No Telling

The push for Internet privacy controls combines a bad theory with a dangerous agenda.


Over the past week, I received about two dozen unsolicited mass e-mails, otherwise known as "spam." About half were devoted to sex, including six messages promoting a new Hustler Web site and one paradoxically promising a site "SO HOT WE CANT SHOW IT ON THE WEB." Most of the rest advertised the stuff of late-night TV commercials and dubious classified ads: "LUXURY CARS FOR UNDER $1000" from government auctions, family histories and coats of arms ("All Nationalities"), credit cards for people with lousy credit records, a psychic hotline. One offered to teach me how to become a spammer myself. The most reputable-seeming message promoted a site for golf-related classified ads.

I wasn't interested in any of them. None of the spammers had bothered to find out the most obvious facts about me–Hustler is not known for its appeal to women–much less to determine, for instance, that I have an excellent credit record and don't play golf.

Spam costs virtually nothing to send, and it bothers the people who receive it. That upsets "privacy advocates" and their friends in Congress: "No one–from the consumer to the small business[es] who run servers–should be forced to pay for unsolicited advertisements," said Rep. Chris Smith (R-N.J.) when he announced a bill to ban spam. Smith is too easily outraged. A week's worth of junk costs me maybe a quarter, hardly the sort of expense that justifies congressional action.

The cost to Internet service providers can indeed be substantial, and suits by American Online, Earthlink, and other ISPs have already forced big-time spammers to pay large damages for violating the ISPs' terms of service. But for consumers, spam should be of no more public concern than grocery lines, Sunday drivers, or squirming children in restaurants; it is simply part of living with other people, and the solution is as close as the delete key. To demand legal action every time something annoys you is the surest way to end up living in a conflict-filled society ruled by intrusive regulation and constant litigation. Telling people to hit "delete" or let their ISP know they're being bothered won't attract TV cameras, however. For that you need a crisis and a bill.

Cyberspace is full of "crises" these days, many involving "privacy rights," and Congress is full of bills to address them, 32 by one count. What really has privacy advocates riled isn't spam but its exact opposite: targeted marketing information. Cyberspace offers people the chance to easily find others with similar interests–hence the flourishing of specialized Web sites and Usenet groups. That same efficient search, enhanced by sorting software, has commercial applications. Web sites can collect data from the people who visit them and either display individually tailored advertising or send visitors product information later. Or they may not be interested in individual information at all but in general patterns and aggregates: What is the average age of our audience? Which parts of our site are most popular? Where do our visitors come from?

The answer to the burning question, How is anyone ever going to make money on the Web?, probably lies in collecting and efficiently using such information. Eventually commercial sites must pay for themselves, and one of the most promising ways to do so is to use them to find customers for other products and services.

Absent a single, government-imposed rule for what information can be gathered and how it can be used, commercial Web sites have taken many different approaches: Some let individuals choose exactly what to reveal about themselves and how to let the information be used. Others tell visitors how they intend to use information and leave it to each visitor to decide whether to stick around. Still others say nothing at all, letting the surfer beware. (Common sense goes a long way in those cases: If a site asks your name, address, and telephone number, chances are the company may someday try to sell you something, and it may also rent or sell the information to others.) Meanwhile, software has been developed that gives Web browsers more control over what information can be automatically collected about them. And many people surf anonymously.

This laissez faire regime not only allows different strokes for different folks. It also lets bootstrapped Web sites grow without immediately creating complex systems for managing information from visitors. It allows small operations to informally poll people without violating federal laws. It permits experimentation and learning. It fits the flexible, diverse, entrepreneurial, sometimes-amateurish world of the Web.

Very little of this commercial activity has hostile intent, unless you consider advertising assault. But it displeases people for whom "privacy" is an absolute. Under pressure from privacy lobbyists, the Federal Trade Commission is out trolling the Web, looking for sites that dare to collect information from visitors without posting a "voluntary" privacy policy. But privacy policies, voluntary or not, won't satisfy advocates who are determined to impose a single standard on everyone.

Testifying before a House subcommittee in late March, Marc Rotenberg, the director of the Electronic Privacy Information Center, condemned the variety and gradual evolution of privacy standards. "Where once individual consent was central to the disclosure of personal information, now the focus is on individual choice for a range of disclosures," he said. "Where privacy techniques focused on the means to protect identity, now the focus is on means to obtain information. Many of the techniques that are put forward as `technical solutions'…will make it easier, not more difficult, to obtain information from individuals using the Internet. Something is clearly amiss."

Rotenberg is infuriated by the very idea of "self-regulation." Debating how to give Web surfers choices, he maintains, detracts from the urgent need to adopt a single, technocratic standard for everyone. All this choice is too disorderly and out of control. It does not produce the outcome Rotenberg wants. "[S]elf-regulation has not helped protect privacy on the Internet," he says. "It has in fact made it harder for us to focus on the larger questions of a coherent privacy policy. It has also led to erosion in our basic understanding of privacy protection." Self-regulation has permitted diversity and allowed people to disagree. If you believe that "privacy" is an inalienable right, that is an intolerable situation.

By their nature, new communications technologies make it harder to keep secrets: "We shall soon be nothing but transparent heaps of jelly to each other," worried a London writer in 1897, concerned about the telephone. And there is no question that the general public is anxious about protecting privacy in cyberspace. They've heard lots of scary stories about stalkers, child molesters, con artists, and credit card fraud. They've read George Orwell. They're easily persuaded that every corner of the Web is filled with vicious evil people. "Privacy advocates" like Rotenberg tap into that generalized fear–much of it a fear of totalitarian government–to justify a broad agenda of commercial regulation, based on dangerous assumptions about the nature of information and identity.

True to our technocratic political culture, people are unwilling when asked about the subject to be patient. A much-cited Business Week poll found that 53 percent of respondents said that "government should pass laws now for how personal information can be collected and used on the Internet," while 23 percent said that "government should recommend privacy standards for the Internet but not pass laws at this time." Only 19 percent said that "government should let groups develop voluntary privacy standards but not take any action now unless real problems arise." As David Medine, the FTC's point man on the issue, told Business Week, "This is the last year for industry to demonstrate effective self-regulation."

Before we rush to replace diverse and voluntary standards with a single, inflexible approach, however, it's worth considering the many different issues subsumed under the label "privacy" and "personal information." The stakes are much higher than advocates like Rotenberg often admit: In the name of privacy, activists are pushing serious restrictions on the freedom to gather and disseminate truthful information–otherwise known as freedom of speech and the press. They are demanding that businesses provide valuable information without reaping anything in return. They are seeking to impose today's preferences, technologies, and limited imagination on the unknown and evolving future. And the world of stifled speech they want to create is not limited to a few big players in a well-defined (and implicitly suspect) "industry." It includes everyone who sells anything or collects any information in cyberspace: from Time Warner and Yahoo! to startup entrepreneurs working out of their spare bedrooms and teenagers gathering e-mail addresses of fellow Leonardo DiCaprio fans.

Privacy advocates begin with the assumption that you own your "identity"–all the disparate information about yourself–and therefore have the right to control which information is available to others. That's what Rotenberg means when he refers to "consent." Such activists want to require that before someone can tell someone else a fact about you, the teller should have to get your permission; you exclusively own the facts about your life, your "personal information."

But this premise simply isn't true. The other party in any relationship–whether your former landlord, your boss, your ex-girlfriend, or Amazon.com–owns information about you as surely as you do. Gathering and sharing such information is as old as gossip and is absolutely essential to a free society. Neither speech nor commerce can function if such communication is illegal. Privacy advocates want to outlaw not only journalism but reputation.

If we are in fact worried about what happens to electronic information about our lives, well-established systems of contract and criticism can control who says what to whom, with whose permission. The very systems Rotenberg scorns for emphasizing "choice" over "consent" allow parties to agree in advance which information, if any, will stay private. Breaking such an agreement would violate contract law. And just making the deal leads Web sites to invest the time and effort to create systems that will honor it. That's what "privacy policies" are all about.

Nor is contract the only check on unwanted information sharing. Criticism works too, especially when directed at companies that must compete for customers. Faced with outraged clients, America Online reversed its decision to let telemarketers use members' phone numbers, a practice that wasn't specifically forbidden in its terms of service. Amazon has been careful to protect the information it collects about customers' book-buying habits, using it internally but not offering it to outsiders; that information could be quite valuable to other direct marketers (including REASON), but its sale would create an enormous controversy. (The obvious way around such controversy, of course, is to offer lists only of customers who have agreed to be on them–a contractual solution.)

Neither contract nor criticism is perfect. Leaks happen at private organizations, just as they do with grand juries, the Internal Revenue Service, and prosecutors' offices; they just happen somewhat less frequently, and the legal consequences for the leaker are swifter and more severe. Earlier this year, an AOL employee blatantly violated the company's contract with customers by telling a caller which AOL member had a particular screen name. That information led the Navy to begin discharge proceedings against a decorated, 17-year-veteran sailor for being gay. The sailor successfully sued the Navy on the grounds that its investigation violated the "don't ask, don't tell" policy, but his career was seriously disrupted. Clearly AOL should be liable for breaking its contract in a particularly damaging fashion. And the company has come in for stinging criticism, forcing it to take very public steps to reassure customers that such problems won't happen again.

Lawsuits and ostracism aren't good enough for Rotenberg. The AOL case, he says, "shows the shortcomings of contractual solutions. Even with a very clear contract provision detailing when personal information may be disclosed, the Navy investigator was still able to obtain personal information." It's not clear what new federal law–short of a change in the policy against gays in the military–would have prevented a rogue AOL employee's harmful attempt at "customer service." The AOL case proves only that contract is not foolproof, which makes it no worse than any other legal system.

To Rotenberg, however, that horror story is a convenient prop to justify restricting the sale of marketing information–a completely unrelated matter–and establishing a federal privacy agency. Instead of permitting diversity, choice, and enforceable contracts, he and other "privacy advocates" demand that we trust our privacy to the very federal government whose investigator convinced an AOL employee to violate company rules and whose policy forces gay service members to assume false public identities.

In his House testimony, Rotenberg tried to wrap his notion of "privacy" in American constitutional law, by quoting a famous dissent by Supreme Court Justice Louis Brandeis. Rotenberg wanted to suggest that spammers, marketing databases, and customized Web ads somehow violate fundamental rights. But Brandeis was making quite a different point. The Constitution's Framers, he wrote, "sought to protect Americans in their beliefs, their thoughts, their emotions and their sensations. They conferred, as against the Government, the right to be let alone–the most comprehensive of all rights and the right most valued by civilized men."

This right, however, has absolutely nothing to do with infringing other people's freedom to communicate. It is quite explicitly a right against the government, enshrined in the Fourth Amendment's protections against search and seizure. It says not that you own every fact about yourself but that the government cannot invade your home, your papers, or your life without giving an awfully good reason.

There are serious privacy issues in cyberspace, issues that go to the heart of such constitutional guarantees; they involve government actions such as wide-ranging subpoenas of database information, misuse of IRS files, or warrantless seizure of private "papers" located not in someone's house or office but on a third party's server. In contrast to commercial transactions, all this information is obtained through coercion, and the government's intentions are not benign. If privacy advocates really want to assuage public fears of Big Brother, they should concentrate on curbing the government's police power, which is exercised without the check of competition, rather than working to suppress commercial speech.

Instead, to achieve their idea of "privacy," activists want to obliterate the freedom to gather information, to communicate, and to contract. They demand "a coherent privacy policy," a single best way for everyone. To enforce this goal, they would give the government greater power over cyberspace–power that will be backed by subpoenas and interrogations, searches and seizures; power that will demand trials and punishment. That is a very strange way to protect the right to be left alone.