Reason Magazine

No Telling

The push for Internet privacy controls combines a bad theory with a dangerous agenda.

Virginia Postrel from the June 1998 issue

Over the past week, I received about two dozen unsolicited mass e-mails, otherwise known as "spam." About half were devoted to sex, including six messages promoting a new Hustler Web site and one paradoxically promising a site "SO HOT WE CANT SHOW IT ON THE WEB." Most of the rest advertised the stuff of late-night TV commercials and dubious classified ads: "LUXURY CARS FOR UNDER $1000" from government auctions, family histories and coats of arms ("All Nationalities"), credit cards for people with lousy credit records, a psychic hotline. One offered to teach me how to become a spammer myself. The most reputable-seeming message promoted a site for golf-related classified ads.

I wasn't interested in any of them. None of the spammers had bothered to find out the most obvious facts about me--Hustler is not known for its appeal to women--much less to determine, for instance, that I have an excellent credit record and don't play golf.

Spam costs virtually nothing to send, and it bothers the people who receive it. That upsets "privacy advocates" and their friends in Congress: "No one--from the consumer to the small business[es] who run servers--should be forced to pay for unsolicited advertisements," said Rep. Chris Smith (R-N.J.) when he announced a bill to ban spam. Smith is too easily outraged. A week's worth of junk costs me maybe a quarter, hardly the sort of expense that justifies congressional action.

The cost to Internet service providers can indeed be substantial, and suits by American Online, Earthlink, and other ISPs have already forced big-time spammers to pay large damages for violating the ISPs' terms of service. But for consumers, spam should be of no more public concern than grocery lines, Sunday drivers, or squirming children in restaurants; it is simply part of living with other people, and the solution is as close as the delete key. To demand legal action every time something annoys you is the surest way to end up living in a conflict-filled society ruled by intrusive regulation and constant litigation. Telling people to hit "delete" or let their ISP know they're being bothered won't attract TV cameras, however. For that you need a crisis and a bill.

Cyberspace is full of "crises" these days, many involving "privacy rights," and Congress is full of bills to address them, 32 by one count. What really has privacy advocates riled isn't spam but its exact opposite: targeted marketing information. Cyberspace offers people the chance to easily find others with similar interests--hence the flourishing of specialized Web sites and Usenet groups. That same efficient search, enhanced by sorting software, has commercial applications. Web sites can collect data from the people who visit them and either display individually tailored advertising or send visitors product information later. Or they may not be interested in individual information at all but in general patterns and aggregates: What is the average age of our audience? Which parts of our site are most popular? Where do our visitors come from?

The answer to the burning question, How is anyone ever going to make money on the Web?, probably lies in collecting and efficiently using such information. Eventually commercial sites must pay for themselves, and one of the most promising ways to do so is to use them to find customers for other products and services.

Absent a single, government-imposed rule for what information can be gathered and how it can be used, commercial Web sites have taken many different approaches: Some let individuals choose exactly what to reveal about themselves and how to let the information be used. Others tell visitors how they intend to use information and leave it to each visitor to decide whether to stick around. Still others say nothing at all, letting the surfer beware. (Common sense goes a long way in those cases: If a site asks your name, address, and telephone number, chances are the company may someday try to sell you something, and it may also rent or sell the information to others.) Meanwhile, software has been developed that gives Web browsers more control over what information can be automatically collected about them. And many people surf anonymously.

This laissez faire regime not only allows different strokes for different folks. It also lets bootstrapped Web sites grow without immediately creating complex systems for managing information from visitors. It allows small operations to informally poll people without violating federal laws. It permits experimentation and learning. It fits the flexible, diverse, entrepreneurial, sometimes-amateurish world of the Web.

Very little of this commercial activity has hostile intent, unless you consider advertising assault. But it displeases people for whom "privacy" is an absolute. Under pressure from privacy lobbyists, the Federal Trade Commission is out trolling the Web, looking for sites that dare to collect information from visitors without posting a "voluntary" privacy policy. But privacy policies, voluntary or not, won't satisfy advocates who are determined to impose a single standard on everyone.

Testifying before a House subcommittee in late March, Marc Rotenberg, the director of the Electronic Privacy Information Center, condemned the variety and gradual evolution of privacy standards. "Where once individual consent was central to the disclosure of personal information, now the focus is on individual choice for a range of disclosures," he said. "Where privacy techniques focused on the means to protect identity, now the focus is on means to obtain information. Many of the techniques that are put forward as `technical solutions'...will make it easier, not more difficult, to obtain information from individuals using the Internet. Something is clearly amiss."

Rotenberg is infuriated by the very idea of "self-regulation." Debating how to give Web surfers choices, he maintains, detracts from the urgent need to adopt a single, technocratic standard for everyone. All this choice is too disorderly and out of control. It does not produce the outcome Rotenberg wants. "[S]elf-regulation has not helped protect privacy on the Internet," he says. "It has in fact made it harder for us to focus on the larger questions of a coherent privacy policy. It has also led to erosion in our basic understanding of privacy protection." Self-regulation has permitted diversity and allowed people to disagree. If you believe that "privacy" is an inalienable right, that is an intolerable situation.

By their nature, new communications technologies make it harder to keep secrets: "We shall soon be nothing but transparent heaps of jelly to each other," worried a London writer in 1897, concerned about the telephone. And there is no question that the general public is anxious about protecting privacy in cyberspace. They've heard lots of scary stories about stalkers, child molesters, con artists, and credit card fraud. They've read George Orwell. They're easily persuaded that every corner of the Web is filled with vicious evil people. "Privacy advocates" like Rotenberg tap into that generalized fear--much of it a fear of totalitarian government--to justify a broad agenda of commercial regulation, based on dangerous assumptions about the nature of information and identity.

True to our technocratic political culture, people are unwilling when asked about the subject to be patient. A much-cited Business Week poll found that 53 percent of respondents said that "government should pass laws now for how personal information can be collected and used on the Internet," while 23 percent said that "government should recommend privacy standards for the Internet but not pass laws at this time." Only 19 percent said that "government should let groups develop voluntary privacy standards but not take any action now unless real problems arise." As David Medine, the FTC's point man on the issue, told Business Week, "This is the last year for industry to demonstrate effective self-regulation."

Before we rush to replace diverse and voluntary standards with a single, inflexible approach, however, it's worth considering the many different issues subsumed under the label "privacy" and "personal information." The stakes are much higher than advocates like Rotenberg often admit: In the name of privacy, activists are pushing serious restrictions on the freedom to gather and disseminate truthful information--otherwise known as freedom of speech and the press. They are demanding that businesses provide valuable information without reaping anything in return. They are seeking to impose today's preferences, technologies, and limited imagination on the unknown and evolving future. And the world of stifled speech they want to create is not limited to a few big players in a well-defined (and implicitly suspect) "industry." It includes everyone who sells anything or collects any information in cyberspace: from Time Warner and Yahoo! to startup entrepreneurs working out of their spare bedrooms and teenagers gathering e-mail addresses of fellow Leonardo DiCaprio fans.

Privacy advocates begin with the assumption that you own your "identity"--all the disparate information about yourself--and therefore have the right to control which information is available to others. That's what Rotenberg means when he refers to "consent." Such activists want to require that before someone can tell someone else a fact about you, the teller should have to get your permission; you exclusively own the facts about your life, your "personal information."