Itís a pleasure to be back in Seattle to participate in this seminar. Iím a native of California currently trapped in Washington, D.C. You might be gratified to know that I have no plans to move here. I understand you nice folks are sick to death of Californians coming up here to pollute your placid, caffeine-charged existence. But I understand why they do.
I went to law school in San Francisco and a friend of mine there is originally from here. Just about every time I try to make plans with him, heís up here for the weekend. Itís a beautiful area. I like the layout of the city; the presence of water all around. Youíve got it pretty good.
As I mentioned, I live in Washington and I work in public policy. I moved there about seven years ago and worked my way up on Capitol Hill for a few years. I last served as a counsel with the House Judiciary Committee before starting my own lobbying and consulting firm, and Privacilla.org, which Iíll describe to you in a little detail.
Privacilla is a Web-based think-tank devoted exclusively to privacy as a public policy issue. While I was working on the Hill, I was not satisfied that Congress and state legislatures understood what interests they were pursuing with various laws and regulations nominally aimed at "privacy." While I was mulling over these concerns, this neato thing called the Internet was spawning a lot of new and interesting business ideas.
The public policy arena is a business, like any other, and I thought that perhaps capturing an entire public policy issue and slapping it up on the Web could change the way the issue is handled in Washington and around the country. So this is something of an experiment in its early stages.
Privacilla attempts to capture privacy as a public policy issue from top to bottom. It has a couple hundred pages of material that break out privacy from government and privacy in the private sector. Within the private sector, we discuss financial privacy, medical privacy, and online privacy. On these pages, we provide summary information and links to additional sources.
A lot of people on the Hill, in the press, in government relations offices, and in lobbying organizations and trade associations have told me that itís a great resource. Iím not satisfied though. There need to be hundreds more pages of material and links before you capture this big issue. Hopefully weíll get there and improve the intellectual quality of the privacy debate in Washington.
People there laugh at me, by the way, for talking about the "intellectual quality" of debates in Washington. There are lots of things to laugh at me about. Perhaps this aspiration is one. But Iíll show Ďem.
On the site you can sign up for e-mail alerts when things happen. I regularly post new material on the site, including the prepared text of talks like this one. I suspect that what I actually say today will have only the remotest correlation to what was in the prepared text, so if my talk leaves you thirsting for more, you can read an excitingly different version of the talk up on the site. And, of course, check out past talks and reports there too.
A few caveats are in order. Privacilla takes a biased view in the debates on privacy. We openly claim a free-market, pro-technology orientation to these issues. There are plenty of other views and you should consider them all.
As I mentioned, I also operate a lobbying and consulting firm. None of my clients has specific privacy issues, but privacy touches nearly every public policy issue in one way or another. None of the material on Privacilla or what I say to you represents the views of any client, but be aware of my potential for bias, as you would any privacy advocate.
Whatís Wrong With This Topic
Now the title of my little segment today is "Why Bother to Regulate Privacy?"
Itís a provocative title. It sounds like Iím going to stand up here and say that thereís no use trying to protect privacy, or that privacy is bad. Those of you who have readied the rotten tomatoes, please put them away. I donít think Iíll be your target. I donít fall into the Scott McNealy camp of "Youíve got no privacy. Get over it." And I donít have some kind of religious devotion to reducing the role of government. There are two points that Iíd like to get across to you today.
The first is not that you shouldnít regulate in pursuit of privacy, but that you canít regulate in pursuit of privacy. This is because of what that thing "privacy" is.
My second point is that plenty of laws exist that are an essential part of privacy protection. Iím glad we have them, we need them to exist, and we would be in a heap of trouble without them. What we donít need are the clear majority of bills put forward in Washington and the states with the word "privacy" in the title. The authors of those bills typically have not identified what they are really pursuing and they end up doing things that they didnít intend, without advancing the cause of true privacy.
So let me get to those two points, and invite you to do some thinking with me on this fascinating topic of privacy.
What is Privacy?
As I said, one of the reasons I started Privacilla is because I was dissatisfied with the way privacy was being handled in legislatures like the U.S. Congress. I did a lot of work on constitutional law when I was in law school, and my training is to start at the very bottom, the substrate, of any issue and build up from there.
To me, the starting point for the privacy issue is to identify what privacy is. Shocker, that idea, isnít it? To think about identifying ó maybe even defining ó the interest you are pursuing around the time you are pursuing it.
Well, so far most discussion of "privacy" doesnít identify what that word means. The result is that all variety of advocates and interest groups get to hang their particular agendas on the word "privacy." Currently, if a politician or interest group can make a plausible case that its legislation was "pro-privacy," that legislation gets a political free-pass. Who wants to be against a bill that gives us privacy?
So what is privacy? Does anyone here know what it is? [pause, wait, pause, wait]
You probably know when you have privacy and when you donít. And that actually is what many privacy advocates base their advocacy on: if a policy fits with their personal preferences, itís not a privacy problem. And if a policy fails their personal views, thatís a privacy problem.
You find advocates doing battle righteously with the Justice Department and completely ignoring privacy-invasive practices at the IRS, SSA, or all the other vegetable-soup agencies. They volunteer support to HHS "privacy" regulations and say nothing of HHS privacy invasions. They treat data in private hands and data in the control of governments as if the circumstances of both were pretty much the same.
Some privacy-advocate groups sign on to letters about detention of illegal aliens and racial or religious discrimination. These are legitimate concerns. I donít want to denigrate them by suggesting that they start to get pretty far afield from "privacy" ó if that word means anything.
I think the word does mean something, and Iíve attempted to give it a definition that we can use in policy-making. I think common usage of the word will remain imprecise, but we rely pretty heavily on properly defined terms when weíre doing law or regulation. Iíll continue to insist on giving definition to the concept of privacy, and point out when people are presenting a slate of policies that cut across numerous fields in the name of "privacy."
Let me discuss some of the issues that popularly fall under the name "privacy" but that should be treated as separate and distinct legal and policy problems.
The first and one of the biggest is "identity fraud." Itís provocatively called "identity theft" by a lot of folks. Thatís nicely misleading. Identity fraud is a group of crimes where people assume the identity of others in order to defraud businesses and credit issuers out of goods or money. The people whose identities have been assumed are victims of the crime too because they suffer shock when they learn this has gone on and they have to spend countless hours cleaning up their credit histories.
That personal suffering doesnít convert this crime problem into a privacy problem. A punch in the stomach is also very personal and very agonizing, but this doesnít make it a privacy problem. Identity fraud is crime and itís already illegal.
Because it is so often referred to as a "privacy" problem, though, identity fraud has given politicians, bureaucrats, and advocates the idea that they need to come up with novel solutions to this Information Age problem. Not so. They need to come up with timeless solutions to this classic problem. Putting the bad guys in jail would be a good start.
But the proposals you see often would curtail uses of Social Security Numbers, as if "privacy" in the Social Security Number would prevent this kind of crime. Social Security Numbers are used across the economy for a huge array of economically beneficial purposes. Iím not a criminologist, but I think cutting off uses of SSNs to prevent identity fraud would be a lot like cutting off uses of automobiles to prevent transportation of stolen goods. The cure is probably worse than the disease.
Spam and telemarketing are also often called "privacy" problems. Some big-time judge said once that privacy is the "right to be let alone" or something. Probably Brandeis or Cardozo or Oliver Wendell Holmes or Lance Ito. When I was in law school, I noticed that Cardozo opinions were a little bit like Bob Dylanís lyrics, or any number of religious texts: if you try hard enough, you can find a line somewhere to justify anything you want to believe.
A lot of people want to believe that their privacy is invaded by unwanted commercial communications. But I think itís better to characterize these things as annoyances. Again, I donít want to denigrate the seriousness of the problem. These things are serious annoyances. But the seriousness of the annoyance may not convert them to privacy problems.
The reason why I am working to see unwanted marketing treated as an annoyance rather than a privacy problem is because it kind of conflicts with the heart of the privacy issue. Privacy is about control of information about ourselves, and the absence of privacy generally comes from the absence of control. But unwanted telemarketing typically happens when marketers donít know anything about their targets. Someone who has a great deal of privacy ó someone about whom information is very scarce ó is likely to get more unwanted marketing than someone about whom information is widely available.
Itís hard to call it a privacy problem when information about a person is too widely available and also when not very much information is available, causing unwanted commercial communications.
So identity fraud and spam tend not to be privacy problems, but rather separate and distinct problems that need to be addressed on their own merits. By lumping them in with privacy, we make it less likely that weíre going to get to the best solutions for these very real problems. Unfortunately, a lot of "privacy" laws, like the Gramm-Leach-Bliley Act have little effect other than to curtail some marketing. They contribute to the idea that privacy is protected when youíre not getting phone calls or spam. But thereís so much more to it than that.
But Iíve gotten a little ahead of myself, talking about what is NOT privacy before talking about what IS privacy. Let me put forward the working definition of privacy that we use on Privacilla. There have been a resounding zero challenges to this definition, and I am growing increasingly confident in it, though Iím always interested in discussion:
Privacy is a subjective condition that exists when two factors are in place. First, one must have legal power to control information about themselves. Second, one must have exercised that power consistent with his or her interests and values.
Iíll parse the whole definition for you, but the most important one for our purposes ó the question of whether itís possible to regulate for privacy ó is the idea that privacy is a subjective condition.
A subjective condition means it is a condition that individuals enjoy based on their own highly personal wants and needs. Through experience, upbringing, culture, what-have-you, we each develop a sense of privacy that is our own. I can not tell you what your sense of privacy should be, and you can not tell me what my sense of privacy should be.
To illustrate this, Iím going to ask you to take a brief privacy quiz:
Question 1: Who do I talk to more about my relationships with women: my parents or my friends?
Question 2: I am an investor in securities. Is my investment philosophy better known to people who are older than me, or to people who are younger than me?
Question 3: Do I more often wear a hat or flip-flops?
Of course, these questions are designed to illustrate that you have no way of knowing my behavior ó and there is no right way to act ó when it comes to revealing information about my personal relationships, my investments, or the appearance of my feet and balding head.
The behavior of consumers in public and in the marketplace runs a wide range, too. For example: Itís easy to say that medical information is some of the most sensitive and private, and some of it is. But some of it is not sensitive. Some of it is not private. Some of it is neither sensitive nor private.
The fact that someone is the victim of a sports injury is not sensitive medical information. People brag about the number of stitches theyíve gotten, or the number of broken bones. No stigma attaches too such things. Itís not sensitive.
Other medical information is not private. Obesity is a pretty good example. Skin conditions affecting the face or hands are rarely private even if they are sometimes sensitive or embarrassing. These types of things are very contextual. People may keep their appearance private in some circumstances for whatever reason ó to enjoy varied relationships online or by telephone, for example.
All kinds of illnesses are neither sensitive nor private. The fact that someone is in the hospital is often widely shared. Itís common in our culture to send cards, gifts, and flowers to people precisely because they have medical conditions.
Though youíll hear it in policy sloganeering, itís impossible to make blanket statements about what kinds of information are rightly kept private, and what are not. Privacy is a highly complex social construct that shifts and changes among people and over time.
This is why attempts to capture "privacy" in law or regulation is such a futile exercise. Law and regulation aimed at privacy represents only the guesses of politicians, bureaucrats, and advocates about what privacy might look like. They usually err by imposing their own interests, and not even a thoroughly considered version of their own interests, rather than allowing for the unique interests of all the different people who are subject to such laws.
The point here is not so much a libertarian one as a legal and sociological one: you canít regulate for privacy. You have to empower people to take control of their lives and make decisions that deliver privacy as they want it.
The Role of Law
The idea that you canít regulate for privacy doesnít mean that you canít have privacy, and it doesnít mean that thereís no role for the law. Though I think itís going to be a long haul, I believe that, thanks in large part to technology, people will have more privacy in the future ó or at least more of what they want. Maybe they want privacy. Maybe they want exposure. I try not to prejudge, as other privacy advocates do.
The thing that we can do to foster this is to protect the decisions people make that affect what happens to information about them.
In the Privacilla definition of privacy, I said that the first factor is power to control information about ourselves. This is essentially legal power, and it doesnít go to the difficulty of exercising that control.
It is difficult to keep some information private in regular commerce. Some markets are too monolithic in their information practices, and they donít offer consumers a wide enough range of choices. Try applying for a loan, for example, without sharing your Social Security Number. Youíll find that itís just about impossible. It could be, of course, that over years these markets have discovered the practices that please the most consumers. Almost everybody shares their Social Security Number so they can enjoy the benefit of having their credit history considered.
If financial services companies donít have the mix of information practices right, the solution is for competitors to eat their lunch. To privacy advocates who say that the banks have got it wrong, I say "Start a bank. Put your money where your mouth is." No new banks have come into existence for this reason yet.
Very often, the reason personal information has to be collected is because it is required by governments. The Bank Secrecy Act, for example, justifies financial regulators in requiring financial institutions to maintain "Know Your Customer" programs that require more information than they would ordinarily collect. As you well know, governments collect information from and about people directly. The IRS, the Census Bureau, the Social Security Administration, and the Department of Health and Human Services collect mounds of information from us. We do not have the legal option to decline these information collections.
Law, regulation, and entitlement programs routinely strip Americans of legal authority over information about themselves. On Privacilla, we characterize this as "anti-privacy" law and regulation.
To foster privacy, future laws and amendments should be designed to minimize the amount of personal information they need. I often say that loss of privacy is a cost of government. And it is true that most government programs have an unidentified toll on Americansí ability to protect privacy.
The other, positive side of lawís role in privacy is to guarantee the privacy-protecting decisions people make. This is done not by legislation with the word "privacy" in the title, but by existing law like contract law and tort law.
Take contract law. If you and I agree as part of a contract that you are not going to reveal a purchase I have made to other people, that is the law of our agreement and I can go to court to enforce it or punish you if you violate the agreement.
The tort law is equally protective of privacy. When I put on my suit this morning, part of what I did was protect privacy in the appearance of my body. Lucky you. Anyone who came up and tried to take the suit off of me without my consent would be violating my right to be free of unconsented touching. They would be committing the tort (and crime) called battery.
There are, of course, torts specific to privacy. Most important is the "exposure of private facts" cause of action. This means that if private information about someone is revealed and it causes humiliation, that person may sue the person who published the information. In other words, anyone who holds sensitive personal information about another person does so under an obligation to protect the privacy of that information.
These types of laws protect privacy, and they do so by enforcing the choices that citizens and consumers make for themselves. There is an essential role for law and regulation in protecting privacy, and this is it.
The second major factor in privacy protection is exercising oneís legal power consistent with oneís interests, and that is largely a subject for another day. We know that others can not determine our privacy interests for us, though some politicians, bureaucrats, and advocates may try.
Slowly but surely, we as a society are coming to grips with the implications of new technologies that seem to threaten our privacy. Some privacy advocates get a little breathless from time to time about the privacy consequences of new technologies. It is their job, though ó and a legitimate one ó to rabble-rouse a little bit. If they can make a privacy charge stick ó and they do from time to time ó they have made the case that a certain practice or technology is unacceptable. If they can only be heard in the halls of Congress or in the state legislatures, however, this tells us nothing about the real interests of real consumers. The place for privacy activists and consumer advocates is out there dealing with real consumers, not talking to politicians.
My guess is that, in something like a generation, kids will understand quite nicely how information moves in the economy and society. The Internet started a worthwhile national conversation about these things, though it did catch quite a few people by surprise. Some individuals have been outraged to discover information practices that have been evolving for decades. Companies have been flat-footed when this issue has cropped up.
As we accommodate our practices to this new era, it is only consumer behavior in the marketplace that can help us figure out exactly what they want in terms of privacy or convenience, low prices, and custom tailoring. No advocate, bureaucrat, or politician can tell us when we have exercised our power over information consistent with our values.
Because privacy is what it is ó a subjective condition that we design for ourselves ó regulation canít effectively reach it. There are a number of interests that are commonly called "privacy," but theyíre not. Identity fraud is a serious group of crimes. Spam and telemarketing is an annoyance premised on the lack of information about consumers.
The laws that protect individual consumer choice protect privacy. Contractual agreements are some of the best, and best-tailored, privacy protections possible. The tort laws protect our autonomy from the invasions of others. These have an essential role in privacy protection.
So there is no reason to throw up our hands and say "Why bother?" There are plenty of reasons to set off in a direction that will actually protect the specific wants and desires of real people.
All content subject to the Privacilla