I’m impressed by the dedication you all have shown to this issue. Getting up for a meeting at 8:00 am on a Sunday is more than I could usually muster. I always learn a lot by appearing on panels like this, and I must say that I’ve already learned more than I ever want to know about the application of the Gramm-Leach-Bliley law to attorneys and law firms. Joan said you would get an eclectic panel, and I think I provide the eclectic part, and maybe some comic relief.
As Joan said, I am the Editor of Privacilla.org, which is a Web-based think-tank devoted to privacy. I am also an Adjunct Fellow at The Progress & Freedom Foundation. And, in addition, I have a lobbying and consulting firm called PolicyCounsel.Com. None of my clients has specific privacy issues, but privacy touches nearly every public policy issue in one way or another. None of the material on Privacilla and none of what I say to you represents the views of any client, but be aware of my potential for bias, as you would be with any privacy advocate.
At Privacilla, we try to sort out the issues that, in public debate, go under the name of “privacy.” We have put forward a definition of privacy so that policymakers can better address the issue directly and determine what interests they are pursuing with various proposals.
The word “privacy” has come to be used to describe just about every concern with the modern world. That’s fine for regular people, but when we as policymakers address these concerns, we need to be a little more precise and a little more serious.
At Privacilla, we have developed a working definition of privacy that we believe should form the basis of policy discussions on the topic: Privacy is a subjective condition that individuals enjoy when two factors are in place — legal ability to control information about oneself, and exercise of that control consistent with one's interests and values.
Most importantly, privacy is a personal, subjective condition. I know that in a roomful of lawyers, I don’t have to tell you what “subjective” means. It means that my sense of privacy is my own, and yours is yours. Legislators and regulators can’t pass laws to tell us we have privacy when we think we don’t. Those laws can only represent guesses about what privacy might look like.
I often ask audiences if they would feel better if a bill were introduced called the Happiness Protection Act of 2002. One would think that they would get giddy with the anticipation of being happier once the new law was passed. Well, of course, no one thinks you can pass laws that make people happier. Laws can only create the conditions in which people are able to seek happiness. It’s the same with privacy.
The first factor I mentioned is the legal power to control information. This essentially asks whether people have been deprived of power to control information in some way. Many of you, I’m sure, know about the Bank Secrecy Act, which requires financial institutions to share customer information with the government. It is one of thousands of laws and regulations that deprive people of power over information about themselves. Let there be no mistake about the good intentions of these laws. Unfortunately, the more helpful the law, the more privacy-invasive it often is.
The second factor I mentioned is exercise of control consistent with our interests and values. Ultimately, the only thing that can deliver privacy on the terms consumers want it is consumer awareness and education. If you don’t know how information moves in the Information Economy, you can’t reject practices that you disapprove of. It is the actions of educated and aware consumers in the marketplace that determine whether the uses businesses wish to make of information are acceptable.
Along with giving definition to the term “privacy,” we are trying to move issues that are not properly regarded as privacy into other boxes. This is part of our . . . vain effort to improve the work that policymakers do.
We’ve discussed the Federal Trade Commission’s security rule here this morning, and particularly its application to attorneys. “Security” and “privacy” are often used interchangeably, and they are closely related, but I want you to be clear that they are two very different concepts. I roughly define security as all the steps a business or government might take to protect its functions and assets. The phrase “privacy and security” is heard very often, but it makes just as much sense to talk about “payroll and security” or “trade secrets and security” or “client retention and security.”
Security has to do with all the steps a business or government takes to protect its operations, data, and possessions. Privacy is just one promise that governments and businesses make to citizens and consumers. Security allows privacy promises to be carried out, but the two are not the same.
Identity fraud is another example. It is widely perceived as a "privacy" problem. But it is better understood as a group of crimes that thrive on the use of personal identification and financial information. Because of this widespread misperception, the crimes that constitute identity fraud go poorly enforced while Congress and many states consider things like banning many uses of Social Security Numbers. My suggestion is that the cure for the problem of identity fraud is to start putting some bad people in jail.
Likewise, unwanted commercial e-mail, or "spam," is an offensive intrusion into electronic communications and a serious annoyance that is often called a "privacy" problem. Spam exists in large part because e-mail marketers know little or nothing about the interests of potential customers. It is difficult to reconcile spam — e-mails broadcast to unknown people nearly at random — with the heart of the privacy concept, which is too much personal information being available too widely.
As Joan mentioned, we recently issued a report about the state privacy torts and their role in privacy protection. We found that, through a series of privacy torts, most states provide baseline privacy protections. There’s plenty of variation among states: some have adopted only some of the privacy torts; one or two may not have adopted them at all. But the privacy torts exist and are real. Our report is far from the last word. More needs to be said about the privacy torts and all kinds of other state laws that protect privacy in various ways.
Especially, we don’t want the federal or state legislatures to think that there is NO privacy protection and that they have to invent it from whole cloth. Experience is showing that this is not the path to success.
There are lots of other laws that protect privacy without having the word “privacy” in the name. The law of contract, for example, means that we can enter into enforceable agreements about whether information will be shared or not. The law of trespass means that you can go into your house, shut the doors and blinds, and what you do remains private from any other private sector actor. The law of battery means that no one can come up here and rip my shirt off, revealing the appearance of my body. A wag at a recent conference where I used this example pointed out that you all would probably have a cause of action for intentional infliction of emotional distress if that happened, so there is a double protection against such an unfortunate thing happening.
Let me compare the state laws that protect privacy to the approach taken of late at the federal level. The Gramm-Leach-Bliley law, for example, when you boil it all down, amounts to a protection from accurate marketing. You all know the details better than I do, I’m sure, but there are more exceptions to the ‘protections’ of the Act than there are prohibitions. And this is because there are lots of good purposes for which information is used in our economy.
To be clear about GLB, let me also point out that it’s freedom from accurate marketing, not just freedom from marketing. Under Gramm-Leach-Bliley, we can return to lots of junk mail addressed to “occupant.” Poor people like me will get offers for offshore private banking services. And teenagers or people in their early twenties might be offered annuities. We’re no more empowered. The federal statutory approach just doesn’t add up to privacy.
The Federal Trade Commission’s consent agreement with Microsoft this past week also doesn’t really deliver real privacy to real people. One of the security counts, for example, seems to amount to a ban on commercial puffery. Microsoft roughly said, “We’ve got really, really good security,” and the FTC hit them because their security was allegedly only “pretty, pretty good.” Microsoft didn’t suffer a security breach of any kind, so this is all a legal exercise in parsing a security statement rather than delivering actual security, at the level it’s needed, to the public.
One of the privacy charges against Microsoft was that they kept information about users' Web surfing for a limited amount of time and made it available to their customer service representatives without making a note of that in their privacy policies. This exposes a very important point in the current privacy debate: that lots of this customer information is being collected precisely for the purpose of helping customers.
Though many companies may act like it is, I want you to know today, ladies and gentlemen, that customer service is not a crime! Information is being collected to provide customer service, customized products, and accurately targeted marketing. This is a good thing for many people.
In conclusion, I want all of you to be proud of the work you do, but I’m sorry to report that federal “privacy” statutes and enforcements have little to do with delivering real privacy to real consumers at this point. You’re getting lots of work out of it, of course, and congratulations on that. But we’ll have to get to privacy later, in some other way.
All content subject to the Privacilla Public License.