by dylan tweney
published 2 may 2001

The topic of my talk was the current state of online privacy. What follows is an edited, abridged version of that presentation.

The state of privacy on the Internet is almost as confused as the state of online copyright. Actually, it's worse. Copyright law has only begun to feel the foundation-shattering effects of Internet technology (of which Napster is merely the first wave). But copyright, at least, has at least several hundred years of solid legal and cultural precedent to fall back on, even if that precedent continues to be eroded or modified.

Privacy, by contrast, has barely even begun to exist as a real-world legal concept. The issues in the physical, offline world are themselves muddled -- let alone trying to apply them online.

In the United States, the Fourth Amendment guarantees people the right "to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures." But the Bill of Rights says nothing about the inviolability of your mailing address, purchasing preferences, medical records, or conversations that you have at the water cooler while at work. Generally speaking, the Fourth Amendment is a weak foundation for a comprehensive right to privacy.

Where privacy laws do exist -- as in the Privacy Act of 1974, which discourages the government from collecting data on law-abiding citizens -- the laws are fairly limited in scope, and fall short of defining a fundamental right to privacy.

Contributing to the problem is the fact that the word "privacy," in and of itself, is difficult to define -- yet impossible to oppose. No one in their right mind wants to come out against privacy rights. Privacy advocates and the media can often whip the public into a frenzy over "invasions of privacy" that are no more than annoyances, such as the shenanigans of the Direct Marketing Association. Meanwhile, truly serious invasions of privacy -- ones that impinge on our everyday civil rights, such as collusion between DEA and Amtrak (see below) -- escape scrutiny.

Despite some high-profile cases of privacy invasions, most consumers still don't seem particularly concerned when it comes to online privacy. According to a recent survey by the Pew Internet & American Life project, 90 percent of Americans worry about their credit card numbers being stolen online, and 62 percent favor online privacy laws. But at the same time, more than half -- 54 percent -- are in favor of allowing the government to snoop on private email as a way of curbing crime. [2]

A Pew survey conducted last summer found that most American consumers feel strongly about protecting their privacy online -- but are woefully ignorant about the means to do so. 56 percent did not know anything about cookies -- the data files that advertisers and marketers can place on your computer in order to track your movements through their web sites. And, while it is easy to block cookies, fewer than 10 percent had actually done so. [3]

In other words, there's a lot of lip service given to privacy. And granted, the Internet does make certain privacy issues much more urgent. But people's actions, and their knowledge about the matter, lag far behind the hype.

INFORMATION WANTS TO BE PUBLIC

To understand why the Internet is precipitating this crisis in privacy, it helps to take a look at how the Internet works.

The Internet is, at bottom, a collection of networks designed to facilitate the easy moving of data from place to place. Moving data online means, of course, copying it, as I discussed in the last edition of the tweney report. And the Internet is nothing if not a gigantic copy machine. [4]

As a result, private information, once digitized, is easily "turned loose" onto the public Internet. That's the origin of the term "Information wants to be free," which was thrown about a lot during the latter part of the last century, in the pages of Wired and similar magazines. This slogan doesn't mean, necessarily, "I want information to be free of charge" (although many have used it that way). Rather, it means that information -- of itself -- has a tendency to break out of whatever constraints are holding it.

Technical issues aside, there are powerful incentives for companies to share, trade, or sell data they have about their customers. This data is a valuable corporate asset. In fact, a company's commitment to enhancing its shareholders' value actually requires it, ethically, to capitalize on that asset. It's unrealistic -- and bordering on the ridiculous -- to expect companies to forego using data about purchases that their customers make from them. I would not be a very good businessman at all if I didn't learn my customer's names, likes, and dislikes -- and use that information to give them better treatment.

The Internet's power is that it enables companies to automate this principle. Hence, the most successful online retailers use a great deal of information about their customers -- and always will.

These technical and market forces combine on the Internet to create an environment where information of the most private nature can quickly be disseminated worldwide, in seconds. In other words, "Information wants to be public."

But if you're concerned about online privacy now, just wait. You ain't seen nothing yet:

It's entirely possible that within the next few years, the FBI will read every single unencrypted email sent in the U.S. (the FBI's controversial "Carnivore" technology already comes close to doing this).

Or -- imagine a world where webcams are everywhere. With a $99 digital video camera, a computer, and an Internet connection, I can broadcast images of my street 24 hours a day. The result: Big Brother isn't watching you, the neighbors are.

Or -- combine the availability of detailed, real-time direct marketing databases with interactive television technologies. It won't be too long before a commercial comes on the television and addresses you by name: Hello, Mr. Tweney -- congratulations on your new baby girl! Can we interest you in a year's supply of Pampers, delivered right to your door every week? ....

SPHERES OF PRIVACY

However, before we can truly engage the debate, we need to recognize that privacy issues are different in different domains -- something which is not often properly considered in the media or elsewhere. In other words, your expectations of privacy depend on the nature of the relationship and the circumstances.

Privacy incursions by marketers are annoying, but fundamentally the harm caused by spam and junk mail is minimal. However, privacy incursions by the government could be a serious civil rights problem.

"Slippery slope" arguments that equate the practices of the Direct Marketing Association with the tactics of repressive police states confuse the two spheres and assume all privacy violations are equivalent. This does an injustice to the real issues.

However, it is clear that the boundaries between these "privacy spheres" are blurring -- and that is cause for concern.

For example, as the Wall Street Journal reported last month, the FBI uses a marketing database from ChoicePoint Inc. to help identify felons, track down people who skip bail, and the like. The problem is that ChoicePoint's database, assembled from a variety of sources (including credit card history databases), is probably only about 98% accurate at best. That's just fine for marketers -- after all, direct marketing is a numbers game. But for civil issues, anything short of perfect is appalling.

In fact, it was by using ChoicePoint data that hundreds of Florida voters were misidentified as convicted felons last fall -- and thus deprived of their right to vote in what turned out to be a very close election. [5]

Similarly, it turned out recently that the Drug Enforcement Agency is using Amtrak purchasing data to profile possible drug traffickers. Whenever you buy a train ticket, the DEA knows where you're going, whether you paid with cash or by credit card, and perhaps more. In return for providing access to this data, Amtrak gets a kickback of 10% of any goods confiscated from their trains. I can hardly believe that this story didn't generate more coverage, or more outrage, but there it is. [6]

I propose that the only way to resolve these problems is to differentiate how privacy works in different spheres. In other words, we need different standards for the commercial use of information and for the governmental use of information -- for starters.

Where professional or ethical standards already exist (for instance, medical records, or attorney-client privilege), we should use those standards as guidelines.

Where guidelines don't exist or are ambiguous, we should focus on the actual harm done by privacy incursions.

And we need to make sure that these spheres are kept distinct. For instance, it shouldn't be possible for the government to bypass warrant and wiretap requirements by outsourcing its intelligence research to private firms, as the DEA and FBI appear to be doing.

Ultimately, however, online privacy won't make much headway without establishing a basic right of individuals to have privacy. I think it is imperative that we build a strong and nuanced defense of the right to privacy.

This may take a while, and I don't expect to see anything really conclusive for several years at the earliest. But I do think it's possible.

And, when we finally do come up with a strong right to privacy, we can thank the Internet for helping to crystallize the issues and for lending urgency to the debate.

(for additional resources, see links [7-10])

[1] RLG meeting: Privacy, Secrecy, and Responsibility (agenda)

[2] Fear of Online Crime (report)

[3] Trust and Privacy Online (report)

[4] The real Slim Shady

[5] FBI's Reliance on the Private Sector Has Raised Some Privacy Concerns (April 13)
(paid subscription required)

[6] Amtrak 'Sharing' Information With D.E.A. (April 15)
(free registration required)

There are a bunch of additional resources for information on privacy issues, privacy protection tools, and guidelines for companies and individuals concerned about privacy. Here are a few excellent sites I have found useful:

[7] EPIC: the Electronic Privacy Information Center
legislative & policy advocacy group; lots of resources on site

[8] Junkbusters consumer advocate Jason Catlett's site; takes a very practical approach to privacy protection

[9] Privacy Rights Clearinghouse
handy "fact sheets" for a variety of online & offline privacy issues

[10] Yahoo Full Coverage - Internet Privacy
latest privacy news, plus lots of link