The death of privacy?

Author: Froomkin, A. Michael

INTRODUCTION

Information, as we all know, is power. Both collecting and collating personal information are means of acquiring power, usually at the expense of the data subject. Whether this is desirable depends upon who the viewer and subject are and who is weighing the balance. It has long been believed, for example, that the citizen's ability to monitor the state tends to promote honest government, that "[s]unlight is ... the best of disinfectants."(2) One need look no further than the First Amendment of the United States Constitution to be reminded that protecting the acquisition and dissemination of information is an essential means of empowering citizens in a democracy. Conversely, at least since George Orwell's 1984, if not Bentham's Panopticon, the image of the all-seeing eye, the Argus state, has been synonymous with the power to exercise repression. Today, the all-seeing eye need not necessarily belong to the government, as many in the private sector find it valuable to conduct various forms of surveillance or to "mine" data collected by others. For example, employers continually seek new ways to monitor employees for efficiency and honesty; firms trawl databases for preference information in the search for new customers. Even an infrequently exercised capability to collect information confers power on the potential observer at the expense of the visible: Knowing you may be watched affects behavior. Modern social science confirms our intuition that people act differently when they know they are on Candid Camera--or Big Brother Cam.(3)

In this article, I will use "informational privacy" as shorthand for the ability to control the acquisition or release of information about oneself.(4) I will argue that both the state and the private sector now enjoy unprecedented abilities to collect personal data, and that technological developments suggest that costs of data collection and surveillance will decrease, while the quantity and quality of data will increase. I will also argue that, when possible, the law should facilitate informational privacy because the most effective way of controlling information about oneself is not to share it in the first place.

Most of this article focuses on issues relating to data collection and not data collation. Much of the best work on privacy, and the most comprehensive legislation,(5) while not ignoring issues of data collection nonetheless focuses on issues relating to the storage and reuse of data. Privacy-enhancing legal and policy analysis often proceeds on the reasonable theory that because the most serious privacy-related consequences of data acquisition happen after the fact, and require a database, the use and abuse of databases is the appropriate focus for regulation. This article concentrates on the logically prior issue of data collection. Issues of data use and re-use cannot be avoided, however, because one of the ways to reduce data collection is to impose limits on the use of improperly collected data. Conversely, if limits on initial data collection are constitutional, then it is more likely that efforts to prohibit the retransmission or republishing of illicitly collected data would be held to be constitutional as well.

A data subject has significantly less control over personal data once information is in a database. The easiest way to control databases, therefore, is to keep information to oneself: If information never gets collected in the first place, database issues need never arise. It may be that "[t]hree can keep a secret--if two of them are dead,"(6) but in the world of the living we must find kinder, gentler solutions. Although privacy-enhancing technologies such as encryption provide a limited ability to protect some data and communications from prying eyes and ears, it seems obvious that total secrecy of this sort is rarely a practical possibility today unless one lives alone in a cabin in the woods. One must be photographed and fill out a questionnaire to get a driver's license, show ID to get a job.(7) Our homes are permeable to sense-enhanced snooping; our medical and financial data is strewn around the datasphere; our communications are easily monitored; our lives are an open book to a mildly determined detective. Personal lives are becoming increasingly transparent to governments, interested corporations, and even to one another--as demonstrated by notorious incidents of phone eavesdropping or taping involving diverse individuals such as Britain's Prince Charles, House Speaker Newt Gingrich, and White House Intern Monica Lewinsky.(8) This general trend is driven by technological innovation and by economic and social forces creating a demand for privacy-destroying technologies. When solitude is not an option, personal data will be disclosed 'voluntarily' for transactions or emitted by means beyond our control. What remains to be determined is which legal rules should govern the collection as well as the use of this information.

In light of the rapid growth of privacy-destroying technologies, it is increasingly unclear whether informational privacy can be protected at a bearable cost, or whether we are approaching an era of zero informational privacy, a world of what Roger Clarke calls "dataveillance."(9) Part I of this article describes a number of illustrative technological developments that facilitate the collection of personal data. Collectively these and other developments provide the means for the most overwhelming assault on informational privacy in the recorded history of humankind. That surveillance technologies threaten privacy may not be breaking news, but the extent to which these technologies will soon allow watchers to permeate modern life still has the power to shock. Nor is it news that the potential effect of citizen profiling is vastly increased by the power of information processing and the linking of distributed databases. We are still in the early days of data mining, consumer profiling, and DNA databasing, to name only a few. The cumulative and accelerating effect of these developments, however, has the potential to transform modern life in all industrialized countries. Unless something happens to counter these developments, it seems likely that soon all but the most radical privacy freaks may live in the informational equivalent of a goldfish bowl.(10)

If the pace at which privacy-destroying technologies are being devised and deployed is accelerating, the basic phenomenon is nevertheless old enough already to have spawned a number of laws and proposed legal or social solutions designed to protect or enhance privacy in various ways. Part II of this article examines several of these proposed privacy enhancing policies in light of the technologies discussed in Part I. It suggests that some will be ineffective, that others will have undesirable or unconstitutional effects, and that even the best will protect only a narrow range of privacy on their own.

The relative weakness of current privacy-enhancing strategies sets the stage for the conclusion of the article, which challenges the latest entry to the privacy debate--the counsel of despair epitomized by Scott McNealy's suggestion that the battle for privacy was lost almost before it was waged. Although there is a disturbingly strong case supporting this view, a case made trenchantly by David Brin's The Transparent Society,(11) I conclude by suggesting that all is not yet lost. While there may be no single tactic that suffices to preserve the status quo, much less regain lost privacy, a smorgasbord of creative technical and legal approaches could make a meaningful stand against what otherwise seems inevitable.

A focus on informational privacy may seem somewhat crabbed and limited. Privacy, after all, encompasses much more than just control over a data trail, or even a set of data. It encompasses ideas of bodily and social autonomy, of self-determination, and of the ability to create zones of intimacy and inclusion that define and shape our relationships with each other. Control over personal information is a key aspect of some of these ideas of privacy, and is alien to none of them. On the other hand, given that we live in an age of ubiquitous social security numbers,(12) not to mention televised public talk-show confessionals and other forms of media-sanctioned exhibitionism and voyeurism,(13) it may seem reactionary to worry about informational privacy. It also may be that mass privacy is a recent invention, rarely experienced before the nineteenth century save in the hermitage or on the frontier.(14) Perhaps privacy is a luxury good by world standards, and right-thinking people should concentrate their energies on more pressing matters, such as war, famine, or pestilence. And perhaps it really is better to be watched, and the benefits of mass surveillance and profiling outweigh the costs. Nevertheless, in this article I will assume that informational privacy is a good in itself,(15) and a value worth protecting,(16) although not at all costs.(17)

1. PRIVACY-DESTROYING TECHNOLOGIES

Privacy-destroying technologies can be divided into two categories: those that facilitate the acquisition of raw data and those that allow one to process and collate that data in interesting ways. Although both real and useful, the distinction can be overstated because improvements in information processing also make new forms of data collection possible. Cheap computation makes it easy to collect and process data on the keystrokes per minute of clerks, secretaries, and even executives. It also makes it possible to monitor their web browsing habits.(18) Cheap data storage and computation also makes it possible to mine the flood of new data, creating new information by the clever organization of existing data.

Another useful taxonomy would organize privacy-destroying technologies by their social context. One could focus on the characteristics of individuals about whom data is...
