The Death of Privacy

Stanford Law Review
The Death of Privacy? Author(s): A. Michael Froomkin Source: Stanford Law Review, Vol. 52, No. 5, Symposium: Cyberspace and Privacy: A New Legal Paradigm? (May, 2000), pp. 1461-1543 Published by: Stanford Law Review Stable URL: http://www.jstor.org/stable/1229519 . Accessed: 21/09/2013 15:16
Your use of the JSTOR archive indicates your acceptance of the Terms & Conditions of Use, available at . http://www.jstor.org/page/info/about/policies/terms.jsp
.
JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide range of content in a trusted digital archive. We use information technology and tools to increase productivity and facilitate new forms of scholarship. For more information about JSTOR, please contact support@jstor.org.
Stanford Law Review is collaborating with JSTOR to digitize, preserve and extend access to Stanford Law Review.
http://www.jstor.org
This content downloaded from 14.139.58.146 on Sat, 21 Sep 2013 15:16:41 PM All use subject to JSTOR Terms and Conditions
TheDeathofPrivacy?
A. MichaelFroomkin*
Therapiddeployment ofprivacy-destroying technologies bygovernments obsolete.The threatens tomake andbusinesses informational privacy first part thelawhasyet a range towhich article describes ofthis ofcurrent technologies These collection torespond effectively. include.routine oftransactional data, growing automated surveillance inpublic places,deployment offacial recognivehicle sattion andother technology biometrics, cell-phone tracking, tracking, Internet ellitemonitoring, workplace surveillance, tracking fromcookiesto hardware-based intellectual "clicktrails," property-protecting identifiers, to see "snitchware," and sense-enhanced searchesthatallow observers andreinforcing wallstoclothes. Thecumulative through everything from effect modern visible andpermeable ofthese technologies maymake lifecompletely to observers; there couldbe nowhere to hide. Thesecond article partofthis discusses to craft to theassaultonprivacyleading attempts legalresponses including self-regulation, privacy-enhancing technologies, data-protection law, the andproperty-rights basedsolutions-in context structural obstacles ofthree toprivacy First Amendenhancement: consumers' privacy important myopia; ment to collect and repeat andfear ofwhat protection ofrights information; other Thearticle that peoplemaydo ifnotmonitored. concludes the despite warnings ofinformation privacy pessimists, all is not lost-yet. INTRODUCTION ......... PRIVACY-DESTROYING TECHNOLOGIES . . . .1468 I. A. Routinized LowTechData Collection . . .1472 1. By theUnited StatesGovernment . .1472 2. Transactional data . .1473 . . B. Ubiquitous Surveillance .1475 1. Publicspaces . .1476 a. Cameras .1476 b. Cellphonemonitoring .1479 c. Vehicle .1480 monitoring 1462
* Professor of Law, University of Miami School of Law. B.A. Yale, M.Phil Cambridge, J.D. Yale. Email: froomklin@law.tm.I am grateful foradvice fromCaroline Bradley,PatrickGudridge,and Eugene Volokh, forresearchassistancefromSueAnn Campbel and JulieDixson, and secretarialassistance fromRosalia Lliraldi. The errorsthat surviveare my own. extraordinary Unless otherwise noted,thisarticleseeks to reflect legal and technicaldevelopments as of Feb. 1,
NATION
(2000), whichexploresmanyof thethemesdiscussed in thisarticle.I recommend it anyin theseissues. All Internet one interested citations were current as of May 22, 2000. ? Copyright 2000 by A. Michael Froomkin and theBoard of Trustees of theLeland Stanford Junior University.
2000. After I had a chanceto read SIMPSON completing thisarticle
GARFINKEL, DATABASE
1461
1462
STANFORD LAWREVIEW
[Vol. 52:1461
2. Monitoring inthehome and office . 1481 .............................. a. Workplace surveillance ..................................... .......... 1481 b. Electronic communications 1482 ................................. monitoring c. Onlinetracking ................. ............................... 1486 d. Hardware ................................................ 1490 3. Biometrics ................................................. 1494 4. Sense-enhanced searches ...................................... 1496 a. Looking down:satellite ....................................... 1496 monitoring b. Seeingthrough walls........................... .................... 1498 c. Seeingthrough clothes ............................................... 1499 d. Seeingeverything: smart dust 1500 ...............................................
II.
A. TheConstraints 1501 ................................................. 1. Theeconomics . 1501 ............................... ofprivacy myopia 2. First Amendment 1506 ............................................. a. TheFirst Amendment inpublicplaces .................................. 1506 b. TheFirst Amendment and transactional data ............. .......... 1521 3. Fear................................................ 1523 B. Making Rules Within Privacy theConstraints 1523 ..................................... 1. Nonlegalproposals 1524 ........................................... a. "Self-regulation. ............................................... 1524 b. PETs and other self-help ............................................... 1528 2. Usinglaw to changethedefaults ...............................................1533 a. Transactional data-oriented solutions 1533 ................................... b. Tort law and other approaches topublicdata collection ...... 1535 c. Classicdataprotection law............................................... 1538
III. IS INFORMATION PRIVACY DEAD? .... 1538
RESPONDING TO PRIVACY-DESTROYING TECHNOLOGIES ............................
1501
"You havezeroprivacy. Getover it." -Sun Microsystems, Inc.,CEO Scott McNealyI INTRODUCTION
as we all know,is power. Both collecting Information, and collating personal information aremeansofacquiring power, usually at theexpense of thedatasubject.Whether thisis desirable depends uponwhotheviewer and are and who is weighing subject thebalance. It has longbeenbelieved, for that thecitizen'sability example, to monitor thestate tends to promote hon1. Deborah Radcliff, A Cryfor Privacy,COMPUTER WORLD, May 17, 1999 <http://www. computerworld.com/home/print.nsf/all/990517privacy>. Thecomment was in response to a questionat a product launch.See also Edward C. Baig,MarciaStepanek & Neil Gross, Privacy: The Internet WantsYourPersonal Info.,What'sin Itfor You?, BUS. WK.,Apr. 5, 1999, at 84 (quoting McNealy as saying, "You already havezeroprivacy. Getover it.").
May2000]
THEDEATHOF PRIVACY?
1463
estgovernment, that is . . . thebestof disinfectants."2 "[s]unlight One need look no further thantheFirst Amendment of theUnitedStatesConstitution to be reminded that theacquisition protecting and dissemination of information is an essential meansof empowering citizensin a democracy. Conversely, at leastsinceGeorgeOrwell's1984, if notBentham's Panopticon, theimageof theall-seeing eye,theArgusstate, has been synonymous with thepowerto exercise repression. Today,theall-seeing eye neednotnecessarily belongtothegovernment, as many intheprivate sector find itvaluable to conduct variousforms of surveillance or to "mine"datacollected by others. For example, employers seeknewwaysto monitor continually employees for efficiency and honesty;firmstrawl databases for preference information in thesearch newcustomers. for Evenan infrequently exercised to collectinformation capability confers poweron thepotential observer at theexpenseof thevisible: Knowing you maybe watched affects behavior. Modern socialscienceconfirms ourintuition that peopleactdifferently when they knowthey areon CandidCamera-or Big Brother Cam.3 In thisarticle, I will use "informational privacy" as shorthand forthe to control ability theacquisition or releaseof information aboutoneself.4I will arguethat boththestate andtheprivate sector nowenjoyunprecedented abilities to collectpersonal data,and thattechnological developments suggest thatcosts of data collection and surveillance will decrease, whilethe andquality quantity ofdatawillincrease.I willalso arguethat, whenpossible, thelaw shouldfacilitate informational privacy because themosteffectivewayofcontrolling information aboutoneself is notto shareitin thefirst place. Most of thisarticle focuses on issuesrelating to data collection and not datacollation.Muchofthebestworkon privacy, and themostcomprehensive legislation,5 whilenotignoring issuesof datacollection nonetheless foBrandeis actually intended this comment toinclude both public andprivate institutions: "Publicity isjustly commended as a remedy for socialandindustrial diseases.Sunlight is saidtobe the best of disinfectants; electric light the most efficient policeman." Id. 3. See KARL G. HEIDER, ETHNOGRAPHIC FILM 11-15,49-62 (1976) (discussing waysin which theactoffilming maydistort ormisrepresent reality); SHOSHANA ZUBOFF,IN THE AGE OF THE SMARTMACHINE:THE FUTUREOF WORK AND POWER344-45(1988) (describing thephenomenon of "anticipatory conformity" among persons whobelieve arebeingobserved).Cf they Estesv. Texas,381 U.S. 532,545 (1965) (noting that itis "highly probable" that thepresence of cameras inthe courtroom willinfluence jurors). 4. Thedefinition differs from that usedinUnited States constitutional law. Theconstitutional right toprivacy is frequently described as having three components: (1) a right tobe left alone;(2) a right to autonomous choiceregarding intimate matters; and(3) a right to autonomous choiceregarding other personal matters. See LAURENCE H. TRIBE,AMERICAN CONSTITUTIONAL LAW ? 151 (2d ed. 1988);KenGormley, OneHundred Years 1992Wis.L. REV.1335,1340. ofPrivacy, 5. TheEuropean Union's Privacy Directive, Council Directive 95/46 oftheEuropean Parliament andoftheCouncil ontheProtection ofIndividuals With totheProcessing Regard ofPersonal DataandontheFreeMovement ofSuchData,1995O.J.(L 281) 31,is probably themost compre2. Louis D. BRANDEIS, OTHERPEOPLE'SMONEYANDHoW THEBANKERS USE IT 92 (1914).
1464
LAWREVIEW STANFORD
[Vol.52:1461
cuses on issuesrelating to thestorage and reuseof data. Privacy-enhancing legal and policyanalysisoften thatbeproceedson thereasonable theory cause themostserious of dataacquisition privacy-related consequences hapthefact, pen after and require a database, theuse and abuse of databasesis theappropriate focusforregulation. This article concentrates on the logicallyprior issue of datacollection.Issues of datause and re-usecannot be avoided,however, because one of theways to reducedata collection is to imposelimits on theuse of improperly collected data. Conversely, if limits on initial datacollection are constitutional, it is morelikely then that efforts to prohibit theretransmission orrepublishing of illicitly collected datawould be heldtobe constitutional as well. A data subject has significantly less control overpersonal data once information is in a database.The easiest wayto control databases, is therefore, to keepinformation to oneself:Ifinformation never getscollected inthefirst place, databaseissuesneed neverarise. It maybe that"[t]hree can keep a secret-iftwoofthem aredead,"6 butin theworld oftheliving we must find kinder, gentler solutions.Although privacy-enhancing technologies suchas encryption providea limited ability to protect some data and communicationsfrom prying eyes and ears,it seemsobviousthat totalsecrecy of this sortis rarely a practical possibility today unlessone livesalone in a cabinin thewoods. One must be photographed and fillout a questionnaire to geta driver's showID to geta job.7 Our homesare permeable license, to senseenhanced ourmedicaland financial snooping; datais strewn around thedatasphere; our communications are easilymonitored; our lives are an open book to a mildlydetermined detective. Personallives are becomingincreasingly transparent to governments, interested corporations, and even to one another-as demonstrated by notorious incidents of phoneeavesdroppingortaping involving diverse individuals suchas Britain's Prince Charles, House Speaker NewtGingrich, and White House Intern MonicaLewinsky.8
hensiveattempt to protect informational privacy, although experts disagreeabout its domesticand especially extraterritorialeffects. Compare PAUL M. SCHWARTZ & JOEL R. REIDENBERG, DATA PRIVACY LAW: A STUDY OF U.S. DATA PROTECTION (1996), withPETER P. SWIRE & ROBERT E.
LITAN, NONE OF YOUR BUSINESS WORLD DATA FLOWS, ELECTRONIC COMMERCE, AND THE EUROPEAN PRIVACY DIRECTIVE (1998).
6. BENJAMIN FRANKLIN, POOR RICHARD'S ALMANAC (1735), reprinted in THE OXFORD DICTIONARY OF QUOTATIONS 211 (2d ed. 1959). 7. See 8 U.S.C. ? 1324a(a)(1)(B) (1996) (prohibiting hiring workers without verifyingidentity and authorization to work in the United States). Employers must complete an INS Form 1-9,Employment Eligibility Verification Form, documenting this verification and stating the type of ID they examined. See Verification of Employment Eligibility, 8 C.F.R. ? 274a.2 (1999). 8. See Boehner v. McDermott, 191 F.3d 463, 465 (D.C. Cir. 1999) (describing the taping of a cell phone call including Speaker Gingrich); OFFICE OF THE INDEPENDENT COUNSEL, REFERRAL TO THE UNITED STATES HOUSE OF REPRESENTATIVES PURSUANT TO TITLE 28, UNITED STATES CODE, ? 595(c) ? I.B.3 ("The Starr Report") <http://icreport.loc.gov/icreport/6narrit.htm#L7> (describing recording of Lewinsky calls by Linda Tripp); Paul Vallely, The Queen Brings Down The
May2000]
THEDEATHOF PRIVACY?
1465
This generaltrend is driven innovation and by economic by technological and social forcescreating a demandforprivacy-destroying technologies. Whensolitude is notan option, datawillbe disclosed'voluntarily' personal for transactions oremitted ourcontrol. Whatremains bymeans beyond tobe determined is whichlegal rulesshouldgovern thecollection as well as the use ofthisinformation. In light of therapidgrowth of privacy-destroying it is intechnologies, unclear whether creasingly informational can be protected at a bearprivacy able cost, or whether we are approaching an era of zero informational privacy, a worldof whatRogerClarkecalls "dataveillance."9 PartI of this articledescribesa number of illustrative technological that developments facilitate thecollection ofpersonal data. Collectively theseand other developments themeansforthemostoverwhelming provide assaulton informational privacyin the recorded of humankind.That surveillance history technologies threaten privacy maynotbe breaking news,but theextent to whichthesetechnologies will soon allow watchers to permeate modern life stillhas thepowerto shock. Noris itnewsthat thepotential effect ofcitizen is vastly profiling increased by thepowerof information and the processing of distributed linking databases. We are stillin theearlydaysof datamining,consumer and DNA databasing, profiling, to nameonlya few. The cumulative and accelerating effect of thesedevelopments, however, has the potential to transform modern life in all industrialized countries. Unless something happens to counter thesedevelopments, it seemslikely thatsoon all butthemostradicalprivacy freaks maylive in theinformational equivalentofa goldfish bowl.1O If thepace at whichprivacy-destroying technologies are beingdevised and deployedis accelerating, the basic phenomenon is nevertheless old enough already to havespawned a number of laws andproposed legalor social solutions designed toprotect or enhance privacy in various ways. PartII ofthisarticle examines several ofthese proposed privacy enhancing policies in light ofthetechnologies discussed in PartI. It suggests that somewillbe
Shutters, THE INDEP.,Aug. 19, 1996, availablein 1996WL 10952752 thetaping (noting of intimate conversation ofPrince Charles). Although thephenomenon ofad hocsurveillance andeavesdropping is an interesting one,this article concentrates on more organized corporate andgovernment surveillance andespecially profiling. 9. See Roger Clarke, Information Technology andDataveillance, 31 COMM. ACM 498 (May 1988)(defining dataveillance as "the systematic use ofpersonal datasystems intheinvestigation or monitoring of theactions or communications of one or more persons") <http://www.anu.edu.au/ people/Roger.Clarke/DV/CACM88.html>. 10. So-called"reality" television programming provides a possibleglimpse of thisworld. Thepopularity ofthese shows demonstrates thesupply ofwilling watchers, andthere appear tobe many willing subjects.See, e.g.,Associated Press, Actress BaresAll in SantiagoGlass House, CNN.coM, Jan. 26, 2000 <http://cnn.com/2000/WORLD/americas/0 1/26/chile.glass.house.ap/> (describing actress twoweeks "spending ina house incentral Santiago madeofnothing but glass").
1466
STANFORDLAWREVIEW
[Vol.52:1461
will have undesirable or unconstitutional ineffective, that others and effects, on their own. eventhebestwillprotect ofprivacy that onlya narrow range The relative sets the weaknessof current privacy-enhancing strategies theconclusion ofthearticle, which thelatest to the stagefor challenges entry debate-thecounselof despair privacy epitomized by ScottMcNealy'ssugforprivacy was lostalmost it was waged. Althat thebattle before gestion is a there case this though disturbingly strong supporting view,a case made I concludeby sugtrenchantly by David Brin's The Transparent Society,"1 that all is notyetlost. Whilethere sufthat gesting maybe no singletactic ficesto preserve thestatus less regain lostprivacy, a smorgasbord quo,much of creative technical and legal approaches could make a meaningful stand whatotherwise seemsinevitable. against A focuson informational privacy mayseemsomewhat crabbed and limited. Privacy, after all, encompasses much more than just control overa data or evena setof data. It encompasses trail, ideas ofbodilyand social autonof omy, self-determination, andoftheability to create zonesof intimacy and inclusion thatdefine and shapeour relationships witheach other. Control overpersonal information is a keyaspectof someof theseideas of privacy, and is aliento noneofthem.On theother hand, giventhat we live in an age ofubiquitous social security numbers,12 notto mention televised publictalkshow confessionals and other forms of media-sanctioned exhibitionism and voyeurism,13 it mayseemreactionary to worry aboutinformational privacy.
11. See generallyDAVID BRIN,THE TRANSPARENT SOCIETY(1998). 12. See, e.g., U.S. GAO, GOVERNMENT AND COMMERCIAL USE OF THE SOCIAL SECURITY NUMBERIS WIDESPREAD1 (1999) (LetterReport,GAO/HEHS-99-28) <http://frwebgate.access. gpo.gov/cgi-bin/useftp.cgi?IPaddress= 162.140.64.88&filename=he99028.pdf&directory=/diskb/ wais/data/gao> (noting"the SSN is used fora myriad of non-Social Security purposes,some legal and some illegal"); Flavio L. Komuves, We've Got YourNumber:An OverviewofLegislationand Decisions toControl theUseofSocialSecurity Numbers as Personal 16 J.MARSHALL Identifiers, J.COMPUTER & INFO.L. 529, 535 (1998) ("SSN use is so important to businessand government in thiscountry thata personwho is assertive abouttheir privacy rights in a positionin may findherself whichanother will refuse to do businesswithherunlessshe furnishes herSSN."). 13. The phenomenon is everywhere, from the StarrReportto confessionaltalk shows, from mainstream filmsto the Internet's 24x7 webcams. Cf HERBERTMARCUSE,ONE-DIMENSIONAL
"repressivedesublimation" in which capitalismabsorbs sexuality,stripsit of threatand danger, drainsit of itsoriginalmeaning, repackagesit as a commodity, thensells itback to themasses); see
MAN: STUDIES IN THE IDEOLOGY OF ADVANCED INDUSTRIAL SOCIETY 74-81 (1964) (warning of
racy, 67 GEO. WASH. L. REV. 1165, 1165 (1999) (notingthatpublic servantsnow believe that "what takes place in private, unless dull and routine, is likelyto become public knowledgeanyway");ClayCalvert, TheVoyeurism Value inFirst Amendment 17 CARDOzO Jurisprudence, ARTS & ENT. L.J. 273, 274 (1999) (arguingforFirstAmendment to "to peer and to gaze intoplaces right from whichwe are typically forbidden, and to facilitate our abilityto see and to hear the innermost details of others' lives withoutfear of legal repercussion");Andrew Leonard, Microsoft.orgy, SALON,July21, 1998 <http://www.salon.com/21st/feature/1998/07/cov_21 feature.html> (describing how exhibitionists turned theMicrosoft NetMeeting server, whichprovidesmeans forPC cam video conferencing, into"a 24-hourinternational sex orgy").
also Anita L. Allen, and ThePublicOfficial: Privacy Talking About Sexas a Dilemma ForDemoc-
May2000]
THEDEATHOF PRIVACY?
1467
It also maybe that massprivacy is a recent invention, rarely experienced beforethenineteenth century save in thehermitage or on thefrontier.14 Perhapsprivacy is a luxury good by worldstandards, and right-thinking people shouldconcentrate theirenergies on morepressing matters, such as war, famine, or pestilence.Andperhaps itreally is better to be watched, and the benefits ofmasssurveillance andprofiling thecosts. Nevertheless, outweigh in thisarticle I will assumethatinformational privacy is a good in itself,'5 anda valueworth protecting,16 although notatall costs.'7
JuRGEN THE STRUCTURAL HABERMAS, TRANSFORMATION OF THE PUBLICSPHERE4 (1962), it is
14. Theextent towhich modem ideasofprivacy havehistoric roots is opentodebate.While thedistinction between the"private" home andthe"public" is presumed outside tobe ancient, see
MONLAW43-53, 111-26(1988); James Boyle,A Theory of Law and Information: Copyright, Spleens, Blackmail, and Insider Trading, 80 CAL.L. REV. 1413,1443-57, 1471-77 (1992), and Edward J.Bloustein, Privacy Is Dear at Any Price:A Response toProfessor Posner'sEconomic 12GA.L. REv.429 (1978). Tlheory, 16. Readers needing persuasion onthis point should consult I ofJerry Part Kang, Information inCyberspace Privacy Transactions, 50 STAN. L. REV.1193,1202-20 (1998). "In a WallStreet Journal/NBC Newspolllastfall, Americans weregiven a listofeight concerns that might facethem inthe newcentury andwere askedtorank theonesthat worry them the most. Loss ofpersonal privacy ranked at thetopof thelist, citedby 29%." See also Glenn R. Simpson, E-Commerce Firms Start toRethink Opposition toPrivacy Regulation as Abuses, Anger Rise,WALLST. J., Jan. 6, 2000,atA24. In a recent survey, 80% ofUnited States residents, 68% of Britons, and79% ofGermans polled agreed strongly orsomewhat with theassertion that "consumershavelostall control overhowpersonal information is collected andusedbycompanies"; however,59%, 63%, and 55% of Americans, Britons, and Germans respectively also agreedthat existing lawsandorganization practices inthe their country provide a reasonable levelofconsumer privacy protection.IBM, IBM MULTI-NATIONAL CONSUMER PRIVACY SURVEY 22 (1999) In a different survey, 92% ofCanadi<http://ibm.com/services/files/privacy_survey_oct991.pdf>. ans expressed someconcern, and 52% were"extremely concerned" aboutprivacy.John D.R. Ciaig, Invasion ofPrivacy and Charter Values:TheCommon-Law Tort Awakens, 42 McGILLL.J. 355,357 (1997). 17. Due to limitations ofspace,andofmyknowledge, this article also adopts an artificially United States-centric focus, although the problems discussed here areofglobal importance.
views includeKIM LANE SCHEPPELE, LEGALSECRETS:EQUALITYANDEFFICIENCY IN THE COM-
MOORE 255-56(1998). And, ofcourse, onewould notexpect a concern with informational privacy in itsmodem form to predate theprivacy-destroying massdatastorage, technologies, or modem data-processing towhich itis a reaction. 15. Thisarticle thus doesnotconsider suggestions from law andeconomics arising that privacyis best understood as a mere intermediate good. See Richard A. Posner, TheRight ofPrivacy, 12 GA.L. REv.393,394 (1978). Treating privacy as an intermediate good,then-Professor Posner concluded that personal is generally privacy inefficient, becauseit allowspersons to concealdisreputable facts about themselves andtoshift costsofinformation acquisition (orthecostoffailing to acquire to those information) whoarenottheleast-cost avoiders.Data concealment by businessesis generally efficient, however, sinceallowing businesses toconceal trade secrets andother forms ofintellectual willtend property to spur innovation. See id. Useful correctives to Posner's
relationto the home life of even the modem rich. See PETERACKROYD,THE LIFE OF THOMAS
cleartheconception of thehomehas changed.Peter of thehomeof Sir Ackroyd's description Thomas for Moore, with itsnumbers example, of servants, and evena fool, bearslittle retainers,
1468
LAWREVIEW STANFORD
I. PRIVACY-DESTROYING TECHNOLOGIES
[Vol.52:1461
Privacy-destroying can be divided into two categories: technologies thosethatfacilitate theacquisition of raw data and thosethatallow one to andcollatethat process datain interesting bothrealanduseways. Although in information ful,thedistinction can be overstated because improvements processing also makenew forms of datacollection possible. Cheap computation makesit easyto collectandprocess dataon thekeystrokes perminute of clerks,secretaries, and even executives. It also makes it possible to monitor their web browsing habits.18 Cheap data storage and computation also makesitpossibleto minethefloodof new data,creating new informationbytheclever ofexisting data. organization Another usefultaxonomy wouldorganize technoloprivacy-destroying social context.One couldfocuson thecharacteristics gies by their of individualsaboutwhomdatais beinggathered (e.g., citizen, employee, patient, on thedifferent of obdriver, consumer).Or,one couldfocusinstead types servers law enforcement, tax authorities, (e.g., intelligence insuragencies, ance companies, mall security, e-commerce crazed sites,concerned parents, Atthemostbasiclevel,initial fans, ex-husbands, nosyneighbors). observers can be broadly as either categorized or private, governmental although here too theimportance of thedistinction can be overstated, becauseprivate partiesoften have access to government databases and governments frequently purchase collected data. Thereare some typesof data collection privately thatonlythegovernment can undertake, forexample, thecapture of information on legallymandated forms suchas thecensus,driver's licenses, or taxreturns. Buteventheseexamples illustrate thedanger of beingtoo categorical: somestates makedriver's licensedataand evenphotographs available for sale or search,and manytax returns are filedby commercial preparers (orweb-based forms), giving a third party accesstothedata. Databasesmultiply theeffects of sensors.For example, cameras have a farless intrusive on privacy effect iftheir onlyuse is to be monitored in real timeby operators forcommission watching of crimes.The longer thetapes are archived, thegreater their potential effect.And,themorethat thetapes can be indexed according to whoand whatthey showrather than just where and whentheyweremade,themoreeasilytheimagescan be searched or
18. Employers' concern about"cyberslackers" is fanned by consultants' reports that "employees whosurf the webfrom their office PCs arecosting Corporate America more than $1 billion
a year." Michele Masterson, Cyberveillance at Work:Surfing the Wrong Internet Sites on theJob Could Get You Fired, CNN.coM,Jan.4, 2000 <http://www.cnnfn.com/2000/01/04/technology webspy/>; cf Eugene Volokh, Freedomof Speech, Cyberspace, HarassmentLaw, and the Clinton Administration, LAW & CONTEMP. PROBS. (forthcoming 2000) (arguing that sexualhostile envi-
ronment harassment law is now so pervasive and potentially hair-trigger that prudent employer must carefully monitor workplace, including Internet use,for employee accessofsexually themed materials).
May2000]
THEDEATHOF PRIVACY?
1469
databases integrated makeit posintopersonal profiles.Equallyimportant, sibleto create newinformation datain new and interby combining existing or collected, data is easily sharedand hardto estingways. Once created thedatageniedoes notgo willingly, ifever, eradicate; backinto thebottle. Reamsof dataorganized intoeither centralized or distributed databases can have substantial consequences thesimpleloss ofprivacy beyond caused by theinitial datacollection, especially whensubject to advanced correlative techniques such as data mining.19 Amongthepossibleharmful effects are variousforms of discrimination, ranging from pricediscrimination to more invidious sorts of discrimination.20 Data accumulation enablestheconstructionof personal dataprofiles.21 Whenthedataare availableto others, they can construct personalprofiles fortargeted marketing,22 and even, in rare cases,blackmail.23 For some, just knowing that their activities arebeingre19. See ANNCAVOUKIAN, INFO.ANDPRIVACY DATA MINING:STAKING COMM'R/ONTARIO A CLAIM ON YOUR PRIVACY (1998) <http://www.ipc.on.ca/web_site.eng/matters/sumpap/ PAPERS/datamine.htm>: Data mining is a set of automated used to extract techniques buriedor previously unknown pieces of information from largedatabases. Successful datamining makesitpossible to unearth patterns and relationships, and thenuse this"new" information to makeproactive knowledge-driven business decisions.Data mining then, "centres on theautomated discovery of new factsand relationships in data. The raw material is thebusinessdata,and the data mining algorithm is theexcavator, sifting thevastquantities through of rawdata lookingfor thevaluablenuggets ofbusiness information." Data mining is usually usedforfour mainpurposes:(1) to improve customer acquisition and retention; (2) to reducefraud; (3) to identify internal inefficiencies and thenrevamp operations[;] and (4) to map theunexplored terrain of theInternet. The primary typesof tools usedindatamining are: neural networks, decision ruleinduction, trees, anddatavisualization. Id. (citationsomitted)(quoting JOSEPHP. BIGUS, DATA MININGWITHNEURALNETWORKS9 (1996)). 20. See OSCARH. GANDY,JR., THE PANOPTIC SORT 91 (1993); Oscar H. Gandy,Jr., Legitimate Business Interest: No EndinSight? AnInquiry into theStatus ofPrivacy in Cyberspace, 1996 U. CHI. LEGALF. 77. 21. See Kang,supra note 16, at 1239. 22. See Jeff Sovern,Opting In, Opting Out,or No Options at All: TheFight for Control of Personal 74 WASH.L. REV. 1033, 1033-34(1999): Information, [Y]ou can buylistsof peoplewhohavebought skimpy swimwear; collegestudents sorted by major, class year, and tuition payment; millionaires and their neighbors; peoplewhohave lost lovedones; menwho havebought fashion underwear; womenwhohave bought wigs;callers to a 900-number national dating service;rocket scientists; children who have subscribed to magazines or have sentin rebateforms included withtoys;people who have had their urine tested;medicalmalpractice plaintiffs; workers'compensation claimants; people who have been arrested; impotent middle-aged men;epileptics; people withbladder-control problems; buyersof hairremovalproducts or toothwhiteners; people withbleedinggums; high-risk gamblers; peoplewhohavebeenrejected for bankcards;andtenants whohavesuedlandlords. There arelistsbasedon ethnicity, political opinions, andsexualorientation. 23. See Phil Agre, RRE Notesand Recommendations, RED ROCK EATERNEWS SERVICE, Dec. 26, 1999 <http://commons.somewhere.com/rre/1 14.html>: 999/RRE.notes.and.recommenda Go to a part of townwhere your kindisn'tthought to belongand you'll end up on a list somewhere. a political Attend and endup on another meeting list. Walkintoa ritzy boutique and theclerkwill have yourcredit report and purchase history before even saying hello....
1470
STANFORD LAWREVIEW
[Vol.52:1461
on conduct,24 cordedmayhave a chilling effect and reading.25 Cusspeech, knowstheir tomers to discover thata salesperson may findit discomfiting income orindebtedness, orother personal data. Whenthegovernment has access to thedata,it notonlygainspowerful investigative toolsallowing it to plotthemovements, actions, and financial of suspects,26 fordetecting activities butit also gainsnewtechniques crimes and identifying if data is collectedon everyone's suspects.27 Ultimately, location and on all transactions, it should be possibleto achieveperfect law enforcement, a worldin whichno transgression goes undetected and,perhaps,unpunished.28 At that point, theassumptions of imperfect detection,
Thewhole willundergo culture convulsions as taken-for-granted about the conassumptions inpublic struction ofpersonal become false. identity ... places suddenly radically And that's justthe willarise in"spottings": start. Wait a little anda market ifI while, want toknow where I'll have you've been, outa callonthe Internet tofind my laptop put out whohasspotted you. Spottings willbe bought andsoldinautomated so that I can auctions, build the kind ofspotting I need will history for the lowest cost.Entrepreneurs purchase spotinbulk tosynthesize tings histories for customers. Your spotting routine willbe paying daily known toanyone whowants topayfive bucks for movement willdeterit,andyour history mine your fate as much as your just credit does now.... history Then willreally things get bad. Personal movement records willbe subpoenaed, irreguatfirst, larly justwhen hasbeen but someone then as every kidnapped, divorce lawroutinely, thatsubpoenas yerin thecountry reasons are cheapand not filing them is basically malpractice. Then, justas we're togetused tothis, a couple willget starting ofpeople killed bya nut who[has] been predicting their movements using available movement commercially pattems. 24. Data mining canbe usedtogenerate lists ofpolitical Senator preferences. John McCain and Texas Governor George W. Bush each contracted withAristotle Publishing <http:// www.Aristo.org>, a firm that offered totarget webusers bymatching webbrowsing habits andweb sitesignup datawith voter records.See Lauren registration WebTracking Weinstein, and Data HittheCampaign Matching PRIVACY Trail, FORUM DIGEST,Dec. 24, 1999<http://www.vortex.com/ privacy/priv.08.22>. 25. Ofcourse, disclosure also helps prevent evilsthat canhidebehind theveilofanonymity. See A. Michael Flood Control on the Froomkin, Information Ocean:Living with Anonymity, DigitalCash,andDistributed & COM.395,404-07, 410-11(1996). Databases,15 J.L. 26. See FinancialCrimesEnforcement Network ("FinCEN"), FINCEN FOLLOWS THE <http://www.treas.gov/fincen/followme.pdfP. Approximately 200 staffers plus40 "long-term detailees" from 21 other andlawenforcement regulatory agencies use financial, lawenforcement, and commercial databases to operate FinCEN. See id. at 3. Working with foreign "financial intelliFinCENformed genceunits," the"Egmont an international Group," cooperation designed to exinformation andexpertise. change See id.at6. fincen/follow2.html>; see also FinCEN, supranote26, at 5 (stating that analysts mayprovide information through FinCEN's Artificial Intelligence System on previously undetected possible criminal organizations andactivities so that investigations canbe initiated). 28. See, e.g.,David Cay Johnston, New Tools for theI.R.S. to Sniff Out Tax Cheats, NY TIMES, Jan.3, 2000 <http://www.nytimes.com/00/01/03/news/financial/irs-tax.html> ("The [data mining] technology ... being developed for the I.R.S.... willbe abletofeed datafrom every entry on every taxreturn, orcorporate, personal through filters to identify patterns oftaxpayer conduct. Thosetaxpayers whose returns . . . that suggest arehighly they likely toowe more taxes couldthen be sorted outandtheir quickly taxreturns audited."); see also Steven A. Bercu, Toward Universal
27. See FinCEN, HELPINGINVESTIGATORS USE THE MONEY TRAIL <http://www.treas.gov/ MONEY: A LOCAL APPROACH TO IDENTIFYING & TRACKING CRIMINALPROCEEDS 5 (1999)
May2000]
THEDEATHOF PRIVACY?
1471
on police and prosecutorial and thereliance theneed fordeterrence, discresevere tionon which strain. ourlegalsystem is basedwillcomeunder or others will attempt to use the A further thegovernment danger is that in order or antisoto predict ability to construct personal profiles dangerous the cial activities before whose meet criteria theyhappen. People profiles willbe flagged as dangerous andperhaps to increased subjected surveillance, airline searches, or discrimination. is currently used to identify Profiling who theprofilers riskof being passengers think present an above-average In thewake ofthetragedy terrorists.29 at Colombine, schoolsare turning to profiling to assess children In a worldwheresuch forpotential violence.30 profiling is common, whowilldareto actin a waythat willcauseredflags to fly? In a thorough thatthe collection survey, RogerClarkesuggested and collation of largeamounts of personal datacreate manydangers at boththe individual andsocietal levels, including:
ofPersonal Dangers Dataveillance lackofsubject knowledge ofdataflows blacklisting ofMassDataveillance Dangers To theIndividual witch hunts ex-ante discrimination andguilt prediction selective advertising inversion ofthe onusofproof covert operations unknown accusations andaccusers
Surveillance inan Information AgeEconomy: Can We HandleTreasury 's NewPoliceTechnology?, 34 JURIMETRICS J.383,400-01 (1994)(discussing FinCEN andpossible privacy problems). 29. Airtravelers areprofiled bya $2.8billion that monitoring system usesa secret algorithm tocompare their personal datatoprofiles oflikely terrorists. See DeclanMcCullagh, You?A Terrorist? Yes!,WIRED,Apr. 20, 1999<http://www.wired.com/news/news/politics/story/ 19218.html>: TheCAPS[computer-assisted passenger screening] system operates off the computer reservation systems utilized bythe major United States aircarriers as wellas some smaller carriers. TheCAPSsystem relies solely oninformation that passengers presently provide toaircarriers for reasons unrelated tosecurity. Itdoesnot onthe depend ofany gathering additional information airtravelers, from is itconnected nor toany lawenforcement orintelligence database. of Checked Security Baggageon Flights Within theUnited States, 64 Fed. Reg. 19220,19222 (1999)(tobe codified at 14C.F.R.pt.108)(proposed Apr.19,1999). 30. Examples ofthis inthewakeoftheColumbine profiling shootings include a psychological toolbeing offered bythe FBI toidentify "potentially violent" schoolchildren, see Jon Katz,Take theFBI's GeekProfileTest,SLASHDOT,Nov. 29, 1999 <http://slashdot.org/features/99/11/23/ 1712222.shtml>, andMosaic-2000, a profiling tooldeveloped bytheBureau ofAlcohol, Tobacco, andFirearms, see Frances X. Clines, Computer Project SeekstoAvert Youth N.Y. TIMES, Violence, Oct. 24, 1999. See also Software to Predict"Troubled Youths," SLASHDOT,Oct. 24, 1999 <http://slashdot.org/yro/99/10/24/1147256.shtml> (open discussion of Mosaic-2000);Gavin de Becker Inc.,MOSAIc-2000 (1999)<http://www.gdbinc.com/mosaic2000.htm> ofMosaic(analysis 2000).
1472
STANFORD LAWREVIEW
[Vol.52:1461
Thereis little reasonto believethat thenosiness of neighbors, employers,or governments has changed Whatis changing recently. veryrapidly, however, is thecost and variety of toolsavailableto acquirepersonal data. The law has done sucha poorjob of keeping pace with thesedevelopments that somepeoplehavebegun to suggest that is becoming privacy impossible. A. Routinized Low-Tech Data Collection Large quantities of personal data are routinely collectedin the United States without today anyhigh-tech equipment. include thecollecExamples tionof personal data by theFederalGovernment fortaxesand thecensus, data collected by statesas a condition of issuingdriver's licenses,and the vastamounts of datacollected by theprivate in thecourseof selling sector products andservices. 1. BytheUnited States government. The mostcomprehensive, legallymandated UnitedStatesgovernment datacollections are theannualcollection of personal and corporate taxdata, and thedecennial census. Bothof thesedata collection activities are protected by unusually strict laws designed to prevent thereleaseof personally identifiable data.32Other government datacollection at thefederal and state
denial ofdueprocess To Society prevailing climate ofsuspicion adversarial relationships focus oflawenforcement oneasily detectable andprovable offences inequitable application ofthelaw stultification oforiginality increased tooptoutoftheofficial tendency levelofsociety ofsociety's weakening moral fibre andcohesion repressive for potential a totalitarian government3'
31. Clarke,supra note9. 32. See 13 U.S.C.A. ?? 8-9 (West Supp. 1999) (census); 26 U.S.C.A. ? 6103 (West Supp. 1999) (tax return data). Despite these rules,however,therehave been suggestionsthatbecause census information is detailed,itcould be cross-indexed withother data to identify individuals.For example,if one knowsthatthere is onlyone personin a particular age group,of a particular ethnicity,or withsome otherdistinguishing characteristic within thecensus tract, and one can extract the "aggregate"data forall individualswiththe characteristic in the area, one has individualized the data. Cf.Robert G. Schwartz, Jr., Privacy In German Employment Law, 15 HASTINGSINT'L & COMP. L. REV. 135, 146 (1992) (describing1983 decisionof GermanFederal Constitutional court down censusquestionsthatitbelievedwould allow identification striking of respondents).
May2000]
THEDEATHOFPRIVACY?
1473
levelis either or aimedat subsets formally ofthepopulation.Some optional, ofthesesubsets, arevery however, large.33 Anyone whotakesa newjob must be listedin the"newhiresdirectory" to support designed theFederalParent LocatorService.34 This growing nationaldatabase ofworkers enablescourts to enforce childsupcourt-ordered portagainstworking parents who are not making theirsupport payments. Each state has itsowndatabase, whichis coordinated of Child by theOffice Enforcement within Support the Department of Healthand Human Services.35 Anyonereceiving publicassistance is likelyto be in a statemaintained databaseof aid recipients. and local governments Federal, state, also collectdata from a totalof aboutfifteen million arrestees each year.36The government to collect(andpublish) continues dataaboutsomeconvicts even after they haveserved their sentences.37 License applications are formally optionaldata collections thathave wide application-licenses areoptional, butifone wantsa license, one must answer therequired questions.Perhaps themostwidespread data collection comesfrom driver's licenseapplications, as mostof theUnitedStatesadult population hold driver's licenses, at leastoutsidethefewmajorcitieswith efficient mass transportation networks.In addition to requesting personal datasuchas address, telephone number, andbasicvitalstatistics, somestates collect health-related information, and all requirea (frequently digitized) photograph. 2. Transactional data. Anypersonal transaction involving money, be it working, buying, selling,or investing, tends to create a datasetrelating to thetransaction. Unless thepayment is incash,thedatasetusually includes somepersonal dataabout theindividual(s) involved inthetransaction. Financialdata collection is an interesting exampleof theprivate sector collecting data formixedmotives.A singlefirm, Acxiom,now holdsper33. See generally LillianR. Bevier, Information About Individuals in theHandsofGovernment: SomeReflections on Mechanisms forPrivacy 4 WM.& MARYBILL RTS.J.455 Protection, (1995)(discussing government's useofdataprovided bycitizens). 34. 42 U.S.C. ? 653(1996). 35. See Department of Health and Human Services, What is NECSRS? <http:// ocse.acfdhhs.gov/necsrspub/Navigation/Questions/Ques.htm#NECSRS l> (stating thatthe "National Electronic ChildSupport Resource System . . . is usedto identify and electronically index Federal, State, andlocalresource materials"). 36. See Electronic Privacy Information Center ("EPIC"),RenoProposes National DNA Database, EPIC ALERT, Mar.4, 1999<http://www.epic.org/alert/EPIC_Alert_6.04.html>. 37. See Megan'sLaw,N.J. STAT.ANN. ? 2C:7-1to7-11(West1999)(registration ofsexoffenders); Violent Crime Control andLaw Enforcement Actof 1994, Pub.L. No. 103-322, 108Stat. 2038 (1994) (codified as amended at42 U.S.C.A.? 14071(WestSupp.1999))(federal equivalent ofMegan'sLaw).
1474
LAWREVIEW STANFORD
[Vol.52:1461
sonal and financial about almosteveryUnitedStates,United information andAustralian Kingdom, consumer.38 In many financases,banksandother cial service providers collectinformation abouttheir clients becausethedata has commercial value. In other cases,they record databecausethegovernment requires them to makeroutine to assistlaw enforcement reports efforts. In effect, private banksoften actas agents ofstate datacollection efforts. Untilmachines fortracking bills by their serialnumbers becomemuch morecommon thantoday, cash payment will remain relatively anonymous. In their questto gather personal dataaboutcustomers, merchants haveturned to loyalty reward suchas frequent programs, cardsand grocery shopper club cards. Depending uponthesophistication of thecard,and of thesystem of whichit is a part, theseloyalty programs can allow merchants to amass detailedinformation abouttheir customers. Large amounts of cash trigger reporting which in turn requirements, means thatfinancial intermediaries mustcollectpersonaldata fromtheir customers.Anti-money laws (and sometimes laundering tax laws) require financial service to filereports providers on every suspicious transaction and timea client every or transfers deposits, withdraws, or $10,000 more. Some firms, often chosenbecause of their locationin neighborhoods thought by law enforcement to be highdrugtrading zones,mustreport intransactions volving as little as $750 incash.39 Alternatives to cash,suchas checks, debit and credit cards, cards,create a datatrail that identifies thepurchaser, themerchant, theamount ofthesale, andsometimes thegoodsorservices sold. Whether replacing papercash withelectronic cash wouldmaketransactionsmoresecureand anonymous or create a digital datatraillinking every transaction to theparties involveddependsentirely on how such an electronic cashsystem is designed.Bothextremes arepossible, as areintermediate designsin which, forexample, theidentity of thepayeris notrecorded (or even identifiable), but thepayee is knownto thebank thatissued the electronic cash.40Because there is currently no standard forelectronic cash andrelatively little e-cashin circulation, anything remains possible. Largequantities of medicaldata are generated and recorded during any sustained interaction withtheUnitedStateshealth care system.In addition to beingshared amongvarious health careproviders, theinformation is also
38. See Ian Grayson, PackerSetsup Big Brother Data Store, AUSTRALIAN, Nov. 30, 1999
<http://technology.news.com.au/news/4277059.htm>. 39. See FinancialActionTask Force on Money Laundering, 1997-1998 REPORT ON MONEY LAUNDERING TYPOLOGIES T 28 <http://www.ustreas.gov/fincen/typo97en.html> (notingimposition of GeographicTargetingOrders pursuantto Banking Secrecy Act that requiredcertainmoney transmitters to report all cash transfers to Columbiaof over $750 during 360-dayperiod). 40. See Froomkin, supra note25, at 449-79.
May2000]
THEDEATHOF PRIVACY?
1475
thesystem.41 shared with theentities that administer Under the"Adminisofthe Health Insurance trative andAcSimplification" provision Portability
are being developedto Act of 1996 ("HIPAA"),42standards countability transfer of health-related data. HIPPA refacilitate theelectronic personal be keptin electronic form and thateach quiresthatall healthinformation to indexthedata. individual be givena uniquehealth identifier Thus, even without hightechnology, substantial amounts of personal in thecountry. dataareroutinely collected aboutalmost The introeveryone ductionof new technologies, to raise the quantity and however, promises nature oftheinformation that couldbe collected to new,somewhat dizzying, heights. B. Ubiquitous Surveillance Unless social,legal,or technical it is conceivable forces intervene, that willbe no place on earth there where an ordinary person willbe able to avoid In thispossiblefuture, surveillance. publicplaceswillbe watched by terrestrialcamerasand evenby satellites.Facial and voice recognition software, cell phonepositionmonitoring, smart transport, and otherscience-fictionlike developments will together provide fulland perhaps realtimeinformation on everyone's location. Homes and bodies will be subjectto senseenhanced viewing.All communications, save perhaps someencrypted messages,will be scannable and sortable.Copyright protection "snitchware"43
andInternet-based usertracking willgenerate ofreading fulldossiers and habits.The moveto web-based shopping commerce, combined with the
41. As a result, healthcare relateddata will be partof a giantdistributed database. See gener-
L. REV. 295 (1995); Spiros Simitis,Reviewing Privacy in an Information Society,135 U. PA. L. REV. 707 (1987); see also U.S. GAO, MEDICALRECORDSPRIVACY: ACCESSNEEDED FORHEALTH RESEARCH,BUT OVERSIGHTOF PRIVACYPROTECTIONS IS LIMITED, GAO/HEHS-99-55 (1999) <http://www.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=gao&docid=f:he99055.txt.pdf>. HHS is expectedto issue medicalprivacyregulations by February 21, 2000, defining rulesfor the security and disclosureof healthcare data. The draft regulations allow disclosureof health information without an individual'sauthorization forresearch, public health,oversight, and some otherpurposes;otherwise written authorization is required. Databases mustbe kept secure. Collectorsof medical data mustconform to fairinformation practices, inform people how theirinformationis used and disclosed,and ensurethatpeople can view information being held about them. The draft rules propose thattheirprotections would attachas soon as information is "electronic" and runwiththe information as long as the information is in the hands of a covered entity. The proposedrulesdo not,however, applyto downstream recipients of medical data. See NPRM HHS, StandardsforPrivacyof Individually Identifiable Health Information, 64 Fed. Reg. 59,918 (1999), <http://aspe.hhs.gov/admnsimp/pvcnprm.pdf> (technical corrections available in <http://aspe.hhs.gov/ admnsimp/nprm/99121 Sfr.pdf>). 42. Health InsurancePortability and Accountability Act, Pub. L. No. 104-191, ? 264, 110 Stat. 1936 (1996) (codifiedas amendedat 42 U.S.C. ? 1320d-2). 43. See note 110 infra and accompanying text.
allyPaulM. Schwartz, andthe Privacy Economics ofPersonal HealthCareInformation, 76 TEX. L. REV. 1 (1997); Paul M. Schwartz, TheProtection ofPrivacy inHealthCareReform, 48 VAND.
1476
STANFORD LAWREVIEW
[Vol.52:1461
fight against money and taxevasion, will makeitpossibleto aslaundering semblea complete economicprofile of everyconsumer. All documents, whether electronic, or (perhaps)even privately photocopied, will printed, have invisible markings making itpossibleto tracetheauthor.Workplaces will notonlybe observed by camera, butalso anything involving computer use will be subject to detailed monitoring, analyzedforbothefficiency and inappropriate use. As thecostof storage continues to drop, enormous databases willbe created, or disparate distributed databases data linked, allowing tobe cross-referenced in increasingly sophisticated ways. In thisvery possiblefuture, indeed in ourpresent,44 perhaps there maybe nowhere to hideandlittle that can stay hidden. 1. Publicspaces. Movingaboutin publicis nottruly anonymous:Someoneyou know mayrecognize you,and anyone can write downthelicenseplatenumber of car. Nevertheless, your at leastin largecities, one enjoystheillusion, and to a largeextent thereality, ofbeingable to moveaboutwith anonymity. That freedom is soontobe a thing ofthepast,as the"privacy commons" ofpublic spacesbecomessubject totheenclosure ofprivacy-destroying technology. Fear of crime, and therapidly cost of hardware, declining bandwidth, and storage, are combining to foster therapidspreadof technology forroutinelymonitoring public spaces and identifying individuals. Monitoring technologies include cameras, facialrecognition software, and varioustypes ofvehicleidentification systems. Related technologies, someofwhichhave theeffect of allowing real-time monitoring and tracking of individuals, includecell-phone location technology andvarious types ofbiometric identifiers. a. Cameras. Perhaps themostvisibleway in whichspaces are monitored is theincreasingly ubiquitous deployment of Closed Circuit Television("CCTV") camerasand video recorders. Monitoring occursin bothpublicand private spaces. Generally, private spaces suchas shopping mallsare monitored by privatesecurity, while public spaces are monitored by law enforcement. Although publiccamerasare common in theUnitedStates,45 theyare even
44. Cf.TinaKelley, AnExpert in Computer Security FindsHis LifeIs a Wide-Open Book, N.Y. TIMES,Dec. 13,1999, atC4 (describing howa group of"security experts" were abletodigup vastamounts ofinformation ona self-described "average citizen"). 45. See, e.g.,Timothy Egan, PoliceSurveillance ofStreets Turns to Video Cameras andListening Devices, N.Y. TIMES, Feb.7, 1996, atAl2 (detailing themethods andequipment ofseveral cities' policedepartments).
May2000]
THEDEATHOFPRIVACY?
1477
morewidespread of IRA terrorism, abroad. Perhaps becauseof fears in adto ordinary dition aboutcrime, theUnited concerns has pursued Kingdom a particularly of blanketing aggressiveprogram the nationwith cameras. Camerasoperated "are now a common feature of Britby law enforcement ain's urbanlandscape.... The camerashave also movedbeyondthecity, into villages, schools, hospitalsand even, in Boumemouth, coveringa coastalpath."46Camerasare also commonly used on theroadsto enforce speedlimits ofspeeding bytaking vehicles'licenseplates. Polls sugphotos a substantial gestthat oftheBritish majority of thecameras publicapproves becausethey makethem feelsafer. And indeed, theevidencesuggests that cameras or at leastdisplace, reduce, street crime andperhaps other antisocial behaviors.47 Camerascan also be placed in the office, school,and home. Visible cameras allowparents to keepan eyeonjuniorat daycare. Hiddencameras can be concealed in "clocks, radios,speakers, phones,and many other items"48 to monitor caregivers andothers inthehome. Camerasarealso an example ofhowtechnologies can interact witheach other to multiply privacy-destroying effects.All of the videotapes in the world are of little use unlessthere is someone to monitor them, a useful way to indexthecontents, or a mechanical aid to scan through them. And,pictures alone are onlyusefulif there is a way to identify thepeople in them. Thus,for example, theLondonPoliceobtained excellent quality photographs of allegedparticipants in a violent demonstration in theCityof Londonon June18, 1998,buthadto postthephotographs on theInternet and ask viewersfor helpin identification-it worked in somecases.49 Humanmonitors are expensive and farfrom omniscient.50 In thenear future, however, humanobservers will becomemuchless important as the taskof analyzing stillphotos andvideoswillbe mechanized. In somecases, suchas schools,offices, or prisons, datasubjects can be compelled to wear IDs withbar codes.51In public,however, moresophisticated technologies,
46. NickTaylor, ClosedCircuit Television: TheBritish Experience, 1999 STAN. TECH. L. REV. VS 11,? 1 <http://stlr.stanford.edu/STLR/Symposia/Privacy/99_VS_1 1/article.html>. 47. See id. ?? 12-14.
main.html>.
48. HiddenCamerasSolutions, Catalogue<http://www.concealedcameras.com/catalogue/
49. See City of London Police, Your Help Is Needed..., June 18, 1999 <http:// 18frame.htm>; www.cityoflondon.gov.uk/citypolice/j City ofLondon Police, Identity Parade,June 18, 1999 <http://www.cityoflondon.gov.uk/citypolice/idparade8.htm> (askingviewersto help "identify anyofthese peoplephotographed during theJune 18 incident intheCity ofLondon"; as ofDecember 21, 1999, somephotos were missing, labeled "nowidentified"). 50. They alsobe racist. See Taylor, may 46,??26-27. supranote 51. See,e.g.,Teacher Firedfor Not Making KidsWear IDs, CHARLESTON GAZETTE& DAILY MAIL, Feb. 5, 1999, availablein 1999WL 6710744(stating a teacher that objected to a barcode becausehe believed itto resemble the"mark of thebeast"); Americans United ForSeparation of
1478
STANFORDLAWREVIEW
[Vol.52:1461
suchas facialrecognition are neededto identify technology, people. Facial recognition is becoming better and morereliableeveryyear.52 technology Current arealready in twodifoutpeoplepresent systems capableofpicking ferent evenin large demonstrators pictures, allowing policeto identify repeat a system crowds assembled weeksapart.The Londonpolice installed many called "Mandrake" thatmatches CCTV photostakenfrom144 camerasin shopping centers, parking lots,and railwaystations againstmug shotsof knowncriminals.53 The Israeligovernment plansto use facialrecognition in thehope of creating technology "Basel," an automated border-crossing system.54 The United States Pentagon is also investigating thepossibility of usingfacialrecognition systems to identify potential terrorists outsidemilitary facilities.55 Once mated for a database with, fullofdriver's example, licensephotos, imagesfrom a seriesof ubiquitous cameras couldbe indexed by nameand storedforan indefinite periodof time. (Indeed,the UnitedStatesSecret Serviceand other agencieshave expressed interest in a national databaseof drivers licencephotos, and thegovernment has spentat least $1.5 million helping a private corporation amassthedata.)56 Assuming theindexand the videosare at leastsubject to subpoena (or perhaps theFreedom of InformationAct)or evenroutinely placedon theInternet, alibis,mystery novels,and divorce willnever proceedings be thesame. One's facewillnonetheless become an indexmarker.Devices willbe availablethat warnyou every time an individual convicted of rapeor childmolestation comeswithin 100 feet. Storeswill be able to sendcouponsto windowshoppers who browsed but did notenter wouldn't ("Hi! Nexttime, you like to see whatwe have in-
STATE:AU BULL.,Mar. 1999 <http://www.au.org/cs3991.htm>. 52. See, e.g., VISIONICS, CORP., FACEIT: AN AWARD-WINNING FACIAL RECOGNITION SOFTWAREENGINE <http://www.visionics.comINewsroom/PDFs/Visionics_Techl.pdf> (describing one such system);Taylor, note47, ? 39 (citing TIMES (London),Oct. 15, 1998). supra 53. Alex Richardson, TV Zoomsin on Crooks''Faceprints,' BIRMINGHAM POST, Oct. 15, 1998, available in 1998 WL 21493173. For some reason,thepolice chose to testthesystemin the poorestpartof London. See Taylor, note46. supra 54. See Visionics Corp., Visionics' Face Recognition Chosen Technology For Cutting Edge IsraeliBorder Crossing, Sept. 21, 1999 <http://www.visionics.com/Newsroom/PRs/bazelI .htm>. 55. See Daniel J. Dupont,Seen Before,SCI. AM., Dec. 1999 <http://www.sciam.com/1999/ 1299issue/ 1299techbus5.html>. 56. See IMAGE DATA, LLC, APPLICATION OF IDENTITY VERIFICATION AND PRIVACY PILOT PROJECT3 (1997) <http://www.epic.org/privacy/imagedata/image_data.html> (document submitted to UnitedStatesSecretServiceproposing to "show thetechnical and financial feasibility of usingremotely storeddigitalportrait images to securelyperfonn positiveidentification"); Brian Campbell, SecretServiceAidedLicensePhotoDatabase, CNN.COM, Feb. 18, 1999 <http:// www.cnn.com/US/9902/18/license.photos/>.
ENHANCEMENT TO TREASURY TRANSACTIONS: A MULTIPLE USE IDENTITY CRIME PREVENTION
Church and State, Teacher Who Fears "Mark oftheBeast"Firedin West Virginia, CHURCH&
May2000]
THEDEATHOF PRIVACY?
1479
onceyouenter, thestore side?"). Worsestill, willbe able to determine which merchandise toshow youandhowmuch tocharge.57
b. Cellphonemonitoring.
without theuse of cameras Manypeoplecan be tracked or any today other device.Cellular must communicate their location toa basestaphones inorder tion tocarry orreceive calls. Therefore, whenever a cellphone is in use,or setto receive calls,it effectively identifies thelocation of itsuser few every minutes anareadefined (within tolerance ofthe bythe telephone). and Virginia Recently, Maryland officials unveiled a planto use mobile phone tracking information tomonitor traffic their flows, although plandoes not involve the identities capturing of individual commuters, onlytheir
movements.58
Thefiner the cellphone zone, the more a person's precisely location can be identified. In theUnited a Federal States, Communications Commission ("FCC") regulation due to become effective in 2001 requires all United States cellular carriers to ensure that their telephones andnetworks willbe abletopinpoint a caller's location towithin 400 feet, about half a block, at least sixty-seven percent ofthe time.59 Theoriginal objective ofthe rule was toallowemergency 911callstobe traced, but theside-effect willbe toturn cell phones intoefficient tracking devices. Indeed, in a recent order, the FCC confirmed that wireline, cellular, andbroadband Personal Communications Services (PCS) carriers would be required to disclose to law enforcement with agents wiretap authorization thelocation of a cell siteat the andtermination beginning ofa mobile call. Thiswaslessthan theFBI,the Justice Department, andthe NewYork PoliceDepartment wanted; they had argued that they should be entitled toalllocation information available tothe
carrier.60
57. See generally J.Bradford DeLong& A. Michael Froomkin, Speculative Microeconomics
for Tomorrow 's Economy,in INTERNET ANDBEYOND: THE ECONOMICS PUBLISHING OF DIGITAL INFORMATION ANDINTELLECTUAL PROPERTY (Brian Kahin & Hal Varian eds., forthcoming 2000)
<http://www.law.miami.edu/-froomkin/articles/spec.htm>. 58. See AlanSipress, Tracking byCellPhone:Md.,Va.to Use Transmissions Traffic toPinpoint Congestion, WASH. Dec. 22, 1999, POST, atAl (stating that andVirginia Maryland willtrack "anonymous" callers onhighways tomeasure speed oftraffic). 59. See Compatibility ofWireless Services with Enhanced 911,61 Fed.Reg.40,348, 40,349 (1996) (codified at47 C.F.R.pt.20). TheFCC's approach differs from that adopted bysometelephonemanufacturers whohavedesigned their phones with GlobalPositioning Satellite ("GPS") receivers. Thesereceivers display thephone's precise latitude, longitude, andelevation, which the usercan then relay to the911 operator, butonlyiftheuseris ableto speak. See SteveGinsberg, CellPhonesGeta Homing S.F. BUSINESSTIMES, Device, Sept.28, 1998<http://www.amcity.com/ sanfrancisco/stories/I 998/09/28/focus7.html>. 60. See FCC, Third Report andOrder in theMatter of Communications Assistance for Law Enforcement Act,CC DocketNo. 97-213,?? 12, 21, 22, Aug. 26, 1999 <http://www.fcc.gov/ 1999/fcc99230.wp>. Bureaus/Engineering_Technology/Orders/
1480
LAWREVIEW STANFORD
[Vol.52:1461
peopleare. arenottheonlyoneswhowantto knowwhere Governments they children (or where to locatetheir coulduse cell phonetracking Parents the is in who in are also interested knowing leftthe phone). Merchants is sending"elecA UnitedKingdomcell phonecompany neighborhood. themof "special informing to its six millionsubscribers, vouchers" tronic supare callingand helpfully whichthey pubsin thearea from from offers" address.6' thenearby plying increase of cell phone tracking consequences The privacy-destroying to allow police to is archived.It is one thing whenmovement dramatically the to archive thing in realtime. It is another a fugitive use thedatato track wishto reconstruct in case policeor others evenin perpetuity, data,perhaps revealedthata local someone'smovements.In 1997, a Swiss newspaper of one million the movement recording keptinformation phone company thedatawas and that a fewhundred meters, to within accurate subscribers, thedataas a treasformorethansix months.Swisspolice described stored of cellular phone and retention thecollection Howeveratypical uretrove.62 may be, the Swiss phone company'sactionsare movements subscribers' at least,valuesthislocational notunique.63The Swiss government, clearly itsaccess to it. Reto preserve lengths that itwillgo to great dataso highly of bytheability threatened that theSwisspolicefelt in 1998 suggested ports wouldallow certain phonecardsthat Swiss cell phoneusersto buyprepaid The Swiss government to be used anonymously. of "easy"telephones types "easy" whenacquiring to register be required that citizens therefore proposed whois usinga cell phonewas that beingable to identify cell phones, arguing security.64 "essential" tonational c. Vehicle monitoring. Sosurveillance. of blanket target potential are a separate Automobiles in ("ITS") are beingintroduced systems" transportation called "intelligent and in some speeding, flow,prevent manyurbanareas to managetraffic
Jan. 61. See Watching Me, Watching You,BBC NEWS, 4, 2000 <http://newsvote.bbc.co.uk/ hi/english/uk/newsid_590000/590696.stm>. in Switzerland RevealsLocation 62. See DanielPolak,GSM MobileNetwork of its Users, PRIVACY FORUM DIGEST, Dec. 31, 1997<http://www.vortex.com/privacy/priv.06.18>. NowHear This:Your Moveis BeingTracked, 63. See, e.g.,NicoleKrau, Every HA'ARETZ, Mar. 10, 1999,availablein 1999 WL 17467375 (stating that Israelicellular phonerecords are stored andsoldtoemployers whowishtotrack as wellas bycellular phone companies employees, provided togovernment when ordered bycourt); see also Richard B. Schmitt, Cell-Phone Hazard: Little Privacy inBilling Records, WALL ST. J.,Mar. 16, 1999,at BI (stating that AT&T wireless fields records unit for roughly 15,000 subpoenas phone peryear). OdiloGuntern: de NatelDoitPouvoir 64. See Gabriel Le Detenteur Rester Sigrist, Anonyme, LE TEMPS July 7, 1998<http://www.inetone.com/cypherpunks/dir.98.07.1398.07.19/msgO0O8
May2000]
THEDEATHOFPRIVACY?
1481
cases implement or centralized roadpricing traffic control.65 ITS Ultimately, promise continuous, real-time information as to the locationof all moving vehicles.66 Less complexsystems already createtravel records thatcan be stored and accessedlater.67 Some countries havealso considered bar putting codeson licenseplatesto ease vehicle identification.68 Whileitis possibleto designITS in a manner that thetraveler's preserves thishas not anonymity,69 beenthenorm. 2. Monitoring inthehome and office. homemaybe no defense Staying against and profiling. monitoring Existing technology can monitor every electronic communication, be it a telephonecall, fax,or email. In theUnited States, at least,itsuse by either the government or private snoopsis subject to substantial legal restrictions. As voiceprint, voice recognition, and content-analysis technology continue to thetasksof sorting improve, theever-increasing volumeof communications will be subjectedto increasingly sophisticated automated processing.70 Meanwhile, a number of legal technologies are already beingdeployed to track andarchive many uses oftheweb. a. Workplace surveillance.
Outside ofrestrooms, andthefewlaws banning wiretapping andreading emailduring transmission,71 there are relatively fewprivacy protections applicableto every inthenation.72 workplace Thus,employers mayuse hidden
65. See generally Santa Clara Symposium on Privacyand IVHS, 11 SANTA CLARA COMPUTER & HIGH TECH. L.J. 1 (1995) (dedicated to privacyand "intelligent vehicle highway systems"). 66. See Margaret M. Russell,Privacy andIVHS:A Diversity 11 SANTA ofViewpoints, CLARA COMPUTER & HIGHTECH. L.J. 145, 163 (1995). 67. See id. at 164-65.
72. See Robert G. Boehmer, Monitoring and Surveillance ofEmployees: Artificial theFine LineDividing the Prudently Managed Enterprise from the Modern 41 DEPAUL Sweatshop, L. REV.
68. See AndrewSparrow, Car TaggingMay Help Cut Theft, Says Minister, DAILY TELEGRAPH (London), Oct. 17, 1998, available in 1998 WL 3053349. 69. See,e.g.,ONTARIO INFO.ANDPRIVACY COMM'R,407 ExPREss TOLL ROUTE:How You CAN TRAVEL THIS ROAD ANONYMOUSLY(1998) <http://www.ipc.on.ca/web_site.eng/matters/ ("A significant amountof workwas requiredto ensurethatthe 407 sum_pap/PAPERS/407.htm> ETR tolland billingsystem did notcompromise personalprivacy."). 70. See, e.g.,University of Southern California, Novel Neural NetRecognizes Spoken Words Better ThanHumanListeners, SCI. DAILY MAG., Oct. 1, 1999 <http://www.sciencedaily.com/ releases/1999/10/991001064257.htm.> (announcing advance in machine recognitionof human speech). 71. See Electronic Communications PrivacyAct, 18 U.S.C. ?? 2510-2710 (1968).
739, 739 (1992) ("Except foroutrageousconductand the use of one of a discretegroupof techniques thatCongresshas chosen to regulate, thelaw suppliesemployeeswithpreciouslittle protec-
1482
STANFORD LAWREVIEW
[Vol.52:1461
moreor less at ofsurveillance andother forms monitoring software, cameras, gotcheap, technology longbefore surveillance taken A 1993 survey, oftheir comto monitoring workers weresubject twenty million showed that communicamail, and othernetworking puterfiles,voice and electronic by twocameras are so smalltheyfiton a one-inch tions.74 Today,digital whichare expected to fallto onlya inchchip. Miniaturization lowers costs, and hidden At thesepricesand sizes,ubiquitous fewdollarsper camera.75 to capture keystrokes, is easily affordable.Software designed monitoring available. For example,a or surreptitiously, is also readily either overtly dollarsand,once one hundred 2.0" costsunder program called"Investigator it does androuthat monitors everything installed on thetarget PC, covertly everytechnology to theboss.76 In addition, emailsdetailedreports tinely at the at thehomecan also be targeted described belowthat can be targeted office.
Will.73
communications b. Electronic monitoring. theUnited Parliament, prepared fortheEuropean According to a report a massiveworldwide Statesand itsallies maintain apparatus capable spying all forms communications.77 Knownas "Echelon," ofcapturing ofelectronic modemform every important thenetwork can "access,intercept andprocess The network is supported by a withfewexceptions."78 of communications, makesitpossible recognition Voiceprint technologies. variety ofprocessing in a call are on a watchlist. If to determine whether anyoftheparticipants Simican be routed to a human beingforreview.79 theyare,therecording textmessagessuchas faxesand emailscan be runthrough so-called larly,
tion from theassault onworkplace with privacy. Similarly, thelawprovides employers little guidanceconcerning the oftheir permissible depth intrusions."). laws. See Quentin 73. Covert videosurveillance violates somestates' ScowlBeBurrows, on Candid and Video 31 VAL. U. L. REV. 1079,1114cause You're Camera: Privacy Surveillance, 21 (1997)(collecting casesandstatutes). 74. See GaryMarx,Measuring Everything ThatMoves: The New Surveillance at Work <http://web.mit.edu/gtmarx/www/ida6.html>. on a Chip, ZDNETPC MAG, Oct.7, 75. See DanielGrotta & SallyWiener Camera Grotta, 1999<http://www.zdnet.comlpcmag/stories/trends/0,7607,2349530,00.htm>. 76. See Stuart Glascock, Stealth Software Rankles Privacy Advocates, TECHWEB, Sept.9, 1999<http://www.techweb.com/wire/story/TWB19990917S0014>. STOA REPORT]. (1999)<http://jya.com/ic2000-dc.htm> [hereinafter ? 2. 78. Id. atSummary 79. "Contrary toreports inthe effective 'word search to press, spotting' systems automatically selecttelephone calls of intelligence interest are notyetavailable, despite 30 yearsof research. However, speaker been developed recognition systems-in effect, 'voiceprints'-have and are torecognise oftargeted deployed individuals international [sic]the speech making telephone calls." ? 7. Id. atSummary
77. See DUNCAN CAMPBELL, DEVELOPMENT OF SURVEILLANCE TECHNOLOGY AND RISK OF ABUSE OF ECONOMIC INFORMATION: AN APPRAISAL OF TECHNOLOGIES FOR POLITICAL CONTROL
May2000]
THEDEATHOFPRIVACY?
1483
orword with references dictionary programs that flagmessages interesting patterns.80 As artificial these should intelligence beimproves, programs comeincreasingly invoicerecognition sophisticated. advances Meanwhile, (translating speech into text) promise thetelephone totransform monitoring problem into another type oftext problem. is oncea conversation Further, converted into text, the National to Security Agency is ("NSA") ready gauge itsimportance with semantic forests: on TheNSA recently a patent received a computerized procedure that produces ofa conversation a topical summary usinga "tree-word-list" to scorethetext. The patent a "predescribes processing" phase that removes "stutter phrases" from a transcript. Then, a computer automatically assigns a label,or topicdescription, to thetext.81 The method promises to allowcomputerized sorting andretrieval of tranandother scripts documents based upon their meaning, not justkeywords.82 Notonly havethecommunications intelligence agencies oftheUnited anditsmajor States allies"reaffirmed their requirements for accesstoall the world's communications,"83 but they have alsotaken a number ofsteps inthe pasttwoyears to ensure cangetit. TheNSA installed they "sniffer" software tomonitor andcollect traffic atnine major Internet exchange points.84 On May7, 1999, the European Parliament passed the Lawful Interception of Communications Resolution on New Technologies,85 known as Enfopol. Although theEnfopol resolution is nonbinding, itserves as a declaration of theregulatory agenda oftheEuropean lawenforcement community. Under theEnfopol proposal, Internet service providers andtelephone companies in Europe wouldbe required to provide law enforcement agencies with fullreal-time time, accessto all Internet transmissions. In addition, wireless communications providers would be required toprovide geographical position information locating their cellphone customers. Iftheservice provider
80. Seeid. ?3?T72. 81. See Patent5937422: Automatically a topicdescription generating fortextand searching and sorting textby topicusingthesame <http://cryptome.org/nsa-vox-pat.htm>. 82. See SueletteDreyfus,This Is JustBetweenUs (and the Spies), INDEPENDENT, Nov. 15, 1999 <http://www.independent.co.uk/news/Digital/Features/spiesl5 1199.shtml>. 83. STOA REPORT, supra note77, ? 1,? 6. 84. See id. ? 2,?T60. 85. EuropeanParliament, Legislativeresolution embodying Parliament's opinionon thedraft Council Resolutionon the lawfulinterception of telecommunications in relationto new technologies (10951/2/98-C4-0052/99-99/0906 (CNS)) (Consultation procedure)<http://www2.europarl.eu. int/omk/omnsapir.so/pv2?PRG=DOCPV&APP=PV2&LANGUE=EN&SDOCTA=5&TXTLST=1 &POS=1&Type_Doc=RESOL&TPV=PROV&DATE=070599&PrgPrev=PRG@TITREJAPPePV 2ITYPEF@TITREIYEAR@99IFind@%69%6e%74%65%72%63%65%70%74%69%6fb/o6elFILE @BIBLIO991PLAGE@l&TYPEF=TITRE&NUMB=2&DATEF=990507>. As of March 2000, Europeangovernments had yetto reacha finalagreement on Enfopoldue to disputesregarding its applicationto bank secrecyrules. See Jellevan Buuren,No Final Agreement on Convention on Mutual Assistance in Criminal Matters,Mar. 28, 2000 <http://www.heise.de/tp/english/special/ enfo/6691/1 .html>.
1484
LAWREVIEW STANFORD
[Vol.52:1461
wouldbe retheprovider as partofthecell phoneservice, encryption offers itbe able todecodethemessages.86 that to ensure quired forLaw Assistance theCommunications in theUnited States, Similarly, all new telecommunicathat Act of 1994 ("CALEA") requires Enforcement it does not although wiretaps, to allow lawful be engineered tionsnetworks how also does notspecify The legislation theissueof encryption.87 address leaving shouldbe able to support, thenetwork wiretaps manysimultaneous of "capacity assessment In its initial regulations. thisto the implementing in majorurbanareas to carriers requiring theFBI proposed requirements," caof "engineered of one percent capacity surveillance a maximum install of one out of to makeit possiblefora maximum words, pacity"-in other Thisprosimultaneously.88 phonelinesto be monitored one hundred every a differsubstituted it and FBI withdrew the that so controversial posal was therevised all ambiguity, notfreefrom Although projection.89 entcapacity provisions. For example,the rule appearsto requireverylargecapacity calculatedthatunderthe formula CenterforDemocracyand Technology 136,000 wouldhave to be able to perform by theFBI, thesystem proposed areaalone.90 intheLos Angeles intercepts simultaneous a courtorderis illegal in the United without Domesticwiretapping agenciesare aland counter-intelligence States,and onlylaw enforcement 1329 courtsauthorized lowed to apply forwarrants.9'State and federal
TECHWEB,May 13, Infrastructure, forISP Spying Acey,EuropeVotes 86. See Madeleine 19990513SOOO9>. 1999 <http://www.techweb.com/wire/story/TWB 87. See 1994 Pub. L. No. 103-414, 108 Stat.4279 (1994) (codifiedas amendedat 47 U.S.C sectionsof 18 & 47 U.S.C.); cf JamesX. Dempsey,Communications ?? 1001-1010 and scattered
have required technology SCI. & TECH. 65 (1997) (arguingthatrecentchangesin communications of privacy policy). reexamination Act,60 Fed. AssistanceforLaw Enforcement of theCommunications 88. See Implementation Reg. 53,643, 53,645 (proposed Oct. 16, 1995). To be fair,the FBI assessmentlumped together and "trapand such as pen registers formsof surveillance wiretapneeds along withless intrusive disclosingthe aboutwho is speakingto whomwithout whichreveal information trace"operations, See id. substanceof theconversation. AssistanceforLaw Enforceof Section 104 of the Communications 89. See Implementation mentAct,62 Fed. Reg. 1902 (proposedJan.14, 1997). Briefof Amicus Curiae,CellularTelecomms. 90. See CenterforDemocracyand Technology, Indus. Ass'n v. UnitedStatesTel. Ass'n, No. 1:98CV01036 & 1:98CV0210 (D.D.C. 1999) <http:// on CenterforDemocracyand Technology,Comments www.cdt.org/digi_tele/capacitybrief.shtml>; the FBI's Second CALEA CapacityNotice, Feb. 18, 1997 <http://www.cdt.org/digi_tele/970218_ comments.html>. foreigners, whentheUnitedStatesis wiretapping abroad,either are notrequired 91. Warrants 494 U.S. 259 (1990) (holdingthatthe see, e.g., United States v. Rene MartinVerdugo-Urquidez, does not apply to the searchand seizure,by United States agents,of property FourthAmendment foreign or even when democratic country), alien and located in a foreign owned by a nonresident their own citizens. See, e.g., Nick Fielding& Duncan Campbell,Spy are wiretapping governments TIMES(London),Feb. 27, 2000 <http://www.the-times.co.uk/ in on Diana, SUNDAY AgenciesListened (allegingthat"a loophole in the 1985 Internews/pages/sti/2000/02/27/stinwenwsO2O35.html?999>
8 ALB.L.J. Privacy, LawstoEnhance FederalWiretap the Age:Revitalizing inthe Digital Privacy
May2000]
THEDEATHOFPRIVACY?
1485
in 1998,an increase wiretaps of eighty percent overthe738 authorized a decadeearlier.92 Thesestatistics are somewhat bemisleading, however, causea single order wiretap can affect hundreds ofphone linesandup to 100,000 conversations.93 The statistics arealso difficult to reconcile with reports, attributed totheFBI,that onpeakdays uptoonethousand different telephone lines aretapped intheLos Angeles area.94 thenumber Although ofwiretap orders is increasing, andthenumber ofpersons to legal subject eavesdropping is also increasing, these statistics arestill small compared to theenormous volume oftelecommunications. Onereason why wiretaps remain relatively rare may be that judges haveto approve them (although the number of wiretaps refused annually is reputed to be nearzero);another, perhaps more important reason, is that they areexpensive. Theaverage cost ofa wiretap is over $57,000,95 with much ofthe expense attributable topayingthe people wholisten tothe calls. However, as technology developed by intelligence agencies trickles down to domestic law enforcement, themarginal costoftelephone, fax, andemail surveillance should decline considerably. Evenifdomestic lawenforcement agencies remain scrupulously within thelaw,96 thenumber oflegalwiretaps is likely toincrease rapidly oncethe cost constraint is reduced.97
ceptionof Communication Act means intelligence officialscan put individualsand organisations [sic] undersurveillance without a specificministerial warrant"). 92. See ADMINISTRATIVE OFFICE OF THE U.S. COURTS, 1998 WIRETAPREPORT5 (1999) <http://www.uscourts.gov/wiretap98/contents.html;> Associated Press, State Authorities' Wiretapping Up, May 5, 1999 <http://jya.com/wiretap98.htm>. 93. See Marc Cooper, Wired, NEWSTIMESLA.COM., Jan. 23, 1998 <http://www. newtimesla.com/archives/1998/08 1398/featurel-2.html> ("Under the single wiretapauthorization thatproduced the Gastelum-Gaxiolacase, a mind-boggling 269 phone lines, includingan entire retailcellularphone company, were monitored.Taps on just three pay phones at theL.A. County jail in Lynwood,forinstance, yieldedabout 100,000 conversations in six months, accordingto the Public Defender'soffice.").
94. See id.
Services, Sept. 24, 1998 <http://www.worldserver.pipex.com/coi/depts/GOT/coi6O43e.ok?> (announcing OFTEL had forced BT to cease practice after complaints).
Office ofTelecomms., OFTELActs toEnsures Fair Competition inMarketing ofBT Click Internet
95. ADMINISTRATIVE OFFICEOF THEU.S. COURTS, supra note92, at Table 5. 96. Thereis reasonto doubtthattheydo. See, e.g., Cooper,supra note 93 (describing LAPD officers'testimony concerning hundredsof illegal "hand offs" of information, acquired in one wiretap,in orderto initiatenew cases via fictitious informants); Los Angeles Public Defenders State Wiretap Office, Related Cases <http://pd.co.la.ca.us/cases.htm> (listingknownand suspected cases affected by illegal LAPD use of wiretap information). 97. Thereare also powerful commercial incentives to privately gather caller information. For example,British Telecom searcheditsrecordsto findpeople who were regularly calling competing Intemnet service providers, and had its sales staff call and encouragethemto switchto BT. See
1486
STANFORD LAWREVIEW
[Vol.52:1461
c. Online tracking.
The worldwide web is justlycelebrated as a cornucopia of information availableto anyone with an Internet connection. The aspects oftheweb that make it such a powerful information medium (its unregulated nature, the flexibility of browsing software andtheunderlying protocols, and itsroleas the world's largest library, shopping mall,and chatroom)all combineto make the web a fertile ground forharvesting personaldata aboutInternet surfers.The morethat peoplerelyon theweb fortheir reading and shopping,themorelikelyit becomesthat dataabouttheir interests, preferences, andeconomic behavior willbe captured andmadepart ofpersonal profiles. The baseline level of user monitoring is builtintothe mostpopular on a linkinstructs a browser to browsers and operates by default.Clicking has endisclosethereferring automatically page to thenewsite. If a person in thebrowser's software that tered a nameor emailaddress communication offcannot be turned too willbe disclosedautomatically.98 Thesefeatures one can delete transfer theyare partof the hypertext protocol-although from thesoftware. Web surfers one's nameandemailaddress can,however, to maskpersonal tools such as the anonymizer employprivacy-enhancing information.99 on thetwomostpopular browsers The default setting (Internet Explorer and NetscapeNavigator) allowsweb sitesto set and read all the"cookies" allows a web siteto theywant. Cookies are a meansby whicha browser thisworks to theuser'sadvantagewrite dataa user'sharddrive.100 Often eliminate theneedtomemorize orretype Prefstored passwords passphrases. to customize web pages to match allowsa web designer erenceinformation and evenwhen individual users'tastes. Buttheprocessis usuallyinvisible; itis nottransparent sincefewcookiesareuser-readable. madevisible, a number ofpotential Cookiespresent privacy problems.Anyuserdata orphonenumber, can be embedded in disclosed to a site,suchas an address can then with a cookie. Thatinformation be correlated userID numbers set a profile.If taken to itslimit, thiswouldpermit a parby thesiteto create intrusive siteto builda dossieron theuser. An onlinenewspaper ticularly of thearticles a readerselects,allowingit forexample, might, keep track a picture of thereader'sinterests.Cookies can be over timeto construct between web sites,allowing shared to figure outwhat savvyweb designers visitors and (to theextent other sitestheir theother sitesstore inpatronize, in cookies)whattheyhave revealedto thoseother formation sites. When this"clicktrail" can quietly revealbothpersonaland compieced together,
Privacy Analysis of Your Internet browser saysaboutyou,visit 98. To find outwhatyour Connection at<http://privacy.net/anonymizer/>. 99. See Anonymizer <http:Hlwww.anonymizer.com/3.0/index.shtml>. Cookie Central <http://www.cookiecentral.com/>. 100. See generally Netscape,
May2000]
THEDEATHOFPRIVACY?
1487
mercial information abouta userwithout hereverbeingawareof it. A frequentvisitor to AIDS sites,a regular of anti-cancer purchaser or medicine, even someonewho has a passionforBarry Manilow,all mayhave reasons for notwanting others to knowoftheir interests oractions. Complicating whatappears matters, as one page in a browser mayactuallybe madeup ofmultiple parts from originating servers.Thus,it multiple is possibleto embedvisible, or eveninvisible, in a web page,which content an occasionforsetting provides a cookie. Doubleclick, an Internet advertising company, servesads thatappearon a largenumber of commercial and advertising-supported web pages. By checking fortheDoubleclickcookie, thecompany can assigna uniqueidentifier to each surfer and notonlytrace whichDoubleclick-affiliated web sitesthey visit, butalso when,how often, andwhatthey choosetoviewwhilethey arethere. 101 Cookies,however, are onlythetip of the iceberg. Far moreintrusive features can be integrated intobrowsers, intosoftware downloaded from the 103 In theworst Internet,102 and intoviruses or Trojanhorses. case, thesoftwarecouldbe configured torecord every keystroke. The United Statesgovernment suggested that Congress shouldauthorize law enforcement and counter-intelligence agenciesto remotely access and planta back doorin suspects'computers.104 Usinga back doorcouldgive thegovernment accessto every keystroke, allowing itto learn passwords and filesprotected decrypt withstrong, otherwise uncrackable, cryptography.105 The proposal in theoriginal draft of theCyberspace Electronic Security Act was sufficiently ambiguous that someimagined thegovernment might even contract withmakers of popularsoftware to plantback doorsthatcould be activated remotely as part of an investigation.106 Instead, theclause in ques-
101. See ChrisOakes,Doubleclick Plan Falls Short, WIRED NEWS, Feb. 2000 <http:// www.wired.com/news/business/0,1367,34337,00.html>. 102. E.g., ChrisOakes, Mouse PointerRecords Clicks,WIREDNEWS,Nov. 30, 1999 <http:// www.wired.com/news/technology/0,1282,32788,00.html>. 103. A trojanhorseis a "malicious,security-breaking program thatis disguisedas something benign,such as a directory lister, archiver, game, or . . . a program . . ." FOLDOC, Trojan Horse <http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?query=trojan+horse>. 104. See DraftCyberspaceElectronicSecurity Act Bill, Aug. 4, 1999, ? 203 (to amend 18 U.S.C. 2713) <http://www.cdt.org/crypto/CESA/draftCESAbill.shtml>. A "back door" is a deliberate hole in system security. See FOLDOC, Back Door <http://wombat.doc.ic.ac.uk/foldoc/ foldoc.cgi?back+door>. 105. See RobertO'Harrow, Jr., Justice Department MullsCovert-Action Bill,WASH. POST, Aug. 20, 1999,atAl <http://www.washingtonpost.com/wp-srv/business/daily/aug99/encryption2O.htm 106. The DOJ Sectionby Sectionanalysisof The CyberspaceElectronic Security Act of 1999 (Aug 4, 1999) <http://www.cdt.org/crypto/CESA/CESAanalysis.shtml#secret>, notedthatproposed ? 2713 allowed a governmental to seek a warrant entity to searchnot only fordata but also "other information necessaryto obtainaccess to theplaintext of data or communications, or to installand use a recovery device." As the DOJ noted,proposed? 2713 defineda "recovery device" as "any enablingor modification of anypartof a computer or othersystem, including hardware or software, thatallows plaintext to be obtainedeven if attempts are made to protectit through or encryption
1488
STANFORDLAWREVIEW
[Vol.52:1461
tion, ? 2713,was quickly inthefaceoffurious dropped opposition from civil liberties groups.107Other countries have considered similar plans. For example,according to the uncensored versionof the Australian Walsh Report,108 intelligence agenciessought to altersoftware authority or hardware so thatit wouldfunction as a bugging device,capturing all userkeystrokes 109 whenactivated by law enforcement authorities. Monitoring issues also arise in the context of automated intellectual property rights management. Proposals aboundfor"copyright management technologies" (sometimes dubbed"snitchware"),ll0 unkindly whichwould
othersecurity techniquesor devices." This definition seemed capacious enough to include back doors builtinto software thatcould be activatedremotely-something thatwould expose law enforcement agentsto farless riskthanmakingsurreptitious to gain access to the target entry computer. 107. See The Center forDemocracy and Technology,A Briefingon Public Policy Issues Affecting Civil Liberties Online, CDT POL'Y POST, Sept. 17, 1999, at 22 <http://www.cdt.org/ (noting changein administration position). publications/pp_5.22.shtml/#3> 108. For thestrange saga of theattempts to censortheWalsh report, see THE WALSHREPORT: REVIEW OF POLICY RELATINGTO ENCRYPTION TECHNOLOGIES <http://www.efa.org.au/Issues/ Crypto/Walsh/>. 109. See id. ? 1.2.33. Authority shouldbe created fortheAFP, theNCA and ASIO to alterproprietary software so that itperforms additional functions tothosespecified bythemanufacturer. Suchan authority, whichclearly shouldbe subject to warranting provisions, would,forexample, enablepassive access to a computer workstation ofa LAN and linkinvestigative capability moreeffectively to current technology. Whilethere are issuesof liability, theReviewis convinced theeffort shouldbe madeto accommodate theseso that a target computer maybe converted to a listeningdevice. Thiscapacity mayrepresent one oftheimportant avenuesofaccessing plaintext. Id. The opportunity maypresent itself to the AFP, NCA or ASIO to altersoftware locatedin premises used by subjects of intensive investigation or destined to be locatedin thosepremises. The software (or morerarely thehardware) mayrelate to communication, data storage, encoding, encryption or publishing devices. Whilesomemodifications mayhavetheeffect of a listening creating devicewhich maybe remotely monitored bymeansof thetelecommunicationsservice, forwhich purposes extant warranting provisions wouldprovide, others maycreate an intelligent a permanent memory, setof commands notspecified in theprogram written by themanufacturer or a remote switching devicewitha capacity to issue commands at request. The cooperation ofmanufacturers or suppliers maysometimes be obtained byagencies. Whenmanufacturers or suppliers are satisfied themodification has no discernible effect on function, they to assistoracquiescein itsinstallation. mayconsent Itwillnotalwaysbe possitoapproach ble,however, manufacturers or suppliers or thelatter maybe in no position to consentto modification of proprietary software. Whenagenciesare investigating a highpriority target, practising [sic] effective personal andphysical security, moving premises and changing telephone/fax regularly, an opportunity to access thetarget's computer equipment mayrepresentnotonlythesole avenuebutpotentially themost productive. Id. ? 6.2.10. 110. See generallyJulieE. Cohen,A Rightto Read Anonymously: A Closer Look at "CopyrightManagement" in Cyberspace,28 CONN. L. REV. 981 (1996) <http://www.law.georgetown. JulieE. Cohen, Lochner in Cyberspace: The New Ecoedu/faculty/jec/read_anonymously.pdf>; nomic Orthodoxyof "RightsManagement," 97 MICH. L. REV. 462 (1998) <http://www.law. Julie E. Cohen, Some Reflections georgetown.edu/faculty/jec/Lochner.pdf>; on Copyright ManagementSystems and Laws Designed to ProtectThem,12 BERK. TECH. L.J. 161 <http://www.law. berkeley.edu/joumals/btlj/articles/12_1/Cohen/html/text.html>.
May2000]
THEDEATHOFPRIVACY?
1489
record and in some cases discloseeverytimea useraccessed a document, or even page of licensedmaterial article, in order to finely assess charges. which Similarly, digital insert invisible watermarking systems,1"I customized tagsintoelectronic allowthosedocuments to be tracked.Using documents, variousforms ofthesetechnologies, owners of valuableproprietary datacan sell theinformation with less fear itwillbe copiedwithout that If payment. theinformation is sold in encrypted or device form, alongwitha program thatdecrypts it everytimea licenseewishesto view partof the content, can be done on a pay-per-view charging basis rather thanrequiring a large feein advance. Leavingaside theissueoftheeffect on fair monitoruse,112 ingfor pricing purposes onlyraisesprivacy issuesifinformation is recorded (and thusdiscoverable or subjectto searchand seizure)or reported to the licensor. If onlythequantity of use is reported, rather thantheparticular pages viewedor queriesrun, userprivacy is unaffected. Whenmetering is conducted in real time, it is particularly however, difficult fora userto be confident aboutwhatis beingreported.If, forexample, a copyright management system connects via the Internet to the content ownerto ensure or evenpayment billing before access,then onlythemostsophisticated user will be able to determine how muchinformation is beingtransmitted. The temptation to create userprofiles for marketing purposes maybe quitegreat. Already, programs that quietly report, to a central registry in real time, everyURL viewedare common. Click on "what'srelated" in the default configuration of Netscape4.06 or above and everyURL visitedin that browser sessionwill be reported back to a server at Netscape/AOL.Alone, thisinformation onlytellsNetscapewhichsitespeople consider related to ithelpsthem others; construct a database they can use to guidefuture surfers. Butthisdata,in conjunction with cookiesthat recorded personal information, could be used to buildextensive dossiers of individual users. Thereis no evidence that Netscapedoes this, butthere is no technical obstacle preventing it.113
related/faq.html#12>. Nonetheless, thethreat seems particularly acute because Netscape itself sets a fairly detailed cookiebefore allowing download of browsers 128-bit containing cryptography. Curtin et.al,supra.Furthermore, reaction Netscape's tothe andMonroe Curtin, Ellison, was report intemperate atbest. Netscape setits"what's related" feature toshowtheUnabomber manifesto as "related" to thereport!See MattCurtin, "What's Related?"Fallout<http://www.interhack.net/ pubs/whatsrelated/fallout/>.
Netscape, Are there Privacy Issues with What's Related? <http://home.netscape.com/escapes/
Privacy, Oct.10,1998<http://www.interhack.net/pubs/whatsrelated/>. Netscape promises notto misuse theinformation, andthere is no reason to doubt this. See
112. See note 110 supra. 113. See MattCurtin, GaryEllison & Doug Monroe, "What'sRelated?" Everything But Your
111. See, e.g., DigimarkCorp. <http://www.digimarc.com/>.
1490 d. Hardware.
LAWREVIEW STANFORD
[Vol.52:1461
are also deploying feaHardware manufacturers privacy-compromising of devices. The GeneralMotorscorporation has turesin a wide variety vehicles with(until secret equippedmorethansix million recently) devices, areable to known as "blackboxes,"that datarecorders akinto airplane flight in 1990,theautomobile blackboxeshave introduced record crash data. First The 1994versions: more becomeprogressively powerful.
11 categories theamount of deceleration, of information, record[ed] including was disabled, whether thedriver waswearing a seatbelt, whether theairbag any malfunctions recorded atthetime ofthecrash system bytheon-board computer in some inflated. A moresophisticated installed and whentheairbag system brake status and throttle forfive 1999modelsalso records velocity, position 114 seconds before impact.
datarecorders intheir manufacturers less elaborate cars. Other include used fornetworkMakersof computer chipsand ethernet cardadapters Internet buildin uniqueserialnumaccess routinely ing and forhigh-speed which can then be accessedeasilyovertheweb. bersto their hardware, III chip has a uniqueidentification Each IntelPentium number. Intel thechipID to function andbe accessibleto originally designed continuously software such as web browsers.115 The intention appearsto have been to makeelectronic Intelreaanonymity impossible.Anonymous usersmight, 6 commit or fraud intellectual a unique, soned, pirate digital property." With indelible ID number on eachchip, software couldbe configured to work only on one system.Users could onlymasktheir identities whenmanypeople or whenone personused severalmachines. The used a singlemachine, forweb sites,cookiecountuniqueID couldalso serveas an indexnumber meansoftracking usersacrosstheInternet. ers,andother The revelation that Intel was buildingunique serial numbersinto Pentium III chips caused a small furor. In response, Intel announced it 17 wouldcommission a software program that wouldturn off theID function.' Intel'ssoftware can be circumvented However, by a sufficiently malicious
114. Bob Van Voris, BlackBox Car Idea OpensCan of Worms, NAT'LL.J.,June 7, 1999 <http://www.lawnewsnetwork.com/stories/A20241999Jun4.html>. 115. See Stephanie Miles,IntelDownplays ChipHackReport, Feb. 24, 1999<http://news. cnet.com/news/0-1003-200-339182.html?tag=> ("Pentium III's serial codecanbe retrieved without orapproval."). the user'sknowledge A BillionTrusted 116. See Patrick Gelsinger, Computers (Jan. 20, 1999)<http://www.intel. com/pressroom/archive/speeches/pgO12099.htm>; see also Robert Lemos,Intel:Privacy Is Our Concernas Well, ZDNET NEWS, Jan. 20, 1999 <http://www.zdnet.com/zdnn/stories/news/ 0,4586,2190019,00.html> (noting Intel's that a lossofsomeprivacy). argument security justifies 117. See BigBrother Inside Homepage <http://www.bigbrotherinside.coml#notenough>.
May2000]
means. 118
THEDEATHOFPRIVACY?
1491
in a cookieor by other broadcast program andtheID number surreptitiously intoitscomIntelis nottheonlycompany to putuniqueserialnumbers thebasis for Formany all ethernet munication-related products. years, cards, networks and most DSL 119connections, had a "Media Access Control" (MAC), a six-byte (usuallyrepresented as twelvealphanumeric characters) ID number builtintothem.Thisunique, is important unchangeable number that for no networks, becauseitforms part ofeachdevice'saddress, ensuring witheach other, no datapackets twodevicesgetconfused and that getmisdelivered. The privacy issuesbecomemost acutewhensucha cardis partof a computer thatis used on theInternet or other communications networks, because the number can be used to identify the computer to whichthe ethernet cardis attached. Indeed,the new Internet Protocolversion6 ("IPv6"),120 which will graduallyreplace the current Internet protocol,contemplates using an ethernet card's uniqueID to createa globally uniqueidentifier ("GUID"). The IPv6 standard requires software to includea GUID in the headerof every Internet communication (email, web browsing, chat, and others). withan ethernet card would createa GUID by combining Computers the uniqueID number assigned to thecard'smanufacturer with a uniquenumber assignedto thecard in the factory.121 Thus,"[e]very packetyou send out ontothepublicInternet usingIPv6 has yourfingerprints on it. And unlike IP address your under IPv4,which youcan change, thisaddress is embedded in yourhardware.Permanently."122 In response to criticism, thestandardbodiesare reconsidering setting revisions whichwouldallow users-if they are savvyenough to do so-to picka random number to replacetheGUID
118. See Michael Kanellos & StephanieMiles, Software Claimsto UndoPentium III Fix, CNET NEWS,Mar. 10, 1999 <http://news.cnet.com/news/0-1003-200-339803.html?tag=>. 119. DSL standsfor"Digital Subscriber Line." See generallyJohn Kristoff, comp.dcom.xdsl Frequently AskedQuestions<http://homepage.interaccess.com/-jkristof/xdsl-faq.txt>. 120. See generally STEVE KING, RUTH FAX, DIMITRY HASKING,WEAKEN LING, TOM MEEHAN,ROBERTFINK& CHARLESE. PERKINS, THE CASE FORIPv6 4 (1999) <http://www.ietf. org/internet-drafts/draft-iab-case-for-ipv6-05.txt> (toutingIPv6's "enhanced features,such as a larger address space and improved packet formats");Ipv6. The Next Generation Internet! <http://www.ipv6.org>. 121. See KING et al., supra note 120, at 34 (defining IPv6 requiredheaderto include"a genericlocal addressprefix to a unique token(typically derivedfrom thehost's IEEE LAN interface
see also IEEE, Guidelines address)"; for 64-bit GlobalIdentifier (EUI-64)Registration Authority
<http://standards.ieee.org/regauth/oui/tutorials/EUI64.html> (explaining ID numbers). 1999 <http://www.intemetwk.com/columns/frezz100499.htm>
122. BillFrezza, Where's AlltheOutrage About the IPv6Privacy Threat?, TECHWEB, Oct.4,
1492
STANFORDLAWREVIEW
[Vol.52:1461
from timeto time.'23 But thismodification is stillunder consideration and wouldnot, apparently, be thedefault. Evenbefore IPv6 was introduced, somesoftware Word products, notably 97, Excel 97, and PowerPoint 97, routinely embedded a uniqueID number intoevery If a computer document. had an ethernet used card,theprograms its MAC, muchlike IPv6.124 As a result, it becamepossibleforlaw enforcement and others to trace theauthorship of seemingly anonymous documents ifthey couldmatch theMAC to a computer. Thismatching taskwas made easierby another Microsoft product:The initial version of theWindows 98 registration wizardtransmitted theuniqueID to Microsoft; visitors to theMicrosoft web sitewho had previously registered werethengivena cookiewith theID number.'25 As a result, ID notonlyidentitheMicrosoft fieda computer, buttiedit directly to an individual's personal data. These features werenotdocumented.126 Although there is no reasonto believethat Microsoft usedtheinformation for anything other than tracking theuse of its website, there arepowerful financial and commercial incentives forcorporationsto collectthisinformation. A filing in a recent lawsuit claimsthat user information collected by Yahoo was worth four billiondollars.127 Not surprisingly, other companies, including RealNetworks and Amazon.com, have been collecting, or considering collecting, similar personalinformation.128 Indeed,it is possiblethat Microsoft's datacollection activity was a dryrun forsomething moreelaborate. Documents disclosedduring the Microsoft
customers hadexplicitly indicated didn't they want the numbers disclosed."). 127. Kathleen Murphy, $4B Sought from Yahoo forNotSharing Customer Data, INTERNET WORLDNEWS,Dec. 27, 1999 <http://www.internetworldnews.com/GetThisStory.cfm?Stor 1 D3-976500AOCC40B49B>. 746B3487-B95D128. See John Bitter Markoff, DebateonPrivacy DividesTwoExperts, N.Y. TIMES,Dec. 30, 1999<http://www.nytimes.com/library/tech/99/12/biztech/articles/30privacy.html>.
vestingthose serial numbersfromcustomers-along withtheirnames and addresses-even when
privacy-O 1.txt>. 124. See YusefMehdi, Microsoft Addresses Customers' Privacy Concerns, PRESSPASS, Mar. 8, 1999 <http://www.microsoft.com/presspass/features/1999/03-08custletter2.htm> ("The unique identifier number inserted into Office 97 documents wasdesigned tohelpthird parties build tools to work with, and reference, Office 97 documents. The uniqueindentifier generated forOffice 97 documents contains information that is derived inpart from a network card...."). Until themost recent revisions, these numbers werethen transmitted during theWindows 98 registration process. See Mike Ricciuti, Microsoft Admits Privacy Problem, Plans Fix, CNET NEWS, Mar. 7, 1999 <http://news.cnet.com/news/01006-200-339622.html?st.ne. 160.head>. 125. See DavidMethvin, WinMag Exclusive. Windows 98 Privacy IssueIs Worse thanYou Thought, TECHWEB, Mar.12, 1999<http://www.windowsmagazine.com/news/1999/0301/0312a. Userscantest for theproblem atPharlap Software, Windows 98 RegWiz Privacy LeakDemoPage A patch <http://security.pharlap.com/regwiz/index.htm>. for Word 97, Excel97, andPowerPoint 97 is available at<http://officeupdate.microsoft.com/downloadDetails/Off97uip.htm> 126. Associated Press, Microsoft Promises a PatchforID Feature, Mar. 9, 1999 <http:// search.nytimes.com/search/daily/homepage/bin/fastweb?getdoc+cyber-lib+cyber-lib+41 wAAA+microsoft%7EID%7Eprivacy> ("thecompany also acknowledged it mayhavebeenhar-
123. See THOMASNARTEN, & R. DRAVES,PRIVACY EXTENSIONS FORSTATELESS ADDRESS IN IPv6 1 (1999) <ftp://ftp.isi.edu/intemet-drafts/draft-ietf-ipngwg-ad AUTOCONFIGURATION
May2000]
THEDEATHOF PRIVACY?
1493
had considered antitrust that Microsoft to an "annucase revealed switching itymodel"by which userswouldhavepaid an annualfeefora Windows license in future versions of theoperating Annualbillingwould system.'29 mostlikely haverequired andidentifying registering users. Hardware ID numbers is notyetubiquitous, withbuilt-in butproposals forexpanding itsuse are increasingly in part common, becauselaw enforcement andothers fear that activities lead to criminality and antisoanonymous cial behavior. For example, thefearthat people could use colorcopiersto counterfeit United States has spurred makers ofcolorcopiers to put currency in each machinein orderto tracecounterinvisible, unique ID numbers feits.130 The ID number appearsin all color copies,making everycopied document traceable to its originating machine. Because thequality of personalcolorprinters continues to improve, theU.S. Treasury has Department become increasingly concerned thatcommon color inkjet printers may becomegood enough for counterfeiters. As a result, theTreasury has begunto investigate thepossibility of requiring printer manufacturers to buildtracing 131 information intoall colorprinters. hardware ID numbers are probably Ubiquitous inevitable because they will enablesmart homesand offices. Consider, forexample, thesmart refrigerator: Its computer can automatically a shopping display listof whatis running short. The listcan thenautomatically be sentto a shop over the A smart Internet. fridge also can be linked to an onlinecookbook to suggest suitable recipes dependingupon its contents.'32 Once every food is and thefridge tagged,'33 knowsitsexpiration date,thesmart fridge can even be programmed to remind youto throw outmilkthat outlasts itssell-by date. Smart homeand office applications suchas thesmart fridge or thesmart officesupply will cabinet a cornucopia provide of marketing data,and theinformation officers of foodsuppliers, andothers, arealready devising plansto
129. See Jason A Study Catlett, ofthe Privacy andCompetitiveness Implications ofan Annuity Model for Licensing Microsoft Windows 2000, JUNKBUSTERS, Mar. 4, 1999 <http://www.
PRIVACY FORUMDIGEST,Dec. 6, 1999 <http://www.vortex.com/privacy/priv.08.18>. 131. See U.S. Bureau of Engravingand Printing, Counterfeit DeterrenceFeatures <http:// www.bep.treas.gov/countdeterrent.htm>. Mar. 4, 1999 <http://www.tagish.co.uk/ethosub/lit7/1484e.htm>; see also Joseph 'Jofish' Kaye, Counter Intelligence & Kitchen Sync: WhitePaper 3 (June 1999) (unpublishedmanuscript) <http://www.media.mit.edu/ci/research/whitepaper/cil3.htm> (detailing"Kitchen Sync," the "digitallyconnected, self-aware kitchen"). 133. See JosephKaye, Niko Matsakis,MatthewGray,AndyWheeler& Michael Hawley,PC
junkbusters.com/ht/en/bill.html>.
130. See LaurenWeinstein, IDs in Color Copies-A PRIVACYForumSpecial Report,
132. See Ny Teknick, Electrolux Demonstrates theSmart FridgeConcept, ETHOS NEWS,
Dinners, Mr.JavaandCounter Intelligence: Smart Prototyping Appliances forthe Kitchen (Nov. 1,
1999) (unpublishedmanuscript submitted to IEEE) <http://www.media.mit.edu/ci/ieee.cgajofish/ ieee.cgajofish.htm> ("We predict-even assume,in manyof our scenarios-that all products sold will have a digitalID.").
1494
STANFORD LAWREVIEW
[Vol.52:1461
theinformation be ofintermay Ultimately information.134 getandusethat liketo for companies, example, might others as well. Insurance esttomany she whether intheinsured's home, packages areanycigarette know ifthere eats foods. she fatty andhowoften snacks regularly,
3. Biometrics.
as at leastas quickly foridentifying peopleis advancing Technology for With distinguishing technologies machines. technology for identifying it quickly, parts'35 improving body faces, orother irises, fingerprints, human base rather than as password" "body tousethe increasingly attractive seems card.'36 token such as a smart a PIN,ora hardware ona passphrase, security or authentication (whois this?) can be used foridentification Biometrics have?).137 person doesthis (what permissions prevent informamay To the extent onbiometric identifiers reliance that it is a privacy-enhancing disclosed, or improperly tionfrom beingstolen is a person whether scans todetermine now useiris Some banks technology. government TheUnited States money from anATM.138 towithdraw entitled to cards issued identification crossing inthe border identifiers usesbiometric as States onbusiness,'39 the United travel toandfrom whofrequently aliens andother accessto welfare fraudulent do several states seeking to prevent 140 benefits.
134. See AliceLaPlante, TheBattle forthe TheFoodIndustry Fridge: Is Looking toHookUp Your Hometo theSupply Chain, COMPUTERWORLD, Apr.5, 1999,at 52(1) <http://www.chic.sri. com/library/links/smart/fridge.html> ("CIOs in thegrocery areputting in theproper industry technicalinfrastructure tocollect andconsolidate customer data."). 135. Fora listofpossibilities, see Java CardSpecialInterest Group, Introduction toBiometrics<http://www.sjug.org/jcsig/others/biometrics_intro.htm>. 136. See generally Ontario Info.& Privacy Comm'r, Consumer Biometric A Applications: Discussion Paper<http://www.ipc.on.ca/web_site.eng/matters/sum_pap/papers/cons-bio.h (discussing itsbenefits biometrics, andconcerns, anditseffects onprivacy); Clarke, supranote 9. 137. See generally DutchData Protection Authority (Registratiekamer), R. Hes, T.F.M. Hooghiemstra & J.J. Borking, AtFace Value: OnBiometrical Identification andPrivacy ? 2 (1999) (discussing the variousapplications of <http://www.registratiekamer.nl/bis/top_1_5_35_1.html> biometrics). 138. See, e.g.,GuyGugliotta, TheEyesHave it:Body Scansat the ATM,WASH. POST., June 21, 1999, atAl <http://www.washingtonpost.com/wp-srv/national/daily/june99/scans2 1.htm>. 139. See 8 U.S.C.A.? 1101(a)(6)(WestSupp.1999);Theta Pavis,U.S. Takes Immigration in Hand, WIRED, Sept. 15, 1998 <http://www.wired.com/news/news/technology/story/15014. (describing INSPASSsystem, which relies onhandprints). 140. See JOHN D. WOODWARD, JR., U.S. DEP'T OF COMMERCE, COMMENTS FOCUSING ON (1998) <http://www.ntia.doc.gov/ntiahome/privacy/mail/disk/woodward.htm> Califor("Arizona, nia,Connecticut, NewJersey, Illinois, NewYorkandTexasareusing Massachusetts, finger imaging to prevent entitlement fraud. Florida, North Carolinaand Pennsylvania have biometric operational systems Connecticut ofSocialServices, pending."); Department ConDigital Imaging: necticut's Biometric Imaging Project <http://www.dss.state.ct.us/digital.htm> linksto (providing
PRIVATE SECTOR USE OF BIOMETRICS AND THE NEED FOR LIMITED GOVERNMENT ACTION ? IIB
May2000]
THEDEATHOFPRIVACY?
1495
privacy, biometrics pose a two-pronged to enhance Despitethepotential thatcan serveas a a unique identifier provides threat. First, a biometric availableabout an individual. The high-quality indexforall information to be used,and the themoreit is likely a biometric morereliable identifier, '4' Because a biometric is to it. ofdatalikely to be linked greater theamount that current indexes, a partof theperson, it can never be changed.It is true whichis whythey make arerarely changed, suchas social security numbers, a orjoin witcases one can leave thecountry butin extreme good indexes, an irisor a fingerness protection program.As faras we know,changing particularly those Second,some biometrics, print is muchmoredifficult. suchas aboutthedatasubject, that involve DNA typing, discloseinformation typdiseases,and (as thegenome propensity forcertain race,sex, ethnicity, to detect may providethe capability ing improves) even more.'42 Others emotions.143 states ofmind, truthfulness, fear, orother unique'44 and (so It is almost powerful identifier. DNA is a particularly databasesalready of stateand federal to change. A number far)impossible General Janet and others.'45 Attorney collectand keep DNA dataon felons of DNA EviReno recently asked theNationalCommission on theFuture person arrested dencewhether a DNA sampleshould be collected from every wouldbecome in theUnitedStates. Underthisproposal, DNA information mildatabase: More thanfifteen and sizable,national partof a permanent, lionpeoplewerearrested in theUnited Statesin 1997 alone.146 Such a plan a bill to comis farfrom government considered Icelandic unthinkable-the
extendeddescriptions of biometrical imagingof AFDC and GeneralAssistancerecipients foridentification purposes).
? 4, in POLIZEI UND DATENSCHUTZ-NEUPOSITIONIERUNG IM ZEICHEN DER INFORMATIONS-
141. See AnnCavoukian, Biometrics and Policing:Comments from a Privacy Perspective
GESELLSCHAFT (Data Protection Authority ed., 1999) <http://www.ipc.on.ca/web_site.eng/matters/ sumpap/PAPERS/biometric.htm>. 142. See id. at ? 4. In addition, some people, forreligiousor personalreasons,findsubmittingto a biometric testing to be unacceptable. Even if thescan does notrequirea blood sample or other physical invasion, it may encroach on other sensibilities. See Ontario Info. & Privacy Comm'r,supra note 136, at textfollowing note 168 ("Having to give something of themselves to be identified is viewed as an affront to their dignity and a violationof their person. Certainbiometric techniquesrequiretouching a communalreader,whichmay be unacceptableto some, due to culturalnormsor religiousbeliefs."). 143. See Dutch Data Protection Authority (Registratiekamer et al.), supra note 137, ?? 2.22.3. 144. See DNA Fingerprinting, ENCYCLOPEDIA BRITANCICA ONLINE <http://search.eb.com/ bol/topic?eu=31233&sctn=l&pm=l> (notingthatDNA is usuallyunique with"the only exception from beingmultiple individuals a singlezygote(e.g., identical twins)"). 145. The FBI CombinedIndexDNA IndexingSystem("CODIS") alone currently containsinformation on 38,000 people. Approximately 450,000 samples await processing. See EPIC, supra note 36. Butsee Ng Kang-Chung, SOUTHCHINAMORNING Fear POST,Feb. 12, 1999,Legislators DNA TestPlans Open to Abuse, available in 1999 WL 2520961 (describing theHong Kong legislature'sfearsof "allowingpolice to takeDNA samplesfrom suspectstoo easily"). 146. See EPIC, supra note36.
1496
LAWREVIEW STANFORD
[Vol.52:1461
pilea database andgeneamedical containing records, genetic information, logical information for allIcelanders.147
4. Sense-enhanced searches.
ononeormore Sense-enhanced searches todetect that rely technologies which ordinarily could notbe detected with un-aided human senses.These searches differ from surveillance inpublic with a few places because, exceptions such as airport sense enhanced searches arenot body searches, rouyet tine, perhaps because oftherarity ofthenecessary or expense equipment. thetypical Instead, sense-enhanced is targeted at someone or somesearch or carried thing outat specific specific, andusually locations. temporary Unlike home oroffice which monitoring, inside usually requires equipment the location ofinterest, many sense-enhanced searches allowsomeone onthe outside toseewhat is happening inside a building, a package, oreven clothing. Becausethere is no "entry" as theterm is commonly nora defined, physical andbecause intrusion, of the many on emanations technologies rely that arenotcoerced bytheobserver, these technologies maybe permissible under boththeFourth Amendment andprivate law trespass law. Senseenhanced search is changing technology rapidly, raising doubts as to what a reasonable constitutes expectation ofprivacy in a world where we areall increasingly naked andliving intransparent homes. Governments tobe the ofsense-enhanced appear users primary searches, but ofthe many technologies aremoving into the private sector as prices decrease.
a. Looking down:satellite monitoring.
Once thesole property of governments, satellite high-quality photointhe graphs visible spectrum arenowavailable for purchase. Thesharpest pictures onsaletoday areabletodistinguish objects two meters long,'48 with a competing one-meter resolution service planned for later this year.'49 Meanwhile, governments areusing toregulate satellites behavior. Satellitetracking is being usedto monitor convicted criminals on probation, pahome role, orwork detention, release. Convicts carry a small tracking device thatreceives coordinates from globalpositioning satellites ("GPS") and
147. Mannvemd, Association for Ethical Science, TheHealth-Sector DatabasePlans inIceland,July 7, 1998 <http://www.simnet.is/mannvemd/english/articles/27. 11.1998_mannvernd_ summary.html>. 148. See SPIN-2High Resolution Satellite Imagery <http://www.spin-2.com/>. 149. Theimproved pictures willcomefrom theIkonos satellite. See Ikonos, Carterra Ortho Products Technical Specs<http://www.spaceimaging.com/carterra/orthotechpan.htm>.
May2000]
THEDEATHOFPRIVACY?
1497
communicates themto a monitoring center.'50 The cost forthisserviceis 15 low,about$12.50pertarget perday. theUnited Meanwhile, is considering theadoption of a GPSKingdom based system, in theNetherlands field tested and Spain,'52 already to prevent speeding. Cars wouldbe fitted withGPS monitors that wouldpinpoint the car's exactlocation, linkwith a computer built intothecarcontaining a database ofnational roads, theapplicable identify andinstruct a govspeedlimit, ernor builtintothevehicleto stopthefuelsupply ifthecarexceedsa certain speed.153 GPS systems allow a receiver to determine its locationby referenceto satellites, butdo notactually transmit therecipient's location to anyone.'54 The onboard computercould, however,permanently record everywhere the car goes, if sufficient wereprovided. The United storage Kingdomproposalalso calls formakingspeed restrictions alcontextual, lowing traffic engineers to slowdowntraffic in schoolzones,after accidents, or during bad weather.155This contextual control requires a meansto load updatesintothe computer; indeed,unlessthe UnitedKingdomwishedto freeze itsspeedlimits forall time, somesortofupdatefeature wouldbe essential. Data integrity validation usuallyreliesupon two-way communication. Once the speed control system and a central authority are the routine communicating, downloading of vehicletravelhistories would becomea realpossibility. Andevenwithout two-way communication, satellite-control overa vehicle'sfuelsupply wouldallow immobilizing vehicles forpurposes other thantraffic control.For example, cars could be stopped forriotcontrol or ifbeingchasedby police,parents wouldhave a new way of"grounding" children, andhackers wouldhavea newtarget. Thata government can track a devicedesigned to be visibleby satellite does not,ofcourse, necessarily meanthat an individual without one couldbe tracked by satellite in themanner depicted by thefilm Enemy of theState. However, a one-meter resolution suggests that itshould be possibleto track a singlevehicleifa satellite wereable to provide sufficient images, and satellitetechnology is improving rapidly.
150. See Joseph Rose,Satellite Offenders, WIRED,Jan.13, 1999<http://www.wired.com/ news/news/technology/story/17296.html>. 151. See Gary Fields, Satellite "BigBrother" EyesParolees, Apr.8, 1999,USA TODAY, at
10A.
152. See Satellites in the Driving Seat,BBC NEWS, Jan. 4, 2000 <http://newsvote.bbc.co.uk/ hi/english/uk/newsid_590000/590387.stm> (reporting that halfof theusersin thetestsaid they would be willing toadopt thesystem voluntarily). 153. See Jon Hibbs, Satellite PutstheBrakeon Speeding Drivers, TELEGRAPH, Jan. 4, 2000 <http://www.telegraph.co.uk:80/et?ac=000 141005951983&rtmo=kLJAeZbp&atmo=kLJAeZbp&pg =/et/00/1/4/nspedO4.html>; "Spyin theSky"Targets Speeders, BBC NEWS, Jan. 4, 2000 <http:// newsvote.bbc.co.uk/hi/english/uk/newsid_590000/590336.stm>. 154. See WATCHING ME, WATCHING YOU, supra note 61. 155. See Hibbs, supra note153.
1498
STANFORD LAWREVIEW
[Vol.52:1461
secret howaccurate doesnotdisclose record Thepublic spysatellites of the monitor other than visible might be, norwhat parts spectrum they of secret satellites is limited, belight.The routine privacy consequences the inanything lessthan tobelieve that results tend causegovernments using their As theprivate to disclose circumstances tends extreme capabilities. for sector catches up with governments, however, technologies developed willgradually become available for newuses. national security purposes
b. Seeingthrough walls.
Itmay be that "the house ofevery oneis tohim as hiscastle andfortress, hisdefence andviolence, as for as wellfor hisrepose,"'56 but against injury thewallsof that fortress are farmore permeable today than everbefore. observers cannowdraw Suitably equipped informed conclusions about what within is occurring a house without to enter it. Mostofthese having techarepassive.They donot nologies require the observer toshine a light orany orbeamon thetarget; other instead detect particle they preexisting emanations. Thermal forexample, imaging, allowslaw enforcement to determine whether a building has"hot spots."In several cases, lawenforcement agencieshaveargued that heat concentrated inonepart ofa building tends toindicatetheuse of growlights, whichin turn (theyargue)suggests the cultivation ofmarijuana. Thewarrantless discovery ofhotspots hasbeen usedtojustify the issuance ofa warrant tosearch the premises. Although the courts arenotunanimous, most holdthat passive thermal imaging that does not reveal details about the inside ofthe home doesnot require a warrant.157
156. Semayne's Case,77 Eng.Rep. 194,195(K.B. 1604), with quoted approval inWilson v. Layne, 526U.S. 603,609-10 (1999). 157. See United States v. Kyllo, 190F.3d 1041,1046-47 (9thCir.1999)(holding that theuse ofa thermal didnotrequire imager a warrant it"didnotexpose because anyintimate details" ofthe inside ofa home, andtherefore a privacy indissipated interest heat was notonethat society would accept as "objectively reasonable"); United States v. Robinson, 62 F.3d 1325,1328-29 (11thCir. 1995) (holding that a thermal imager search does notviolate theFourth Amendment); see also United States v. Ishmael, 48 F.3d850,853-55 Cir.1995);United (5th States v. Myers, 46 F.3d668, 669-70(7thCir.1995);United v. Ford, States 34 F.3d992,995-97(11th Cir.1994);United States v. Pinson, 24 F.3d 1056,1058-59 (8th Cir.1994);but see United States v. Cusumano, 67 F.3d 1497, 1500-01 (10th Cir.1995), en banc,83 F.3d 1247(10th aff'd Cir.1996)(raising thepossibility that thermal scanswithout a warrant theFourth violate Amendment andarguing that other circuit courts have"misframed" theFourth Amendment inquiry); Statev. Young,867 P.2d 593, 594 (Wash. 1994)(holding a warrantless that thermal imagesearch violates StateandFederal Constitutions). Foran analysis ofthelower courts' thermal imaging cases,see Lisa Tuenge v. Hale,United States Ford: TheEleventh Circuit Permits Unrestricted Police Use of Thermal Surveillance on Private A Warrant, Property Without 29 GA.L. REV. 819,833-45(1995); SusanMoore, Does HeatEmanateBeyond theThreshold?: HomeInfrared Remote and theFourth Emissions, Sensing, AmendmentThreshold, 70 CHI.-KENT L. REV. 803, 842-58 (1994); Lynne M. Pochurek,Fromthe to theHomefront: Battlefront Surveillance and theWaron DrugsPlace Privacy Infrared Under Siege,7 ST. THOMASL. REV. 137, 151-59 (1994); MatthewL. Zabel, A High-Tech Assault on the
May2000]
THEDEATHOF PRIVACY?
1499
devicethat allowsnew forms of is nottheonlyelectronic The telephone monitors broadcast monitoring.Computer signalsthatcan be replicated and virusescan use from a considerable distance.158 Computer programs this capability to surreptitiously broadcast information otherthanwhatis on the screen. These emissions displayed are so powerful thatone of the them that Microsoft have its lidocumented academicswho first suggested function of its licenseserialnumber. "radiate a one-way censedprograms tellwhether twomachines weresimultaneously This would let an observer more."159 running thesamecopyof Word, butnothing Microsoft, however, in a copyprotection was notinterested schemethatwouldhave apparently required itto employ a fleet ofpiracy detection monitors cruising theworld's or hallways. Users can protect the crudest highways against typesof this distance monitoring by employing "Tempest fonts."Thesespecialfonts will protect theuser'sprivacy by displaying to anyeavesdropper a textdifferent from theone actually displayed on theusers'screen.'60 c. Seeingthrough clothes. Passive millimeter wave imagingreads the electromagnetic radiation emitted by an object.'6' Muchlikean X-ray, thistechnology can specifically theradiation identify spectrum of mostobjectscarried on theperson, even thosein pockets, under clothes, or in containers.162 It thusallowstheuserto see through clothes, and conduct a "remote frisk" forconcealedweapons,'63 or other contraband.164 Imagers are availableas handheld scanners, visible gateway scanners, orin hidden surveillance models.l65
"Castle ": Warrantless Thermal Surveillance Residences ofPrivate andthe Fourth 90 Amendment, Nw. U. L. REV.267,282-87 (1995). 158. See Marcus J.Kuhn & RossAnderson, Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations <http://www.cl.cam.ac.uk/-mgk25/ih98-tempest.pdf>. 159. Email from Ross Anderson to ukcrypto list (Feb. 8, 1998) (availableat mailing <http://www.jya.com/soft-tempest.htm>). 160. Tempest-resistant fonts designed by Ross Anderson are available at <http://www.cl.cam.ac.uk/-mgk25/st-fonts.zip>. 161. See generally Alyson L. Rosenberg, PassiveMillimeter Wave A New Weapon Imaging: in theFight Against or a Fourth Crime Amendment Violation?, 9 ALB. L.J.SCI. & TECH.135 (1998). 162. See Millivision, Security Applications <http://www.millivision.com/security.html>; MerrikD. Bernstein, "Intimate Details":A Troubling NewFourth Amendment Standard for Government Surveillance Techniques, 46 DUKEL.J.575,600-04(1996) (noting that although Millivision cansee through clothes itdoesnot reveal anatomical details ofpersons scanned). 163. See Millivision, Concealed Weapon Detection <http://www.millivision.com/cwd.html>. 164. See Millivison, Contraband Detection<http://www.millivision.com/contband.html> ("As an imaging system, millimeter wave sensors cannot determine chemical composition, but whencombined withadvanced imaging software, they can provide valuable shapeand location information, helping todistinguish contraband from permitted items."). 165. See id.(containing links tovarious models).
1500
STANFORD LAWREVIEW
[Vol.52:1461
A similar whichis not passive,uses low levels of X-raysto product, screen for individuals concealed andother contraband. weapons, drugs, The makersof "BodySearch" boast thattwo foreign government agenciesare usingit forbothdetection and head-of-state and that a state security, prison is usingit as a substitute forstrip searching prisoners.The UnitedStates customs service is usingit as an alternative to pat-down searches at JFKairport,prompting fromthe ACLU. According complaints to the ACLU, "BodySearch" provides a picture of theoutline of a human body,including genitals:"If there is evera place wherea person has a reasonable expectationofprivacy, it is under their The samplephotoprovided clothing."166 by BodySearch makersAmerican Science and Engineering, Inc. is fairly revealing.167 Stillnewerdevicessuchas a radarskinscanner can distinguish all anatomicalfeatures over one millimeter, makingit possible to "see through a person'sclothing withsuch accuracy thatit can scan someone on the street standing and detectthe diameter of a woman's nipples,or whether a manhasbeencircumcised."168 d. Seeingeverything: smart dust. Perhapsthe ultimate privacyinvasionwould be ubiquitous miniature sensorsfloating aroundin theair. Amazingly, someoneis trying to build them: The goal of the"smart dust"project is "to demonstrate thata completesensor/communication system can be integrated intoa cubicmillimeter package"capableofcarrying anyone ofa number ofsensors.Whilethecurrent prototype is sevenmillimeters long (and does notworkproperly), the engineers hopeto meet their one cubicmillimeter goal by2001. At that size, the"motes" wouldfloat on thebreeze, and couldworkcontinuously fortwo weeks,or intermittently forup to two years. A milliondustmoteswould havea total volume ofonlyone liter.169
166. Deepti Hajela, AirportX-Ray Device Spurs Concerns, AP ONLINE, Dec. 29, 1999 (quotingtestimony of ACLU legislative counselGregory T. Nojeim). 167. See <http://216.149.33.140/images/pic_bodyO2lgjpg> (showingsample BodySearchimage in whichcontours of body are discernable);see also SchNews May 1997, Public EnemyNo. One <http://www.gifford.co.uk/i-contact/graphics/bodysearchjpg> (reportingthat privacy campaignersdubbed invention "PubeMaster2000"). U.S. CustomsPublic Affairs Officer Mike Fleming admitted thattheBodySearchproducesquitegraphic imagesand does detailgenitalia, butnoted the image is moreof a photographic negativethana positive. U.S. Custom's scans are done in a privateboothaway from prying eyes, he said, and preformed by same-gender agents. See Sharon Gerrie, X-Rated X-Rays May Bypass Las Vegas, LAS VEGAS Bus. PRESS (Jan. 24, 2000) <http://206.27.171 /news/stories/000 1241On.html>. 168. Judy Jones, Look Ahead to the Year 2000: Electronic ArmOf The Law Is Getting More High-Tech, COuRIER-J. (Louisville,KY), Oct. 19, 1999,available in 1999WL 5671879. 169. See KRIS PISTER, JOE KAHN, BERNHARDBOSER & STEVE MORRIS, SMART DUST: AUTONOMOUS SENSINGAND COMMUNICATION IN A CUBIC MILLIMETER<http://robotics.eecs. berkeley.edu/-pister/SmartDust/>.
May2000]
THEDEATHOF PRIVACY?
1501
funded Although theproject bythePentagon, foresee a large managers number ofpotential civilian as wellas military ifthey areableto applications perfect their miniature sensor the less incredible platform. Among possibilitiesthey are:battlefield suggest surveillance, treaty monitoring, transportation scud monitoring, hunting, inventory control, product quality monitoring, andsmart office spaces.They that the admit, however, have technology may a "dark side"for personal privacy.170
II. RESPONDING TO PRIVACY-DESTROYING TECHNOLOGIES
Theprospect of"smart ofcameras dust," toosmall toseewith the naked eye,evokes DavidBrin's andNeal Stephenson's vision ofa world without privacy.17l As the previous discussion demonstrates, even however, without ubiquitous microcameras, governments andothers aredeploying a widevariofprivacy-destroying ety These technologies. developments raise the immediate question ofthe appropriate andsocial legal response. Onepossibility is tojust"get over it"andaccept realities. emerging Before adopting this counsel ofdefeat, however, itseems prudent toexplore the extent towhich the lawoffers strategies for resistance todata collection. The next ofthis part article thus offers a survey ofvarious proposals for a legal response tothe problem ofubiquitous personal datacollection. Because any reform legal designed toprotect informational privacy arises inthe context of existing law,thediscussion begins by outlining someof themajorconstraints that must shape any practicable response toprivacy-destroying technologies.
A. TheConstraints
An effective response toprivacy-destroying technologies, in theUnited States atleast, is constrained bythree factors: first, market failure caused by myopic, imperfectly informed consumers; second, a clear, correct vision of the First Amendment; andthird, fear.
1. Theeconomics ofprivacy myopia.
Under current ideasofproperty ininformation, consumers areina poor legalposition to complain about thesale ofdataconcerning themselves.172
170. Seeid. 171. See BRIN, supra note 1; NEAL STEPHENSON, THE DIAMOND AGE (1995) (imagining a future in which nanotechnology is so pervasivethatbuildingsmustfilter air in orderto exclude nanotechnology spies and attackers). 172. For an extreme example,see Moore v. Regentsof California, 793 P.2d 479, 488-97 (Cal. 1990) (holdingthata patienthad no cause of action,underproperty law, againsthis physicianor others who used thepatient'scells formedicalresearch without his permission).
1502
STANFORDLAWREVIEW
[Vol.52:1461
nomics.
they willselltheir data toooften andtoocheaply. Modest assumptions about consumer privacy myopia suggest that evenAmericans whoplace a high valueon information privacy willselltheir privacy bitbybitforfrequent flyer miles. Explaining this a brief requires detour into stylized microeco-
ality.Thisis unrealistic due becauseconsumers suffer from privacy myopia:
The original alienation of personal datamayhaveoccurred with theconsumer's orexplicit acquiescence consent. economic transaction hasat Every least two inmost parties; thefacts ofthe transaction cases, to belong equally both.173 As evidenced existence ofthe direct mailindustry, both bythe sides toa transaction arefree to selldetails about the transaction toany generally interested third party. There areexceptions tothe default rule ofjoint andseveral of ownership thefacts ofa transaction, butthey arerelatively minor. Sometimes thelaw creates a special ofconfidentiality duty oneofthe tosilence. binding parties Examples include duties fiduciary anda lawyer's tokeep a client's duty con174 Overall, fidence. the number oftransactions inwhich is the confidentiality legaldefault is relatively small tothe compared total number oftransactions inthe United States. Intheory, the parties toa transaction canalways contract for confidenti-
Assume that a representative consumer engages in a largenumber of transactions. Assume further that the basicconsumer-related details ofthese transactions-consumer identity, item purchased, costof item, place and time of sale-are of roughly equivalent valueacross transactions forany consumer andbetween consumers, andthat themarginal valueof thedata produced byeachtransaction is lowon itsown. In other words, assume we arelimiting thediscussion toordinary consumer transactions, notextraordinary private ones,suchas thepurchase ofanticancer drugs.Now assume that aggregation addsvalue: Oncea consumer profile reaches a given size, theaggregate valueofthat consumer profile is greater than thesumofthe valueofthe individual data.Most heroically, assume that oncesome threshold hasbeenreached thevalueofadditional datato a potential profiler remains linear and does notdecline. Finally, assume that databrokers or profile compilers areabletobuy consumer datafrom merchants atlowtransactions costs, because the parties arerepeat players whoengage innumerous transactions involving substantial amounts ofdata.Consumers, however, are unaware ofthe value oftheir aggregated data toa profile compiler. With one
173. See Spiros Simitis, From theMarketto thePolis: The EU Directiveon theProtection of Personal Data, 80 IOWAL. REV. 445, 446 (1995) (notingthe traditional view, now retreating in Europe,that"data ... wereperfectly normalgoods and thushad to be treated in exactlythe same way as all other products and services."). 174. See ABA MODEL CODE OF PROFESSIONAL RESPONSIBILITY Cannon 4 (1999); ABA
MODEL RULES OF PROFESSIONAL CONDUCT Rule 1.6. (1999).
May2000]
THEDEATHOF PRIVACY?
1503
possibleexception, the assumption thatthe value of consumer data never declines, theseall seemtobe very tameassumptions. In an ordinary a consumer willvalue a datum at itsmarginal transaction, value in terms of lostprivacy.In contrast, a merchant, who is sellingitto a will value it at or nearits averagevalue as partof a profile. Beprofiler, to ourassumptions, theaveragevalue of a singledatum cause,according is greater thanthemarginal value of thatdatum adds (remember, aggregation willalwaysbe willing value),a consumer to sell dataat a pricea merchant is willing topay. The ultimate effect ofconsumer privacy myopia depends upona number of things.First, it depends on theintrusiveness of theprofile.If theprofile creates a privacy intrusion that is noticeably thandisclosing greater an occasionalindividual fact-thatis, ifaggregation notonlyadds valuebutaggravation-thenprivacy is indeeda problem.I suspect myopia that thisis, in thecase and thatmanypeople sharemy intuition. fact, It is considerably moreintrusive to find strangers aboutme,be they making assumptions true or painfully thanit is to have mynameand address false, in a dataresiding base restricted to thefirms from whichI buy. On theother hand,ifpeople who objectto beingprofiled are unusual, and aggregation does not cause harmto mostpeople's privacy, themainconsequence of privacy myopiais greatly reduced.Forsome,it is onlydistributional. Consumers whoplace a low value on theirinformation privacy-people forwhom theiraverage valuation is less than theaverage valuation ofa profiler-would have agreed to sell their privacy even if they wereawareof thelong-run consequences. The onlyharm to them is that they havenotextracted thehighest pricepossible. Butconsumers whoplace a highvalueon information privacy willbe moreseriously harmed bytheir information myopia.Had they beenawareof theaverage valueofeachdatum, they might havepreferred notto sell. ifthemarginal Unfortunately, value175 to theconsumer of a givendatum is small,thenthevalue of notdisclosing thatdatum will in mostcases be lowerthaneither thecostof negotiating a confidentiality clause (if that optioneven exists), or thecost of forgoing theentire transaction.176 Thus,in theordinary case,absent anything terribly revealing aboutthedatum, privacy clausesareunlikely to appearin standard form contracts, andconsumers will acceptthis.177 Furthermore, changing thelaw to makeconsumers thedefault ownersof information abouttheir economic activity is unlikely to produce
175. Oreventhe average valuetoa well-informed consumer.
"businesses haveboth theincentive andtheability toincrease consumers' transaction costsinprotecting their andthat privacy somemarketers do infact inflate those costs."). 177. See Richard S. Murphy, Property Rightsin Personal Information: An EconomicDefense ofPrivacy,84 GEO. L.J.2381,2413(1996).
176. See Joel R. Reidenberg, Setting Standards for Fair Information Practice in the U.S. Private Sector, 80 IOWA L. REV.497, 519-23(1995); Sovern, supra note22, at 1033(arguing that
1504
LAWREVIEW STANFORD
[Vol.52:1461
largenumbers of confidentiality clauses in theagora. In mostcases, all it will do is move some of theconsumer from information surplus to buyers information producers orsellers as thestandard contracts forms add a term in whichtheconsumer to theinformation in exchange conveys rights fora frequentflyer mileortwo. In short, ifconsumers areplausibly aboutthevalueofa datummyopic focusing on itsmarginal valuerather than itsaverage value,whichis difficult to measure-butprofilers are notand thedata are morevaluablein aggregate,thentherewill be substantial of personaldata even over-disclosure whenconsumers careabouttheir informational privacy. If thisstylized is evensomewhat story ithas unfortunate accurate, implicationsformanyproposalsto changethe default rulesregarding property of personaldata in ordinary ownership The sale will tendto transactions. happeneveniftheconsumer has a sole entitlement to thedata. It also suggeststhatEuropean-style data protection rulesshouldhave onlya limited forhighly effectiveness, primarily sensitive personaldata. The European Union'sdataprotection directive allowspersonal datato be collected forreuse andresaleifthedatasubject agrees;'78 theprivacy myopia story suggests that will ordinarily customers agreeexcept whendisclosing particularly sensitive facts personal with a highmarginal value. On theother hand,theprivacy myopia story severalquestions suggests forfurther research. Forexample, themyopia story suggests that we needto knowhowdifficult itis to measure thevalueofprivacy and,once that value has beencalculated, howdifficult it is to educate consumers to value dataat itsaverage rather than marginal value. Can information provide a corrective lense?179 Or,perhaps consumers already havetheability to valuetheprivacy in smallamounts interest ofdataifthey consider thelongterm consequences ofdisclosure. Consumers sometimes havean interest in disclosure of information. For example, proof of credit-worthiness tends to improve theterms uponwhich lenders offer credit.The myopia story assumesthisfeature away. It would be interesting to try to measure therelative importance ofprivacy anddisclosureas intermediate and final goods. If theintermediate good aspectof informational privacy and disclosure substantially outweighed their final good aspect,the focuson blocking disclosure advocated in thisarticle might be misguided.European data-protection rules, whichfocuson requiring trans178. See Viktor Mayer-Schonberger, Generational Development of Data Protection in Europe, in TECHNOLOGY AND PRIVACY: THE NEW LANDSCAPE 219,232 (Philip E. Agre& Marc
Rotenberg eds.,1997). 179. For an innovative, ifslightly cute, attempt to teachchildren aboutprivacy, see Media Awareness Network, Privacy Playground. The First Adventures of the Three Little CyberPigs <http://www.media-awareness.ca/eng/cpigs/cpigs.htm>.
May2000]
THEDEATHOF PRIVACY?
1505
parency thefuture be thebeststratregarding uses of gathered data,might egy. It wouldalso be useful of data to knowmuchmoreabouttheeconomics In particular, profiling. itwouldbe helpful to knowhowmuchdatait takes to makea profile valuable-at whatpoint does thewholeexceedthesumof thedataparts? Additionally, itwouldbe important to knowwhether profilers regularly suffer from dataoverload, and to whatextent there are diminishing returns to scale fora singlesubject'spersonal data. Furthermore, it couldbe useful toknowwhether there be increasing to scale as returns might thenumber ofconsumers profiled increases.Ifthere areincreasing returns to scale overanyrelevant of part thecurve, themarginal consumer wouldbe worth extra. It might follow that in an efficient market, profilers wouldbe to paymorefordataaboutthepeoplewhoaremostconcerned willing about informational privacy. Therehas alreadybeen considerable workon privacy-enhancing technologiesforelectronic transactions.180 Thereseemsto be a need formore research, however, to determine which types oftransactions arebestsuited to usingtechnologies such as information intermediaries. The hardest work, will involvefinding waysto applyprivacy-enhancing technologies to those transactions are that notnaturally suited tothem. Perhaps themostpromising avenueis to designcontracts and technologies thatundercut theassumptions in themyopiastory. For example, one seek to lowerthetransaction might costsof modifying standard form conor of specifying tracts, restrictions on reuseof disclosed data. The lowerthe costofcontracting for privacy, thegreater thechancethat sucha costwillbe less thanthemarginal value of thedata(notethat merely lowering it below averagecost failsto solve theunderlying problem, because sales will still in that happen pricerange). If technologies, suchas p3p,181 reducethemarginaltransactions costsinvolved innegotiating thereleaseofpersonal datato nearzero,evenprivacy willbe able to express myopics their privacy preferencesintheP3P-compliant ofthemarketplace. part
sum_pap/papers/anon-e.htm>. 181. P3P is thePlatform for Preferences a setofstandards, Privacy Project, architecture, and grammar toallowcomplying machines tomake for requests personal dataandhavethem answered subject topredetermined setbya datasubject. privacy preferences See Joseph M. Reagle, P3P Jr., andPrivacy ontheWeb FAQ <http://www.w3.org/P3P/P3FAQ.html> ("P3P [allows] [w]ebsites to express their andenable privacy practices users to exercise overthose preferences practices. P3P products willallowusersto be informed of sitepractices (in bothmachine and human readable to delegate formats), to their decisions when computer andallowusersto tailor appropriate, their tospecific relationship sites.").
180. See, e.g., INFORMATION AND PRIVACY COMM'R/ONTARIO, CANADA & REGISTRATIEKAMER [DutchData Protection THE NETHERLANDS, 1 PRIVACY-ENHANCING Authority], TECHNOLOGIES: THE PATH TO ANONYMITY(1995) <http://www.ipc.on.ca/web_site.ups/matters/
1506
LAWREVIEW STANFORD
[Vol.52:1461
2. First Amendment. The FirstAmendment affects potential rules in at privacy-enhancing leastthree ways: (1) mostprohibitions on private in public data-gathering (i.e. surveillance) riskviolating theFirst Amendment mostgov(conversely, ernment in publicappearsto be unconstrained surveillance by the Fourth Amendment)182; (2) theFirst Amendment limits on theextent mayimpose to whichlegislatures may restrict the collection and sale of personaldata in connection with commercial and (3) theFirst transactions; Amendment right to freedom of association imposessome limits on the extent to whichthe government mayobserveand profile if onlyby creating citizens, a right to insomecases.'83 anonymity One of thearguments advanced moststrenuously in favor of theproposition that theprivacy battle is nowlosttoubiquitous surveillance is that "information wantsto be free," and that once collected, datacannot in practice be controlled. themostabsolutist Although versions ofthisargument tend to invokedata havensor distributed databasetechnology, the argument also drawssome force from theFirst a little Amendment-although less perhaps than itusedto. a. TheFirst Amendment inpublic places. Perhaps thecritical question shaping thelegalandsocialresponse to new surveillance is theextent technology to whichthegovernment can limit the initial collection ofpersonal datainpublic. Once information is collected, it is hardto control, andalmost impossible to eraseonce itgetsintodistributed databases. Legal rulesprohibiting datacollection in publicare nottheonly possibleresponse; defenses against collection might also includeeducating peopleas totheconsequences ofdisclosure ordeploying countertechnologies suchas scramblers, detectors, ormasks.184Unlikea legal solution, however, mosttechnological responses involve shifting coststo thedatasubject. The costofcompliance with lawsrestricting datacollection is likely to fallon the at leastinitially. observer, The difficulty is writing rulesthat are consistent with both theFirst Amendment andbasicpoliciesoffreedom. Professor Jerry Kang recently proposed and defended a statute limiting thecollection of personal information in cyberspace.As seen from thedis182. "[I]fpolicearelawfully ina position from which they viewan object, ifitsincriminating character is immediately apparent, andiftheofficers havea lawful ofaccessto theobject, right they mayseizeitwithout a warrant." Minnesota v. Dickerson, 508 U.S. 366,375 (1993);see also Michigan v. Long, 463 U.S. 1032,1049-50 (1983). 184. On masks, however, see text accompanying notes301-303infra (discussing antimask lawsinseveral states).
THE INFORMATION SOCIETY 113 (1999).
183. See generallyA. Michael Froomkin, Legal Issues in Anonymity and Pseudonymity, 15
May2000]
THEDEATHOF PRIVACY?
1507
cussioninpart I, there is no doubt that thecollection ofpersonal information and that in cyberspace a serious to information is already threat this privacy, will continue to growby leaps and bounds. Professor threat Kang's statute if it wereadopted. wouldbe a valuablecontribution to information privacy is stillonlya But even if its economicimportance is growing, cyberspace thata greatdeal of the smallpartof mostdailylives. PartI demonstrates to information in "meatspace" threat is rooted privacy firmly (thepartof life that is notcyberspace).The problem moregeneral. Indeed, is considerably and meatspace sincethedata drawn cyberspace privacy are related, privacy from bothwill be matched in databases. The Kang proposal, alreadyunlikely to be adopted a wouldneedto be radically by legislature, generalized to meatspace could thestatus just to protect quo ante. Even if a legislature be persuaded to adoptsucha radically it is notat all pro-privacy initiative, clearthat suchan ambitious in publicplaces to create attempt privacy rights wouldbe constitutional. The corequestion is whether a legislature could constitutionally change the default rules,whichhold thatwhatis visibleis public,in orderto increaseinformational privacy.Current doctrine does notmakecleartheextentto whichCongressmay seek to preserve, or even expand,zones of in privacy publicplaces(or informational to transactions) privacy relating by it an offense to use a particular making to view or record technology others. This maybe because attempts to expandthezone of privacy in theUnited Statesby legislation are stillrelatively rare. Prohibiting theuse of technologies thatare not already commonplace prevents thepublicfrom becoming and itensures a reasonable desensitized, ofbeingable to walkin expectation public without being scannedby them. Similarly, prohibiting the use of commonplace also createsa (legally)reasonableexpectation technologies thatothers will followthelaw; and that restricted technologies will not be used. At someundefined point, perhaps quitecloseto itsinception, anysuch willbeginto intrude on coreFirst attempt Amendment values. In peacetime, theFirst Amendment allows onlythelightest restrictions upontheordinary of information gathering in publicplaces (or uponrepeatingof suchinformation).185 Other than cases protecting bodilyintegrity, the constitutional to privacy right is anemic, especially whencompared to the First Amendment's protection of therights to gather and disseminate information.This is notnecessarily a bad thing, becausemostrulesdesigned to protect privacy in publicplaces wouldprobably have a substantial harmful effect uponnewsgathering andpublicdebate. Nevertheless, there are a few areaswhere light privacy-enhancing regulation might notimpinge uponcore First Amendment values. Thereare also areaswherelaws that actively hinderprivacy be reformed. might
185. See note 191 infra.
1508
STANFORD LAWREVIEW
[Vol.52:1461
status of a regulation of data collection has implicaThe constitutional theregulation of itssubsequent uses. If it wereunconstitutional to tionsfor to thenit wouldbe difficult imposea restriction upontheinitial collection, usersof the on downstream limitations imposeconstitutionally acceptable theconstitutional is notthedataproprietor, data. Whenthegovernment justification fora rulelimiting, forexample, thedissemination of mall camera will be closelytied,and sometimes photosor thesale of consumer profiles, in thefirst thedatacollection for to thejustification identical, banning place. could be imposedconstitutionally, collection If restrictions upon theinitial conditions that runwiththedata are easy to forimposing then justifications rules see. If,on theother hand,thedatawerelawfully acquired, justifying evenused by theinitial colit from that prevent beingshared (or,perhaps, ifone can categorize thedissemination of thedata lector) is farless onerous in commerce thanas a publication as theshipment of a data-good rather or other speechact. The recent andunanimous inRenov. Condon186 Supreme Court decision that theact of transmitting could be readto suggest personal data forcommercial is something less thaneven commercial purposes speech. In ContheDriver's Protection Act ("DPPA") against don,theCourt upheld Privacy claimsasserted In so doing, under theTenth andEleventh Amendments. the that Courtagreedwiththepetitioner information that "personal, identifying in interstate theDPPA regulates is a 'thin[g] andthat commerce,' thesale or releaseof that information in interstate commerce is therefore a proper subunder ject of congressional regulation" Congress'sCommerce Clause powers.187The circumstances andposture of Condonsuggest, however, that this reading, whichwould be a radicalbreakwithexisting FirstAmendment principles, is not justified. inpublic. The FirstAmendment Gathering information protects the freedom of speechand ofthepress, butdoes notexplicitly mention theright to gatherinformation. However,boththe SupremeCourtand appellate courts have interpreted theFirst Amendment to encompass a right to gather information.188 Theright is notunlimited. Itdoes not,for example, create an affirmative on thegovernment duty tomakeinformation available.189
186. 120 S. Ct. 666, 668 (2000) (upholding Driver's Privacy Protection Act of 1994, 18 U.S.C. ?? 2721-25 (1994 & Supp.III), against itviolated claimthat federalism principles ofConstitution). 187. Id. at671 (quoting United States v. Lopez,514U.S. 549,558-59 (1995)). 188. In Kleindienst v. Mandel, 408 U.S. 753,765-70(1972),theCourt acknowledged a First Amendment right to receive information, butsaid that theright must bow to Congress' plenary powerto exclude aliens. See also Lamont v. Postmaster 381 U.S. 301, 305-07(1965) General, (invalidating a statutory requirement that foreign of"communist mailings political propaganda" be delivered onlyuponrequest v. Cityof Struthers, bytheaddressee); Martin 319 U.S. 141,146-49 (1943) (invalidating a municipal ordinance forbidding door-to-door distribution of handbills as of therecipients' violative First Amendment rights); TheRights of thePublicand thePress to
May2000]
THEDEATHOF PRIVACY?
1509
ifa person As a general shecan write can see itinpublic, aboutit matter, and talkaboutit. It does notinevitably followthat because she mayshare her natural sense impressions, or her written she may also recollections, photograph it or videotape eventsand thenpublishmechanically recorded imagesand sounds. Most courtsthathave examined the issue, however, haveheldthat shemaydo so, subject onlyto very limitations slight imposed torts.190 byprivacy haveconsistently "[C]ourts refused to consider thetaking of a photograph as an invasion of privacy whereit occursin a publicfora [sic]."191 foran invasion "Thus,in order ofprivacy to occur,'[t]heinvasion or intrusion must be ofsomething which thegeneral publicwouldnotbe free to view."'192 Perhaps it might be constitutional to prohibit theuse of devicesthat see through clothes on thetheory that there is a limited First Amendment exceptionallowingbans on outrageous assaultsupon personal modesty.On the otherhand,the government's use of passive wave imaging,which see through clothes, suggests that theexecutive branch believeseither that there is no constitutional problem, or that theproblem can be solvedby offering subjects thealternative ofan (equallyintrusive?) patdown search.'93 Or,perhaps, the government's abilityto ban intrusive monitoring sweeps more broadly.The correct doctrinal answer is unclear becausethere havebeenno privacy-enhancing statutes seekingto block systematic data collectionin
Gather Information, 87 HARV. L. REV.1505,1506(1974) ("[W]hen thepublic has a right to receiveinformation, itwould seemtohavea [Flirst [Almendment toacquire that right information."). 189. See Los Angeles PoliceDep'tv. United Reporting Publ'gCorp., 120S. Ct.483,489-90 (1999);Zemelv. Rusk, 381U.S. 1, 16-17 (1965). 190. See generally E. Hassaman, Phillip Annotation, Taking Unauthorized as Photographs Invasion ofPrivacy, 86 A.L.R.3d374 (1978). The classiccase is Daily Times Democrat v. Graham,162So. 2d 474,478 (Ala. 1964),reflected in theRestatement (Second)ofTorts: "Evenina public place, there however, be somematters may about the suchas hisunderwear plaintiff, orlack ofit,that arenotexhibited tothe public gaze;andthere maystill be invasion ofprivacy when there is intrusion uponthese matters." RESTATEMENT (SECOND) OF TORTS? 652Bcmt. C (1977). 191. United States v. Vazquez, 31 F. Supp.2d 85,90 (D. Conn.1998)(finding no invasion of privacy where plaintiffs were photographed ona city sidewalk inplain viewofthe public eye);see also Jackson v. Playboy 574F. Supp.10,13 (S.D. Ohio 1983);Fogelv. Forbes, Enter., Inc.,500 F. Supp.1081,1087(E.D. Pa. 1980)(noinvasion ofprivacy when photographing plaintiff at"a public place or a place otherwise opento thepublic"); PeoplefortheEthical Treatment of Animals v. Bobby Berosini, Ltd.,895 P.2d 1269,1281(Nev. 1995)(no invasion ofprivacy filming backstage before liveperformance); Cox v. Hatch, 761 P.2d 556,564 (Utah1988)(no invasion ofprivacy when "inan openplaceandina common photographing workplace where there werea number of other people");Jaubert v. Crowley Post-Signal, Inc.,375 So. 2d 1386(La. 1979)(holding that the First Amendment theright protects to takeandpublish photos of a housefrom a publicstreet); Mark v. KING Broad. Co.,618 P.2d512,519(Wash.Ct.App.1980), aff'd subnom. Mark v. SeattleTimes, 635 P.2d 1081(Wash.1981)(no invasion ofprivacy when filming interior ofpharmacy from the exterior ofthe building). 192. Vazquez, 31 F. Supp.2d at90 (quoting Mark, 618P.2dat519). 193. TheUnited States Customs offers travelers theoption ofchoosing a patdown search inofthe stead X-ray, that arguing somemight find theimaging tobe lessintrusive. See Hajela,supra note166.
1510
STANFORD LAWREVIEW
[Vol.52:1461
theanswer publicplaces. Ultimately, onjusthowoutrageous mayturn hightechsurveillance becomes. Meanwhile, one mustlook to privacy however, Amendment was raisedas a defense tort cases in whichtheFirst in order to Amendment as to thepossiblesweepof theFirst getan indication in public viewcases. Tort-based to addresstheuse of privacy-destroying attempts technologies in publicplaces tendto focuseither thetypeof informaon thetarget, tion,or whether a personmight reasonably expectnotto be examined by sucha technology. seekto define Unlessthey dataas theproperty personal of thedata subject, that focuson thetargeted individual tendto approaches ask whether there is something or secluded abouttheplace in which private theperson was locatedthat create a reasonable ofprivacy. might expectation If there was not,theviewingis usuallylawful, and theprivacy tort claim failseither becauseoftheFirst Amendment orbecausethecourt the saysthat is nota tort.Cases that viewing focuson thistype of information areusually limited to outrageous factsituations, such looking underclothes.194 Cases thatfocuson reasonable expectations are themostlikelyto findthatnew can giveriseto a privacy technologies buttheseexpectations tort, arenotoriouslyunstable:The morewidely a technology is deployed andused,theless reasonable theexpectation notto be subjected to it. Thus,forexample, absentstatutory courts wouldbe unlikely change, to find a reasonable expectationof notbeingphotographed in public,although it does not necessarily follow that one has no reasonable objection tobeingon camera all thetime. General of newtechnologies regulation suchas thermal or pasimaging sive wave imaging seemsunproblematic on FirstAmendment grounds so long as theregulation wereto applyto all uses. The legislature can ban a that technology to be useful happens for newsgathering ifitdoes so through a law of generalapplication, and theban is reasonably tailored to achieve some legitimate objective. Privacy is surely such an objective. Thereare limits:It is doubtful, forexample, that a ban on pensandpencilsostensibly to prevent designed in publicwouldsurvive note-taking verylong. On the other hand,it might well be constitutional to prohibit using,or even possessing,some devicesthatenhance natural sensory perceptions on privacy grounds.195 Indeed,federal regulations already criminalize thesale of various types ofspygear.'96
194. See note191supra. 195. Cf Andrew Jay McClurg, Bringing Privacy Law outoftheCloset: A Tort Theory ofLiability forIntrusions inPublic Places,73 N.C. L. REV. 989,1063(1995)(making a similar distinctionin connection witha privacy tort and proposing that "mostsituations involving actionable public intrusions would involve thedefendant using someform oftechnological device (e.g.,video camcorder, single-frame audiorecording camera, device, binoculars, telescope, night vision scope) toviewand/or record the plaintiff'). 196. See 18 U.S.C. ? 2512(1)(a)-(b) (1986) (prohibiting mailing, manufacturing, assembling, orselling possessing, of"anyelectronic, orother mechanical, device, orhaving knowing reason to
May2000]
THEDEATHOF PRIVACY?
1511
to apply to use orpossession in Whether thebancouldbe crafted only the thiscutsmore public placesis more dubious, because closely against in court First Amendment. Pragmatically, theresults maydepend uponthe It is inconceivable, for that a banon currency ofthetechnology. example, inpublic with capturing all photographic images could possibly be squared the First more than could a banoncarrying a notebook and Amendment, any a pencil.Photography andtelevision havebecome so much a part ofordinary life, as wellas newsgathering andreporting, that sucha banwould surely be heldtoviolate thefreedom ofthepress andofspeech, no matter howweighty thepublic in privacy.197 interest Possibly, however, a more limited banmight be crafted to allownewsgathering, butnottwenty-fourhour surveillance. Sucha rule might, for example, limit thenumber ofimagesofa particular placeperhour, day,orweek, although lineswould inbe difficult evitably to draw.'98 A more practical rule, perhaps easierto enforce, would distinguish among various technologies.
know that thedesign ofsuchdevice itprimarily renders useful for thepurpose ofthesurreptitious interception of wire, oral,or electronic so longas there is a connection communications," with interstate The section commerce). also bansadvertising suchdevices unlessfor official use only. See id.? 2512(c). 197. Cf Forster v. Manchester, 189A.2d 147,150 (Pa. 1963)(rejecting an invasion ofprivacyclaimbecause"all ofthesurveillances took placeintheopenon public where thoroughfares appellant's activities couldbe observed To this bypassers-by. extent hasexposed herself appellant to publicobservation andtherefore is notentitled to thesamedegree of privacy that she would enjoy within theconfines ofherownhome"); v. Graham, 162So. 2d 474, DailyTimesDemocrat 478 (Ala. 1964)(relying onFoster v.Manchester for the that itis not"suchan invasion proposition totake hisphotograph insuch a place, this since tonothing amounts more than a record, not making differing from a full essentially written ofa public description which sight anyone would present be free tosee"). 198. Theconstitutionality oflimits on datagathering inpublic placesmaybe tested byantipaparazzi statutes. Thestatute inCalifornia recently adopted howsucha lawmight suggests look, theCalifornia although statute avoids artfully theinteresting constitutional issues.Thekeyparts of the statute state: b) A person is liable for constructive invasion ofprivacy when the defendant attempts tocapina manner that ture, is offensive toa reasonable person, any type ofvisual image, sound reorother cording, physical ofthe impression plaintiff ina personal engaging orfamilial activity under inwhich circumstances the hada reasonable plaintiff expectation ofprivacy, through the useofa visual orauditory enhancing device, regardless ofwhether there is a physical trespass, ifthis image, sound or other recording, physical impression couldnothavebeenachieved a trespass without unless the visual orauditory enhancing device wasused. (e) Sale,transmission, publication, oruseofany broadcast, image orrecording ofthe type, or under the described inthis circumstances, section shall not itself constitute a violation ofthis nor shall this section, section be construed tolimit all other rights orremedies ofplaintiff in laworequity, but including, not limited to, the publication ofprivate facts. CAL. CIV.CODE ? 1708.8(b), (e) (West1999). By limiting theoffense to invasions offensive toa reasonable person, where there was already a reasonable expectation of privacy, and exempting thestatute republishers, avoidsthehard issues. See generally Privacy, Technology, and theCalifornia"Anti-paparazzi" 112HARV. Statute, L. REV.1367(1999); Andrew D. Morton, MuchAdo About Newsgathering: Personal Privacy, Law Enforcement, and theLaw of Unintended ConsequencesforAnti-paparazzi Legislation,147 U. PA. L. REV. 1435 (1999).
1512
STANFORD LAWREVIEW
[Vol.52:1461
accurate Disseminating Data collection becomesmuchless information. ifthere attractive are fewer thenumber ofbuyers buyers.One wayto reduce is to makeit illegalto buy,use, or revealtherespective data. Although the issue is notsettled, are good reasons there to believethat theFirstAmendment wouldforbid mostlegislation thedissemination or use of criminalizing accurate information.199 Whilegood forfreespeech,it makesany ban on datacollection muchmoredifficult to enforce.Conversely, if it is constitutionalto penalizedownstream uses of certain data,or evenretention or publication,then enforcement of a collectionban becomes easier, and the incentives toviolate theruledecrease. The case fortheconstitutionality of a ban on thedissemination of some forms of accurate collected personal datais notnegligible.It has longbeen assumedthatsufficiently great government interests allow thelegislature to criminalize thepublication of certain specialtypes of accurate information. Even priorrestraint, and subsequent criminal prosecution, might be a constitutionally acceptable reaction to thepublication of troopmovements, or other similar information that might aid an enemy, during armed conflict.200 In peacetime, copyright protections arejustified by a specific constitutional derogation from thegeneral principle of freedom of speech.201 Some highly regulated industries, such as the securities industry, heavilyrestrict the speech of individuals, such as financial advisorsor those with marketsensitive information, although the constitutionality of thoserulesis itself subject to somedoubtand debate.202 Generally, however, mosttruthful disin theabsenceofa specific closures contractual duty to keepsilent haveusuallybeenconsidered tobe constitutionally protected. The SupremeCourt'sdecisionsdo not give blanket FirstAmendment protection to thepublication of information acquiredlegally. Insteadthey have noted"[t]hetension between theright whichtheFirst Amendment accordsto a free press, on theone hand, andtheprotections which various statutes and common-law doctrines accord to personalprivacyagainstthe
199. "Regulations that suppress thetruth areno lesstroubling because they target objectively verifiable information." 44 Liquormart, Inc.v. RhodeIsland, 517 U.S. 484, 502 (1996); see also v. CoorsBrewing Rubin Co., 514 U.S. 476,491 (1995) (holding that law abridging brewer's right to provide accurate information to public about thealcoholic ofmalt content is unconbeverages stitutional). See also text accompanying notes 205-220 infra. 200. See Nearv. Minnesota ex rel.Olson, 283U.S. 697,716 (1931)("No onewould question butthat a government might prevent actual obstruction toitsrecruiting service orthepublication of the sailing dates oftransports orthe number andlocation oftroops."). 201. See U.S. CONST. art. I, ? 8,cl. 8. 202. See Taucher v. Born, 53 F. Supp.2d 464,482 (D.D.C. 1999)(upholding a First Amendment challenge to? 6M(1) oftheCommodity Exchange Act,7 U.S.C. ? 6m(1)(amended 1994), as applied to publishers of books, newsletters, Internet websites, instruction manuals, and computer software providing information, andadvice analysis, oncommodity futures trading, because speech may not be proscribed "basedsolely ona fear that someone may publish advice that is fraudulent or misleading").
May2000]
THEDEATHOFPRIVACY?
1513
of truthful publication on theother ...."203 thanin information, But,other cases involving or persons intellectual withspecialdutiesof property rights themodemCourthas struck down all peacetime confidentiality,204 restrictionson publishing it. The Court true information that havecomebefore has keptopen thetheoretical thata sufficiently possibility compelling government interest might justify thepublication oftrue statements. penalizing But, whenfacedwith whatmight to be fairly appear such compelling interests, as protecting theprivacy ofrapevictims, theCourt has found theprivacy interestsinsufficient to overcome theFirst Amendment.205 Thispattern suggests that a compelling interest wouldhavetobe weighty indeed to overcome First Amendment values,and thatmost,if not all, privacy claimswould failto meetthestandard. As theSupreme in Smith Court stated v. Daily Mail Publishing "stateaction to punish Company, thepublication of truthful information seldom can satisfy constitutional standards."206 "if a Furthennore, newspaper lawfully obtains truthful information abouta matter ofpublicsignificance thenstateofficials maynotconstitutionally punish publication of the information, absenta need to further a stateinterest of thehighest order."207
In Cox Broadcasting Corp.v. Cohn,theCourt considered a statestatute making it a "misdemeanor to publish or broadcast thenameor identity of a rapevictim."208The Courtheldthat, despite theveryprivate nature of the information, theFirst Amendment protected thebroadcasting of thenameof a deceased, seventeen-year-old rapevictim, becausethereporter obtained the information from openpublicrecords.Relying upon ? 867 of theRestatement of Torts by analogy, theCourt noted that "theinterests in privacy fade whentheinformation involved already appears on thepublicrecord."209 Then,in Landmark Communications, Inc. v. Virginia, theCourtstruck downa statestatute that criminalized thepublication of thenamesofjudges who were subjectto confidential judicial disciplinary proceedings.210 Although thenewspaper received theinformation from someonewho had no
203. Id. at 530. 204. E.g., Snepp v. United States,444 U.S. 507, 510-15 (1980) (holding thatgovernment could enforce secrecycontract withformer CIA agent);Cohen v. Cowles Media Co., 501 U.S. 663 (1991) (holdingthata confidential sourcecould recoverdamages forpublisher'sbreachof promise of confidentiality). 205. In DetroitEdison Co. v. NLRB, 440 U.S. 301 (1979), theCourtprotected informational privacyinterests in holdingthat theNationalLabor RelationsBoard could notcompel a companyto disclose resultsof psychologicaltestson individualemployeesto a union without the employees' consent. The Courtheld that, underfederallaborlaw, theemployees'right to privacyoutweighed theburden on theuniondespitetheunion's assertion thatitneededthedata. 206. 443 U.S. 97, 102 (1979). 208. 420 U.S. 469, 472 (1975). 209. Id. at 494-95. 210. 435 U.S. 829 (1978).
207. Id. at 103;quoted with approval inFlorida Star v. B.J.F., 491 U.S. 524,524(1989).
1514
STANFORDLAWREVIEW
[Vol.52:1461
barred theFirst Amendment heldthat right to discloseit,theSupreme Court information accurate criminal prosecution of a newspaper forpublishing thatthecase of publicconcern.The Courtnoted, abouta matter however, of confidentiality nordid it indid notinvolvea personwithan obligation with thepossibleapvolve stoleninformation: "We arenothereconcerned theinformation ofthestatute to one whosecures plicability by illegalmeans v. Daily Mail Publishing and thereafter divulgesit."21 I And,in Smith Co., a newspaper that theCourt said that theFirst Amendment protected lawfully and then thenamesof juvenileoffenders, interviewed witnesses, obtained leave of of a statestatute thosenamesin violation published requiring prior it left court to do So.212 Although theCourt struck downthestatute, openthe of trueand lawfully information that obtained possibility publication might than is present here."213 be prohibited "to further an interest moresubstantial in FloridaStarv. B.J.F.,theCourt heldthat theFirst Amendment Similarly, barred a newspaper that thenameofa rapevictim damages against published ithad lawfully that acquired.214 in Rubinv. CoorsBrewing Morerecently, Co., theCourtstruck downa statute from preventing brewers stating the alcohol content of beer,even though theCourtfound that theruleregulated commercial speechand thus was subjectto less exacting scrutiny thanregulations upon other typesof
speech.215
the SupremeCourthas "carefully Thus, although eschewedreaching th[e]ultimate question" ofwhether truthful publications ofnewscan everbe or eventhenarrower of"'whether truthful banned, question publications may everbe subjected to civilor criminal forinvading liability' 'an area of privacy,"'216its decisions suggest thatifthere is a category of truthful speech that can constitutionally be banned, itis smallindeed. The ruleremains that "stateactionto punishthepublication of truthful information seldomcan constitutional standards."2l7 satisfy The Supreme Court'sdecisionsleave open thepossibility that theFirst Amendment might applymorestrongly whenfactsare legallyacquired, as in the illegalactionsof another.Legallyacquired opposedto originating facts havethehighest protection: "[I]fa newspaper lawfully obtains truthful information abouta matter ofpublicsignificance then state officials maynot
211. Id. at837. 212. 443 U.S. 97 (1979). 213. Id. at 103.
fractured Courtoverturned Rhode Island's ban on truthful advertising of theretailpriceof alcoholic beverages. 216. Florida Star,491 U.S. at 532-33 (quotingCox Broad. Corp. v. Cohn, 420 U.S. 469, 491
215. 514 U.S. 476 (1995). In 44 Liquormart, Inc. v. Rhode Island,517 U.S. 484 (1996),a
214. 491 U.S. 524 (1989).
(1975)). 217. DailyMail,443 U.S. at 102.
May2000]
THEDEATHOF PRIVACY?
1515
of theinformation, absenta need to furconstitutionally punish publication of the order."218 Of the cases discussedabove, thera stateinterest highest involved a leakof information Communications onlyLandmark by someone witha legal duty to maintain itsconfidentiality. Thatcase couldbe readto forreporting Amendment dependupontheheightened First protection upon ofjudges. important publicissues,suchas thehonesty a ban on the as to whether Thus,theSupreme Court'scases areunclear thepresumably ofillegally information couldfallwithin publication acquired stanof truthful constitutional smallclass of regulations speechthatsatisfy oftruthful informadards. Whether itis everpossibleto banthepublication of the a "stateinterest tionis unclear becausetheCourthas neverdefined order"219 andbecauseithas never highest decidedwhether illegally acquired information is (1) contraband perse, (2) contraband so longas a reasonable recipient shouldhaveknown that itwas illegally acquired, or (3) notcontraband whenlaundered sufficiently, thusallowing publication under theprooftheFirst Which tections Amendment.220 ofthetheseis thelaw willhavea greatimpact uponanyattempt to regulate technologies of surveillance, and profiling technologies generally, because it affects how easilydata can be
laundered.221
A recentdivergence betweentwo circuits suggeststhatthe Supreme Courtmaybe askedto decidewhether truthful obtained information, legally can nonetheless be contraband by the ultimate recipient, because it was originally acquired illegally.The D.C. Circuit andtheThird Circuit recently reached opposite conclusions regarding thepotential liability of a third party of information receiver that was illegally acquired bya secondparty.In both cases theinformation was an illegally intercepted telephone conversation on of public interest; a matter in bothcases the information was ultimately
218. Id. at 103; see also Florida Star,491 U.S. at 532-33 (quotingDaily Mail, 443 U.S. at 103, withapproval). 219. Daily Mail, 443 U.S. at 103. 220. See Florida Star,491 U.S. at 534 n.8 (citations omitted): TheDaily Mail principle does notsettle theissuewhether, incases where information has been acquired unlawfully by a newspaper orbya source, government mayeverpunish notonlythe unlawful acquisition, buttheensuing publication as well. Thisissuewas raisedbutnotdefiniin New YorkTimes tively resolved Co. v. United andreserved in Landmark States, Communications.We haveno occasiontoaddress ithere. 221. Washington is notoriously leaky. Except fortherarepriorrestraint cases involving national security such as New YorkTimesv UnitedStates,403 U.S. 713 (1971) (the "Pentagonpapers" case), and UnitedStates v. Progressive, Inc., 467 F. Supp. 990 (W.D. Wis. 1979) (the Hbomb case), thegovernment's unbroken practiceis to either ignoreleaks, or, occasionally,to seek to imposeafter-the-fact criminal sanctions on theleakersbutnoton thepress. See L. A. Powe, Jr., Mass Communications and theFirstAmendment: An Overview, 55 LAW & CONTEMP.PROBS. 53, 57-58 (1992) ("It has been almosttwenty yearsand fiveadministrations since Branzburgv. Hayes held thatthereis no generalfirst amendment privilegeforreporters who wish to protect their confidentialsources. Yet therehas not been a single subpoena to tracean inside-the-Beltway leak of information ....") (citation omitted).
1516
LAWREVIEW STANFORD
[Vol.52:1461
passed to newsmedia. In Boehnerv. McDermott,222 theD.C. Circuit held a Congressman that whoactedas a conduit for a tapebetween theinterceptor and a newspaper couldbe prosecuted forviolating theWiretapping Act, 18 U.S.C. ? 2511 .223 The D.C. Circuit heldthat theprohibition on disclosure by third parties whohad reasonto knowthat theinformation had been illegally acquired was justified because: "Here,the 'substantial intergovernmental est' 'unrelated to the suppression of freeexpression' is evident."224 The Wiretapping Act, the D.C. Circuitsuggested, increasesthe freedom of speechbecause"[e]avesdroppers destroy theprivacy of conversations. The greater thethreat ofintrusion, thegreater theinhibition on candidexchanges. Interception itself is damaging enough.Butthedamageto free speechis all themoreseverewhenillegally intercepted communications maybe distributedwithimpunity."225 In reaching thisconclusion, thecourt characterized Congressman McDermott's actionin beinga conduit from theeavesdropper to the media as being a combination of speech and conduct.226 Judge Randolph characterized his act of handing overthetapeas beingakinto reand passingon, stolen ceiving, property.227 Judge Ginsburg concluded that Congressman McDermott's conduct was outside theFlorida Star rule-that truthful publishing speechcan onlybe punished ifthere is a stateinterest of the"highest order"228-because he knowingly and"unlawfully obtained" the tape. Intermediate scrutiny was therefore appropriate, and thestatute could survive that test.229 Judge Sentelle dissented on thegrounds that theFlorida Starruleappliedandcompelled strict scrutiny. The third-party provisions of theWiretapping Act failedthismoreexacting testbecausetheywerenota
222. 191F.3d463 (D.C. Cir.1999). Judge Randolph authored the court's with opinion, Judge Ginsburg inthe concurring judgment andwith ofthe parts opinion. Sentelle Judge dissented. 223. See 18 U.S.C. ? 2511 (1)(c)-(d),creating civilandcriminal causesofaction against anyonewho: (c) intentionally discloses, orendeavors todisclose, toanyother person the contents of any wire, oral, orelectronic communication, orhaving knowing reason toknow that the information wasobtained the through interception ofa wire, orelectronic oral, communication in violation ofthis subsection; (d) intentionally orendeavors uses, touse,the contents ofanywire, orelectronic oral, communication, knowing orhaving reason toknow that the infonnation wasobtained through theinterception ofa wire, oral, orelectronic communication in violation ofthis subsection 224. Boehner, 191F.3dat468. 225. Id. 226. See id. at466-67(citing United States v. O'Brien, 291 U.S. 367,376 (1968),for proposition that "when 'speech'and'nonspeech' elements arecombined inthesamecourse ofconduct, a sufficiently important governmental interest in regulating thenonspeech element canjustify incidental limitations onFirst Amendment freedoms"). 227. See id.at469. 228. Florida Star v. B.J.F., 491 U.S. 524,524 (1989)(quoting Smith v. DailyMailPublishing Co.,443 U.S. 97, 103(1979)). 229. See Boehner, 191F.3dat480 (Ginsburg, J., concurring).
May2000]
THEDEATHOF PRIVACY?
1517
content-neutral regulations.230 JudgeSentellealso specifically disagreed with themajority's assertion as he putit,thegovernment that, a maypunish publisher ofinformation theinformation inquestion ina [who]has obtained manner lawful in itself butfrom a source whohas obtained itunlawfully."231 he concededthatthe stateinterest Although in protecting the privacyof communications was compelling, he disagreed thata blanket ban on thirdparty uses was narrowly tailored to serve that end.232 The Third Circuit also divided a majority saw theissue 2-1,butthistime muchlikeJudge Sentelle.Bartnicki v. Vopper involved a tapeof a cellular telephone conversation between twomembers ofa teachers' unionwhowere engagedin contentious with their paynegotiations schooldistrict. Someone recorded a conversation in which thetwounionmembers discussed goingto thehomesofschoolmembers and"blow[ing] off their front An porches."233 unknown left thetapein themailboxof JackYocum,an opponent party of theteachers' union, whothen tookittothepress.234 On an interlocutory appeal,theThirdCircuit held 2-1 that Yocum (the and thesubsequent conduit) publishers wereprotected by theFirst Amendment evenifthey knewor hadreasonto knowthat thetapewas illegally recorded. Although theBartnicki majority tried to minimize theextent of its disagreement withthe D.C. Circuit by focusing on the media defendants, whohadno analoguein theBoehner case,235 theBartnicki majority stillheld thattheconduit of theinformation was protected every bit as muchas the ultimate publishers.In so doing,theBartnicki majority characterized Yocum's conduct as pure speech,rejecting Boehner'sconclusion thatit was more properly seen,at leastpartially, as conduct. The first difficulty theThird Circuit hadto overcome in reaching itsconclusionwas Cohenv. CowlesMedia. In thatcase, the Supreme Courtexplainedthat"generally applicablelaws do notoffend theFirst Amendment simply becausetheir enforcement against thepresshas incidental effects on its ability to gather and report thenews."236 Furthermore, "enforcement of such generallaws againstthepressis not subjectto stricter scrutiny than wouldbe appliedtoenforcement against other persons ororganizations."237 Despiteholding that bothYocum and themediadefendants engagedin purespeech,rather thana mixture of conduct and speech,themajority ap230. See id.at480-84(Sentelle, J., dissenting). 231. Id. at484-85. 232. See id.at485. 233. Bartnicki v. Vopper, 200 F.3d 109,113(3d Cir.1999). 234. Id. 235. See 191F.3dat467 (noting that the ultimate publishers oftheconversation were notdefendants inthe Boehner case). 236. Cohen v. CowlesMediaCo.,501U.S. 663,669 (1991). 237. Id. at670.
1518
STANFORDLAWREVIEW
[Vol.52:1461
plied intermediate scrutiny becauseit found theWiretap Act to be contentneutral.Intermediate scrutiny requires thecourt to weighthegovernment's and themeansselectedto effectuate interest, thatinterest, againstcountervailing First Amendment freedoms. In doingthisbalancing, thecourt determinedit must ask whether theregulation is "narrowly tailored" to achievea "significant governmental interest."238 The dissent thiswas the agreedthat right test, butrejected themajority's application ofittothefacts.239 The government argued that theActwas narrowly tailored.The regulationof third-party use, it said, eliminates thedemandforthe fruits of the wrongdoer's labor.240 The Bartnicki majority was notpersuaded, callingthe connection between thethird-party provisions of theWiretapping Act and the prevention of the initialinterception of communications "indirect at incontrast, best";241 thedissent accepted theconnection.242 The twosidesthusdiffered on twoissues: Whether overa tape handing is pure "speech,"and whether theprophylactic effect of a prohibition on or "using"thecontents "disclosing" of a communication wouldsufficiently discouragethe illicitacquisition of communications, thusjustifying the speechrestriction at issue. Although thereis something distasteful about considering accurate information contraband, evenifhedgedwitha scienter requirement, it seemshardto believethat criminalizing thereceipt and publishing ofpersonal datawouldhaveno discernable effect on theincentive to deployprivacy-destroying technologies. it seemslikelythatsucha Rather, law wouldreducetheincentive to gather datain thefirst place,sincebuyers wouldbe harder to find.The argument is weakest in a context suchas Bartwhere themotives nicki, for disclosure arepolitical rather than financial, and thematter is of publicinterest. The argument is surely stronger whenappliedto thedisclosure ofpersonal profile data. However, evenifone accepts a connection between thedissemination prohibiting of information and disitscollection, couraging it does notnecessarily followthat privacy interests trump freespeechrights.How thebalancecomes out will dependin part uponwhatsortof scrutiny is applied;that in turn will dependuponhow the actofsharing theinformation is categorized. A related issueraisedby theBartnicki/Boehner splitis whether sharing information is alwaysspeechprotected by theFirst Amendment, or whether thereare occasions in whichinformation is just a regulated commodity. Questionsconcerning whatis properly characterized as "speech"surround
238. See Barnicki, 200F.2dat 124. 239. See id.at 130. 240. Id. at 125. The govemment also argued that theActwould"deny[] thewrongdoer the fruits of his [own]labor," butthemajority noted on thefacts neither defendant was the"wrongdoer"-theeavesdropper-so that justification didnot apply.Id. 241. Id. at 126. 242. Id. at 133-34 (Pollak, J., dissenting).
May2000]
THEDEATHOF PRIVACY?
1519
thesale of bulkconsumer theregulation from data to of everything digital, theregulation ofsoftware.243 In bothReno v. Condonand Los AngelesPolice Department v. United Reporting Publishing Court treated Corp,244 theSupreme government-owned dataas a commodity that to reasonable personal couldbe subjected regulations on subsequent use. is a decisionaboutfederalism. Neither side briefed Condon,however, nor arguedthe FirstAmendment issues concerning reuse or republication rights of datarecipients,245 so theissueremains It remains open.246 so even theCondondecisionspecifically though relieduponand upheldthepartof theDPPA that theresaleand redisclosure regulates of drivers' inpersonal formation byprivate individuals (whohaveobtained that information from a statedepartment of motor vehicles).247 The DPPA, theCourtstated, "regulatestheStatesas theowners of databases."248 It follows thatsimilar rules couldbe appliedto anydatabaseowner;indeedtheCondonCourt defended theDPPA against SouthCarolina'sclaimthat it regulated states exclusively that by noting ? 2721(c) regulates everyone whocomesintocontact with the data.249 In thislight, thekeyfactor in Condonmaybe theCourt'sdecisionthat no one has a right to drivers' licensedatain thefirst place becausethedata belongsto thegovernment. Whenexamining cases involving theregulation
243. Cf Bernstein v. United States, 176F.3d 1132,1146(9thCir.1999),opinion withdrawn, rehearing enbancgranted, 192F.3d 1308(9th Cir.1999)(deciding that source codeis speech). 244. 120S. Ct.483,489 (1999). 245. Neither party orargued briefed theFirst Amendment issue, except that the United States' reply brief responded to a claim, byan amicus, that Condon was analogous tothegovernment tara particular geting member ofthe press for adverse treatment. See Reply for Brief thePetitioners at 17,Renov. Condon, 120S. Ct.666(2000)(No.98-1464), available in 1999WL 792145. 246. As Eugene Volokh reminded me,"casescannot be readas foreclosing an argument that they never 511 U.S. 661,678 (1994) (plurality dealtwith."Waters v. Churchill, opinion) (citing United States v. L.A. Tucker Truck Lines, Inc.,344 U.S. 33,38 (1952));see also Miller v. CaliforniaPac. Med.Ctr., 991 F.2d536,541 (9thCir.1993)("Itis a venerable principle that a court isn't bound bya prior decision that failed to consider an argument or issuethelater court finds persuasive."). 247. See 18U.S.C. ? 2721(c)(1999): Anauthorized recipient ofpersonal information . . . may resell orredisclose theinformation a usepernitted only for under subsection (b). . .. Any authorized recipient (except a recipient under subsection (b)( 11))that resells or rediscloses personal infornation covered by this chapter must for a period keep of5 years records identifying each person orentity that receives information andthe pernitted purpose for which the information willbe usedandmust make such records available tothe motor vehicle department upon request. 248. Renov. Condon, 120S. Ct.666,668 (2000). 249. See id.(noting that the DPPA is generally In Travis applicable). v.Reno,163F.3d 1000, 1007 (7thCir. 1998),Judge Easterbrook characterized First Amendment arguments against the DPPA as "untenable." It is clearfrom thecontext, that however, Judge Easterbrook was speaking ofthealleged only First Amendment toviewdriver's right license anddidnotaddress records, the republishing issue.
1520
STANFORD LAWREVIEW
[Vol.52:1461
of government datause and reuse,theCourtadoptswhatamounts to an informational right/privilege distinction: If access to thedata is a privilege, it can be regulated. The samelogicappears inLos Angeles Police Department v. United Reporting Publishing Corp.250 theCourtuphelda statute There, requiring persons requesting arrestee data to declarethatthearrestees' addresseswouldnotbe used directly or indirectly to sell a product or service. The Courtreasoned that because California had no dutyto releasearrestee dataat all, itsdecision to imposesubstantial conditions uponhow theinformation wouldbe used couldsurvive at leasta facialFirst Amendment challenge.251
If theCourtadoptswhatamounts to a right/privilege distinction relating to government data,it is hardto see whythegovernment's to impose ability conditions upontheuse ofitsproprietary datashould be anyless than that of a private party, especially ifthose conditions arguably restrict speech. If data are just commodities, thendata usage can be regulated by contract or license-a view that mayimport elements of a property intowhathad theory previously beenthepreserve oftheFirst Amendment. One view of theFirstAmendment, implied by Bartnicki, suggests that thegovernment cannot impose sweeping restrictions on datadissemination in thenameofprivacy.The alternate viewoftheFirst Amendment, offered by Boehner, is morelikely to allow thegovernment to imposepubliclimits on datadissemination andcollection, andthus enhance privacy.252 TheBoehner vision,however, has potentially sweeping consequences unless some distinction can be delivered to prevent its application to publishers-which seems particularly dubiousnow thateveryone is a publisher.253 If it does applypublishers, theneverynewspaper thatpublishesa leak based upon classified information is at risk, and political reporting wouldbe thoroughly chilled.254 Just as a newspaper does notlose its status as protected speech becauseitis sold for a profit, other in other information, media, maybe entitledto fullFirst Amendment protection however itis transferred or sold.
250. 120S. Ct.483,489 (1999). 252. Ironically, a vision that makes itpossible to restrict thespeech ofpersons whoreceive contraband inthenameofprivacy information is also themost compatible with diverse enactment suchas theUniform Information Computer Transactions Act and theCopyleft license, each of which impose private conditions ondatadissemination. 253. See generallyEugene Volokh, Cheap Speech and Whatit WillDo, 104 YALE L.J. 1805
251. Seeid.
254. "[N]early every action, orpolicy recommendation, decision in theforeign policy ornational field is classified security as a secret at sometime, bysomeone often without validreason, except for bureaucratic convenience," Floyd Mark Abrams, Henry Don Oberdorfer Holzer, & RichardK. Willard, The FirstAmendment and National Security, 43 U. MIAMIL. REV. 61, 75 (1988)
of Washington (remarks Post reporter Don Oberdorfer).
(1995).
May2000]
THEDEATHOFPRIVACY?
1521
b. TheFirst Amendment and transactional data. Transactional data-who boughtwhat, when, where,and for how much-might be considered commercial ordinary speech, speech,orjust an informational commodity.If transactional data is commercial speech,its regulation wouldbe reviewed under thetestenunciated in Central Hudson Gas & Electric Corp.v. PublicService Commission ofNew York:
Forcommercial to comewithin speech First [the itat leastmust Amendment], concern lawful andnotbe misleading. activity we ask whether Next, theasserted governmental interest is substantial. If both inquiries anyieldpositive swers,we mustdetermine whether the regulation advancesthe directly governmental interest asserted, andwhether itis notmore extensive than is necessary toserve that interest.255
Unlikepublicsurveillance data,transactional datais usuallycollected in privatebyone oftheparties tothetransaction. The government's to regulate ability privately generated speechrelating to commerce is surprisingly underlitigated. Thismaybe becausethere is not (yet)much relevant inUnited regulation States law. Under thecommon law, absenta specialdutyof confidentiality such as an attorney-client relationship, thefacts ofa transaction belong jointly andseverally to theparticipants. If Alice buysa chattel from Bob, ordinarily bothAlice and Bob are freeto disclosethisfact. (If Alice is famous, however, Bob maynotuse herlikenessto advertise hiswareswithout herpermission, although he certainly can tellhis friends that Alice was in his shop.256) Current doctrine suggests that speechrelating to commerce is ordinary speech,if one applies"'the 'commonsense'distinction between speechproposing a commercial transaction, whichoccursin an area traditionally subject to government regulation, and other varieties of speech."'257 On theother hand,thetwo mostrecent Supreme Court decisions relating to theregulation ofpersonal dataseemto imply thatsome transactional data is just a commodity, although the special
255. 447 U.S. 557, 566 (1980). 256. See RESTATEMENT (SECOND) OF TORTS ? 652C (1977) (stating that itis an invasion of privacy forsomeone to appropriate thenameor likeness ofanother); see also CAL. CIV. CODE ? Haas, Storehouseof Starlight:The First Amendment Privilege to Use Names and Likenesses in Commercial 19 U.C. DAVIS Advertising, L. REV. 539 (1986) (arguing that theSupreme Court has
3344.1(1999) (extending theright protect one'sname or likeness from publicity for 70 years after death).Fora survey oftheevolving ofpublicity right in theUnited States, compare Theodore F. a revolutionary begun reinterpretation oftheconstitutional status ofcommercial creatadvertising, inga tension between theright to control theuse ofone'snameandlikeness, andthefree speech rights of advertisers), with James M. Treece, Commercial Exploitation of Names, Likenesses,and Personal Histories, 51 TEX. L. REV.637 (1973) (arguing that only those whocan showactualinjuryfrom theappropriation of their nameor likeness should be compensated; otherwise theFirst Amendment should prevail). 257. Rubin v. CoorsBrewing Co., 514 U.S. 476,482 (1995) (citing Central Hudson Gas & Electric v. Public Corp. Serv. Comm'n ofN.Y.,447 U.S. 557,562 (1980) (quoting Ohralik v. Ohio State BarAss'n,436 U.S. 447,455-56(1978))).
1522
STANFORD LAWREVIEW
[Vol.52:1461
circumstances of thosedecisions-thedata was heldby stateor local governments-make hazardous. generalization A verysmallnumber of statutes of priimposelimits uponthesharing vatetransactional datacollected notclassedas professionals. bypersons The mostimportant Act.258 In addition maybe theFairCredit to imReporting pressing rulesdesigned to makecredit moreaccurate, reports thestatute also contains rulesprohibiting credit bureaus from certain accurate statemaking mentsaboutaged peccadilloes, thisrestriction although does not applyto reports requested forlarger transactions.259 More directly federal privacyoriented commercial datastatutes arerare. The Cable Communications PolicyActof 1984 forbids cable operators andthird parties from monitoring the viewinghabitsof subscribers. Cable operators musttell subscribers what personaldata is collectedand, in general, mustnot disclose it to anyone without thesubscriber's consent.260 The "BorkBill," formally known as the Video PrivacyProtection Act, also prohibits mostreleasesof customers' videorental data.261 Neither theprivacy provisions of theCable Act northoseof theBork Bill appearto havebeenchallenged in court.Some have suggested that this is evidenceof their uncontroversial constitutionality.262 More likely,this provesonlythat merchants in thesetwoindustries sell a great deal of sexually themed products and have no incentive to do anything to reducetheir customers'confidence thattheirviewinghabitswill not become public knowledge.As a doctrinal matter, thestatutes seemdebatable.At leastone other restriction upontheuse of legally acquired transactional datafailedon First Amendment grounds:Whenthestateof Maine sought to require consumer consent before a firm could request a credit history, credit reporting
258. 15U.S.C. ?? 1681-1681s (1999). 259. See id. ? 1681c(prohibiting ofbankruptcies reporting that aremore than10 years old; "[c]ivilsuits, civiljudgments, andrecords ofarrest from that, dateofentry, antedate thereport by more than sevenyears or until thegoverning statute of limitations has expired, whichever is the longer period;" taxliens paidseven ormore years earlier; orother noncriminal adverse information that is more than seven years old. Noneoftheprohibitions ifthetransaction apply for which the report willbe usedexceeds $150,000, orthe job offer paysmore than $75,000 peryear.); see also id. ? 1681k (requiring that consumer credit reporting agencies haveprocedures inplacetoverify the ofpublic accuracy records containing information adverse tothe datasubject). 260. See 47 U.S.C. ? 551(1999). rental providers torelease customer names andaddresses tothird parties so longas there is no disclosure oftitles purchased orrented. Customers can,however, be grouped into categories accordingtothe offilm type they rent. See id. ? 271 O(b)(2)(D)(ii). 262. See Kang,supranote16,at 1282(arguing that theproposed Cyberspace Privacy Act survives First Amendment scrutiny because ofitssimilarity totheCableActandtheVideoPrivacy Protection Act, neither ofwhich havebeensuccessfully challenged onFirst Amendment grounds).
261. 102 Stat. 3195 (1988) (codifiedas 18 U.S.C. ? 2710 (1999)). The act allows videotape
May2000]
THEDEATHOF PRIVACY?
1523
from thestatesupreme court agencyEquifaxwon a judgment that holding Amendment on itsFirst restriction thiswas an unconstitutional right.263 3. Fear. on an effective The most important constraint responseto privacydatadrives is fear.Whilegreedfor some destroying technologies marketing to overcome. fearseems farmorecentral, and muchharder applications, workers Employers monitor becausethey areafraid employees maybe doing camerasin or even illegal things. Communities unproductive appreciate ormerely cameras reduce publicplacesbecause,whether one displacecrime, in front seemsto be safer of thelens. Law enforcement officials constantly seek new toolsto compete in whatthey see as an armsrace withterrorists, andother criminals.264 drug dealers, It wouldbe wellbeyond thescopeofthisarticle to attempt to determine whichof thesefearsare well founded, butanypoliticalattempt to restrict will have to confront data collection personal thesefears, whether theyare wellfounded ornot. In arguing forincreased privacy protection, one subtle fear also needsto be considered:Anything that increases a citizen's reasonable expectation of privacywill, undercurrent doctrine, also increasethe scope of Fourth Amendment protections.265 Law enforcement officials are generally notreto obtain in order quired warrants to examine things that peoplehaveno reasonable expectation of keepingprivate;expanding the reasonableness of privacy expectations wouldmeanthat law enforcement officials wouldhave to securewarrants before aiming newtechnologies at homesor bodies. The answer to thesubtle fear maybe a counter-fear: The more commonplace that surveillance ubiquitous becomes, theless theFourth Amendment willbe able toprotect theaverage citizen. B. Making Privacy Rules Within theConstraints The resultof these constraints on an effective responseto privacydestroying is evidentfromthe relatively technologies limitedprotection againstdata acquisition provided by existing privacyrules in the United
263. See generallyEquifax Serv., Inc. v. Cohen, 420 A.2d 189 (Me. 1980) (characterizing Equifax's interest as commercialspeech, but nonethelessfinding thatthe FirstAmendment was violated). and theConstitution, 143 U. PA. L. REV. 709, 850-60 (1995) (discussingfearin thecontext of constitutional archetypes) <http://www.law.miami.edu/-froomkin/articles/clipper.htm>. 265. See Morton, supra note 198, at 1470 (notingthatcurrent Fourth Amendment law is settledin regard to an individual'sreasonableexpectation of privacy).
264. See A. Michael Froomkin, TheMetaphor Is theKey: Cryptography, theClipper Chip,
1524
STANFORD LAWREVIEW
[Vol.52:1461
also suggest States. The constraints that several forimproving proposals priarelikely vacyprotections tobe less effective than proponents might hope. 1. Nonlegal proposals. Proposalsfornonlegalsolutions to the problem of privacy-destroying mustfocuseither technologies on thedata collector or on thedata subject. Proposals on thedatacollector focusing of enusuallyinvokesomeversion lightened self-regulation. on thedatasubject Proposals focusing usuallyinvoke therhetoric of privacy-enhancing or other forms of selftechnologies help. has provedto be a chimera. In contrast, Self-regulation privacyenhancing technologies clearlyhave a role to play in combating privacydestroying in areas suchas protecting technologies, particularly theprivacy of telecommunications and otherelectronic messaging systems. It is unlikely, however, that privacy-enhancing technologies alonewillbe sufficient to meetthemultifaceted challenge described in PartI above. Theremaybe someopportunities forthelaw to encourage privacy-enhancing technologies through subsidiesor otherlegal means,but frequently the mostimportant role forthelaw will be to remove existing obstacles to theemployment of privacy-enhancing technologies orto ensure newonesdo notarise. a. " "Self-regulation.
United States privacy policyhas,until beendominated recently, by a focus on a verylimited number of issuesand,within thoseissues,a commitmentto ask industry to self-regulate.266 Since the economicincentive to providestrong privacy protections is either weak, nonexistent, or at least nonuniformly distributed amongall participants in the marketplace, most seriousproposals forself-regulation amongmarket participants relyon the threat of government regulation if thedata collectors failto regulate themselvessufficiently.267 Withoutsome sort of government intervention to encourageselfregulation, "[w]olvesself-regulate forthegood of themselves and thepack,
266. See William J.Clinton & Albert Gore, Jr., A Framework for GlobalElectronic Commerce ? 2 (1997)(the "E-Commerce White Paper") <http://www.iitf.nist.gov/eleccomm/ecomm.htm 267. See JoelR. Reidenberg, Restoring Americans' Privacy in Electronic Commerce, 14 BERKELEY TECH. L.J.771,789 (1999)("During thedebate overself-regulation, U.S. industry took privacy more seriously onlywhen government threats ofregulation wereperceived as credible."); see also Peter P. Swire, Markets, Self-Regulation, and Government Enforcement in theProtection (U.S. Dep't of Commerce ed., 1997) (arguing that industry members might rationally prefer an unregulated market in which they can sell personal information to a self-regulated market, and therefore only the threat ofmandatory government regulation caninduce them toself-regulate).
of Personal Information, in PRIVACY AND SELF-REGULATION IN THE INFORMATION AGE 3, 11
May2000]
THEDEATHOFPRIVACY?
1525
notthedeer."268 themostvisibleand successful Perhaps iniself-regulatory tiative has been TRUSTe.com,a private third-party privacy-assurance system. TRUSTe.com providesa privacy"trustmark" to about 750 online merchants whopayup to $6900 peryearto licenseit.269 In exchange for the fee,TRUSTe verifies theexistence of theonlinemerchant's privacy policy, but does not conduct an audit. TRUSTe does, however, cominvestigate plaints allegingthatfirms have violated their privacy policies. It currently receives about375 complaints peryear, and finds abouttwenty percent to be valid,triggering additional investigation. These decisionsdo notappearto be published save in exceptional circumstances.270 The meaningfulness ofthe"trustmark" recently was called intoquestion by theactionsof a trustmark holder. TRUSTe confirmed that milthirteen lion copies of trustmark holderRealNetworks' RealJukebox Software had created"globallyunique identifiers" ("GUIDs") and transmitted themto RealNetworks via the Internet everytimethe software was in use. The GUID couldbe associated with theuser'sregistration information to create a profile of their listening habits.271 RealNetworks' privacy policydisclosed none of thesefacts. Nevertheless, once theycame to light, RealNetworks keptits"trustmark" becausethedatacollection was a result of downloaded software, and not anything on RealNetworks' web page. Both the company'sweb privacy policyanditsaccompanying "trustmark" appliedonlyto data collection via its web pages rather thanInternet-related privacy intrusions.272 A similar distinction between data collected via a web page and datacollected byuser-run software allowedMicrosoft to keepits"trustmark" after thediscovery that itsregistration software senta GUID and accompanying userdata during Windows 98 registration, evenwhentheusertoldit
268. Roger Clarke, TheLegal Context ofPrivacy-Enhancing andPrivacy-Sympathetic Tech-
nologies,Apr. 12, 1999 <http://www.anu.edu.au/people/Roger.Clarke/DV/Florham.html>. 269. See <http://www.truste.com/users/users_lookup.html> (describing TRUSTe's services). 270. See id. at Investigation Results <http://www.truste.org/users/users_investigations.html> (stating thatTRUSTe posts resultsof its investigations "[f]romtimeto time"). The page currently liststheresults of onlysix investigations (as of April2000). 271. See RealNetworks' Privacy Intrusion, JUNKBUSTERS <http://wwwjunkbusters.comn/ht/ en/real.html> (detailingthe controversies the GUID discovery); TRUSTe, Truste& surrounding RealNetworks Collaborate to Close Privacy Gap <http://www.truste.org/about/about_ software.html> (describing TRUSTe's efforts to resolvetheGUID situation); RealJukebox Update, REALNETWORKS <http://www.realnetworks.com/company/privacy/jukebox/privacyupdate.html> (announcingRealNetwork'srelease of a software update designedto address customerconcerns about privacy); Robert Lemos, Can You TrustTRUSTe?, ZDNET NEWS, Nov. 2, 1999 <http:// www.zdnet.com/zdnn/stories/news/0,4586,2387000,00.html> (claimingthatTRUSTe does not take activemeasuresto assurethatitslicenseholdersdo notviolateconsumer privacy). 272. See TRUSTe & RealNetworks Collaborate,supra note271 (explaining thattheGUID incidentwas outsidethe scope of TRUSTe's privacyseal program because it did not involvecollection of data on RealNetworks' website); see also TRUSTe FAQ <http://www.truste.org/users/ users_investigationfaqs.html> thatTRUSTe does not deal withsoftware (stating or offline privacy practices butonlywithinformation collectedand used by web sites).
1526
LAWREVIEW STANFORD
[Vol.52:1461
notto.273TRUSTe announced, itwas developing that a pilotsofthowever, wareprivacy withRealNetworks. theannouncement program did Although not actually would be expandedto other say thattheprogram companies, itwould.274 itimplied that muchless when, The RealNetworks incident followed an earlier, similar fiascoin which the FTC settled a complaint The FTC chargedthat againstGeoCities.275 GeoCities"misrepresented thepurposes for whichitwas collecting personal identifying information from children and adults."276 to theFTC, According GeoCitiespromised customers thattheir information registration would be used onlyto "provide members thespecific offers and products advertising or servicestheyrequested and thatthe 'optional' information [education level,income, marital status, andinterests] occupation, wouldnotbe released to anyone without themember's permission."277 In fact, however, GeoCities created a database that included "emailandpostaladdresses, member interest areas,anddemographics including income, education, gender, marital status, and occupation" and disclosed customer datato marketers.278 In settling the case, GeoCitiesissued a pressreleasedenying the allegations. GeoCities thenchanged itsprivacy policyto statethat userdatamight be disclosedto third with parties userconsent (theprevious policyalso implied this;in any event the FTC chargewas that disclosuresoccurredwithoutconsent). TRUSTe, which had issueda trustmark to GeoCities during theFTC investigation, didnotremove it.279 CriticssuggestthatTRUSTe's unwillingness to removeor suspenda trustmark results from itsfunding structure. Firms licensethetrustmark; in somecorporate addition, sponsors, including Microsoft butneither RealNetworksnor GeoCities, contribute up to $100,000per yearin support.280 If TRUSTe were to start suspending trustmarks, it would lose revenue;if it
273. See Watchdog #1723-Microsoft Statement ofFinding,TRUSTe <http://www.truste.org/ users/users_w1723.html> thatMicrosoft (announcing had notviolatedits TRUSTe license because the mannerin which the information was transferred did not fall withinthe boundariesof the TRUSTe license agreement, but acknowledging thatthe data transfer did compromiseconsumer trust and privacy). 274. See TRUSTe &RealNetworks Collaborate,supra note 271 (announcing TRUSTe's plan to extenditsprivacyservicesto RealNetworks'software applications and to form a working group of software and Internet experts to advise TRUSTe how to extenditsprivacyseal program). 275. See JamieMcCarthy, TRUSTe Decides Its Own Fate Today,SLASH DOT, Nov. 8, 1999 <http://slashdot.org/yro/99/11/05/1021214.shtml> (detailingseveralotherdebacles, in whichtrustmarkholdersviolatedprivacy policies or principles butkepttheir accreditation). 276. Janet Kornblum, FTC, GeoCities Settle onPrivacy, CNET NEWS,Aug. 13, 1998 (quoting on FTC statement) <http://news.cnet.com/news/0-1005-200-332199.html>. 277. Id. (quotingGeoCities' membership sign-up form). 278. Id. (quotingFTC statement). <http://www.spectacle.org/998/mccarthy.html> (detailing thedenial). 280. See TRUSTe, TRUSTe Sponsors <http://www.truste.org/about/about_sponsors.htm> (listingTRUSTe's corporate sponsors).
279. See Jamie McCarthy, Is TRUSTeTrustworthy?, THE
ETHICAL SPECTACLE,
Sept.1998
May2000]
THEDEATHOF PRIVACY?
1527
toward forbeingtoo aggressive wereto geta reputation clients, they might a trustmark arebetter off without andtheattendant hassle. In the decidethey to evaluatethemeaning of a absenceof a meaningful way forconsumers has no economic TRUSTe certainly or competing trustmark certifications,28' tobe tough on itsfunding sources. incentive Perhaps the most troubling aspect of the TRUSTe story is that has a great deal ofmerit:The expectations TRUSTe's defense of itsactions loaded upon it, and perhaps thepublicity surrounding it,vastlyexceed its asserof verifying web-site modest mission members' self-imposed privacy andbringing intocompliance with their ownoften tions, members quitelimitedpromises.282 Takenon its own terms, TRUSTe is a verymodestfirst in self-regulation. Thatsaid,TRUSTe's nonprofit initiative thesponstatus, of publicinterest suchas theElectronic Frontier sorship groups Foundation, andtheenlightened ofparticipant self-interest whomaywishto corporations avoid government all providereasonswhyprivacy certification regulation bodiesmight someday growteeth. A moregeneric withself-regulatory even thoselimproblem schemes, itedto e-commerce or web sitesin general, is that they regulate onlythose motivated orprincipled totakepart in them.It maybe that enough competitivepressures drivefirms might ultimately to seekprivacy certification, but fewer than1000 firms currently participate in either TRUSTe's or BBBOnline'sprograms, which that suggests market pressure toparticipate is weakto nonexistent. Indeed, after several yearsof callingforself-regulation regardof data from ing thecollection children, theFederalTradeCommission finally decided to issue extensive regulations controlling onlinemerchants to collectpersonal seeking information from minors.283 Even if,as seemsto be thecase, industry self-regulation is at bestmarginally effective without andcurrent legal intervention, third-party trust certification bodieshaveonly a verylimited influence, itstilldoes notmeanthat theFTC's response is the onlywaytoproceed. The United States maybe uniquein endorsing self-regulation without leto incentivize gal sanctions or enforce it;284 itis hardtobelievethat thestratmorethana political egyis anything deviceto avoidregulation. It does not that follow, however, self-regulation is a bad idea,so longas legalconditions
281. See McCarthy, supra note 275 (notingthatTRUSTe is by farthe industry leader in the United States. Its only competitor, BBBOnline, has fewer than 100 members,compared to TRUSTe's 750.). 282. See, e.g., note273 supra. 283. See Children'sOnline PrivacyProtection Rule, 16 C.F.R. ? 312.5 (effective April 21, 2000) (requiring parental consent prior to collectionof information from children under13). 284. See ROGERCLARKE,SENATELEGALANDCONSTITUTIONAL REFERENCES COMMITTEE INQUIRY INTOPRIVACY ANDTHEPRIVATE SECTOR(July7, 1998) <http://www.anu.edu.au/people/ Roger.Clarke/DV/SLCCPte.html>
1528
STANFORDLAWREVIEW
[Vol.52:1461
create incentives forparties to engagein itseriously.For example, an enormousamount ofenergy hasgoneinto "fair information crafting practices."285 One way ofcreating foraccurate, incentives ifnotnecessarily ideal,privacypolicieswouldbe touse legislation, market andthelitigiousness forces, of Americans to create a self-policing (as opposedto self-regulating) system forweb-based datacollection.If all sitesthat collectpersonal datawererequiredto disclosewhatthey collectand whatthey do withit,if it werean actionable offense to violatea posted privacy and ifthat policy, private right of actionwereto carry statutory then damages, users-or class-action counsel-would have an effective incentive to police privacy policies. Indeed, thesurreptitious harvesting of musicpreference databy RealJukeBox motivatedtwo setsof enterprising lawyers to fileclass actionlawsuits.286 One federal class actionsuitallegedmisrepresentation and violation of theComputer Fraudand AbuseAct.287 Another class actionwas filedin California statecourtunderthe state'sunfair business practices law. Both lawsuits, however, face a problem in valuingthedamages. In the federal case, the plaintiffs seeka refund of thethirty dollars that someuserspaid fortheregistered version ofthesoftware. In theCalifornia case,plaintiffs planto base damagesupon their estimate of themarket value of data thatRealJukebox collected;theywill pick a figure after discovery.288 Unfortunately forthe plaintiffs, there is no reason tobelievethat evena great deal ofmusicpreference data is worth anything nearthefivehundred dollars perheadthat their lawyers estimated forthepress. The willingness of thefederal plaintiffs to sue for onlythirty dollars perheadsuggests that a statutory creating damages remedy, evenwith onlysmalldamages, might create a sufficient incentive to policeonline privacy policies. The web,however, is nottheonlysource ofconcern; other meanswillbe required to address different technologies. b. PETs and other self-help. Privacy Enhancing Technologies ("PETs") havebeendefined as "technical devicesorganizationally embedded in order to protect personal identity by minimizing or eliminating thecollection of data thatwould identify an
Clarke, InternetPrivacy Concerns Confirm the Case for Intervention <http://www.anu.edu.au/ people/Roger.Clarke/DV/CACM99.html>. 286. See Brian McWilliams,Real Hit With Another PrivacyLawsuit,INTERNETNEWS.COM, Nov. 10, 1999 <http://www.intemetnews.com/streaming-news/article/0, 1087,8161_236261 ,00.html>. 287. 18 U.S.C. ? 1030 (1999). 288. See McWilliams,supra note286.
FLOWS OF PERSONAL DATA <http://www.oecd.org/dsti/sti/it/secur/prid/PRIV-EN.HTM>; Roger
285. See, e.g., OECD, GUIDELINESON THE PROTECTION OF PRIVACYAND TRANSBORDER
May2000]
THEDEATH OFPRIVACY?
1529
individual a legalperson."289 or,ifso desired, In addition toPETs embedded in organizations, there are also a number of closelyrelated technologies that people can use forself-help, whenconfronted especially by organizations that are notprivacy-friendly. Such devicescan be hardware, suchas masks or thick or software, curtains, suchas thePlatform forPrivacy Preferences ("P3P"), whichseeks to reducethe transaction cost of determining how much personal datashould be surrendered ina giventransaction. PETs and other privacy protection can be integrated technologies in a system or theycan be a reaction design, to it. Law can encourage thedeof PETs, butit can also discourage ployment sometimes them, unintentionally. Somehavesuggested that thelaw should or at leastencourage, require, thedevelopment of PETs. "Government must. . . act in a fashion thatassurestechnological in a direction development favoring privacy protections rather than privacy intrusions."290 It is a worthy goal and should be part of a comprehensive response toprivacy-destroying technologies. Sometimes overlooked, arethewaysin which however, law can existing imposeobstacles to PETs. Laws and regulations designed to discourage the spreadof cryptography are onlythemostobviousexamples of impediments to privacy-enhancing technology. Legal obstacles to privacy self-help also extend to thelowest technologies, suchas antimask laws. In somecases,all PETs mayneedto flourish is theremoval oflegalbarriers. can be engineered Privacy intosystems design,291 systems can be built without muchthought aboutprivacy, or they can be constructed in waysintentionally designed to destroy it,in order to capture consumer information orcreate audit trails for security purposes.In eachcase,after thesystem is in operation, usersmaybe able to deployself-help PETs to increase their privacy. Systemdesigners frequently have greatflexibility to includeprivacy protections if theyso choose. For example, whendesigning a road-pricing system, transponders can be connected to a cardthat records a tollbalance and deductsfunds as needed. No data identifying thedriver or thecar is needed, just whether there are sufficient funds.Or,thetransponder can insteademita uniqueID code,keyedto a record, that identifies thedriver and
289. Herbert Burkert, Privacy Enhancing Technologies and Trust in theInformation Society (1997) <http://www.gmd.de/People/Herbert.Burkert/Stresa.html>. 290. Reidenberg, supranote267,at 789; see also Joel R. Reidenberg, LexInformatica: The Formulation ofInformation Policy RulesThrough Technology, 76 TEX.L. REV. 553, 584 (1998) (advocating that companies that do notprotect personal datathrough PETs should be subject to legalliability). 291. For some suggested basic design principles, see INFORMATION AND PRIVACY COMMISSIONER/ONTARIO, CANADA & REGISTRATIEKAMER, supranote180; see also Ian Goldberg, David Wagner & EricBrewer, Privacy-enhancing Technologies for theInternet <http://www.cs. berkeley.edu/-daw/papers/privacy-compcon97-www/privacy-html.html> (describing existing PETs andcalling for additional ones).
1530
STANFORD LAWREVIEW
[Vol.52:1461
funds or billsher. The first prichecksforsufficient system protects either whose cards are dean alternate way to chargedrivers vacy but requires of andcan create a hugedatabase requires billing pleted.The secondsystem movements.292 vehicular can organizethe system to withhold (or never In general,designers theactionpertheobjectof thetransaction, data abouttheperson, gather) schemes itself.293 Most electronic road-pricing or even thesystem formed, token. oran attached thevehicle identify currently deployed theneed forindividual has beenbuiltintoa system, If privacy self-help software andother in thisworld where hightechnolmaybe small,although usersmayhave reasonsforcaution. If PETs imperfect, ogy is notoriously in itsimplementaor theuserlacksconfidence are notbuiltintothesystem, oftechnology that is likely to be The sort shemayengagein self-help. tion, andthenature ofthethreats to prieffective depends uponthecircumstances a person fears hidden cameras, then a pocketcamera vacy. If,forexample, detector isjustthething.294 encommunications or data storage, involving electronic For matters is themajorPET.295Here,however, theUnitedStatesgovernment cryption has engagedin a long-running effort to retard thespreadof consumer crypthatmight be used to protect emails,faxes,stored data,and teletography from and intruders-ostensibly because eavesdroppers phoneconversations thesesame technologies also enablethe targets of investigations to shield Circuit their communications from As a panelof theNinth investigators.296 in an opinion concluded for en bancconsideration: subsequently withdrawn
mayoffer an opportunity to reThe availability anduse of secure encryption efforts to control claimsomeportion oftheprivacy we havelost. Government thusmaywell implicate of Amendment rights notonlytheFirst encryption of their science, butalso the intent on pushing theboundaries cryptographers constitutional ofeachofus as potential ofencryption's bounty. recipients rights in efforts to retard progress Viewedfrom thisperspective, thegovernment's to as well as theright theFourth Amendment, cryptography mayimplicate
292. Fora discussion ofsuchsystems, see generally SantaClaraSymposium onPrivacy and IVHS,supranote 65. 293. See Herbert Burkert, Privacy-Enhancing Technologies: Typology, Critique, Vision, in 294. See Carl Kozlowski, ChicagoSecurity-Device Shop GetsCaught in Privacy Debate, CHI.TRIB., Dec. 16,1999, available in 1999WL 28717597 (describing $400to$1600pocket-sized detectors that vibrate when recording devices arenear). 295. Fora discussion ofencryption, seegenerally 264. Froomkin, supranote 296. See generally id.;A. Michael It CameFrom Froomkin, PlanetClipper: TheBattle Over Cryptographic Key "Escrow," 1996U. CHI.LEGAL F. 15 (1996); Norman Andrew ComCrain, mentary, Bernstein, andJunger: Karn, Constitutional toCryptographic Challenges Regulations, 50
TECHNOLOGY ANDPRIVACY, supra note 178,at 125, 125-28.
ALA. L. REV. 869 (1999).
May2000]
THEDEATHOFPRIVACY?
1531
speak the andthe anonymously, toinforright against compelled speech, right mational privacy.297 Perhaps in fearof another adverse from theNinth the judgment Circuit, issuedsubstantially liberalized government rulesthat recently for encryption thefirst timeallow theunrestricted of source export cryptographic code.298 In a striking demonstration oftheeffects ofa removal ofgovernment restrictionson PETs, thenew rulesemboldened theleadingmanufacMicrosoft, turer of consumer PC operating to pledgeto includestrong systems, 128-bit inthenext releaseofitssoftware.299 encryption The United States'cryptography was an intentional effort toblock policy thespreadof a technology forreasonsof national or law enforcesecurity ment convenience.Cryptography is a particularly PET because, significant ifproperly implemented, themathematical lies withthedefender. advantage Each increase in keylength and security imposesa relatively smallburden upon theparty securing thedata,but an exponential computational burden upon any would-beeavesdropper. Unlike so many othertechnologies, is relatively cryptography inexpensive and accessibleto anyone witha comor a dedicated puter encryption device. Cryptography is no privacy panacea, however.It is difficult to implement properly, vulnerable to everysecurity in underlying weakness operating systems and software programs, and even at itsbest,itaddresses onlycommunications andrecords privacy-which, as I Part abovedemonstrates, is a significant fraction, butonlya fraction, ofthe waysinwhich technology allowsobservers to collect information aboutus. In other cases, legal obstaclesto PETs are either by-products of other policies,or theresult of long-standing prohibitions whichhad consequences in thenetworked era. For example, theprohibition against"reverse engineering" software-decompiling something to find outwhatmakesit tickmayor maynotbe economically efficient.300 But,it makesit nearly impossible fortechnically sophisticated usersto satisfy themselves that programs are cryptographically secure, thusmaking it nearly impossible forthemto
297. Bernsteinv. United States, 176 F.3d 1132, 1146 (9th Cir. 1999) (citationsomitted), opinionwithdrawn, reh'g en banc granted,192 F.3d 1308 (9thCir. 1999). 298. See Revisionsto Encryption Items,65 Fed. Reg. 2491 (2000) (to be codifiedat 15 C.F.R. pts. 734, 740, 742, 770, 772 & 774); see also Letter from theDep't of Commerce, Bureau of Export Admin.,to CindyA. Cohn, attorney, McGlashnandSarrail(Feb. 17, 2000) <http://www.cryptome. org/bxa-bernstein.htm> (explaining thatsourcecode is notconsidered "publiclyavailable" and thus remains subjectto post-export reporting requirements). 299. See Reuters, StrongEncryption for Win2000 <http://www.wired.com/news/technology/ 0, 1282,33745,00.html>. 13 BERKELEYTECH. L.J. 1173, 1214-24 (1998); cf Celine M. Guillou,TheReverseEngineering of
300. See David McGowan, Free Contracting, Fair Competition, and Article 2B: SomeReflections on FederalCompetition Policy, Information and "Aggressive Transactions, Neutrality,"
J.L. & ARTS533 (1998) (contrasting rulesgenerally allowingreverseengineering of software in the EuropeanUnion withmorerestrictive rulesin theUnitedStates).
Computer Software inEuropeand theUnited A Comparative States: 22 COLUM.-VLA Approach,
1532
STANFORD LAWREVIEW
[Vol.52:1461
authors releasethesourcecode therestof us, unlesstheprogram's reassure for review. Rules banning low-technology privacy toolsmayalso need reexaminationin light inpublicplaces. One possiblereaction to ofthereduced privacy in publicplaces wouldbe widespread of masks ubiquitous cameras wearing as fashion accessories. Many states, have antimask laws on the however, theKu Klux Klan; someof books,usually enacted as a meansof controlling thesestatutes aremorethan one hundred old.301 The statutes makeita years crime to appearin publicin a mask.302 Judicial opinion divided over appears whether prohibitions againstappearing maskedin public violatethe First Amendment.303 Regardless of theconstitutional issues,it is undeniable that existing antimask laws wereenacted before anyoneimagined thatall urban public spaces mightbe subjectto round-the-clock surveillance. Masks, whichwereonce identified with KKK intimidation, couldtakeon a newand potentially morebenign social purpose and connotation; if so, themerits of antimask laws-if they areevenconstitutional under theright to anonymous
301. See,e.g.,Walpole v. State, 68 Tenn. 370,372-73 (1878). 302. See WayneR. Allen,Klan, Clothand Constitution: Anti-Mask Laws and theFirst Amendment, 25 GA.L. REV.819,821 n.17(1991) (citing statutes from 10 states); OskarE. Rey, Antimnask Laws: Exploring theOuter Bounds ofProtected theFirstAmendmentSpeechUnder Statev. Miller, 260 Ga. 669, 398 S.E.2d 547 (1990), 66 WASH. L. REV. 1139, 1145 (1991). Additionally, 18 U.S.C. ? 241 makes ita felony for twoor more to travel in disguise persons on publichighways or enter thepremises of another with theintent to prevent thefree exercise and ofanylegalright enjoyment orprivilege citizen. byanother See 18U.S.C. ? 241 (1999). 303. Decisionsholding antimask laws unconstitutional include: American of Ku Knights KluxKlanv. City ofGoshen, 50 F. Supp.2d 835,840 (N.D. Ind. 1999)(holding that a city ordinanceprohibiting mask-wearing forthepurpose of concealing in publicviolated identity First Amendment rights tofreedom ofexpression andanonymity); v. Mackey, Aryan 462 F. Supp.90,91 (N.D. Tex. 1978) (granting temporary restraining order preventing enforcement of antimask law against Iranian students demonstrating against theShah); Ghafari v. Municipal 150 Cal. Court, Rptr. 813,819 (Cal. Ct.App.1978)(holding that a statute prohibiting wearing masks inpublic was overbroad andfinding thestate's fear that violence would result from themere presence ofanonymous persons is "unfounded"). Cases upholding antimask laws include:Church of theAmerican of theKu Klux Knights Klanv. Safir, No. 1999U.S. App.LEXIS 28106(2d Cir.Oct.22, 1999)(staying order ofinjunction against an 1845NewYorkstate lawforbidding masks atpublic demonstrations); Ryan v. County of DuPage, 45 F.3d 1090,1092(7thCir.1995)(upholding a rule prohibiting masks inthecourthouse a First against Amendment challenge on grounds that the rulewas reasonable because "[t]he wearing of a mask inside a courthouse impliesintimidation"); Hernandez v. Superintendent, Fredericksburg-Rappahannock Joint Security Center, 800F. Supp.1344,1351n.14(E.D. Va. 1992) (noting that a statute might havebeenheldunconstitutional ifpetitioner haddemonstrated that unmasking himself would haverestricted hisability toenjoy free speech andfreedom ofassociation); Schumann v. State, 270 F. Supp.730,731-34(S.D.N.Y. 1967)(denying temporary injunction of enforcement ofa statute requiring licensing ofassemblage ofmasked persons); State v. Miller, 398 S.E.2d547(Ga. 1990)(rejecting challenge toantimask statute); State v. Gates, 576P.2d 1357,1359 (Ariz.1978)(rejecting a challenge to an antimask provision in an indecent exposure statute); Walpole, 68 Tenn.at 372-73(enforcing statute); Hemandez v. Commonwealth, 406 S.E.2d 398,401 (Va. Ct.App.1991). Compare Allen, supranote 302,at829-30 (arguing for thevalidity andretentionofantimask laws),with Rey, supranote302,at 1145-46 (arguing that antimask lawsareunconstitutional).
May2000]
THEDEATHOFPRIVACY?
1533
in McIntyre v. Ohio ElectionsCommission304-willneed speechenunciated rethinking. 2. Usinglaw tochangethedefaults. As the dimensions of the technological threat to privacyassumptions havebecomeclearer, gradually and techacademics, privacy commissioners, haveadvanced nologists a number of suggestions forlegal reforms designed to shift the law's default rule away from formal data neutrality regarding collection.Rather than transactional databelong and having jointly severally to bothparties, someproposals wouldcreate a traditional or an inproperty tellectual in personaldata,whichcould not be takenby property interest merchants or observers without bargaining.Others proposenew privacy torts and crimes, or updating of old ones,to makevarious kindsof datacolin lection publicorprivate orevencriminal. spacestortious Whilesomeof these proposals haveevident merit, they also have drawbacks. a. Transactional data-oriented solutions. Scholarsand others have proposed a number of legal reforms, usually baseduponeither traditional property orintellectual property law,to increase theprotection availabletopersonal databyvesting thesole initial right touse it in thedata subject. Although current proposals are theproduct of great and thusvaryconsiderably, ingenuity the commonelement is a desireto changethedefault rulesin theabsenceof agreement. Changing thedefault ruleto createa property interest in personal data,evenwhenshared witha or visiblein public,has a number merchant, of attractive properties.305 It also has significant problems, however, both theoretically andpractically. One problem is thatanysuchrulehas to be crafted withcare to avoid theentire trampling First Amendment. Anyrulethat makesit an offense to express whatone sees or knows(such as who shopsin one's storeor who sleptwith whom)strikes dangerously close to corevaluesof freespeech.306 Current doctrine leaves open a space forlimited regulation of transactional
304. 514 U.S. 334 (1995). 305. For a micro-economic argument thatthischangewould be efficient given existingmarket imperfections, see KennethC. Laudon, Extensions to the Theory of Marketsand Privacy: Mechanics ofPricing Information, in PRIVACYAND SELF-REGULATION IN THE INFORMATION AGE, supra note275, at 41.
306. See, e.g.,Rochelle Cooper Dreyfuss, Finding (More)Privacy Protection inIntellectual Property Lore,1999STAN.TECH. L. REV. VS 8 <http://stlr.stanford.edu/STLR/Symposia/Privacy/
index.htm>;Diane Leenheer Zimmerman, Information as Speech, Information as Goods: Some Thoughts onMarketplaces andthe BillofRights, 33 WM. & MARY L. REV. 665 (1992) (worrying thatthisis a bad thing).
1534
STANFORDLAWREVIEW
[Vol.52:1461
oftheCableTelevision thelines ActandtheBork dataalong Bill.307 That As Professor arewiseoreasyto draft. suchrules doesnotmean KangreifBillClinton hadsovereign would what minds us: "Consider conhappen information about him. Then theNewYork trol overevery bitofpersonal BillClinton withinformation about Times could not write aneditorial using No one seriously that outhis approval."308 much suggests giving anyone nottopublic control their andcertainly over personal data, figures. Rather, on propertyor intellectual-property-based concentrate proposals usually transactional data. From a privacy theattraction ofshifting thedefault perspective, ruleis evident. userignorance of theprivacy of discloCurrently, consequences ofdatacollection, theextent andtheaverage valueofa datum, sure, combinedwiththe relatively costs of negotiating hightransaction privacy provisions in consumer transactions governed by standard form clauses, causes issues off inmuch todrop the radar ofroutine privacy economic life. incapturing Firms interested andreselling user data havealmost noincentive to change this state ofaffairs.309 thedefault ruleto require Shifting a data collector to make ofagreement somesort with hersubject before having a right toreuse her datagives thesubject the benefit ofnotice andoftransaction costs. Thetransaction costelement is particularly significant, butalso potentially the misleading. Shifting default rule means that so long as the transaction costs ofmaking anagreement arehigh, the right topersonal data willnot transfer andprivacy willbe protected. Itis a mistake, however, tothink that transaction costsare symmetrical. The very structural features of market that exchange make itcostly for individuals tonegotiate exceptional privacy clauses intoday's market make itinexpensive for theauthor ofthestandard form clauseto worditin order to include a conveyance ofthedataanda consent toitsuse.310 Whether itis worth the trouble, oreven economically efficient, tocraft a system that inpeople results selling their data for a frequent flyer mile ortwo depends primarily upon whether people areabletovalue the consequences of disclosure andwhether properly contract rules canbe changed toprevent the ofthe tyranny standard form. Ifnot, then the standard form willcontinue to
307. See textaccompanying notes260-262 supra. 308. Kang,supra note 16,at 1293 n.332. 309. See, e.g., Paul Schwartz,Privacy and Democracy in Cyberspace,52 VAND. L. REV. 1609, 1686 (1999) (noting"the lack of incentives to make themajority of firms oppose theirselfinterest, whichlies in maintaining thestatus quo"). 310. Cf. Philip E. Agre, Introduction, inTECHNOLOGY & PRIVACY, supranote178,at 1, 11 (notingan information asymmetry between firmsand consumers: firmscontrolthe releases of information aboutthemselves and aboutwhatinformation have on consumers). they
May2000]
THEDEATHOFPRIVACY?
1535
muchof the solution, dominate to the detriment of data privacy; privacy willdo therest. myopia theadvancesin technology Ironically, that are reducing thetransactions costsofparticularized also workto facilitate thesale of personal contracting thecostenough to makethepurchase data,potentially lowering worthwhile. If transaction costs reallyare dropping, it maybe moreimportant to craft rulesthat contracts fordata exchange and prevent thedata require separate sale from form.Such a rulewouldrequire becoming partof a standard not onlyan option to "opt-in" or "opt-out" as an explicit stepin a transaction, if nota wholly that failure to convey separate one,butalso wouldrequire rights topersonal datahaveno repercussions. Buteventhat maynotsuffice. Here, the Europeanexperience is especiallyinstructive. Despite state-of-the-art dataprivacy law,people,
routinely and unknowingly contracted awaytheir to informational right selfdetermination as part andparcel ofa business deal,inwhich theright itself was notevena 'bargaining chip'during negotiations. But,sinceconsent ofthedata subject hadtobe sufficient ground topermit information ifonetakes processing seriously theright to self-determination, suchcontractual devaluations of data protection werelegally valid, andtheindividual's right to dataprotection sudturned into a toothless denly paper tiger.311
In short, even whenfacedwithEuropean dataprotection law, thestandard form triumphed. Giventhat property-law-based solutions are undermined in themarketplace, someEuropean nations have gone further and removed a consumer's freedom to contract awayherright to certain classes of data,suchas information aboutrace,religion, and political opinions.312 Whilelikely to be an effective privacy-enhancing solution, thisis neither one that corrects market in failure order to letthemarket reachan efficient outcome, norone that relies on property rights; itthuseliminates themostcommon justifications for property-law-based proposals to dataprivacy.313 b. Tort law and other approaches topublicdata collection. Tortand criminal-law-based proposals to enhance dataprivacy tendto differentiate betweendata collectedin places whereone has a reasonable expectation ofprivacy, suchas one's home, andpublicplaces where thelaw usually presumes no suchexpectation. Some of themoreintriguing proposals further differentiate bythemeansusedto collectinformation, with sense311. ViktorMayer-Sch6nberger, Generational Development ofData Protection in Europe, in TECHNOLOGY & PRIVACY, supra note 178,at 219, 232. 312. See id. at 233. 313. Cf RichardS. Murphy, Property Rightsin Personal Information: An EconomicDefense of Privacy,84 GEO. L.J. 2381, 2410-16 (1996); Carl Shapiro & Hal R. Varian,U.S. Government Information Policy 16 <http://www.sims.berkeley.edu/-hal/Papers/policy/policy.html>.
1536
LAWRE STANFORD VIEW
[Vol.52:1461
enhanced to increased newones,beingsubject collections, especially regulation. For example, there are proposals to expandthetort of unreasonable intrusion to include intoprivate peering spaces. Where thetort ofpreviously ten required the tortfeasor's presencein the private the proposal space,314 allows thepresence requirement to be fulfilled A rejuvenated virtually.315 tort of unreasonable intrusion might adaptwell to sense-enhanced scanning ofthebodyor thehome. It is unlikely to cope as wellwith datagenerated in commercial transactions, forthe same reasonsnotedabove: transactional data are (at leastformally) disclosedwithconsent. Similarly, torts privacy are unlikely to have muchimpact on DNA or medicaldatabasessince the data are either extracted withconsent, or in circumstances, such as arrests, where consent is notan issue. Thereis also reasonto doubtwhether privacy torts can be extended to coverCCTV and other forms ofpublictracking. Traditionally, privacy torts do notprotect in publicview on thetheory things thatsuch things are,by notprivate.316 definition, Expanding to coverpublicplaceswouldconthem flict directly with theFirst Amendment. Some states havechosen topromote specialized types ofprivacy through targeted statutes.California's antipaparazzi statute maybe a model.317 It
314. The tort an objectively currently requires reasonable ofprivacy expectation inplaceor circumstances. See RESTATEMENT (SECOND) OF TORTS? 652B (1965). Somejurisdictions also require anactual trespass bythe defendant. See,e.g.,Pierson v. NewsGroup Publications, Inc.,549 F. Supp.635,640(S.D. Ga. 1982). 315. "The time has come," argues Professor "forcourts McClurg, to recognize and openly theexistence forthrightly ofthe of'public concept andtoafford privacy' ofthat protection right by allowing forintrusions recovery that occurin or from placesaccessible to thepublic." McClurg, supranote195,at 1054-59 to revive (proposing thetort of invasion of privacy in publicplaces through application ofa multipart test); see also DianeL. Zimmerman, Requiem fora Heavyweight: A Farewellto Warren and Brandeis' Privacy Tort, 68 CORNELLL. REV.291, 347-48,358-62 (1983). 316. See Dow Chemical Co. v. United States, 476 U.S. 227,239 (1986) (holding that taking aerial photographs is nota Fourth Amendment search); Shulman v. Group W Prod., Inc,955 P.2d 469,490 (Cal. 1998)(distinguishing between an accident inpublic scene, view,andmedivac helicopter, where there was a reasonable expectation ofprivacy); see also PROSSERAND KEETONON THELAWOF TORTS? 117(5th ed. 1984).
317. CAL. CIV. CODE. ? 1708.8(b) (West 1999): A person is liableforconstructive invasion ofprivacy whenthedefendant attempts to capture, in a manner that is offensive toa reasonable person, anytype ofvisualimage, soundrecording, or other physical impression of theplaintiff in a personal engaging or familial activity under circumstances in whichtheplaintiff had a reasonable expectation of privacy, through theuse of a visualor auditory enhancing device,regardless of whether there is a physical trespass, if thisimage, soundrecording, or other physical impression couldnothavebeenachievedwithouta trespass unlessthevisualorauditory enhancing devicewas used. Id ? 1708.8(k): Forthepurposes ofthissection, "personal and familial activity" includes, butis notlimited to, intimate details oftheplaintiff's personal life, interactions with theplaintiff's family or significantothers, orother aspects ofplaintiff's private affairs or concerns.Personal and familial ac-
May2000]
THEDEATHOF PRIVACY?
1537
for thegathering of information focuses on creating carefully liability byprivatepersons tools. Whileexpanding thezone ofpriusingsense-enhancing vacy in thehome,treating one's property line like a wall impermeable to on public streets and purposely data,the statute does not cover activities First obstacles. avoidsother Amendment WhiletheCalifornia narrow zones ofprivacy, statute focuses on creating an alternate seeks to regulate access to tools thatcan undermine approach privacy.For example, 18 U.S.C. ? 2512 prohibits themanufacture, distribuof wire,oral,or electronic tion,possession, and advertising communication intercepting devices.318 itis time Perhaps to call for of"snooper's regulation tools," akin to the commonlaw and statutory of "burglar's regulation
tools?"319
Bothof theseapproaches havepotential, although bothalso havepractical limitations in addition to substantial First Amendment constraints. Many privacy-destroying toolshavelegitimate uses. For example, television cameras, even surveillance cameras,have their place, in banks,forexample. Thus blanket rulesprohibiting access to thetechnology are unlikely to be adopted, andwouldhavesubstantial costsifthey were. Rulesallowing some uses butnotothers are likely to be difficult to police. Technology controls will workbestif thetechnology is youngand notyetwidelydeployed; but thatis the moment whenbothknowledge aboutthe technology, and the chanceofpublicoutrage and legislative action areminimal.As for theCalifornia antipaparazzi statute, it only appliesto private collection of senseenhanced data. It addresses either data collection by law enforcement nor database issues.320 And,as noted, itdoesnotapply topublicspaces.
tivity does notincludeillegalor otherwise criminal as delineated activity in subdivision (f). However, "personal and familial shallinclude activity" theactivities ofvictims ofcrime in circumstances where either subdivision (a) or(b), orboth, wouldapply. 318. 18 U.S.C. ? 2512(1)(a), (b) (2000): Exceptas otherwise inthis specifically provided chapter, anyperson whointentionally(a) sendsthrough themail,or sendsor carries in interstate or foreign commerce, any electronic, mechanical, or other device,knowing or having reasonto knowthat thedesignof suchdevicerenders itprimarily useful for thepurpose ofthesurreptitious interception of wire, oral,or electronic communications; (b) manufactures, assembles, possesses, or sells anyelectronic, mechanical, or other device,knowing orhaving reason to knowthat thedesign ofsuchdevicerenders itprimarily usefulfor thepurpose ofthesurreptitious interception ofwire, oral,or electronic communications, and thatsuchdeviceor anycomponent thereof has been or will be sentthrough themail or in interstate transported or foreign commerce. 319. See Annotation, Validity, Construction, and Application ofStatutes Relatingto Burglars' Tools, 33 A.L.R.3d 798 (1970 & Supp. 1999). ("Statutesmakingunlawfulthe possession of burglars' toolsor implements have been enactedin mostjurisdictions."). 320. For a criticism of theseand otherlimitations, see Privacy,Technology, and the California "Anti-Paparazzi"Statute, supra note 198,at 1378-84.
1538
STANFORD LAWREVIEW c. Classicdataprotection law.
[Vol.52:1461
April, 2000.323
withmarket-based The failure of self-regulation, and thedifficulties aphave led regulators in Europe,and to a muchlesserextent proaches, in the UnitedStates, to craft dataprotection laws. Although Unionlaws European are perhaps best knownfortheir restrictions on data processing, reuse,or resaleof data,theUnion's rules,as well as thoseof variousEuropeannations,also containspecificlimitson the collectionof sensitive typesof data.32'European on datause have an extraterritorial Unionrestrictions diin that mension, they theexport of data to countries prohibit thatlack data protection rulescomparable to theUnion's.322 Theseextraterritorial rulesdo not,however, requirethatforeign data collectionlaws meet the Union's theUnited standards, States on itsownto decidewhatprotections, leaving if any,itshould enact to safeguard itsconsumers andcitizens. So far,laws have been few and generally withthe California narrow, antipaparrazi statute a typical example. Thereis one sign,however, that things to change: Whatmaybe themostimportant maybe starting United States'experiment with limits on personal meaningful datacollection by the private sector is aboutto begin. Late lastyeartheFTC promulgated detailed rulesrestricting the collection of data onlinefrom children underthirteen without explicit parental consent.Theserulesare due to comeintoeffect in III. Is INFORMATION PRIVACYDEAD?
In The Transparent Society, futurist David Brinarguesthat thetimefor privacy laws passedlongbefore anyone noticed:"[I]t is already fartoo late to prevent theinvasion of camerasand databases. ... No matter how many laws arepassed,itwillprovequiteimpossible to legislate awaythenew surveillancetools and databases. Theyare hereto stay."324 Instead, perhaps anticipating smart dust, he suggests that thechiefeffect ofprivacy laws will be "to 'makethebugssmaller."'325 He is equallypessimistic abouttechnical countermeasures to data acquisition, sayingthat"theresulting surveillance armsrace can hardly favor the 'littleguy'. The rich, thepowerful, police agencies,and a technologically skilledelite will always have an advan-
5.
321. See Mayer-Schonberger, supra note 311,at232; SCHWARTZ & REIDENBERG, supra note
322. See SWIRE& LITAN, supra note5; SCHWARTZ & REIDENBERG, supra note5. 323. See FTC Children'sOnline PrivacyProtection Rule, 16 C.F.R. ? 312.5 (effective Apr. 21, 2000), (requiring parentalconsentpriorto collectionof information fromchildrenunderthir-
teen).
324. BRIN, supra note 11,at 8-9. 325. Id. at 13.
May2000]
THEDEATHOF PRIVACY?
1539
tage."326 that Havingconcluded as we knewit is impossible, privacy Brin thecritical goes on to arguethat citizens policyissuebecomeswhether will have access to thedatainevitably enjoyed by elites. Onlya policyof maximal shared one in whichall state-created and mostprivatelytransparency, created data are equallyaccessibleto everyone, can createthelibpersonal andaccountability erty neededfor a free society. Brin's pessimism of privacy abouttheefficacy laws reflects the law's weakresponse to thereality ofrapidly increasing surveillance bybothpublic and private bodies described in PartI. Current laws in theUnited privacy Statesmakeup at best a thinpatchwork, one thatis plainlyinadequate to meetthechallenge of new data acquisition technologies.Generalinternationalagreements thataddress theprivacy issue are no better.327 Even the vastly moreelaborate privacy laws in Europeand Canadapermit almost any consensual collection andresaleofpersonal data.328 The worldleaderin the of surveillance deployment theUnitedKingdom, cameras, has some of the strictest dataprotection rulesin theworld, butthishas donelittle or nothing to slow thecameras'spread. Whatis more, thelaw often tendsto impose barriers to privacy-enhancing technology, or to endorse and require various forms of surveillance:In thewordsof one CanadianInformation and Privacy Commissioner, "the pressures for surveillance are almost irresistible."329
Despitetheveryweak legal protections of informational privacy in the UnitedStatestoday, there is an argument thatBrin'spessimism aboutthe potential forlaw to control technology and ScottMcNealy's defeatism are or at leastpremature. unfounded, No legalruleis likely to be perfect. Laws areviolated all thetime. But,making things illegal, orregulating them, does influence outcomes, and sometimes theeffort required to achievethoseoutcomesis worth thecost.
326. Id. 327. Intemational agreements towhich theUnited States is a party speakin at leastgeneral terms ofrights toprivacy. Article 12ofthe Universal Declaration ofHuman Rights, adopted bythe United Nations in 1948,states that "[n]oone shallbe subjected to arbitrary interference with his privacy, family, home orcorrespondence." G.A.Res.217A(III), U.N. GAOR,3d Sess.,Supp.No. 13,at71,UN Doc. A/810 (1948)<http://www.hrweb.org/legal/udhr.html>. Similarly, Article 17of theInternational Covenant on CivilandPolitical Rights states that "[n]oone shallbe subjected to arbitrary orunlawful interference with hisprivacy, home orcorrespondence, family, nortounlawful attacks on hishonour andreputation." International Covenant onCivilandPolitical Rights, March 23, 1976, art.17,999U.N.T.S.171<http://www.unhchr.ch/html/menu3/b/a_ccpr.htm>. Bothagreements state that "[e]veryone hastheright totheprotection ofthelaw against such interference orattacks." 328. Potentially invidious categories suchas ethnicity aresometimes subject to special regulation. 329. DavidH. Flaherty, Controlling Surveillance:Can PrivacyProtection Be Made Effective, in TECHNOLOGY & PRIVACY, supra note178, at 167,170.
1540
VIEW LAWRE STANFORD
[Vol.52:1461
thepoliceto wiretap are a case in point. It is illegalfor statutes Wiretap to intercept third parties a warrant, anditis illegalfor lineswithout telephone to of one or bothparties calls without theconsent and cellular bothlandline thateither of these to suggest thecall.330It wouldbe naivein theextreme it wouldbe of their illegality; as a result disappeared completely practices laws are that the that this demonstrates to suggest though, wrong, equally werelegal,and the and telephone eavesdropping If wiretapping ineffective. therewould be muchmore tools easily available in everyhobbyshop,331 andeavesdropping. wiretapping thelaw that fortheproposition stands Even thedrugwar,whichsurely the also supports in a democracy, as a tool of social control has its limits us, changebehavior. It also reminds thatlaw can sometimes proposition kinds different notbe enough.Thereare many that law alonemight though, theleasteffective is often opregulation and control of laws,and command
tion.332
anlaws and thedrugwar underline thewiretap between The contrast data to use law to reignin personal in anyattempt element other important forsomean incentive creates that is a mechanism collection:Unlessthere effectivelegalruleswill have at bestlimited one to police forcompliance, crimessuch as drug usage is ness.333 Policingof so-called victimless pothemostimportant In contrast, bythelackof suchincentives. hampered gathout illegally byjudges,who throw law is conducted licingof wiretap by highlymotivated petitions ered evidencein the course of reviewing privacy damagesforfalsifying In other cases,suchas statutory defendants. forpolicing incentives economic thelaw can createor reinforce policies,334 compliance. new to craft anyattempt At leastone other shapesandconstrains contrast between As thecontrast technology. to privacy-destroying legal responses forthinking our legal categories PartsI and II of thispaperdemonstrates, from evolution different radically of a product are the collection aboutdata informanew ways of capturing produces thetechnological armsrace that well with do not lineup particularly technologies tion. Privacy-destroying whytheUnitedStatesConthelegal rulesthat them. Thisexplains govern in informational stitution is unlikely to be thesourceof a greatexpansion
330. Some statesrequire consent of bothparties, somejust one. 331. In the case of analog cellularphones,the tools are available in most Radio Shacks, although theyrequireslight modification. See RICHWELLS,RADIOSHACKPRO-26 REVIEW<http:// www.durhamradio.ca/pro26r.htm>; cf Boehnerv. McDermott, 191 F.3d 463, 465 (D.C. Cir. 1999) (describing theuse of a scanner to eavesdrop). 332. See generallyRichardB. Stewart, TheReformation ofAmerican Administrative Law, 88 HARV.L. REV. 1667 (1975). 333. See RobertGellman,Does Privacy Law Work?,in TECHNOLOGY & PRIVACY,supra note293, at 193, 214-15. 334. See textfollowing note288 supra.
May2000]
THEDEATHOFPRIVACY?
1541
privacy rights.The Constitution does notspeakofprivacy, muchless informational the Supreme privacy. Even though Courthas acknowledged that "there is a zone of privacy the data consurrounding everyindividual,"335 tours of that "zone" are murky indeed. The Supreme Court'srelatively few discussions of informational tendto be either in dictaor in theconprivacy textof finding other interests moreimportant,336 or both.337 faSimilarly, miliar constitutional suchas publicforums, categories limited publicforums, and nonpublic forums on future mappoorly debatesabouthow to createor protect zonesofprivacy against privacy-destroying technologies. The variety of potential uses and usersof data frustrate anyholistic attempt to protect dataprivacy.Again,constitutional doctrine is illustrative. Whatever to informational right privacy mayexisttoday, it is a right against governmentally sponsored invasions of privacy only-it does notreachprivateconduct.338 Thus,evenifthecourts wereto find in thefederal Constitution a more robustinformational privacyright, it would addressonly a oftheproblem.339 portion
sion, 25 FLA. ST. U. L. REV. 25, 53 (1997).
335. Cox Broadcasting 420 U.S. 469,487 (1975);see also Griswold Corp.v. Cohn, v. Connecticut, 381 U.S. 479, 484-85(1965) (describing howtheThird andNinth Amendments create "zonesofprivacy"). 336. E.g.,Nixonv. Administrator ofGen.Serv., 433 U.S. 425, 465 (1977) (suggesting that theformer President has a privacy interest in hispapers).In Whalen, theCourt that the accepted right toprivacy includes a generalized "right tobe letalone," which includes "the individual interest inavoiding disclosure ofpersonal matters." Whalen v. Roe,429 U.S. 589,599 (1977) (finding that whatever privacy interest exists for ininformation patients about their was insufficient prescriptions toovercome the compelling state interest). 337. Theleading counterexample tothis assertion is United States Dept.ofJustice v.ReportersComm. forFreedom ofPress, 489 U.S. 749 (1989),inwhich theSupreme Court heldthat there was a heightened privacy interest inan FBI compilation ofotherwise public information sufficient to overcome an FOIA application. Evenifthedatacontained in a "rapsheet" wereavailable in public records located inscattered thecompilation courthouses, the"computerized itself, summary ina single located clearinghouse" wasnot.Id. at764. 338. Other than itsdirect prohibition of slavery, theUnited States Constitution does notdirectly regulate private conduct. Somestate constitutions' privacy provisions alsoapply tothegovernment. only Forexample, theFlorida constitution provides that "[e]very natural person hastheright to be letaloneandfree from governmental intrusion intotheperson's private lifeexcept as otherwise provided herein. Thissection shallnotbe construed to limit thepublic's right ofaccesstopublic records andmeetingsas provided bylaw,"FLA.CONST.artI., ? 23,butthis doesnotapply to private actors.See Hon.BenF. Overton & Katherine E. Giddings, TheRight ofPrivacy inFloridainthe AgeofTechand theTwenty-first nology A Need Century. forProtection from Private and Commercial Intru-
In 1972thepeopleoftheState ofCalifornia adopted a ballot initiative recognizing an "inalienable right" to "privacy": "All peoplearebynature free andindependent andhaveinalienable rights. these Among are enjoying anddefending lifeandliberty, acquiring, possessing, andpro-
billingrecords),withUnitedStatesv. Miller,425 U.S. 435 (1976), and California BankersAssn. v. Shultz,416 U.S. 21 (1974) (finding no suchright in theFederalConstitution).
339. Somestate constitutions go further. State v. Hunt, Compare 450 A.2d 952 (N.J.1982) that (holding theNew Jersey state constitution a protectable creates privacy interest in telephone
1542
STANFORDLAWREVIEW
[Vol.52:1461
Rulesaboutdataacquisition, anduse that workfor retention, might nosy neighbors, merchants, or credit bureaus not be when might appropriate appliedto intelligence agencies. Conversely, governments mayhave access to information ortechnology that theprivate sector lackstoday butmight obtain rulesthat tomorrow; focus toonarrowly on specific uses orusersaredoomed to lag behind technology. one's scope(as I havein thisarticle) Restricting to dataacquisition, and leaving asidetheimportant issuesof dataretention and reuse,may make the problem moremanageable, but even so it remains dauntingly becausetheregulation complex ofa singletechnology tends tobe in different framed ways depending upon the context. Sense-enhanced searches, forexample, tendto be treated as Fourth Amendment issueswhen conducted by thegovernment. If theintruder is private, theFourth Amendment is irrelevant. one might Instead, have to consider whether heractions constitute an invasive tort of sometype(or perhaps evena misappropriation of information), who owns the information, and whether a proposedrule limiting theacquisition or publication of theinformation might runafoulof theFirst Amendment.340 Thatsaid,technological change has notyetmovedso faror so quickly as to makelegalapproaches toprivacy protection irrelevant. Thereis muchthe law can do, onlya little ofwhich has yetbeentried.Manyofthesuggestions outlined abovearepiecemeal, orincremental. preliminary, Atbestthey form onlypartof a moregeneral strategy, whichwill also focuson encouraging theadoption of fair information practices andtheregulation ofdatause once ithas beencollected.Whenever thelaw can address theissueofdatacollectionitself, it reduces however, thepressure on dataprotection law and contributes to dataprivacy greatly protection; theconverse is also true: Rules
tecting andpursuing property, andobtaining andprivacy." safety, CAL.CONST. happiness, art. I, ? I. In 1994theCalifornia Supreme Court heldthat the1972privacy initiative created a right of action against private actors as wellas thegovernment. See Hill v. National Athletic Collegiate Ass'n,865 P.2d 633, 644 (Cal. 1994). Although it described informational as the"core privacy valuefurthered bythePrivacy the Initiative," court also listed several conditions that would haveto be met a claim before that asserting couldsucceed.A plaintiff right must show: (1) that thepublic or private is infringing defendant on a "legally protected privacy interest"-which in thecase of informational privacy an individual's means toprevent right the"dissemination ormisuse ofsensitiveandconfidential information"; (2) a "reasonable ofprivacy" expectation basedon "anobjective entitlement founded on broadly basedandwidely accepted community and(3) a "serious norms"; invasion" of privacy by thedefendant. Id. at 654-55. Eventhen, thecourt stated that privacy claims must be balanced against interests countervailing asserted bythe defendant. Id. at653. 340. Someissuesarecommon toboth andprivate public contexts: for example, whether the subject a reasonable enjoys ofprivacy. expectation Evenifthequestion is thesame, however, the answer maybe different. thesametechnology Generally initially raises distinct issuesin thetwo contexts, at leastuntil theinformation is sold,although this toomaycreate itsownspecialissues. States of Justice Department Cf United v. Reporters Comm. forFreedom of thePress, 489 U.S. 749,752-53, 762-63, 780 (1989) (holding that theFBI couldnotrelease criminal rapsheet consistingpredominately of information elsewhere on public record whendisclosure wouldinvade subject'sprivacy).
May2000]
THEDEATHOF PRIVACY?
1543
and use will shape what is collectedand how it is about data retention done.341 Thereis no magicbullet, no panacea. If theprivacy pessimists are to be provedwrong, the greatdiversity of new privacy-destroying technologies will have to be metwitha legal and social response that is at leastas subtle and multifaceted as the technological challenge. Given the rapidpace at whichprivacy-destroying technologies are beinginvented and deployed, a legalresponse must comesoon,oritwillindeed be too late.
341. Thelineofcasesbeginning with NewYork Times Co. v. Sullivan, 376 U.S. 254 (1964), is a goodexample ofthis phenomenon. Case law defining thecircumstances inwhich a publisher coulddefend itself a charge against oflibel-a problem ofdatause-generates a setofrules and procedures defining datacollection actions that reporters must obeyin order to be able to prove they complied with basicnorms ofduecare.

The Death of Privacy

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

The Death of Privacy

Uploaded by

Copyright:

Available Formats

Stanford Law Review

2000. After I had a chanceto read SIMPSON completing thisarticle

RESPONDING TO PRIVACY-DESTROYING TECHNOLOGIES ............................

JuRGEN THE STRUCTURAL HABERMAS, TRANSFORMATION OF THE PUBLICSPHERE4 (1962), it is

views includeKIM LANE SCHEPPELE, LEGALSECRETS:EQUALITYANDEFFICIENCY IN THE COM-

48. HiddenCamerasSolutions, Catalogue<http://www.concealedcameras.com/catalogue/

8 ALB.L.J. Privacy, LawstoEnhance FederalWiretap the Age:Revitalizing inthe Digital Privacy

94. See id.

Netscape, Are there Privacy Issues with What's Related? <http://home.netscape.com/escapes/

111. See, e.g., DigimarkCorp. <http://www.digimarc.com/>.

vestingthose serial numbersfromcustomers-along withtheirnames and addresses-even when

130. See LaurenWeinstein, IDs in Color Copies-A PRIVACYForumSpecial Report,

132. See Ny Teknick, Electrolux Demonstrates theSmart FridgeConcept, ETHOS NEWS,

Dinners, Mr.JavaandCounter Intelligence: Smart Prototyping Appliances forthe Kitchen (Nov. 1,

141. See AnnCavoukian, Biometrics and Policing:Comments from a Privacy Perspective

ality.Thisis unrealistic due becauseconsumers suffer from privacy myopia:

MODEL RULES OF PROFESSIONAL CONDUCT Rule 1.6. (1999).

214. 491 U.S. 524 (1989).

(1975)). 217. DailyMail,443 U.S. at 102.

264. See A. Michael Froomkin, TheMetaphor Is theKey: Cryptography, theClipper Chip,

279. See Jamie McCarthy, Is TRUSTeTrustworthy?, THE

FLOWS OF PERSONAL DATA <http://www.oecd.org/dsti/sti/it/secur/prid/PRIV-EN.HTM>; Roger

285. See, e.g., OECD, GUIDELINESON THE PROTECTION OF PRIVACYAND TRANSBORDER

ALA. L. REV. 869 (1999).

Computer Software inEuropeand theUnited A Comparative States: 22 COLUM.-VLA Approach,

LAWRE STANFORD VIEW

STANFORD LAWREVIEW c. Classicdataprotection law.

324. BRIN, supra note 11,at 8-9. 325. Id. at 13.

VIEW LAWRE STANFORD

sion, 25 FLA. ST. U. L. REV. 25, 53 (1997).

You might also like