  From: <swp2102@columbia.edu>
  To  : <cpc@emoglen.law.columbia.edu>
  Date: Thu, 11 May 2006 14:51:24 -0400

Paper 2 - Privacy Protection Regimes - S. Porter

Despite the colloquial, even amicable language—“This is very
important, so please check it out…”—I skipped the
privacy/disclosure agreement when I signed up for my free web-based
email account, possibly because it sounded so familiar and friendly
that I assumed the good faith of its authors, or possibly because
it was very long.  With just a few simple algorithm searches,
Hotmail might be able to peruse all its users’ email contents, both
their in- and out-boxes, for various data-mining purposes.  If it
does, Hotmail may have determined there is a high probability that
I overeat and drink when I’m stressed and that I’m just finishing
up my final exams.

Due to the formal, legalistic language—“Pursuant to the Fair Credit
Reporting Act…”—I skipped the privacy/disclosure agreement when I
signed up for my credit card.  By assembling its cardholders’
purchase information into easily sortable databases, American
Express might have determined there is a high probability I am a
law student who does not smoke regularly but last week purchased
three packs of cigarettes, and that I am currently vacationing
abroad.

Who “owns” this information, me or the companies?  More precisely,
which rights in the property bundle do I have, and which do they
have?  Can American Express tell Philip Morris that I might be at a
smoker’s tipping point?  Can Hotmail go directly to Jenny Craig and
tell her about my eating problem?  Or maybe indirectly by selling
banner space in my inbox at a premium?  Can I tell American Express
and Google that I no longer want them to know anything about me
beyond the bare minimum?

Though I don’t necessarily know the answers to these questions (or
even the accuracy of the structure of the hypotheticals), I have a
strong gut feeling about who ought to be answering them: me.  A
recurring theme in this class has been the trade-offs we make
between convenience and privacy, and we all stake out different
positions on the spectrum.  It’s analogous to the question of how
soon in a relationship we all choose to divulge personal details;
some people tell their sob stories the first time they meet a new
person, and others are much more reserved.  Rather than make value
judgments about something that is ultimately less about principles
and more about individual preference, we ought to reserve in each
individual the capacity to make those decisions.

The hodgepodge of American privacy law attempts to retain a
semblance of autonomy in the individual over how their personal
information is collected and used.  The Privacy Act of 1974
regulates the collection and use of personal data by the
government, the Fair Credit Reporting Act of 1970 regulates the
collection and use of personal data by consumer reporting agencies,
and both incorporate to a certain extent the 1973 Code of Fair
Information Practices issued by the Department of Health, Education
and Welfare.  But the way that positive privacy protections—the 1st
and 4th Amendments, along with the Privacy Act, FCRA and
FIP—interact with one another suggests that the baseline from which
privacy law has developed is not privacy, but rather disclosure.

As an example, consider the consumer databases like Acxiom and
ChoicePoint discussed in class: so long as the databases didn’t
qualify as a “consumer reporting agency” under FCRA, they went
unregulated. The government could then purchase information
directly from the database without coming under the restrictions of
the Privacy Act, and 4th Amendment lawsuits were doomed to fail
since the courts had determined that where a third-party (i.e.,
consumer database) collects the information, there is no reasonable
expectation of privacy.  The court’s conclusion here is
irresponsible; only if there were better protections in place
allowing individuals to control which and to what extent third
parties can collect information would this outcome make sense.  
Instead the court did not hesitate to erode privacy.

As gaping holes have developed in our privacy protection regime,
with only a few exceptions such as Social Security Number usage,
disclosure -- not confidentiality -- is the norm.  The baseline
ought to be privacy.  We might attempt to plug the many leaks in
the current regime, and indeed there have been thoughtful proposals
made [1].  But it seems that a start from scratch will ensure the
greatest protection.

The potential for widespread dissemination of personal information
means that a new privacy protection regime must take account of
the wide variance in probable uses of information and duties owed
the information’s “owner.” There should be at least four different
regimes: one for government, one for purveyors of goods and
services which completely lack contact with the individual in
question (potential purveyors), one for purveyors of goods and
services which have minimal contact with the individual in question
(far purveyors), and one for commercial institutions with frequent
and intimate relations with the individual (close purveyors). 
Close purveyors would be analogous to credit reporting agencies
under the current regime, except we would recognize that this
category of companies with heightened duties toward its clientele
has expanded to include email service providers and other online
portals privy by necessity to delicate information.  The key
additions would be the inclusion in the privacy regime of entities
with limited and no contact with individuals they carry information
on.

Who knows what about me, and what can they do with the information? 
I, like most people, want to be in control.  Rather than
prohibitively long disclosure agreements, I want to see short,
concise, and specific statements about what a company will do with
my information, just like the black box warnings on hazardous
consumer products: “Amazon by default stores your name, address and
purchase history and shares the information with Acxiom.”  Fine.
Then I should have the option not only of not sharing the
information with Acxiom, but not even with Amazon if I so choose. 
The option of complete erasure is necessary to a system of absolute
privacy.

In sum, the scales should be tipped back in favor of privacy, and
the courts seem incompetent or unwilling to do so.  Industry is
certainly opposed to increased privacy rights as it will cripple
their demographics research and hence their marketing
effectiveness.  But a society that values liberty as much as ours
does ought to empower individuals, so it falls to the democratic
process.  Though mobilizing the masses is the critical barrier to
successfully creating a new privacy regime, perhaps rephrasing the
issue as one of property rights and autonomy will create the creed
that resonates with the general public.

[1] Solove, Daniel J., and Hoofnagle, Chris Jay; A Model Regime of
Privacy Protection, University of Illinois Law Review, Vol. 2006,
page 357.

-----------------------------------------------------------------
Computers, Privacy, and the Constitution mailing list


