily substitute a relatively thin idea without any consideration of a robust pre-existing regime.

 
VI. Economic Analyses

¶91

Since the operation of P3P relies on certain assumptions about the ability of consumers to exercise choice and the nature of markets, it is worth looking closely at some of the comments that Lessig makes about market forces in his discussion of privacy. I am troubled, for example, by Lessig's assertions that the disclosure of individual privacy preferences allows "markets to work more smoothly"69 and that price discrimination is "overall a benefit." While an argument can surely be made that the widespread availability of price and quality information about competing products is a benefit to consumers, it is less clear that information about a consumer's own interests produces similar benefits.

¶92

There is the obvious consideration that marketing does not simply react to demand but is intended also to stimulate demand. It is unlikely that a consumer will at any point in time have a pre-determined disposition to purchase a particular product. Marketers are fond of saying that the benefits of profile-based marketing are that you will learn only about products that are of interest to you, but of course marketers are not simply offering you the same products that you currently possess. They are taking your past purchases and profile information and extrapolating to create a model of new products that you may be persuaded to buy. Moreover, marketers may draw on personal facts to reach these decisions that consumers might well find offensive or intrusive if they were aware of the operation of the marketing industry. Do you really want to purchase a book from an online merchant that, unbeknownst to you, knows not only the books that you have purchased from that company but the web sites you visit, the type of home you own, and the ages and names of your children?

¶93

Lessig is no doubt aware of these criticisms, but he treats them somewhat dismissively. An approach that incorporated Fair Information Practices would quickly show that one solution to the problem of this form of profiling is the requirement that companies make available to the individual all information about the individual that is in the possession of the company.

¶94

But the more interesting economic problem in this discussion is Lessig's implicit endorsement of price discrimination. While he ascribes the view to economists generally and notes a competing interest in equality, he seems unwilling to explore what the implications of price discrimination in Internet commerce may be. This is a topic worth examining since the privacy model proposed by Lessig leads to extensive price discrimination.

¶95

By price discrimination, I mean the sale of differing units of a good or service at price differentials not directly corresponding to differences in supply costs.70 Price discrimination occurs when firms offer discounts to senior citizens and students. It occurs also when an electric utility company charges less for additional units of power consumption. Price discrimination also occurs when a seller alters a price to obtain the maximum amount that the consumer is willing to pay.

¶96

Companies that have access to personal information about prospective customers can price discriminate more effectively. If, for example, the New York Times sells its daily newspaper for $1 but knows that there are some people who are willing to pay 75 cents for the paper, and it can produce additional papers for less than 75 cents, it might choose to sell papers to that market segment for only 75 cents. Conversely, it might also choose to sell papers to those who are prepared to pay $1.25 for $1.25. In theory the supplier could take advantage of the reservation price of each potential customer to produce exactly the amount of papers at exactly the price willing consumers are prepared to pay. Economists would describe this production model as "efficient," and the benefit to some consumers can be shown by the availability of some papers at 75 cents that would not otherwise be available if the New York Times could not price discriminate.

¶97

But the conditions that allow price discrimination are not without problems. In the first instance, price discrimination involves a net transfer of rents from consumers to suppliers. This is an equity effect that essentially leaves consumers as a whole less well off.

¶98

There are also market effects. For price discrimination to occur, three conditions must exist. First, the seller must have some monopoly power. Second, the seller must be able to effectively segregate customers into categories with differing price elasticities. Third, it must be able to control arbitrage, that is to say the resale by low-price customers of the product to high-price customers. Price discrimination is typically easier to achieve in markets for personal services, such as medical care or legal services, than it is for consumer goods.

¶99

Competitive firms may price discriminate to attract new customers; monopolistic firms may price discriminate to defeat competitors or to extract rents from consumers, effectively depriving customers of some of the value that would be available in a competitive market. And where this monopoly power exists, prices to consumers may also rise above what they would be in competitive markets.71

¶100

Price discrimination is only really possible when there is market power, so it happens in precisely those cases where assumptions of perfect competition are violated. When you combine market power, consumer profiling and price discrimination, consumers may be less well off. In bargaining, no one wants to give up their "reservation" price to the other side. With profiling, the consumers give up the privacy of their reservation price, but the seller doesn't. This shifts bargaining power against consumers. It is an example of the information asymmetries that are likely to arise more frequently as consumer profiles are more widely disclosed to sellers.

¶101

Privacy rules that allow individuals to withhold disclosure of actual identity leave consumers in a more effective bargaining position. Consumers always have the ability to disclose actual identity and to take advantage of whatever special price a supplier may offer, but they retain the ability to forgo that opportunity if there are other interests to consider. Thus regimes that enable price discrimination by making personal information about prospective customers available to suppliers are likely to support monopoly behavior and to leave consumers, taken as a whole, less well off than they might otherwise be. The allocation of goods might still be considered "efficient," but the distributional effects as well as the market effects would be a basis for concern.72

¶102

The problem of price discrimination is interesting in another respect. Under the P3P regime, consumers are effectively required to reveal their privacy "reservation price" as a condition of transacting with a particular web site. Thus consumers transfer whatever value may be assigned to their privacy preferences to the web site, whereas under a Fair Information Practices regime a consumer could interact with the site without revealing a privacy profile. In effect the web site learns more about the consumer than is necessary to enable the transaction, and the associated problems of market power and distributional transfer described above are replayed over the value of the privacy profile.

¶103

The Fair Information Practices approach, supported by the architectures of privacy described above, is built on the premise that individuals need only disclose the elements of identity that are necessary to enable the transaction, and a preference is established at the outset for transactions that do not disclose actual identity. The Fair Information Practices regime would add the additional consideration that certain types of inquiry, such as race in a housing loan, should simply not be disclosed even if a consumer is willing to do so.

¶104

I do not intend in this section to offer a definitive assessment of whether price discrimination of the type enabled by the collection of information of prospective customers necessarily produces a bad result on economic grounds. I simply wish to point out that the topic deserves far more attention than it received in Code.

 
VII. Code, Privacy and Cyberspace

¶105

There is much to be said for an inquiry that asks us to consider how the Internet is to be regulated. The United States, in particular, has struggled with this question, arguing on the one hand for "self-regulation" and at the same time adopting more legislation for the Internet than any other government in the world.73 In the privacy field in particular there is a great need to understand the interaction between law, the design of information systems, and the political right of privacy, which however difficult to describe still remains one of the central concerns of citizens in the information society.74

¶106

The United States provides a rich history for this examination. From the articulation of a legal theory for a right of privacy in the nineteenth century through the adoption of comprehensive privacy legislation in 1974 and the privacy laws of the 1980s that targeted new technologies, there has been an ongoing effort to bring technological design within the control of the public and to safeguard the right of privacy. But something happened in the '90s that set the United States on a strange course. At roughly the same point in time that Europe and other governments were developing new legal regimes to protect privacy, the United States was pursuing legal and technical measures to enable surveillance.75 While Europe faced the challenge of ensuring compliance by all the member states with the requirements of the Data Directive, the US took on the challenge of trying to enforce compliance with the FBI's technical scheme to enable wire surveillance. And when consumers called for privacy safeguards to address the growing problems with the Internet, the United States government turned to the private sector for self-regulatory measures that offered little in the way of actual privacy protection.

¶107

One cannot escape the conclusion that privacy policy in the United States today reflects what industry is prepared to do rather than what the public wants done. This problem -- a problem that concerns the functioning of democratic institutions -- is a far more serious threat to Lessig's ideal about public control of cyberspace than the rhetoric of libertarians. But it will take determination to ask hard questions about the operation of our political system, a rediscovery of America's own privacy tradition, and a willingness to move beyond the technological fetishism that has seduced even some of the nation's most brilliant legal scholars before it will be possible to begin a genuine debate about the future of privacy protection in America. Lessig has not helped this enterprise and may have caused it some harm.

 
VIII. Conclusion

¶108

With the publication of Code, Larry Lessig invites readers to begin a long overdue discussion--at least in the United States--about the regulation of cyberspace.76 He implores us to "choose what kind of cyberspace we want and what freedoms we will guarantee." And he reminds us that on the Internet "code is the most significant form of law" and it is up to " . . . especially citizens to decide what values that code embodies." But when confronted with a pressing social concern he turns from the values that citizens have traditionally sought to protect in code and asks us instead to surrender our political rights to market forces. Our ability to act collectively, that is to say to act as citizens, is suddenly no longer important. We are on our own, isolated in a marketplace where the rules are framed by the marketers, trying to buy back our privacy. Thus a titanic legal theory hits an iceberg shortly after it has left the port.

¶109

I have offered in this essay a somewhat sharp critique of Larry Lessig's discussion of privacy in his popular Code and Other Laws of Cyberspace. It is a critique that grows out of great regard for the vision of Code and great disappointment in the application of Code. While I agree with Lessig's recommendation that we need to consider more carefully the relationship between the architecture of cyberspace and the protection of social values, his discussion of privacy is deeply flawed. He fails to identify the relevant policy considerations, ignores all of the relevant history, and proposes an architecture of private ordering at odds with the public interests he otherwise seeks to protect. Lessig owes us a more thoughtful, rigorous discussion of privacy issues than the one presented in Code.

 
IX. Notes

Ian Goldberg, David Wagner & Eric Brewer, Privacy-Enhancing Technologies for the Internet [http://www.cs.berkeley.edu/daw/privacy-compcon97-www/privacy-html.html].
EPIC Online Guide to Privacy Resources [http://epic.org/privacy/privacy resources faq.html].
Joel R. Reidenberg, Lex Informatica: The Formulation of Information Policy Rules Through Technology, 76 Tex. L. Rev. 553 (February 1998).
Lawrence Lessig, The Limits in Open Code: Regulatory Standards and the Future of the Net, 14 Berkeley Tech. L.J. 759 (Spring 1999) (symposium).
Marc Rotenberg, The Privacy Law Sourcebook: United States Law, International Law, and Recent Developments (EPIC 1999) [hereinafter Sourcebook].
David Chaum, Achieving Electronic Privacy, Scientific American (August 1992).
Bruce Schneier & David Banisar, The Electronic Privacy Papers (Wiley 1997).
Priscilla M. Regan, Legislating Privacy: Technology, Social Values and Public Policy (University of North Carolina Press 1995).
Arthur Miller, The Assault on Privacy.
Christopher D. Hunter, Recoding the Architecture of Cyberspace Privacy: Why Self-Regulation and Technology Are Not Enough [http://www.asc.upenn.edu/usr/chunter/p3p.html].
Jason Catlett, Technical Standards and Privacy, letter to P3P Developers (Sept. 13, 1999) [http://www.junkbusters.com/standards.html].
Peter Swire & Robert Litan, None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive (Brookings 1998).
Paul Schwartz, Privacy and Democracy in Cyberspace, 52 Vanderbilt Law Review ___ (1999).
Jerry Kang, Information Privacy in Cyberspace Transactions, 50 Stanford Law Review 1193 (1998).

Copyright © 2000 Marc Rotenberg and Stanford Technology Law Review. All Rig