It’s a delight to be back here in Denver. I’ve been lucky enough to have many trips here in the recent past. And I’m looking forward to coming out here again next month when The Progress & Freedom Foundation has its annual Aspen summit.
I was talking with a friend and colleague about Aspen the other day, and we agreed that sorting out all these policy issues can wear you down. But Aspen is both enlightening and inspiring. They get deeper into the issues there but it has none of the feel of a grueling public policy marathon, like . . . maybe I’m going to give you today. So if there’s any room left at the Aspen Summit in August, I recommend it highly.
Before I get to the heart of the subject briefly, let me introduce myself. I am an Adjunct Fellow at The Progress & Freedom Foundation — my comments a moment ago were not paid for or forced on me — and also the Editor of a Web-based think-tank devoted to privacy called Privacilla.org. In addition, I have a lobbying and consulting firm called PolicyCounsel.Com. None of my clients has specific privacy issues, but privacy touches nearly every public policy issue in one way or another. None of the material on Privacilla and none of what I say to you represents the views of any client, but be aware of my potential for bias, as you would be with any privacy advocate.
Let me discuss Privacilla in a bit more detail. It is a Web-based think-tank devoted exclusively to privacy as a public policy issue. While I was working on Capitol Hill, I was not satisfied that Congress and state legislatures understood what interests they were pursuing with various laws and regulations nominally aimed at "privacy." When I left, I decided to start Privacilla to sort things out — single-handedly . . . .
Privacilla attempts to capture privacy as a public policy issue from top to bottom. It has a couple hundred pages of material that break out privacy from government and privacy in the private sector. Within the private sector, we discuss financial privacy, medical privacy, and online privacy. On these pages, we provide summary information and links to additional sources.
Earlier this week, we introduced a report about the state privacy torts and their role in privacy protection. That’s far from the last word, but more needs to be said about the privacy torts and all kinds of other state laws that protect privacy in various ways. I’m talking about state contract law, trespass, battery, and so on. The law of battery means that no one can come up here and rip my coat and shirt off, exposing the appearance of my body. And that benefits YOU a great deal, let me assure you.
A lot of people on the Hill, in the press, in government relations offices, and in lobbying organizations and trade associations have told me that it’s a great resource. I’m not satisfied though. There need to be hundreds more pages of material and links before you capture this big issue.
On the site you can sign up for e-mail alerts when things happen. I regularly post new material on the site, including the prepared text of talks like this one. I suspect that what I actually say today will have only the remotest correlation to what was in the prepared text, so if my talk leaves you thirsting for more, you can read an excitingly different version of the talk up on the site. And, of course, check out past talks and reports there too.
Privacilla takes a biased view in the debates on privacy. We openly claim a free-market, pro-technology orientation to these issues. There are plenty of other views and you should consider them all.
Let me describe just a bit what I mean by straightening out the privacy issue.
The word “privacy” has come to be used to describe just about every concern with the modern world. That’s fine for regular people, but when we as policy-makers address these concerns, we need to be a little more precise.
Identity fraud, for example, is widely perceived as a "privacy" problem. But it is better understood as a group of crimes that thrive on the use of personal identification and financial information. Because of this widespread misperception, the crimes that constitute identity fraud go poorly enforced while Congress and many states consider things like banning many uses of Social Security Numbers in the name of "privacy." Limiting SSN use would benefits that the consuming public enjoys without effectively preventing crimes.
“Security” and “privacy” are often used interchangeably. Security is closely related to privacy, but they are very different concepts. Privacy has to do with a certain state of affairs in personal information. Security has to do with all the steps a business or government takes to protect its operations, data, and possessions. Security affects the ability to protect privacy, but it’s just as relevant to discuss “security and trade secrets” or “security and payroll” as it is to talk about “security and privacy.”
Likewise, unwanted commercial e-mail, or "spam," is an intrusion into electronic communications and a serious annoyance that is often called a "privacy" problem. Spam exists in large part because e-mail marketers know little or nothing about the interests of potential customers. It is difficult to reconcile spam — e-mails broadcast to unknown people nearly at random — with the heart of the privacy concept, which is too much personal information being available too widely.
At Privacilla, we have developed a working definition of privacy that we believe should form the basis of policy discussions on the topic: Privacy is a subjective condition that individuals enjoy when two factors are in place — legal ability to control information about oneself, and exercise of that control consistent with one's interests and values.
Most importantly, privacy is a personal, subjective condition. It is a state of affairs individuals enjoy based on sharing or retention of information about themselves consistent with their own preferences. These preferences are a product of such things as culture, upbringing, and experience. Because privacy is subjective, I can’t decide for you what your sense of privacy should be. And you can not tell me, either by giving your opinion or by passing a law, that my privacy is protected when I think it is not.
As policy-makers, we should not presuppose that a certain amount or type of privacy serves consumers' interests in the marketplace, and Privacilla's definition of privacy does not do this. Advocates who claim to know what consumers want in terms of privacy prove their ignorance by making the claim.
Some consumers may avoid many transactions to protect privacy. Other consumers may rationally determine that they are safe from harmful uses of information when dealing with certain companies and leave it at that. The fact that hundreds or even thousands of mundane facts about themselves are in the hands of businesses may be a matter of indifference to reasonable people. Aware, empowered, and responsible consumers can demand of businesses what options they want in terms of information sharing or withholding. They can also demand, if they prefer, lower prices, customized service, combined offerings, and so on.
Unless Congress and state legislators are going to guess at consumers' true preferences and impose them from the top down, only consumer education will deliver privacy on the terms consumers want it in the commercial world. Governments cannot protect privacy directly; they can only foster or destroy people's ability to protect their own privacy.
As you can see, I do a lot of work on the very basics of privacy. The question today: “Should there be a national standard for Internet privacy?” is many steps down the road, but let me give some brief comments on that topic.
I have three answers to the question about a national standard: “You can’t. You shouldn’t. And you can’t.” Each of these is aimed at different facets of the question.
First, you can’t: One of the foremost points about privacy I’d like you to take away is that privacy is a personal, subjective condition. Like I said, I can’t tell you when you have privacy, and you can’t tell me when I do. It’s for each of us to decide.
A “national standard” on privacy means that some group of legislators at the federal level says a certain set of information practices are going to deliver privacy. That’s just pretty much nonsensical.
Privacy is a varied and varying concept. If you enact “privacy protections” of any kind into a law, it may be a good guess about what delivers privacy in some respects, and it may roughly correlate to many people’s sense of privacy. But you’ll freeze information practices in one place. Over time, privacy will change, and you’ll have a bunch of law that interferes with innovation while providing little or no benefit to consumers. Indeed, preventing innovation harms consumers because it prevents them from getting the benefits of innovation.
Second, you shouldn’t. The reason why basically boils down to federalism.
Meetings like this one are basically where the rubber hits the road on federalism. You are here to compare notes on laws, policies, and practices across the boards. You are learning from each other what works and what doesn’t work for your citizens. In the case of New State Ice Co. v. Liebman there is some famous language about federalism preserving the states as laboratories of democracy. If one state tries a policy that works, others get to adopt it. If it tries a policy that doesn’t work, other states know to avoid it.
We are presented with an example here today. Minnesota recently passed a law regulating the information practices of Internet Service Providers. That is one approach: rather than relying on general law against doing harm, go industry-by-industry, guess what companies could do wrong, and legislate against it. Here is a chance to see what happens when a state attempts to regulate uses of information from business to business in the name of protecting privacy.
The rest of you get to watch and see how this experiment works. I hope you’ll resist the urge to laugh and point, because I don’t believe that legislative solutions will work. I think the Minnesota approach represents an endless, fruitless enterprise.
A national privacy standard would dumb down our efforts to crack this problem of providing legal protection for privacy, or rather laws that allow us to protect our own privacy.
Finally, you can’t.
The idea of a national standard has gotten the meager support it has because some companies are tempted by the lure of federal preemption. If they sign on to federal legislation, they have been told, they will get preemption of state law. Well, I think they can't.
As we said in our report on the privacy torts, if all of state law is preempted, that would be a huge step backward for privacy protection. Some of the state torts are statutory, so a preemption of statutes would be wrong. If there is to be preemption, it should be of direct regulation of information practices as opposed to law that punishes or interdicts identified harms. Preemption of prescriptive regulation aimed at privacy would not matter much to thoughtful privacy advocates, however, because that kind of law does not protect actual privacy.
But the question is whether industry would even get what it seeks in this bargain. I don’t think it would. The financial services industry didn’t get preemption in the Gramm-Leach-Bliley Act. The health care industry didn’t get preemption in HIPAA. And the industry that never came into existence to serve entertaining and educational content to children — they didn’t get preemption in the Children’s Online Privacy Protection Act either.
In short, the lure of preemption has a mighty sharp hook in it. The folks in industry who understandably want to avoid complying with 50 radically different state laws could easily end up complying with 51 radically different state and federal laws. So, my message to those folks is one of caution.
There is a lot to privacy, and I didn’t cover very much of it at all here. I’m always happy to discuss this with any of you. As I mentioned, we could meet up at The Progress & Freedom Foundation’s Aspen Summit, go hiking, and talk about it. We could hike for days and still not figure it out, but I assure you it will be worth it.
All content subject to the Privacilla