5
The Politics of Privacy Policy in the United States

Privacy policies are formulated in response to problems in the management of access to information about persons or their effects, or to images or impressions of people as may be derived from the analysis of data. But many factors affect the formulation of policy.

5.1
THE FORMULATION OF PUBLIC POLICY

Protection of privacy has been an objective of public policy for at least a century, especially for the legislative branch. When New York state’s highest court declined, in 1902, to create a cause of action for invasions of privacy, the legislature promptly intervened. The result of that intervention was, at that time, the most rigorous and far-reaching of state privacy statutes, and remains among the strongest even to this day. New York has hardly been alone in responding to concerns about the status of personal privacy, and nearly all states provide such protection today, either by statute or by court decision. By the 1920s, protecting privacy had become a matter of federal policy as Congress focused first on making wiretapping unlawful.1

Although legislators have addressed privacy to a considerable extent, it is less clear that the legal safeguards for privacy that they have enacted

1

It is unclear today whether the legislation of the time reflected more a concern about the integrity of the burgeoning telecommunications system rather than a fear that wiretapping would imperil the privacy of individual conversations.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 155
Engaging Privacy and Information Technology in a Digital Age 5 The Politics of Privacy Policy in the United States Privacy policies are formulated in response to problems in the management of access to information about persons or their effects, or to images or impressions of people as may be derived from the analysis of data. But many factors affect the formulation of policy. 5.1 THE FORMULATION OF PUBLIC POLICY Protection of privacy has been an objective of public policy for at least a century, especially for the legislative branch. When New York state’s highest court declined, in 1902, to create a cause of action for invasions of privacy, the legislature promptly intervened. The result of that intervention was, at that time, the most rigorous and far-reaching of state privacy statutes, and remains among the strongest even to this day. New York has hardly been alone in responding to concerns about the status of personal privacy, and nearly all states provide such protection today, either by statute or by court decision. By the 1920s, protecting privacy had become a matter of federal policy as Congress focused first on making wiretapping unlawful.1 Although legislators have addressed privacy to a considerable extent, it is less clear that the legal safeguards for privacy that they have enacted 1 It is unclear today whether the legislation of the time reflected more a concern about the integrity of the burgeoning telecommunications system rather than a fear that wiretapping would imperil the privacy of individual conversations.

OCR for page 155
Engaging Privacy and Information Technology in a Digital Age reflect political pressure from a public distressed in general about unwelcome exposure of their private lives. Public concerns about privacy, and pressures for its protection, seem closely related to episodic “horror stories” about violations of privacy (at least violations perceived to be egregious). On an ongoing basis, scholars of public policy often view the development of policy as a struggle between interests, and the history of policy regarding privacy illustrates this point clearly. Privacy is not pursued or defended by public policy makers in the United States as a fundamental right to be protected. Instead it is framed as one of a number of interests that have to be weighed on the scales of social worth. As a result, the scope of privacy concerns has been narrowed to a limited array of individual and personal interests. For example, Priscilla Regan notes that public policy regulation can serve the interests of the nation or the society for the collective good. She underscores the distinction between privacy policy as a struggle over ideas and privacy policy as a struggle between interests.2 Because the idea of privacy is so broad and complex as to defy specification, privacy policy has rarely been pursued on the basis of privacy as a fundamental value. Unlike the values of “competition” and “efficiency” that have emerged as compelling rationales for the pursuit of a broad range of policy outcomes, privacy policies have been far more narrowly drawn. Some of those opposed to the extension or reinforcement of privacy rights have tended to argue that privacy was the enemy of efficiency; respecting privacy imposed costs on actors and agents in ways that could not be justified in economic terms. This was nearly always the case when opponents of privacy restraint sought to justify the use of some new technology of surveillance that was supposed to enhance security and reduce fraud, waste, and abuse in the delivery of goods and services.3 From the perspective of business, opposition to measures to enhance individual privacy was often cast in terms of unnecessarily increasing the regulatory burden of compliance. Because the value of economic efficiency had emerged as the dominant rationale for policy choice in the decade between 1974 and 1984,4 much of the legislation that was presented as preserving privacy interests actually helped to normalize a set of routine institutional practices that narrowed the scope of privacy’s reach.5 One way of framing the interests at stake is according to the distribu- 2 Priscilla M. Regan, Legislating Privacy: Technology, Social Values, and Public Policy, University of North Carolina Press, 1995. 3 David Lyon, Surveillance Society: Monitoring Everyday Life, Open University Press, 2001. 4 Regan identified seven bills passed in this decade that explicitly traded privacy interests against expected gains in efficiency. See Regan, Legislating Privacy, 1995, p. 88. 5 See Oscar H. Gandy, Jr., The Panoptic Sort: A Political Economy of Personal Information, Westview Press, 1994, pp. 209-211, for a discussion of the Video Privacy Protection Act of 1998.

OCR for page 155
Engaging Privacy and Information Technology in a Digital Age tions of costs and benefits among the stakeholders involved in any policy issue. For example, James Q. Wilson distinguishes between “majoritarian,” “entrepreneurial,” “client,” and “interest group” politics in terms of whether the costs and benefits are broadly or narrowly distributed.6 In this framework, majoritarian politics describes outcomes in which both the costs and the benefits are widely distributed. Entrepreneurial politics describes outcomes in which the costs are concentrated, while the benefits are widely distributed. In the case of client politics, the benefits are concentrated while the costs are widely distributed. Finally, in the case of interest group politics, both the costs and the benefits are narrowly concentrated.7 Expectations regarding the distribution of costs and benefits help to determine the level of interest and involvement of stakeholders in the policy process. The mass media play a critical role in shaping the expectations of the general public about the ways in which the policies will affect their well-being. It is only in the case of interest group politics, where the benefits and the costs are narrowly distributed, that public concerns about a particular policy outcome are dormant. Theorists of policy change such as Baumgartner and Jones associate changes in U.S. political agendas within shifts in the legislative venues and evaluative orientations of policy entrepreneurs concerned about emergent and maturing technologies.8 Understanding cyclical and even irregular patterns of change in public policy requires considerable attention to the role of organized interests that are able to focus their resources on committees and in other venues where their chance of success is higher. Organized interests, especially those with a long-standing institutional claim on resources derived from existing government practice, tend to prefer to keep the discussion private, or limited to a manageable group of insiders. Multiple jurisdictions also provide many venues for different stakeholders to pursue their interests. Government policies affecting privacy are established at the administrative, legislative, and judicial levels in states, nations, and economic regions like the European Union, as well as at the international level.9 The fact that these policies can vary quite substantially from jurisdiction to jurisdiction means that information-inten- 6 James Q. Wilson, “The Politics of Regulation,” pp. 357-94 in James Q. Wilson, ed., The Politics of Regulation, Basic Books, New York, 1980. 7 Elizabeth E. Bailey, “The Evolving Politics of Telecommunications Regulation,” pp. 379-399 in Roger Noll and Monroe Price, eds., A Communications Cornucopia, Brookings Institution Press, Washington, D.C., 1998. 8 Frank Baumgartner and Bryan Jones, Agendas and Instability in American Politics, University of Chicago Press, 1993. 9 Colin J. Bennett and Charles D. Raab, The Governance of Privacy: Policy Instruments in Global Perspective, Ashgate Publishing, 2003.

OCR for page 155
Engaging Privacy and Information Technology in a Digital Age sive businesses and their trade associations have to invest considerable time, effort, and economic resources to ensure that their standards and practices conform to local regulations. They are also likely to be involved in coordinated attempts at modifying those policies, or negotiating special exceptions.10 The large number of stakeholders leads to a proliferation of voices speaking on privacy issues in national and state councils. Lawmakers not only hear from both sides of almost any privacy proposal but also receive potentially conflicting counsel from organizations with nearly indistinguishable titles. While such a cacophony complicates the lawmaking process in almost any contentious area of public policy, the range of the dissonance in the privacy area adds a new dimension to the process. Consistent with the view of privacy policy as a struggle between competing interests, efforts to protect privacy have not had much resonance with lawmakers seeking to broaden their electoral appeal. As recently as 1995, Priscilla Regan, drawing on her Capitol Hill experience as well as her extensive scholarship, concluded that “privacy issues do not provoke great electoral support” and so members of Congress are “unlikely to champion or adopt these issues because they believe there will be an electoral payoff.”11 Indeed, noting that “privacy has not been an issue in the electoral arena at either the national or the state level,” Regan finds no obvious “explanation for why a member of Congress chooses to champion privacy issues.” Politicians, especially members of the House of Representatives, who are almost continually in search of support for re-election, are careful to select issues that can attract press coverage. As an issue, privacy does not usually generate support and opposition along party lines, but instead finds bipartisan agreement through compromise and negotiation after extended periods of debate.12 Indeed, in her review of the legislative history of major privacy bills passed before 1992, Regan suggests that these issues were “on the congressional agenda for years, if not decades, before Congress passed legislation.”13 Indeed, the candidate who runs on a privacy protection platform is a rarity, and the evidence is scarce at best that voters care enough to make elections turn on which candidate offers the boldest privacy-protective platform. 10 Priscilla M. Regan, “American Business and the European Data Protection Directorate: Lobbying Strategies and Tactics,” pp. 217-228 in C.J. Bennett and R. Grant, eds., Visions of Privacy: Policy Choices for the Digital Age, University of Toronto Press, 1999. 11 Regan, Legislating Privacy, 1995. 12 Bipartisanship, of course, does not mean that support is unanimous throughout the membership of each party. Rather, it means that any given measure can appeal to a substantial number of members from both sides of the aisle. 13 Regan, Legislating Privacy, 1995.

OCR for page 155
Engaging Privacy and Information Technology in a Digital Age This is not to say that legislators have never taken the lead in fighting for privacy protection. For example, a number of such leaders can be identified, including former Senator Sam Ervin and former Representative Robert Kastenmeier. Senator Ervin was especially dogged in his pursuit of the kind of statutory restraints on government data gathering that eventually became the Privacy Act of 1974.14 Concerns about the excesses of the McCarthy era and the emergence of a “national security state” attracted the interest of Representative Kastenmeier to problems of surveillance.15 More recently, Representatives Ed Markey (D-Mass.) and Joe Barton (R-Tex.) cooperated in 2001 to provide privacy protections in the Gramm-Leach-Bliley Act, discussed further in Chapter 6. The lack of abiding electoral concern about privacy can be explained in part by a deep-seated popular ambivalence about just how—and how far—privacy should be protected. David Brin aptly observes that “whenever a conflict arises between privacy and accountability, people demand the former for themselves and the latter for everybody else.”16 Such paradoxical views exist “in almost every realm of modern life, from special prosecutors investigating the finances of political figures to worried parents demanding that lists of sex offenders be made public.” The framing and passage of broadly acceptable privacy-enabling legislation have undoubtedly been impeded by the existence of such ambivalent views, and by the imposition of irreconcilable demands by constituents who are often unaware of the conflict they create by insisting that privacy be protected as far, but only as far, as necessary to serve subjective needs and interests. When privacy concerns do emerge on the public agenda, the development of privacy policy almost inevitably involves some conflict over the “balancing” of competing interests and values.17 While privacy is not weightless, considerations of efficiency, security, and global competitiveness hold considerable sway in the policy debate. Moreover, contemporaneously with the rise of the Internet as a pervasive technological substrate for much of society, policy makers have demonstrated in recent years an increasing tendency to think about pri- 14 David F. Linowes, Privacy in America: Is Your Private Life in the Public Eye?, University of Illinois Press, 1989, p. 2. Regan suggests that Ervin actually resisted labeling his concerns about government surveillance as “privacy” concerns, preferring instead to emphasize the value of “due process.” 15 Regan, Legislating Privacy, 1995, p. 202. 16 David Brin, The Transparent Society: Will Technology Force Us to Choose Between Privacy and Freedom?, Addison-Wesley, 1998. 17 Charles D. Raab, “From Balancing to Steering: New Directions for Data Protection,” pp. 68-93 in Colin Bennett and Rebecca Grant, eds., Visions of Privacy: Policy Choices in the Digital Age, University of Toronto Press, 1999.

OCR for page 155
Engaging Privacy and Information Technology in a Digital Age vacy in terms of technological systems, marketplace incentives, and even self-regulation rather than government regulation. Such perspectives are consistent with growing skepticism among many elected representatives about government as a meaningful and positive influence on the lives of citizens. Among the most common criticisms of U.S. privacy policy making is its eclectic and piecemeal quality. Instead of regulating from the top down after a comprehensive overview of privacy needs and concerns, as do most other Western nations, the United States tends to address particular problems as they arise, thus moving from the bottom up.18 The resulting patchwork reflects little broad policy making, and much intuitive response to momentary concerns. There is little correlation, in consequence, between the importance or value of protecting certain elements of privacy (as might be determined with the benefit of a comprehensive framework to prioritize different privacy concerns) and the degree to which U.S. laws do in fact protect those interests. A classic example of this patchwork is the Video Privacy Protection Act of 1998. During confirmation hearings over the eventually thwarted Supreme Court nomination of appeals court judge Robert H. Bork, a Washington, D.C., weekly (The City Paper) published a list of videotape titles the judge had recently borrowed from video rental stores. In the wave of popular indignation that followed the defeat of the nomination, Congress easily enacted the Video Privacy Protection Act (VPPA) of 1988, which bars retailers from selling or disclosing video rental records without a customer’s permission or a court order. As a result of this eclectic and selective response to a special perceived need, video borrower records have for nearly a decade been better protected than a wide range of arguably more sensitive and vital data, such as personal medical information. Much the same could be said of the so-called Buckley Amendment (more formally the Family Educational Rights and Privacy Act), adopted in the mid-1970s in response to similar pressure. In that case, a few lessthan-fully-satisfied recent university graduates found themselves in powerful staff positions on Capitol Hill and seized an opportunity to bar forever any dissemination of all but minimal information about college students to the news media, or for that matter to any but a tiny group of academic officials with an urgent need for access to such data. The result of legislative forays like those that produced the Buckley 18 Appendix B addresses the point from a comparative perspective. In addition, the National Research Council report Global Networks and Local Values (National Academy Press, Washington, D.C., 2001) elaborates on the difference between U.S. and German perspectives on privacy regulation.

OCR for page 155
Engaging Privacy and Information Technology in a Digital Age Amendment and VPPA is that certain types of information—specifically college student records and video rental profiles—enjoy a highly elevated, though not altogether logical, level of protection, whereas much highly sensitive information remains far more vulnerable. Regardless of the desirability or undesirability of these specific statutes, few features of the U.S. network of privacy protection could more fairly be faulted than its patchwork or piecemeal quality. As noted in the National Research Council report Global Networks and Local Values, “In practice, the U.S. norm [of privacy protection] is a patchwork of legislation and court decisions arising from episodic scandals and political pressures from both industry and privacy advocates.”19 As a result, the report continues, “highly specialized solutions have been crafted for different technologies (e.g., statutory regimes specific to the protection of postal mail, e-mail, and other Internet communications) and for different subject areas.” Although the United States might be credited with the development of privacy as an individual right,20 the legislative approach to the specification of this right, especially as it relates to the behavior of private firms, has been sectoral and piecemeal, rather than comprehensive.21 Critics suggest that as a result of this sectoral emphasis, the interests of data users will be more clearly understood and appreciated than the interests of individuals or groups of data subjects.22 The patchwork is further complicated by the fact that states are allowed to set higher standards for protecting privacy and may be more protective than national policy requires—at least as long as doing so does not abridge due process or equal protection or violate any other federal constitutional guarantee. To phrase the point quite simply, the U.S. constitution and federal laws generally set a floor but not a ceiling, so that state actions cannot fall below the floor but may surpass the ceiling. A recent and quite apt example of this dynamic comes from the regulation of the ways in which financial service providers secure the consent of their customers for the use and possible dissemination of certain personal information. Federal law, for the most part, adopts an “opt-out” approach, under which banks and other providers must inform their customers of potential data-sharing practices and can assume acquiescence from a customer’s silence—that is, from the customer’s refusal to 19 National Research Council, Global Networks and Local Values, National Academy Press, Washington, D.C., 2001, p. 141. 20 Irwin R. Kramer, “The Birth of Privacy Law: A Century Since Warren and Brandeis,” Catholic University Law Review 39:703-724, 1990. 21 David H. Flaherty, Protecting Privacy in Surveillance Societies, University of North Carolina Press, 1989. 22 Charles D. Raab and Colin J. Bennett, “The Distribution of Privacy Risks: Who Needs Protection?,” The Information Society 14:263-274, 1998.

OCR for page 155
Engaging Privacy and Information Technology in a Digital Age opt out by so informing the provider, as only 2 or 3 percent of customers have in fact done in response to such an invitation. If a single state wishes, however, to empower customers to a higher degree by requiring that they must affirmatively opt in before their consent to data sharing may be inferred, that is an option open to any state. To date, a number of states (Alaska, California, Vermont, Connecticut, Florida, Illinois, North Dakota) have required that banking and financial services customers be invited to opt in. But even if only one state takes such a position, it effectively requires financial service providers to treat their customers in that state very differently, and to make certain that they have evidence of opting in before any personal data are shared. Such state action may, of course, be challenged on grounds other than due process—for example, as a burden on interstate commerce or invasion of an area in which uniformity is essential even though Congress has not so mandated—but such challenges rarely succeed, since the federal courts often (or even mostly) defer to the judgment of state legislatures on the needs of their citizens. 5.2 PUBLIC OPINION AND THE ROLE OF PRIVACY ADVOCATES Public opinion is one obvious and important influence on the legislative formulation of many aspects of public policy, and privacy is no exception. A review of public opinion over the last decade performed for the committee suggests the following generalizations:23 The public expresses considerable concern over privacy; this concern appears to have increased over time. Moreover, much of the U.S. public appears to believe that privacy is a fundamental right that they ought to enjoy, and this belief seems to be independent of perceptions of threat. People are not concerned about privacy in general; they are concerned about protecting the privacy of sensitive information about themselves. Thus, for example, they are quite willing to agree to contact tracing in the case of AIDS patients, and they are ready to define AIDS as a community health rather than a privacy issue. Most people are not HIV-positive, and they are more concerned about the risks of being infected than about the privacy interests of patients. At the same time, most people are unwilling to have medical information about themselves disclosed without their permission, even when the information does not identify them 23 Amy Corning and Eleanor Singer, “Survey of U.S. Privacy Attitudes,” Survey Research Center, University of Michigan, 2003, a paper written under contract to the National Research Council for this project.

OCR for page 155
Engaging Privacy and Information Technology in a Digital Age by name. In that situation, the privacy value of the information outweighs the juxtaposed social value of “research.” Public opinion about privacy is not well crystallized; people tend to be highly responsive to the way questions are framed. For example, public support for individual monitoring or surveillance measures can be very high, particularly when questions emphasize the need to combat terrorism. Respondents also generally believe that government will use its powers appropriately. Yet when respondents are reminded that government powers may be abused, or that even properly used powers may reduce the rights and freedoms people enjoy, they appear to be quite concerned about such possibilities. Public opinion is responsive to salient events. For example, Alan Westin and others have explored the ways in which public attention to privacy concerns has tended to rise and fall in response to a number of changes in the policy environment.24 These changes included both long-term trends in the organization of the economy as well as short-term disruptions marked by critical events, such as those on September 11, 2001. Immediately after the September 11 attacks, the U.S. public expressed an increase in support for public policy measures with negative implications for privacy. However, this support has gradually waned in the attack-free years afterward. Similarly, public concerns about privacy jumped in the mid-1970s in the wake of the Watergate scandal and the Church Committee report, but tended downward in subsequent years.25 Public opinion is also responsive to technological developments. For example, concerns have risen with technology developments that make it easier, faster, and cheaper to store, process, and exchange vast amounts of individual-level data, and with the advent of new and expanding techniques for acquiring information about individuals such as data mining to link consumer purchases with demographic information and new techniques of surveillance. Despite manifest concerns about privacy, public opinion about privacy is generally not well informed. Because of this, and perhaps for other reasons, individuals do not generally take actions to protect their privacy even though they are highly concerned about personal privacy (e.g., they return warranty cards filled out with personal information even though such information is not needed to validate the warranty). Nevertheless, 24 Alan Westin, “Social and Political Dimensions of Privacy,” Journal of Social Issues 59(1):431-453, 2003. 25 Warrantless FBI Electronic Surveillance, Book III of the Final Report of the Select Committee to Study Governmental Operations with Respect to Intelligence Activities, United States Senate, U.S. Government Printing Office, Washington, D.C., April 23, 1976. (The Select Committee is popularly known as the Church Committee, after its chair, Frank Church, senator from Idaho.)

OCR for page 155
Engaging Privacy and Information Technology in a Digital Age their perspectives on privacy may well influence their opinions in other domains and even possibly their behavior. Concerns about privacy and confidentiality do affect people’s participation in surveys, and in particular the U.S. decennial census. Specifically, Singer et al. found that concerns about privacy and confidentiality have a small but statistically significant effect on response rates.26 Consumers are often willing to trade away their control over their personal information in return for some benefit, which may be small in absolute terms. Some analysts believe that such behavior is the result of a rational approach on the part of the public to privacy issues, which allegedly weighs the privacy risks against the potential benefits of providing information. Others believe that such behavior results from the average consumer being simply unaware of the ways in which transaction-generated information is gathered and used by businesses on the Web and in other places.27 Although public opinion about privacy is shaped by myriad actors that affect the policy-making process (including in particular organized interest groups and policy entrepreneurs),28 privacy advocacy groups and the mass media are among the most important. Westin’s analysis of change in the privacy agenda notes the very important role that publicity or media coverage has played in the policy process, and emergent theory suggests that it is when the policy debate moves into the public sphere that the outcomes of the process are less certain.29 Public concern and a legislative response are often activated in response to the efforts of activist organizations concerned with technology, media, and civil liberties more generally.30 The press and these activist organizations help to raise public awareness about the extent to which many of the business practices that the public assumed were against the 26 Eleanor Singer, Nancy A. Mathiowetz, and Mick P. Couper, “The Role of Privacy and Confidentiality as Factors in Response to the 1990 Census,” Public Opinion Quarterly 57(4):465-482; and Corning and Singer, “Survey of U.S. Privacy Attitudes,” 2003. 27 Oscar H. Gandy, “Public Opinion Surveys and the Formation of Privacy Policy,” Journal of Social Issues 59(2):283-299, 2003; Priscilla M. Regan, “From Privacy Rights to Privacy Protection: Congressional Formulation of Online Privacy Policy,” in C.C. Campbell and J.F. Stack, Jr., eds., Congress and the Politics of Emerging Rights, Blackwell Publishing, Lanham, Md., 2002; and Corning and Singer, “Survey of U.S. Privacy Attitudes,” 2003. 28 Bennett and Raab, The Governance of Privacy, 2003, pp. 171-183. 29 Bruce Berger, “Private Issues and Public Policy: Locating the Corporate Agenda in Agenda-Setting Theory,” Journal of Public Relations Research 13(2):91-126, 2001. 30 Alan F. Westin, “Social and Political Dimensions of Privacy,” Journal of Social Issues 59(2):431-453, 2003; see also Gandy, “Public Opinion Surveys and the Formation of Privacy Policy,” 2003.

OCR for page 155
Engaging Privacy and Information Technology in a Digital Age law are in fact the behavioral norm31 and alert citizens to the fact that their privacy rights (e.g., those granted under the Privacy Act) may have been infringed. Members of public interest groups, or outsiders to the debate, play a key role in “taking the discussion public” by amplifying public concerns about institutional practices that they oppose. A number of public interest organizations have established a significant presence within the policy environment as supporters of what they define as the public interest in privacy, and a reasonable argument can be made to suggest that very little in the way of regulatory pro-privacy policy would exist if it were not for the efforts of privacy advocates.32 General organizations like the American Civil Liberties Union (ACLU) have long been active in pressing both in court and in lawmaking and regulatory bodies for protection of a range of personal freedoms, privacy among them. The ACLU’s concerns continue unabated, indeed intensified, especially in the period after September 11, 2001, and other broad mission organizations have now entered the fray, including some that have found common ground with the ACLU on privacy issues regarding government access to personal information despite being in opposite corners in many other areas. The most dramatic change in public advocacy groups is that, within the past decade or less, the field has now become far more crowded by the entry of a host of influential specialized groups, such as the Electronic Frontier Foundation, the Electronic Privacy Information Center, Americans for Computer Privacy, the Online Privacy Alliance, the Center for Democracy and Technology, and the Privacy Rights Clearinghouse. A number of these organizations emerged into prominence during what Alan Westin identifies as the “third era of privacy development.” These organizations attempt to influence the policy process through a variety of means, including the mobilization of public opinion. Policy advocates attempt to raise public awareness and concern about privacy by supplying sympathetic reporters and columnists with examples of corporate or government malfeasance, or with references to the “horror stories” of individuals who have been the direct or indirect victims of privacy invasion.33 These stories help to raise the level of concern that is then reflected in the periodic surveys of public opinion that get reported 31 Joseph Turow, “Americans and Online Privacy: The System Is Broken,” a report from the Annenberg Public Policy Center of the University of Pennsylvania, Philadelphia, 2003. 32 Bennett and Raab, The Governance of Privacy, 2003, pp. 42-43. 33 Timothy E. Cook, Making Laws and Making News: Media Strategies in the U.S. House of Representatives, Brookings Institution, Washington, D.C., 1989.

OCR for page 155
Engaging Privacy and Information Technology in a Digital Age in the press34 and referred to in testimony in legislative hearings on privacy policy.35 Privacy advocates play an important role in the framing of privacy issues. This framing is a strategic activity oriented toward finding the best way to mobilize support or opposition. Privacy advocates have followed the general trend in policy rhetoric away from a discourse of “rights” toward a more instrumentalist framework in support of developing protections for valued interests, and the avoidance of measurable harm.36 Some argue that this shift from rights to interests reflects a larger shift in policy discourse from talk about citizens and moral rights to talk about consumers and the performance of markets.37 Corporate strategies for addressing public opinion differ somewhat from those of public interest organizations in that firms within information-intensive industries can afford to sponsor opinion surveys that are directly relevant to emerging policy deliberations. For example, privacy-related surveys sponsored by Equifax not only enjoyed a high degree of visibility in the press but also were cited in legislative testimony more often than surveys by any other sources.38 Finally, surveys by independent sources, such as the Pew Internet and American Life Project, reinforce the general conclusion that the public would prefer the presumption of privacy online at the same time that they express a concern about business practices that challenge that presumption.39 5.3 THE ROLE OF REPORTS The position of privacy on the legislative agenda is often established in response to the release of a special investigative report by a government 34 Timothy E. Cook, Governing with the News: The News Media as a Political Institution, University of Chicago Press, 1998. 35 Gandy, “Public Opinion Surveys and the Formation of Privacy Policy,” 2003. 36 Priscilla M. Regan, “From Privacy Rights to Privacy Protection: Congressional Formulation of Online Privacy Policy,” pp. 45-63 in Colton Campbell and John Stack, eds., Congress and the Politics of Emerging Rights, Rowman and Littlefield Publishers, 2002. 37 Oscar H. Gandy, Jr., with the assistance of Francesca Wellings, “The Great Frame Robbery: The Strategic Use of Public Opinion in the Formation of Media Policy,” report to the Ford Foundation, 2003. See also Simon G. Davies, “Re-engineering the Right to Privacy: How Privacy Has Been Transformed from a Right to a Commodity,” pp. 143-165 in Philip Agre and Marc Rotenberg, eds., Technology and Privacy: The New Landscape, MIT Press, Cambridge, Mass.,1997. 38 Gandy, “Public Opinion Surveys and the Formation of Privacy Policy,” 2003, p. 292. 39 Gandy, “Public Opinion Surveys and the Formation of Privacy Policy,” 2003; Regan, “From Privacy Rights to Privacy Protection,” 2002; and Corning and Singer, “Survey of U.S. Privacy Attitudes,” 2003.

OCR for page 155
Engaging Privacy and Information Technology in a Digital Age agency, a special task force, a policy center, or an independent commission established with support from foundations or private sector coalitions. A substantial increase in apparent public concern occurred during the 1960s, driven in part by the appearance of such ominous studies as Alan Westin’s Privacy and Freedom (1969), Jerry Rosenberg’s The Death of Privacy (1969), and Arthur Miller’s The Assault on Privacy (1971). Reports can lay the groundwork for the passage of legislation. In each of the three policy phases identified by Westin, an influential report established the basis for a significant policy response. In the first phase, between 1960 and 1980, a report from the National Academy of Sciences titled Databanks in a Free Society: Computers, Record-Keeping and Privacy (Box 5.1) was followed by a report from an advisory committee to the Department of Health, Education, and Welfare that proposed the very influential framework on Fair Information Practices (FIP) that was later adopted by the Organisation for Economic Co-operation and Development.40 The Watergate scandal and related concerns about the abuses of civil liberties by elements within the intelligence community led to the establishment of a special Senate committee headed by Frank Church. The report generated by the far-ranging investigation of this committee41 helped to support the passage of the Foreign Intelligence Surveillance Act (1978),42 the Right to Financial Privacy Act (1978), and the Privacy Protection Act (1980) as an effort to establish more meaningful boundaries around the government’s intelligence activities. Although Westin describes the years between 1980 and 1989 as a period of relative calm, a series of reports by the Office of Technology Assessment and the General Accounting Office focused on the use of computers and information technology within the federal government that raised important privacy concerns. The Computer Matching and Privacy Protection Act and the Employee Polygraph Protection Act of 1988 were the results of those studies.43 In the third phase (1990-2002) described by Westin it was not a single investigation or comprehensive report that sparked a legislative response but instead what Westin characterizes as a “stream of national surveys” that focused on a rise in privacy concerns among the public.44 For example, content analyses designed to assess the presence and quality of the privacy notices of firms engaged in e-commerce were the result of a 40 Regan, Legislating Privacy, 1995. 41 Warrantless FBI Electronic Surveillance, Select Committee to Study Governmental Operations with Respect to Intelligence Activities, 1976. 42 Whitfield Diffie and Susan Landau, Privacy on the Line: The Politics of Wiretapping and Encryption, MIT Press, Cambridge, Mass., 1998. 43 Regan, Legislating Privacy, 1995. 44 Westin, “Social and Political Dimensions of Privacy,” 2003, p. 444.

OCR for page 155
Engaging Privacy and Information Technology in a Digital Age BOX 5.1 Databanks in a Free Society In the early 1970s, professors Alan Westin and Michael Baker directed a study investigating how the increasing use of computers was affecting U.S. record-keeping processes and what impact the resulting large-scale collections of data (or databanks) might have on privacy, civil liberties, and due process. Conducted under the aegis of the National Academy of Sciences’ Computer Science and Engineering Board, the study was prompted by—among other things—growing concerns about the increasing feasibility and efficiency of collecting and sharing large volumes of personal information, things made much simpler by the use of computer technology. The study, which included more than 50 project staff site visits to organizations with record-keeping operations, culminated in a final report written by Westin and Baker, Databanks in a Free Society: Computers, Record-Keeping and Privacy.1 The report had five major sections: (1) a brief context-setting discussion of computers and privacy concepts; (2) profiles of the record-keeping practices of 14 organizations from both the public and the private sector, including descriptions of organizational record-keeping practices before the application of computer technology, as well as information on the ways that computers were affecting or changing their record-keeping practices at that time; (3) presentation of the principal findings from the site visits; (4) a discussion of how organizational, legal, and socio-political factors affect the deployment of computer technology; and (5) a discussion of public policy issues in light of the report’s findings and forecasts, including several priority areas for civic action. The report described a “profound public misunderstanding” about the effects of using computers in large-scale record-keeping systems and suggested that U.S. public policy, legislation, and regulation (at that time) had not kept pace with the rapid spread of computer technology and growing public concern. The report also identified a number of policy areas deserving of higher priority by courts and legislatures—for example, citizens’ rights to see and contest the contents of their own records; rules for confidentiality and data sharing; limitations on the unnecessary collection of data; technological safeguards for information systems; and the use of Social Security numbers as universal identifiers. The report went on to suggest that the then-present 1970s was the right time for lawmakers to address many of the public policy, civil liberties, and due process issues being brought to light by changing record-keeping technology. The report has influenced much of the privacy work that has followed it and has been cited extensively, no doubt also informing the policy debate leading up to the passage of the Privacy Act of 1974 (5 U.S.C. Section 552a).    1Alan F. Westin and Michael A. Baker, Databanks in a Free Society: Computers, Record-Keeping and Privacy, Quadrangle Books, New York, 1972. Additional commentary can be found in Alan F. Westin and Michael A. Baker, “Databanks in a Free Society,” ACM SIGCAS Computers and Society 4(1):25-29, 1973.

OCR for page 155
Engaging Privacy and Information Technology in a Digital Age renewed activism at the Federal Trade Commission (FTC). The Children’s Online Privacy Protection Act of 1998 was the major legislative result of this assessment. Regan suggests that the bill received overwhelming legislative support because of the unusual strength of a broad-based privacy coalition, sustained attention to the issue in the press, and a well-received report from the FTC on the inadequacy of business efforts at self-regulation.45 Finally, the discontinuity in the privacy policy environment since September 11, 2001, has been evident in the nature and tone of a number of influential reports released in the aftermath. A primary focus of these reports has been the inability of the U.S. government to “connect the dots” that might indicate a terrorist operation in planning or preparation, and it is not surprising that they have emphasized the importance of improving the government’s information collection and analytic capabilities. For example, a special task force organized by the Markle Foundation argued forcefully for the accelerated development of the government’s capacity to gather, process, and interpret information from sources and with means that had previously been barred by law.46 The 9-11 Commission emphasized the key role of information and intelligence in preventing future terrorist actions in the United States and the importance of sharing information among appropriate agencies.47 Though the ultimate outcomes remain to be seen, reports cast in such terms may well help to tip the scales toward greater collection, consolidation, and sharing of personal information than had been considered reasonable, appropriate, or just in the past. Indeed, the core fundamentals of the fair information practices that emphasize the minimization of information gathering and limitation of the use of information to the purposes for which it was originally gathered are largely incompatible with the fundamental principles of intelligence analysis, which include notions of collecting everything just in case something might be useful and using any information that might be available. 45 Regan, “From Privacy Rights to Privacy Protection,” 2002, p. 58. 46 Freedom in the Information Age, a Report of the Markle Foundation Task Force, October 2002; Creating a Trusted Network for Homeland Security, Second Report of the Markle Foundation Task Force, December 2003; Mobilizing Information to Prevent Terrorism: Accelerating Development of a Trusted Information Sharing Environment, third report of the Markle Foundation Task Force, July 2006. 47 National Commission on Terrorist Attacks Upon the United States, The 9/11 Commission Report, 2004, available at http://www.9-11commission.gov/report/911Report.pdf.

OCR for page 155
Engaging Privacy and Information Technology in a Digital Age 5.4 JUDICIAL DECISIONS Periodically we are reminded of the special benefit we expect to derive from the separation of legislative, administrative, and judicial powers.48 Yet it is clear that the independent decisions and pronouncements of jurists have an enormous influence on the nature of statutory bars and constitutional limits on the actions of public and private actors. It is difficult to characterize the development of privacy policies through the courts as the same sort of process that is seen with regard to federal and state legislatures. Still, the courts have been the focus of political action involving privacy advocates as well as organized interests in search of relief from a statutorily enforced constraint. Public opinion can be expressed in many different ways, ranging from demonstrations in front of the Supreme Court to “friends of the court” amicus briefs, although the U.S. judiciary has long enjoyed relative independence from the vagaries of public opinion. Nevertheless, some believe that public opinion can at the very least pressure members of the judiciary to provide extended rationales for decisions that appear to conflict with popular views.49 It is also difficult to characterize the interactions between legal scholars who engage in extended debates over the meaning and importance of legislative and judicial activities that help to determine the legal status of privacy as a right and abuses as actionable torts. This difficulty extends to the efforts of authoritative bodies, such as the American Law Institute, that have codified the “right of privacy” in successive Restatement(s) of Torts.50 The action of the courts is also important to consider because of their corrective function in the face of executive branch opposition or indifference to the privacy agenda. Such opposition or indifference is rarely manifested in declaratory policy by responsible administration officials but can be seen in a lack of compliance with fair information practices. Under such circumstances, it is generally only the courts that can induce the agency or agencies involved to comply, and individual citizens and privacy advocates have had to sue government agencies in order to ensure that the rights of privacy established under the Privacy Act have meaning in practice.51 48 Jurgen Habermas, Between Facts and Norms: Contributions to a Discourse Theory of Law and Democracy, translated by William Rehg, MIT Press, Cambridge, Mass., 1998. 49 Habermas, Between Facts and Norms, 1998, p. 442. 50 An initial Restatement was published in 1937, but the identification of four separate but ultimately unequal torts was published in 1977, adding weight to the suggestions along these lines offered by William Prosser in 1960 (Cal. L. Rev. 48:383). 51 Flaherty, Protecting Privacy in Surveillance Societies, 1989, p. 315.

OCR for page 155
Engaging Privacy and Information Technology in a Digital Age Individual petitioners in search of relief or compensation for the harms visited upon them by others contribute to the development of the body of laws that are recognized as the torts of privacy. Individuals in pursuit of their own interests have been joined from time to time by “friends of the court” who argue in support of more general principles of law. These advocates may also intervene in the development of case law through their active pursuit of the interests of a broad class of citizens whom they claim to represent. They may act as members of a special interest coalition to challenge the actions of an administrative agency. It is when those decisions reach the Supreme Court that the political nature of the process becomes more clear. Because there are few restraints on the power of the justices to pursue their own ideological perspectives in supporting or opposing the decisions of their colleagues on the Court, the appointment of judges to the Supreme Court is a highly political act. For example, privacy advocate Robert Ellis Smith has argued that the appointment of William Rehnquist to the Court came just in time for him to demonstrate the extent of his opposition to a privacy agenda that had only been hinted at by his testimony before the Senate on presidential powers.52 Somewhat ironically, concerns about the private lives of some nominees to the Court have figured prominently in their review.53 Although political debate addresses one or another competing values, it is rare that the political debate explicitly addresses tradeoffs. Explicit discussion of tradeoffs does often take place during judicial review, where tensions between competing values, such as those between privacy and the freedom of speech, can be made explicit. It is also here that the almost metaphysical “balancing” among incommensurable values is thought to take place.54 5.5 THE FORMULATION OF CORPORATE POLICY While administrative, legislative, and judicial processes are largely open to public scrutiny, the deliberations of business and other private organizations tend to be more hidden behind a wall of proprietary interest.55 As a result, most individuals are relatively uninformed about the 52 Rehnquist’s testimony before the Senate Judiciary Subcommittee on Constitutional Rights is discussed by Robert Ellis Smith, Ben Franklin’s Web Site: Privacy and Curiosity from Plymouth Rock to the Internet, Privacy Journal, Providence, R.I., 2000, pp. 263-275. 53 The cases of Robert Bork and Clarence Thomas are especially relevant because of the privacy concerns that were raised during their consideration. 54 Cass Sunstein, “Incommensurability and Valuation in Law,” pp. 70-107 in C. Sunstein, ed., Free Markets and Social Justice, Oxford University Press, 1997. 55 H. Jeff Smith, Managing Privacy: Information Technology and Corporate America, University of North Carolina Press, 1994.

OCR for page 155
Engaging Privacy and Information Technology in a Digital Age ways in which corporate policies affecting privacy are brought into being. Private firms, especially those that do business with individual consumers, have always had a privacy policy of one sort or another, even if the policy was implied by routine practice rather than explicitly stated. However, in recent years more firms are establishing formal policies and informing consumers of the nature of those policies than was common in the past. Firms within information-intensive (and therefore privacy-sensitive) businesses such as insurance, health care, finance, telecommunications, and direct marketing to consumers are more likely than other firms to establish a set of formal policies governing the collection and use of personal information.56 The establishment and posting of privacy policies by firms doing business over the Internet has become a standard business practice, and the lack of a published policy has become an exception. These policies are often based on guidelines developed by membership associations representing the sectoral interests of firms within a particular industry. Trade associations, such as the Direct Marketing Association, often develop and publish a set of standard practices or codes of ethics that members are expected to honor. Two privacy-related organizations are also influential in shaping corporate privacy policies. One organization is Privacy & American Business, which is an activity of the non-profit Center for Social & Legal Research, a non-profit, non-partisan public policy think tank exploring U.S. and global issues of consumer and employee privacy and data protection. Launched by Alan Westin in 1993 as a “privacy-sensitive but business-friendly” organization to provide information useful to businesses about privacy,57 it began training and certifying corporate privacy officers in 2000. A second organization, the International Association of Privacy Professionals, offers the Certified Information Privacy Professional credentialing program and a variety of information resources (newsletters, conferences, discussion forums, and so on).58 Firms within industrial sectors that have traditionally been the target of government oversight are more likely than firms in other sectors to have established their own privacy policies—financial services and health care are two of the most obvious, and privacy efforts in these areas have been driven legislatively with the Gramm-Leach-Bliley Act of 1999 for the former and the Health Insurance Portability and Accountability Act of 1996 for the latter. Firms in other business sectors tend not to develop 56 Gandy, The Panoptic Sort, 1993. 57 Westin, “Social and Political Dimensions of Privacy,” 2003, p. 443. More information on privacy and U.S. business can be found at http://www.pandab.org/. 58 For more information on the IAPP, see http://www.privacyassociation.org.

OCR for page 155
Engaging Privacy and Information Technology in a Digital Age privacy policies until the weight of public opinion demands a response, either from them or from the government.59 The threat of government regulation of information practices that have aroused public anger and concern often provides an especially powerful incentive for firms to develop their own versions of “fair information practices.” On the basis of his study of a number of firms within privacy-intensive lines of business, Smith identified a characteristic “policy-making cycle” that moves through a period of rudderless “drift” that is disrupted by some form of “external threat” that activates a number of “reactive responses” at different levels of the organization.60 On occasion, the external threat that an information-intensive firm is forced to respond to is a class action suit, such as the one filed against DoubleClick for its use of cookies to develop profiles of individuals’ navigation of the Web.61 On other occasions the threat to current or proposed business practices comes from competitors that claim proprietary rights to customer information. On a number of occasions retailers and direct marketers have challenged the right of telephone companies or credit card firms to make use of transaction-generated customer information for their own business purposes.62 Conflicts within the corporate policy environment reflect both strategic interests as well as concerns about ethical standards of good business practice. These conflicts represent constraints on the ability of corporate actors to develop a comprehensive position on the privacy rights of employees, consumers, and members of the public at large.63 59 Smith, Managing Privacy, 1994. 60 Smith, Managing Privacy, 1994, pp. 83-85. 61 DoubleClick Inc. Privacy Litigation, Case No. 00-CIV-0641, 154 F. Supp. 2d 497 (S.D. N.Y. 2001). 62 Smith, Managing Privacy, 1994, pp. 184-204. 63 Oscar H. Gandy, Jr., “Dividing Practices: Segmentation and Targeting in the Emerging Public Sphere,” pp. 141-159 in W. Bennett and R. Entman, eds., Mediated Politics: Communication in the Future of Democracy, Cambridge University Press, 2001.

OCR for page 155
Engaging Privacy and Information Technology in a Digital Age This page intentionally left blank.