United States: Privacy – The Flavor Of The Week

People obsess about privacy. Fed up with seemingly endless bogus solicitations, telephonic dinner interruptions and that creepy sensation of being watched, Americans had had enough. What began with the concept that there is a Constitutional "right to be left alone," (L. Brandeis, S. Warren, "The Right to Privacy," 4 Harv.L.Rev. 193, 1890) became a crusade to protect individuals from those who seek to learn anything about them. As a consequence, politicians legislated a virtual spiderweb of rules that sound fine in theory, but in practice present substantial and sometimes Constitutional problems. Consider that this is a partial list of the Federal laws that are supposed to protect individual privacy:

• Fair Credit Reporting Act
• Privacy Act
• Family Educational Rights and Privacy Act
• Right to Financial Privacy Act
• Privacy Protection Act
• Electronic Communications Privacy Act
• Video Privacy Protection Act
• Employee Polygraph Protection Act
• Telephone Consumer Protection Act
• Health Insurance Portability and Accountability Act
• Driver’s Privacy Protection Act
• Identity Theft and Assumption Deterrence Act
• Gramm-Leach-Bliley Act (Title V)
• Children’s Online Privacy Protection Act

But has government intervention saved the day? Hardly. In a highly ironic turn of events, the most significant result of this onslaught of new legislation has been the biggest deluge of junk to hit the U.S. Mail since Publisher’s Clearinghouse. Thanks to Gramm-Leach-Bliley, ("GLB"), 15 U.S.C. §6801, et seq., not a day goes by but that Americans’ mailboxes are filled with third-class delivery of documents usually titled "An Important Notice Concerning Our Privacy Policy." Such documents are usually presented in the same attractive style, and written with the same clarity, as the Truth In Lending Act disclosures that accompany credit card bills. No doubt they are thrown away just as quickly without having been read. GLB has imposed substantial costs on financial institutions, created an avalanche of useless paperwork and accomplished exactly nothing in terms of protecting the privacy of ordinary citizens.

Now, with this less-than-sterling record of accomplishments, Congress is turning its attention to privacy in cyberspace.

Cyberspace, the final frontier, has been the focus of great anxiety among privacy-philes. Increasing instances of identity theft by online criminals as well as actual and threatened disclosures of personal and financial information have combined to heighten the tension between the easy availability of information online and the desire to be free from prying eyes. There has been a predictable call for Government to "do something" about such invasions and a very impressive study was performed by a prestigious think tank that did extensive surveying to come to the conclusion that Americans are worried about their privacy on the Internet. Pew; Harris Equifax, http://www.epic.org/privacy/medical/polls.html; January 2000 Ethics Survey. This is hardly surprising: asking Americans if they want more privacy is a little like asking if they want fries with their burger.

Recent developments in the law of online privacy center around how web pages handle information about those who visit them. To understand how these disputes arise, it is important to understand that a web page can, in fact, learn quite a lot about those who click to them, browse through them and interact with them. This can occur even without the knowledge or consent of the visitor to the page. For an explanation of how this happens, and the technology behind it, visit the Consumer Project on Technology’s privacy library online: http://www.cptech.org/privacy. There is also an informative collection of links and resources on this subject at the Electronic Privacy Information Center’s site: http://www.epic.org/.

In response to users’ distaste for such surreptitious intelligence-gathering, web sites began to post "Privacy Policies" that specified what information they gathered and how they handled it. Usually, the policy is accessible on the front page of the site. Creating a Privacy Policy is easy, and there are web resources to help: http://cs3hq.oecd.org/scripts/pwv3/pwhome.htm takes you to the Organization for Economic Cooperation and Development’s Privacy Policy Generator, and http://www.siia.net.govt/toolkit.asp has the Software & Information Industry Association’s Privacy Toolkit.

Using Privacy Policy statements, honorable web pages disclosed to their visitors when and how they collected private information, as well as what was done with the information thereafter. Most commonly, a web page asked for a user’s name, address and e-mail information in exchange for providing something to the user. More than one naïve user has signed up for a "free" goodie by providing his e-mail address to a web page, shortly to find his e-mailbox flooded with unsolicited offers, come-ons and outright cons commonly known as "spam." How does this happen? The web page has sold his e-mail address to a direct-email marketer. As a way of regaining users’ trust, a number of pages went out of their way to promise their visitors that private information would never, ever be disclosed to anyone under any circumstances. Presumably, those web pages thought that they would be able to secure more information from a user who thought that it would go no farther, and was willing to trust the page’s sponsor.

Presumably, the sponsor believed that it could get better information from visitors by making such a promise, and that the rewards to be gained outweighed the value in selling e-mail addresses and other private information.

Not all web pages proved worthy of such trust. Still others faced unanticipated difficulty in keeping the confidentiality promise. Today’s debate about online privacy is framed by some of the most well-known betrayals.

One of the earliest such incidents involved GeoCities, a web site devoted to creating online "communities." In signing up for the privilege of participating, a user was asked for a great deal of information about themselves with the express assurance that they would not be used beyond the GeoCities space. Sadly, it turned out that GeoCities actually did use the information, but in a well-publicized Consent Decree with the Federal Trade Commission they promised they would not do it again. In the Matter of GeoCities, Docket No. C-3849 (Feb. 12, 1999).

Others misbehaved as well. Liberty Financial operated the Young Investors web site, devoted to adolescents and teens. The site included a survey that gathered private information (social security numbers and telephone numbers, for instance), promised prizes for completing it and assured users that "all of your answers will be totally anonymous." In fact, the FTC found that Liberty did not keep the information anonymously and did not even award the prizes it had promised. Liberty entered into a Consent Decree in 1999, promising to (a) stop making false claims about anonymity; (b) post a Privacy Policy; and (c) obtain "verifiable parental consent" before gathering private information from children under 13 years old. In the Matter of Liberty Financial, Docket No. 01-cv-939 (1999).

In the Liberty action, the FTC was foreshadowing the requirements of a law that went into effect the following year – the Children’s Online Privacy Protection Act ("COPPA"), 15 U.S.C. §6501 et seq. Under COPPA, a web site that is principally directed towards children under 13 years old must abide by some very strict rules before gathering personal information from users. COPPA requires a much more detailed Privacy Policy and goes further to require a direct notice to the parents, and that the web site operator has "verifiable parental consent" as was done in the Consent Decree with Liberty Mutual. According to the FTC, to be "verifiable" the site must get the parent to send a signed form by mail or fax, a valid credit card, a phone call to "a toll-free telephone number staffed by trained personnel" or an e-mail that contains a digital signature.

In an effort to assist web site operators trying to comply with these rules, the Act helpfully established a "safe harbor" provision. If a web site follows a self-regulation program, approved in advance by the FTC, the web site operator is protected in any FTC enforcement proceeding. The Children's Advertising Review Unit of the Council of Better Business Bureaus (CARU), the Entertainment Software Rating Board and TRUSTe have all had programs approved for such a safe harbor status.

A very different kind of dilemma faced Toysmart.com, a web-only toy retailer that had attracted many customers and collected personal information and created an extensive customer list under an iron-clad privacy policy that promised not to share that information with anyone, ever. As with many dot-com businesses, Toysmart encountered financial difficulties and sought to raise cash from the company’s assets. One of those assets was the customer list, which could be very valuable to a marketer seeking direct access to toy-buyers. The FTC stepped in to protect the customers who were about to be the victims of a broken privacy promise, filed a lawsuit and quickly negotiated a settlement agreement. Under the terms of the settlement, the bankrupt entity could only sell the list along with the remainder of the business, and only to a "Qualified Buyer"-- an entity that was in a related market and that expressly agreed to be Toysmart's successor-in-interest as to the customer information. Moreover, the Qualified Buyer had to agree to abide by the terms of the Toysmart privacy statement. FTC v. Toysmart.com, Civil Action No. 00-11341-RGS, (D. Mass. 2000) and In Re Toysmart.com, Debtor, Case No. 00-13995-CJK (D. Mass. Bkcy. 2000).

The Qualified Buyer turned out to be the Disney company, which proceeded to acquire the customer lists and immediately destroy them in an action that could be described as "Disney ex machina."

One of the few civil privacy actions to be litigated concerns how banner ads get onto web pages. One of the leading web advertising companies, Doubleclick, places banner ads onto a user’s screen when the user browses a particular web site that has sold advertising space. While the user sees what appears to be a single screen, in reality that screen is composed of elements that come from a variety of origins. Doubleclick’s service is to place the right ad at the right spot, but it does more than that – it keeps track of what ads a user has already been presented with and the user’s responses to those ads by placing a software "cookie" on the user’s computer. It therefore builds a database of user profiles and uses them to sell targeted ads. Doubleclick was sued by a purported class of individuals who claimed that Doubleclick invaded their privacy, violated the Electronic Communications Privacy Act ("ECPA"), 18 U.S.C. § 2701 et seq., and the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030, et seq., as well.

In a very thorough analysis, Judge Naomi Reice Buchwald granted Doubleclick’s Rule 12(b)(6) Motion to Dismiss. In Re Doubleclick Inc. Privacy Litigation, 2001 U.S.Dist. LEXIS 3498 (S.D.N.Y. 2001). The ECPA claims were dismissed because, the court found, it only protects "users," a word which the statute defines as "any person or entity who (A) uses an electronic communication service and (B) is duly authorized by the provider of such service to engage in such use." (p. 30, citing 18 U.S.C. § 2510 (13)). Under these facts, the plaintiffs were not the "users" of internet access – the web sites that hired Doubleclick were, and they of course consented. The court noted that "in every practical sense, the cookies identification numbers are internal Doubleclick communications – both "of" and "intended for" Doubleclick….In this sense, cookie identification numbers are much akin to computer bar-codes or identification numbers placed on "business reply cards" found in magazines. These bar-codes and identification numbers are meaningless to consumers, but are valuable to companies in compiling data on consumer responses (e.g. from which magazine did the customer get the card?)." (pp. 44-45) The court therefore found that Doubleclick did not violate the ECPA. In a memorable critique of this reasoning, Professor Paul Schwartz asked "so what are the individual consumers, chopped liver?" (http://www.nytimes.com/2001/04/06/technology/06CYBERLAW.html.)

Plaintiffs fared no better with their claims under the Computer Fraud and Abuse Act. As the court correctly observed, one of the essential elements for civil recovery under the CFAA is that plaintiffs suffer "damage or loss" in excess of $5,000. (18 U.S.C. § 1030(g) and (e)(8)), consistent with congressional intent to "limit the CFAA to major crimes." (p. 75). Plaintiffs’ alleged "damage or loss" included "(1) their cost in remedying their computers after Doubleclick’s access and (2) the economic value of their attention (to Doubleclick’s advertisements) and demographic information." (p. 78) Neither, in the court’s view, was sufficient to meet the statutory threshold. For a different approach to what constitutes "damage or loss" under the CFAA, see Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F.Supp.2d 1121 (W.D. Wash. 2000) (unauthorized access to private information constitutes "loss" because integrity of data is diminished).

It is clear that the Court’s analysis was influenced by the view that users could easily and completely protect themselves from the cookie monster (by changing the settings on the browser or e-mailing an opt-out request to Doubleclick). Moreover, the cookies only tracked the user’s interaction with other Doubleclick content. The court found that there was no suggestion that Doubleclick had accessed any "files, programs or other information on users’ hard drives." Common law privacy claims were therefore dismissed as well.

Paradoxically, privacy may become one of the most clear and present dangers to the First Amendment since the Nixon administration. What may be an asserted privacy right to one person could, simultaneously, be a new legal weapon to restrict the free-flow of ideas and comment. This tension was explored in detail in a recent law review article entitled Freedom of Speech and Information Privacy: The Troubling Implications of a Right to Stop People From Speaking About You, Eugene Volokh, 52 Stanford L. Rev. 1049 (2000):

Similarly, scholars are now exploring the societal costs imposed in the name of "privacy." In their article Putting People First: Consumer Benefits of Information-Sharing, Professors Fred H. Cate and Michael E. Staten (published by the National Retail Federation as part of its Protecting Privacy in the New Millennium series, available online at http://www.privacyalliance.org/resources/consumerbenies.pdf) posit that a reasonable balance between privacy interests and individual preferences is the best approach. "Information-sharing plays a significant role in reducing the prices that consumers pay for goods and services and in expanding the range and affordability of methods of paying for them…. Widespread information-sharing provides consumers with unprecedented convenience, and greatly enhances the speed with which decisions can be made and services provided….we tend to take the information infrastructure for granted, until we are faced with the daunting prospect of learning to live without the many benefits that flow from it."

And history teaches that the cause of privacy can quickly be redirected into repression. Ominously, that lesson is being learned again under the banner of the European Union’s 1995 Data Protection Directive, which declared privacy to be "a fundamental human right." As reported in by Bruce Johnson in The Battle over Internet Privacy and the First Amendment, The Computer & Internet Lawyer, Volume 18, No. 4 (April 2001), the Spanish Ministry of Justice shut down the web site of the Association Against Torture in March, 2000, on the grounds that it named the government agents who had been accused of torture or brutality. Spain had passed a broad privacy law, making it a crime to disclose information about someone without their consent. It does not require much imagination to realize how public figures would make use of such "protection" in the absence of the First Amendment.

Privacy is a mercurial issue, and it is too simplistic to expect that legislation will adequately address the many interests involved. Instead, it seems that the best approach would be to put the right technology tools into the hands of individual internet users. This would allow each user to make his or her own judgment about what to keep private, and what to stop worrying about. Fortunately, such tools are increasingly available and effective. With the forthcoming version of Microsoft Windows XP, for instance, users will have greater control than ever over how much of their personal information to share, and under what circumstances. The web site http://www.microsoft.com/net/hailstorm.asp has more details. In the end, the one-size-fits-all method of governmental privacy "protections" create more problems than they solve, and they are never be nimble enough to keep pace with developing technology. Individuals should be free to choose how much to reveal about themselves – just as they are in real life.