1 In offering this title, I am following the convention that is appropriate for this genre. Responses in the spirit of "What Marc Doesn't Get" are welcome and should be sent to rotenberg@epic.org.| 1 In offering this title, I am following the convention that is appropriate for this genre. Responses in the spirit of "What Marc Doesn't Get" are welcome and should be sent to rotenberg@epic.org. |
| * Executive Director, Electronic Privacy Information Center, Washington, DC; Adjunct Professor, Georgetown University Law Center, 1990-;Co-editor, Technology and Privacy: The New Landscape (MIT Press 1997); Editor, The Privacy Law Sourcebook: United States Law, International Law, and Recent Developments; Former counsel, Senate Judiciary Committee, Subcommittee on Law and Technology. |
| 2 Although action figures and brightly colored lunch boxes have not yet appeared at Toys R Us, we can reasonably expect that law school bookstores will soon offer bumper stickers and T-shirts with the now famous slogan. |
| 3 I believe it was Joseph Weizenbaum, distinguished professor of computer science at MIT and author of the ELIZA program, who first used the term "artificial intelligentsia" in a critique of the then popular punditry on artificial intelligence and its impact on social life. Review of Feigenbaum & McCorduck, The Fifth Generation: Artificial Intelligence and Japan's Computer Challenge to the World, New York Review of Books, circa 1983. |
| 4 Lessig was a special master in the government's case against Microsoft. |
| 5 Even before the recent public protects over architectures of surveillance, philosophers, sociologists and other had observed the relationship between design and methods of social control. Bentham, Foucault, Ellul, Gary Marx, and Oscar Gandy. |
| 6 Laura J. Gurak, Privacy and Persuasion in Cyberspace: The Online Protests Over Lotus Marketplace and the Clipper Chip 19-31 (Yale University Press 1997); Langdon Winner, "A Victory for Computer Populism," Technology Review 66 (May-June 1991). |
| 7 I will use the term "code" throughout this article to mean the design of information systems generally, although I recognize that Lessig probably has in mind the more limited application to the protocols and design choices currently associated with the Internet. |
| 8 Schneier and Banisar, Electronic Privacy Papers ___ (Wiley 1997). Diffie and Landau, Privacy on the Line ____ (MIT Press 1998). |
| 9 Privacy Law Sourcebook, 305-13 (OECD Cryptography Guidelines). |
| 10 In 1970 the federal law was amended to make clear that a communications carrier had to comply with a warrant. Public Law 91-358, Title II, Sec. 211(b), July 29, 1970, 84 Stat. 654. Until 1970 cooperation of the telephone company in the execution of a warrant was optional. The 1970 amendment came about after a telephone company in Nevada refused to comply with a warrant, Lapidus at 123. |
| 11 Edith J. Lapidus, Eavesdropping on Trial, (Hayden 1974). |
| 12 Pub. L. No. 103-414, 108 Stat. 4279 (1994) (codified at 47 U.S.C. 1001-1010 and ___). |
| 13 Brief of EPIC, ACLU, EFF in USTA v. FCC (D.C. Cir. 2000), filed Jan. 20, 2000. |
| 14 Samarajiva article |
| 15 Useful advice about the Caller ID service may be found in Beth Givens, The Privacy Rights Handbook 45-50 (1997). |
| 16 Id., Samarajiva |
| 17 In fairness to Lessig, he has at various times said various things about privacy, some more in line with the view favored in this article than those originally set out in Code. But Code is an influential work and it is important to consider the privacy argument put forward in its pages without regard to extra-textual material. |
| 18 389 U.S. 347 (1967). |
| 19 Lessig 111-118. Brandeis, Olmstead, 277 U.S. 438, 475-76 (1928). |
| 20 Id at 26. |
| 21 Julie E. Cohen, "A Right to Read Anonymously: A Closer Look at "Copyright Management" in Cyberspace," 28 Conn. L. Rev. 981, 1003-38 (1996). |
| 22 Most privacy literature can roughly be divided into those works that present a list of privacy threats brought about by new technologies [Packard, Smith, Burnham, Garfinkel, Walker] and those that seek to articulate a robust conceptual framework for a right of privacy. [Allen, Marx, Gandy, Flaherty, Bennett, Westin] Journalists typically author the first, scholars the second. Lessig, a scholar writing for a general audience, incorporates both traditions. |
| 23 Such concepts generally turn on denying physical access to one's person or controlling personal information held by another. See, generally, Turkington & Allen, Privacy Law: Case & Materials 72-74 (1999). I will argue below that privacy protection in information law is generally understood as the enforcement of Fair Information Practices. |
| 24 P. 158. |
| 25 William L. Prosser, Privacy, 48 Cal. L. Rev. 383, 389 (1960). The John Marshall Law Review, Summer, 1994, 27 J. Marshall L. Rev. 989, NOTES: PC PEEP SHOW: COMPUTERS, PRIVACY, AND CHILD PORNOGRAPHY, John C. Scheller, n. 97. See., e.g., Invasion of Privacy and Charter Values: John D.R. Craig , "The Common-Law Tort Awakens, 42 McGill L.J. 355, 382 (1997) ("In fact, such an approach would be preferable to the simple importation of the American tort of invasion of privacy."). |
| 26 See generally Robert Elllis Smith, A Compilation of Federal and State Privacy Law (Privacy Journal 1999). A particularly interesting example of a state privacy law is the recently enacted California statute that attempts to address the problem of the Papparrazi. The statute is noteworthy because it appears to indirectly the conduct of the media, even though the strong First Amendment tradition of the United States has typically disfavored such legislation. At this time, there is no comparable law in either England or France, even though it was the death of Princess Diana, chased by journalists on the streets of Paris, that was the catalyst for the California legislation. |
| 27 The concept of "notice and choice" was vigorously promoted by the Direct Marketing Association at a June 4, 1996 hearing held by the Federal Trade Commission. The DMA was seeking to avoid privacy legislation and recommended instead a self-regulatory model based on "notice and choice." Prior to the DMA's announcement hardly any references to this formulation of privacy can be found in the popular literature or legal scholarship. There is a mention of the phrase in a 1992 law review article on drug testing that discusses a footnote in a Supreme Court decision on drug testing, Van Raab at 1198. George Washington Law Review, Drug Testing: Weighing the Factors of Drug Testing for Fourth Amendment Balancing,60 Geo. Wash. L. Rev. 1151 (June 1992). |
| 28 In Condon v. Reno, __ US ____ (US 2000), the Court rejected a challenge to the Drivers Privacy Protection Act of 1994, reversed decisions of two federal appeals courts, and upheld Congress's authority to regulate the sale of drivers record information held by state agencies. |
28 In Condon v. Reno, __ US ____ (US 2000), the Court rejected a challenge to the Drivers Privacy Protection Act of 1994, reversed decisions of two federal appeals courts, and upheld Congress's authority to regulate the sale of drivers record information held by state agencies.
| 29 National Data Center. |
| 30 The concept of Fair Information Practices was first explicitly articulated in Records, Computers and the Rights of Citizens, report of the Secretary's Advisory Committee on Automated Personal Data Systems (1973). The report from the Department of Health, Education and Welfare provided the conceptual framework that gave rise to the Privacy Act the following year. |
| 31 David Flaherty, Protecting Privacy in Surveillance Societies: The Federal Republic of Germany, Sweden, France, Canada, and the United States ___, ___ (University of North Carolina Press 1989). |
| 32 Privacy Law Sourcebook at 179-205 [http://www.oecd.org/dsti/sti/it/secur/index.htm] |
| 33 Sourcebeook at 181-82. |
| 34 Colin J. Bennett, Regulating Privacy: Data Protection and Public Policy in Europe and the United States (Cornell University Press 1992), Colin J. Bennett, "Convergence Revisited: Toward a Global Policy for the protection of Personal Data" in Agre and Rotenberg. |
| 35 Bruce Schneier, Applied Cryptography 112-15 (2d. ed. 1996) (blind signatures); Peter Wayner, Digital Cash: Commerce on the Net 189-97 (2d ed. 1997) (Digicash). |
| 36 McIntyre v. Ohio Election Commission, 514 U.S. 334, 115 S. Ct. 1511 (1995); Buckley v. American Constitutional Law Found., 525 U.S. 182, 1999. Michael Froomkin, Anonymity and Its Enmities, 1995 J. Online L. art. 4 (1995). |
| 37 German Law for Information and Communication, Privacy Law Sourcebook at 368. |
| 38 Privacy Law Sourcebook at 387-88. |
| 39 "National Plan for Information Systems Protection," pp. 2-3, Jan. __ 2000, Press announcements, www.whitehouse.gov. |
| 40 In Agre & Rotenberg, Technology and Privacy: The New Landscape 125-42 (MIT Press 1997). |
| 41 Marc Rotenberg, presentation, Standards Council of Canada International Meeting on Privacy and Data Protection, Hong Kong SAR, Sept. 16, 1999. |
| 42 Privacy Law Sourcebook at 368. |
| 43 Art. , sec. 4, par, (1). Privacy Law Sourcebook at 371. |
| 44 Privacy Law Sourcebook at 368-86. |
| 45 Art. , sec. 4, par, (4). Privacy Law Sourcebook at 371. |
| 46 Viktor Mayer-Schönberger, "The Internet and Privacy Legislation: Cookies for a Treat?" ___ West Virginia Journal of Law and Technology ___ [http://www.wvjolt.wvu.edu/wvjolt/current/issue1/articles/mayer/mayer.htm] |
| 47 Even the FTC fell for the ruse:
|
|
In the online environment, choice easily can be exercised by simply clicking a box on the computer screen that indicates a user's decision with respect to the use and/or dissemination of the information being collected. The online environment also presents new possibilities to move beyond the opt-in/opt-out paradigm. For example, consumers could be required to specify their preferences regarding information use before entering a Web site, thus effectively eliminating any need for default rules.
|
|
n. 44 Indeed, technological innovations soon may allow consumers and collectors of information to engage in "electronic negotiation" regarding the scope of information disclosure and use. Such "negotiation" would be based on electronic matching of pre-programmed consumer preferences with Web sites' information practices. The World Wide Web Consortium ("W3C") is currently in the final stages of developing its Platform for Privacy Preferences Project ("P3P"), which will allow implementation of such technology. Consumers may have access to P3P by early 1999. For general information on P3P, see the W3C's Web site (http://www.w3.org/P3P).
|
|
n. 45 A system requiring consumers to specify privacy preferences before visiting any Web sites can be built into Internet browsers. See supra note 44 (discussing technological developments). The absence of default rules, and the concomitant requirement that consumers decide how they want their personal information used, help ensure that consumers in fact exercise choice.
|
| [http://www.ftc.gov/reports/privacy3/priv-23.htm] |
| 48 http://www.w3.org/Press/1998/P3P. |
| 49 "I welcome this important new tool for privacy protection," Gore said when the working draft was released last week. "It will empower individuals to maintain control over their personal information while using the World Wide Web." CyberTimes, "Proposed Standards Fails to Please Advocates of Online Privacy," June 2, 1998. A whole range of testimonials for the non-existent product may be found at "W3C Publishes First Public Working Draft of P3P 1.0, Testimonials," http://www.w3.org/Press/1998/P3P-test.html. |
| 50 "A second task force will address how incentives can be created to encourage the development of privacy-enhancing technologies, such as the World Wide Web Consortium's Platform for Privacy Preferences (P3P)." Statement of FTC Chairman Robert Pitofsky, Hearing before the Subcommittee on Telecommunications, Trade, and Consumer Protection of the Committee on Commerce United States House of Representatives, July 13, 1999 [http://www.ftc.gov/os/1999/9907/pt071399.htm] |
| 51 At a Congressional hearing, I pointed out the absurdity of a citizen negotiating with a federal agency over privacy preferences. Could the agency really adopt privacy rules that fell below the legal requirements of the Privacy Act? Could a citizen really be denied access to a federal web site because of a privacy preference? What are the market options to the IRS? |
| 52 Spring, 1999, 14 Berkeley Tech. L.J. 771, 779, SYMPOSIUM: Restoring Americans' Privacy in Electronic Commerce, By Joel R. Reidenberg* |
| 53 Cranor, Nov 30, 1999 presentation. |
| 54 Kenneth Lee, Gabriel Speyer, Citibank Advanced Development Group [http://www13.w3.org/P3P/Lee_Speyer.html]
1.From a consumer standpoint using P3P may be quite confusing, as the user may feel inundated with
"legalese" and too many choices.
2.Implementing P3P might limit the amount of marketing information, commerce and cross-selling a
company can conduct online.
3.P3P is just one component of what should be a full framework for online privacy. For P3P to be widely deployed and properly used, other (perhaps costly) measures must be bundled with P3P implementation to reconcile consumers' and companies' preferences. Such measures would include: self-auditing, a process of recourse for users, education/enforcement and authentication. |
| 55 Open letter to P3P Developers, Sept. 13, 1999 [http://www.junkbusters.com/standards.html] |
| 56 [European Commission, Directorate General XV, Working Party on the Protection of Individuals with Regard to the Processing of Personal Data, Opinion 1/98: Plat form for Privacy Preferences (P3P) and the Open Profiling Standard (OPS), XV D/5032/98, adopted on June 16, 1998. http://www.europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp11en.htm] |
| 57 http://www.research.att.com/library/trs/TRs/99/99.4/99.4.3/report.htm |
| 58 http://www.europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/wp11en.htm |
| 59 It is hardly coincidental that industry latched onto the Platform for Internet Content Selection (PICS), another technical standard put forward by the W3C that would reduce the likelihood of government regulation of Internet business. Interestingly, Lessig was one of the sharpest critics of PICS, arguing that "____" PICS is the Devil, Wired. I suggest that the reason Lessig was so critical of a technical standard that "coded" speech interests, but far less critical of a technical standard that coded privacy interests is simply that Lessig is far more familiar with the values underlying First Amendment interests that those underlying privacy interests. |
| 60 160-61. |
| 61 4 Harv. L.Rev. 193, ___ (1890). |
| 62 Professor Arthur Miller provides further commentary in this point in his Assault on Privacy: Computers, Databanks, and Dossiers (University of Michigan Press 1970). Miller notes that Warren and Brandeis rejected the property theory and then comments, "The property rationale is inappropriate for other reasons. In contexts such as the sale of information by credit bureaus or mailing list organizations, it is not the subject of the data but a third party who created the commercially valuable record." Miller further observes that, "Reliance on the recognition of a property right also would have the undesirable effect of placing responsibility on each individual to protect his own interests, rather than imposing clear duties of care or restrictions on those organizations that want the data, and usually have the leverage to extract them from the people. Credit bureaus, for example, probably would be no less successful in convincing data subjects to give up their 'property rights' by holding out the carrot of access to the credit economy than they presently are obtaining voluntary consents to credit investigations. The unequal bargaining power of an individual dealing with a government agency or an employer could lead to a similar result." Professor Miller concludes, presciently, "These considerations indicate that recognition of property rights in personal information is much too artificial a method of regulating important phases of a technology that is still in its infancy." |
| 63 The opinion of the Minnesota supreme court in the recent case of Lake v. Wal Mart provides an excellent illustration of these points. (Minn, 1998) In Lake a young woman brought several rolls of film from a vacation to a Wal-Mart to be developed. On one of the rolls of film was a picture, taken by Lake's sister, of Lake and a friend naked in a shower. When Lake received the developed photographs along with the negatives, an enclosed written notice stated that one or more of the photographs had not been printed because of their "nature." But Lake subsequently learned a Wal-Mart employee had printed the negative and that the picture of her naked in the shower was circulating in the community. Lake brought a claim against Wal-Mart under common law tort theory and the Minnesota supreme court was asked to determine whether the state would recognize the privacy clam. The court concluded "One's naked body is a very private part of one's person and generally known to others only by choice. This is a type of privacy interest worthy of protection. Therefore, without consideration of the merits of Lake and Weber's claims, we recognize the torts of intrusion upon seclusion, appropriation, and publication of private facts." |
| 64 Privacy commissioners have also sponsored an annual conference to promote research and understanding of emreging privacy issues. The 21st annual meeting of the International Privacy Protection and Data Protection Commissioners was held in September 1999 in Hong Kong SAR. The conference web site provides an extensive resource on privacy issues. [___] The United States sponsors no similar event. Even where the Federal Trade Commission has sponsored workshops on privacy topics, the events have typically been open-ended fact-finding exercises, dominated by industry lobbyists, with little interest in privacy research or scholarship. |
| 65 Privacy officials from Europe and Canada played a significant role in the decision of the Organization for Economic Cooperation and Development to reject the US-backed key escrow regime. The privacy commissioner in Italy has recently undertaken an inquiry into illegal wiretapping. |
| 66 David H. Flaherty, "Controlling Surveillance: Can Privacy Protection Be Made Effective?" in Agre and Rotenberg. [Web site of the privacy commission of British Columbia] |
| 67 A good summary of the activities in Europe may be found in the Second Annual Report of the Article 29 Working Group, Privacy Law Sourcebook at 466-500. Annual reports are also published by privacy agencies around the world including those in the European Union as well as Canada, New Zealand, Australia, Hungary, Hong Kong, and elsewhere. No similar report is published in the United States because there is no agency tasked with the protection of privacy. |
| 68 "A world without P3P is a world with less control over privacy; a world with P3P is a world with more control over privacy." Lawrence Lessig, "The Limits in Open Code: Regulatory Standards and the Future of the Net," 14 Berkeley Tech. L.J. 759, 762 (Spring, 1999). |
| 69 "Products are matched to people, and interests to people, in a way that is better targeted and less intrusive than what we have today." Lessig at 153, 155. |
| 70 F.M. Scherer, Industrial Market structure and Economic Performance 315. |
| 71 (CALPIRG has some research showing that shoppers' cards don't lower prices on average.). |
| 72 In some cases, evidence of price discrimination can be the basis for anti-trust action. |
| 73 Digital Millennium Copyright Act, 105-304; No Electronic Theft Act, 105-147; Computer Fraud and Abuse Act, ___; Communications Decency Act, ___; Children's Online Protection Act, ___; Children's Online Privacy Protection Act, ___; ___, etc/ |
| 74 A recent poll from the Wall street Journal suggests that "the loss of personal privacy" is top of concern of Americans in the twenty-first century, Sept. ___, 1999. |
| 75 EPIC and Privacy International, Privacy & Human Rights: An International Survey of Privacy Laws and Developments 1999. |
| 76 Conferences about the regulation of cyberspace are routinely held by governments around the world. See, e.g "IST99: Information Society Technologies Conference: Exploring the Information Society: People, Business, Technology" [http://www.ist99.fi]; "Political institutions and democracy in an Information Society: an historic opportunity to advance the essential interests of citizens and consumers in Europe" (EU Rome Conference, March 1999] [___]. |
|
Comments regarding this material may be sent via e-mail to STLR. |
| Copyright © 2000 Marc Rotenberg and Stanford Technology Law Review. All Rights Reserved. |