Itís a pleasure to be speaking to you here at ALEC. Iím a fan of this organization, and to briefly illustrate why, let me tell you a little bit about myself.
I went to Washington, D.C. shortly after I finished law school at Hastings College of the Law in San Francisco. In my final year there, I served as Editor-in-Chief of the Hastings Constitutional Law Quarterly. We published an article that dealt with the Tenth Amendment and Spending Clause limitations on the federal health care proposals pending at the time.
Nothing shocks me anymore, but back then I was shocked by how roughshod all the six or seven health care plans bouncing around Congress ran over state powers and prerogatives. During the latter half of 1994, the leading issues in the Congress were health care and crime. These two issues are quintessential state, local, and ó in many cases ó personal issues.
This was an eye-opener and one of the things that motivated me to come to Washington and see what I could do about federalism. The pithy answer, of course, is that no one can do anything about federalism. I failed, as everyone does when they fight in the political sphere for an abstract concept. But in the course of my failed fight, I became very aware of ALEC and the other organizations that make federalism work all the time.
I think federalism does work and it could work better. One way I like to think of it ó in modern terms ó is that federalism distributes problems the way networked computers do, or the way the Internet does. Almost all issues will be dealt with better by distributing them among governments and allowing states and localities to learn from one another, rather than putting everyone in one federal boat and seeing if it floats. Organizations like ALEC, and meetings like this one, are where that happens.
Iíve made reference to computers and technology, which are fields Iím keenly interested in from a public policy standpoint. I am the founder of what I call an "Information Age" lobbying and consulting firm where I deal with all kinds of technology and telecommunications issues.
The reason Iím here today is because Iím the Editor of Privacilla.org, a Web-based think-tank devoted exclusively to privacy. Privacilla attempts to capture privacy as a public policy issue from top to bottom. None of my clients have specific privacy concerns, but privacy touches just about every public policy issue, so I always encourage people to watch for bias in what I have to say, as you should with any privacy advocate.
Iím also an Adjunct Fellow with the Progress and Freedom Foundation. They do top-notch work on a variety of telecommunications and high-tech issues, including privacy. PFF is very well known for its Digital State project, focusing on state e-government efforts. They have a number of new efforts focused specifically at states underway so I hope youíll watch for developments coming out of that organization.
Iíd like to touch on two areas that I think you should consider as you address privacy in the near future. Itís one of the most complex issues Iíve seen, so these two only scratch the surface of a very difficult problem.
The first is public opinion surveys about privacy. Surveys and polls have been one of the biggest drivers of the privacy debate. In fact, it often seems like polls are the only rationale that some of the pro-regulation advocates have.
They havenít articulated any harm that is being done to consumers. And they havenít articulated what new theory of privacy they would create with new law and regulation. These things are pretty important if weíre writing laws that are intended to benefit the American people, and I think thatís the idea.
But, because of privacy polls, which sometimes have overwhelming results, the word "privacy" seems to be getting a political free pass these days. If thereís legislation with "privacy" in the title, you as legislators often feel that you canít ask tough questions, like the ones Iíve talked about, because who on earth wants to be "against privacy"? Not me, if these privacy polls are true.
But, it turns out that many of these privacy polls are not true.
I recently co-authored a study of public opinion polls on the privacy issue with Solveig Singleton of the Competitive Enterprise Institute. Solveig did the lionís share of the work and research so sheís the real authority, but we came to some conclusions that are important for you to know.
First, public opinion surveys are very difficult to design well.
Many of them ask leading questions, like "How concerned are you about privacy?" Orson Swindle, a Commissioner with the Federal Trade Commission, is fond of saying that heís worried about the 10% of the people that say theyíre not "concerned" about privacy in some way. Privacy is a good thing. Everyone wants it. A survey question that asks about "concern" with privacy is about the equivalent of a survey question that asks "Do you want money?"
Uh, . . . YES.
Some surveys ask questions that can pretty well be described as push-polling. Questions like "Are you concerned that information about you will be abused?" or "Are you concerned that a company you buy from uses information you provide to send you unwanted information?"
Iím with Commissioner Swindle on these questions, too. Whatís wrong with the person who says No?
These types of questions donít get any answers that reveal consumersí or votersí real-world preferences.
Many surveys ask consumers about a variety of issues, so that what matters to them can be judged on a comparative scale. The clear upshot is that survey questions that ask for privacy concerns usually get privacy concerns. Unprompted surveys do not. Asked to list what worries them, without pointing to privacy, consumers and voters donít mention privacy.
One of the worst defects of privacy surveys is that they donít separate out all the different issues that are being called by the name "privacy." When asked about privacy, a person may be thinking of identity fraud, spam, security, or any number of other concerns.
So when the pollsters ask, "Do you support new laws to protect privacy?" we donít know anything about what they mean.
The better questions ask things like, "Why havenít you shopped online?" These get answers more closely related to crime than privacy. People are worried about credit card fraud and identity fraud much more than exposure of sensitive information about themselves.
Another interesting result we found from our survey of surveys was that consumers sometimes report their own actions incorrectly. You would think that a good way to learn more about consumer interests is to ask them what they do rather than what they think. It turns out that people fib a fair amount even on these surveys.
Thirty-five percent of respondents in one poll said they "always" read Web site privacy policies. Another survey found that 26% always read them.
But the folks who have the Web sites have the numbers, and they know thatís not true. The former Chief Privacy Officer of Excite@Home told a Federal Trade Commission workshop recently that ó on the day after the company was featured in a 60 Minutes segment on privacy ó 100 out of 20 million unique visitors went to that companyís privacy pages. One hundred people out of 20 million.
As another indicator of how consumer surveys compare to consumer behavior, we looked at a macro indicator, the growth of electronic commerce. While people have been wringing their hands about whatís keeping consumers off-line ó "Is it privacy?" ó e-commerce has continued to grow and grow.
In 1999, Jupiter Research predicted two different growth rates for e-commerce: one fairly high rate if Congress passed new privacy laws, and one lower number if it didnít. We found that the growth of e-commerce in the absence of special privacy regulation has outstripped both estimates.
Another thing that polls and surveys fail to do is weigh the costs and benefits of legislation. They donít put consumers in real world situations.
They donít ask "How much of a tax increase would you like to pay for a privacy protection bureaucracy?" They donít ask "How much more would you be willing to pay for goods and services in order to make sure that theyíre not tailored for you or advertised to you?"
And they certainly donít replicate the decisions policy-makers have to make among: different kinds of regulation, increased enforcement of existing law, public education, or leaving responsibility to the companies who will benefit most from having consumer confidence.
Our study is called "With a Grain of Salt: What Consumer Privacy Surveys Donít Tell Us." I have a precious few copies here with me, you can find it online at cei.org, and there are also several links to it from Privacilla.org.
I urge you to look at surveys with a grain of salt. Donít rely on the conclusions. Look at the questions critically and see whether the flaws weíve found are there.
One survey question I would like to see is "Do you feel better knowing that the law in every state gives you a cause of action if your privacy is invaded?"
Let me repeat that: Every consumer today in all 50 states can sue if their privacy is invaded.
The privacy torts, which, as far as I know, have been adopted by statute or common law throughout the U.S., create a cause of action in tort for "unreasonable publicity given to [oneís] private life." This law is not limited as to subject matter or medium. Financial, medical, online privacy? This law applies, and it meets every outrageous revelation of private information with a cause of action. Every single one.
Now, some of the pro-regulation privacy advocates say that thereís no comprehensive privacy protection in the United States, and they suggest that weíre supposed to look to the European bureaucratic model as a guide. They prefer to blanket the information economy with rules ó whether that prevents consumer harm or not.
But if youíre into protecting consumers and, at the same time, fostering innovation, weíve already got it right here, and right now with the privacy torts.
I may give up my summer vacation and go do all the research myself, but Iíd prefer that when you get back home, you look up the law. Find out whether the privacy torts were adopted by statute or by common law in your state. Find a case or two where theyíve been applied in the financial area or the medical area. The law and those cases are going to be worth talking about.
It might be tough to find some of those cases, because itís an ingrained part of our social and business culture that you donít use personal information to hurt people. You only use it to help them.
There arenít a lot of successful privacy tort suits because itís very easy not to violate the privacy torts. Thatís the right thing to do and almost everyone does it. Now, I view that as good law. Itís easy for the good people to obey it, and it picks out the bad actors for punishment. There are only a very small number of successful suits under the privacy torts. And thatís a good thing, too.
Proposals for legislation should be looked at skeptically for the reasons Iíve discussed. First, polls on privacy are consistently flawed. They are not something that serious policy-makers should rely on.
Second, there is already law on the books that prevents harms to Americansí privacy interests. When you look at new legislation, ask what harm it will prevent. A good way to test this is to ask to meet a person who was harmed by the information practices that the legislation will prevent. The U.S. Congress has held hearing after hearing on privacy and not brought forward a single American who has been harmed by uses of information that are legal today.
Privacilla is here to help you sort out these issues. Iím just an e-mail away if you need some clear thinking on these issues when they come up back home. Thanks for hearing me out, and Iíll look forward to your questions.