Most people seem to agree that individuals have too little privacy, and most proposals to address that problem focus on ways to give those users more information about, and more control over, how information about them is used. Yet in nearly all cases, information subjects are not the parties who make decisions about how information is collected, used, and disseminated; instead, outsiders make unilateral decisions to collect, use, and disseminate information about others. These potential privacy invaders, acting without input from information subjects, are the parties to whom proposals to protect privacy must be directed.
This Article develops a theory of unilateral invasions of privacy rooted in the incentives of potential outside invaders. It first briefly describes the different kinds of information flows that can result in losses of privacy and the private costs and benefits to the participants in these information flows. It argues that in many cases the relevant costs and benefits are those of an outsider deciding whether certain information flows occur. These outside invaders are more likely to act when their own private costs and benefits make particular information flows worthwhile, regardless of the effects on information subjects or on social welfare. And potential privacy invaders are quite sensitive to changes in these costs and benefits, unlike information subjects, for whom transaction costs can overwhelm incentives to make information more or less private.
The Article then turns to privacy regulation, arguing that this unilateral-invasion theory sheds light on how effective privacy regulations should be designed. Effective regulations are those that help match the costs and benefits faced by a potential privacy invader with the costs and benefits to society of a given information flow. Law can help do so by raising or lowering the costs or benefits of a privacy invasion, but only after taking account of other costs and benefits faced by the potential privacy invader.
Shortly before Thanksgiving in 2011, shopping mall operator Forest City Commercial Management announced that it would begin tracking shoppers' movements in two of their malls, using the signals from cell phones to trace individual paths from store to store. (1) The malls would use a technology called FootPath that, as its maker, Path Intelligence, explained, could help an operator understand shoppers' behavior and use this information to make "[d]ecisions that optimize tenant performance, protect and drive lease values, maximize operating income, and ultimately, drive asset value." (2)
Tracking shoppers' movements was not a new phenomenon; malls and other retailers have long looked to see where customers linger, what areas they avoid, and what stores attract like-minded shoppers. (3) Nor was the FootPath system itself new; even before the Thanksgiving announcement, the Path Intelligence technology was used by malls in Australia and the United Kingdom. (4) Yet Forest City's tracking lasted just one day before the backlash from regulators and others raising privacy concerns. (5) In letters to Path Intelligence and to the Federal Trade Commission, Senator Charles Schumer objected that shoppers would be tracked without their consent and could only opt out by turning off their cell phones or avoiding shopping malls, burdens he argued were unreasonable. (6) Faced with this scrutiny, Forest City pulled the plug on the automated tracking. (7) So rather than tracking shoppers via cell phone, the Forest City malls will have to adopt more costly means of tracking shoppers or forswear the benefits that FootPath promised. (8)
The FootPath story is typical of a recurring scenario in information-privacy law: a new practice that seems creepy and invasive, even though it results in many of the same information flows that existed before the practice. Privacy law has struggled with such developments. Under the dominant legal view, there is no privacy problem with what Forest City aimed to do. The system collected information about shoppers' visible movements in a public place--information that seems public, in some sense, and can freely be collected by any number of observers. The information did not concern shoppers' sensitive, personal, or intimate lives; none of it was inherently "private," in that sense. Yet shoppers, and Senator Schumer, had an immediate and visceral reaction that the system would compromise their privacy. It mattered to them that information about more shoppers would be collected and used, even if there was nothing especially sensitive about the specific information collected.
This scenario also occurs in Fourth Amendment law. For decades, it was axiomatic that a criminal defendant cannot expect privacy in his or her activities in public. (9) As the Court explained in United States v. Knotts, such activities are inherently and inevitably revealed to the world:
A person traveling in an automobile on public thoroughfares has no reasonable expectation of privacy in his movements from one place to another. When [the defendant] traveled over the public streets he voluntarily conveyed to anyone who wanted to look the fact that he was traveling over particular roads in a particular direction, the fact of whatever stops he made, and the fact of his final destination when he exited from public roads onto private property. (10) Since a defendant voluntarily revealed his movements to the world simply by moving around in public, an officer gathering that public information did not conduct a "search" for purposes of the Fourth Amendment.
Yet in 2012, the Court unanimously reversed course, concluding in United States v. Jones that using a GPS device to monitor a defendant's movements in public is a search for which a police officer might have to obtain a warrant. (11) The Court divided on its reasoning, but five Justices recognized that GPS monitoring presented new and unique privacy concerns even if the devices only collected information that could otherwise be obtained by conventional police techniques. By removing obstacles to such full-time surveillance, the Justices reasoned, GPS technologies made it likely that many more defendants would be tracked, a distinction that mattered for privacy. (12)
Criminal defendants are hardly alone: more information is being collected, used, and disseminated today than at any point in history, a trend that shows no signs of slowing. Several factors have contributed to this trend, including changes in laws, social norms, and incentives. The main driver, however, is evolving technology, which has made it easier and cheaper for people to collect, use, and disseminate information about others. It's not inevitable that technology would have this effect; individual technology changes can make information flows more or less common. Yet the net effect has been a striking increase in the amount of information collected, used, and disseminated to others.
The dominant response to this increase in information flows has differed between the private and public sectors. In the public sector, courts and legislatures have used the Fourth Amendment and new statutes to limit the ability of law-enforcement agencies to collect and use information. (13) These laws have generally worked by regulating the outsider--the entity collecting, using, or disseminating information about someone else--rather than the information subject. In the private sector, however, the focus has been different. Most responses to privacy concerns in the private sector have aimed to inform information subjects about how personal information is used and control over that use. Thus, Senator Schumer urged Path Intelligence "to obtain the explicit consent of shoppers' [sic] through an opt-in policy in order to protect their privacy" before deploying the Footpath system. (14) And in numerous enforcement actions against private companies that failed to protect consumers' privacy, government agencies have focused on failures of transparency and control, rather than targeting the underlying behavior. The dominant response, then, has been to focus on the information subject as the relevant decisionmaker, rather than on the outsider collecting, using, or disseminating information. (15)
This focus on information subjects is puzzling because in many cases, information flows happen without the consent, or even the knowledge, of information subjects. Instead, often an outsider like Path Intelligence is the sole decisionmaker determining whether the information flow happens in the first instance. Although these regulatory responses can be thought of as efforts to ensure information subjects also participate in the decision that an information flow goes forward, they usually do so indirectly at best, and they have had little effect in preventing unwanted information flows.
This Article examines the dynamic seen in the FootPath and Jones cases, and in countless other contexts, seeking to understand why more and more information is being collected, used, and disseminated, even as shoppers, Supreme Court Justices, and others find this trend so troublesome. The core contention is that there is a category of information flows for which the party that determines whether the information flow occurs--the decisionmaker--is someone other than the information subject. Such information flows, which I call unilateral invasions, occur when the interests of the potential invader dictate, rather than when the interests of society or the information subject would dictate. (16) This creates a basic asymmetry between the factors that influence how much privacy any given individual has and the benefits of that level of privacy: although privacy offers benefits both to information subjects and to society as a whole, it is often individuals other than the information subjects who determine the amount of privacy that exists. Since these outsiders act...