09-02-2000
TECHNOLOGY: Privacy's Price
You're driving down the freeway, listening to your car radio and singing
along to some silly song from the 1970s such as "Mellow Yellow."
Most likely, you would never suspect that a device mounted on a billboard
might be monitoring car radios as they speed by, tallying the number that
are tuned in to oldies, rock, classic, or country stations, and forwarding
the results to a market research corporation.
Should you be concerned about your privacy in this situation? The
devices-which are actually being used in several American cities-can't
tell who is listening to what station. They can only count the number of
radios tuned to each channel. If you like `70s music, you might not mind
having the advertisers know that lots of people listen to that music. On
the other hand, you have unwittingly become a survey participant.
Everyone wants privacy, but these days there is little consensus on what
the concept means. Nor is it clear how much can be done to ensure privacy
without undermining free speech rights, consumer convenience, or economic
growth. Yes, people want rules that make it difficult for credit card
thieves to ruin a person's financial record, and they want tough
restrictions on the distribution of health data; but they don't seem to
care very much if their local supermarket knows whether they eat broccoli
or lima beans, and often they want to customize their favorite Web sites
with the aid of interactive calling cards known as
"cookies."
Privacy issues are complex because they touch on so many areas of life and
involve such a wide range of activities: corporate data collection, the
use of credit card numbers, computer hacking, telemarketing, e-mailed
"spam" advertising, advertising on cell phone displays, and
medical data collection, to name just a few.
The hottest privacy debates center on personal information, mainly because
this information is increasingly collected and shared in the Internet
economy. Last year, for example, a dispute over the privacy of financial
information nearly derailed a long-fought rewrite of the landmark 1933
Glass-Stegall regulations, which shaped the nation's financial
sector.
Washington has already tackled many aspects of privacy. Congress has
passed the 1970 Fair Credit Reporting Act, the post-Watergate 1974 Privacy
Act, the 1984 Cable Act, the 1986 Electronic Communications Privacy Act,
and the 1999 Gramm-Leach-Bliley Act, which toughened privacy rules for the
financial sector. For several years in the late 1990s, Congress
considered, but never approved, bills that would have safeguarded the
privacy of personal health information. Now a slew of new bills is being
offered in Congress, and privacy is becoming Washington's favorite new
mom-and-apple-pie issue.
Alan F. Westin, a law professor at Columbia University in New York City
and a privacy consultant, conducts regular surveys of people's attitudes
toward privacy. He said the percentage of citizens who are very concerned
about privacy-and unwilling to compromise on it-has grown to about 30
percent, up from 20 percent in the early 1990s. He attributes that rise in
"privacy fundamentalists" to the growing number of Internet
users who react negatively to stories of companies that monitor
transactions and gather data on individuals' tastes and buying habits. But
polls also show that roughly 20 percent of the population simply don't
care about the issue, while roughly 50 percent are willing to trade some
personal privacy for some benefits-if they trust the data collector. The
polls also show that women, by 10 to 20 percentage points, are more
concerned about information privacy than men. "In political terms,
you don't want to be against strong privacy when this resonates so
strongly with women," said Westin.
The public's particular worries over privacy have not yet coalesced into a
wedge issue, and neither major political party has yet seized an advantage
in the privacy debate. For now, enterprising politicians of all stripes
can safely back laws that curb identity theft, say, or bar discrimination
against employees or patients based on a person's genetic data. But
privacy worries will soon collide with other priorities. Thus, when Sen.
John McCain, R-Ariz., announced a new online privacy bill on July 26, he
said his first priority was not to hinder the current economic boom with
new regulations. Moreover, free speech rules limit politicians' ability to
curb companies' use of data. Over the past few years, the Supreme Court
has shown increased concern for the commercial speech rights of
corporations. According to Eugene Volokh, a law professor at the
University of California (Los Angeles), a company and its shareholders can
fairly argue that tough privacy-protection laws hurt their ability to
speak about, and thus use, the data they gather in voluntary
transactions.
Industry's Dilemma
Industry is split over whether to back privacy-enhancing measures that
bolster the public's trust or to eschew compromise in defense of the free
market. In the online industry, many executives and lobbyists hope to see
by next year a new privacy law that would require data swapped in ordinary
commercial Internet transactions for goods such as cars, stereos, and
software-but not health care or financial services-to be governed by
contracts between buyers and sellers. These contracts would explain to
consumers how their personal data might be used and would allow them to
make sure the data is correct. Consumers could then choose to buy the
product-and let the companies do what they will with the data-or do
business elsewhere. These provisions form the heart of the bill, which was
unveiled on July 26 by Sens. McCain, Spencer Abraham, R-Mich., Barbara
Boxer, D-Calif., and John F. Kerry, D-Mass. The measure preempts state
laws-a major goal of the global high-tech sector, which worries about the
patchwork of state regulations.
The advertising industry is also feeling the pressure to create tougher
privacy protections. On July 27, a coalition of online advertisers won the
Federal Trade Commission's approval for its voluntary rules that would
curb advertisers' collection of personal data from Internet users. But the
agreement did not prompt the commission to drop its call for legislation
that would force many online companies to adhere to the same
rules.
Other industry sectors should also make concessions to privacy concerns in
order to avoid a consumer backlash and further regulations, argues
Mary-Claire Fitzgerald, executive director of the Washington-based
Electronic Commerce Forum. "The smart move is for industry to step up
and take this issue away" by accepting third-party verification that
each company is complying with the privacy promises it has made to its
customers, she said.
But industry has traditionally opposed privacy regulations, saying these
rules could restrict economic growth. Industry leaders argue that the
Internet spurs business competition and prompts companies to continuously
improve service. That can only happen, they say, if companies have vast
amounts of customer data. For example, companies want customers' addresses
and credit card numbers recorded in databases so customers don't have to
type in that information every time they buy an item. Companies also want
to know consumers' tastes to avoid wasting time and money advertising
skimpy bathing suits to 40-ish office workers with presumably expanding
waistlines. Moreover, there are many established corporations that are
betting their futures on data-driven corporate reorganization. With
information about their customers, companies can make smarter decisions to
divide into smaller business units, merge with other firms, or expand or
outsource their workforce. The central role of data in the new economy was
made obvious in July by Toysmart.com after it had gone belly-up. The only
asset it offered in its bankruptcy sale was a hoard of personal data. Once
this fact was publicized, the FTC stepped in and said any buyer of this
data would have to comply with the privacy promises Toysmart had made to
its customers.
No matter what their position on additional regulations, companies have a
powerful incentive to protect their valuable and sensitive data from
misuse and hackers, and to make sure their customers know their personal
information is protected. Many companies, such as America Online, send
electronic advertisements to their customers who match a profile set by
the advertisers-without turning over their customer data to those
advertisers. For example, a chain of health clubs might pay America Online
to e-mail ads to all single, middle-income adults who visit AOL's health
care and fitness sites. That way, AOL gets ad revenue, the health club may
get new customers, consumers get information that may be useful, and
everybody's private activities are kept secret within AOL's computers.
Indeed, the failure to address consumers' privacy concerns can cause a
company's stock to crash overnight, partly because investors worry that
privacy scandals may prompt Washington to impose rules that would destroy
a company's business prospects. For example, the value of DoubleClick
stock has dropped from $120 per share to $25 per share since it ran into a
hail of criticism-and the threat of new privacy laws-for its now-abandoned
plan to track online activities of individual Internet users by name, not
merely as part of a homogenous demographic cohort.
Long Road to Compromise
The pro-privacy community, which includes legislators such as Reps. Edward
J. Markey, D-Mass., and Joe Barton, R-Texas, wants tougher rules, but it
is split over the extent to which government should protect privacy and
whether the main threat comes from government or industry. Privacy
advocates agree on this much: Government and law-enforcement agencies'
data collection activities should be curbed; customer data should be used
only for the original purpose for which it was collected; consumers should
have a measure of control over the sale of their personal data; government
agencies should keep a sharp eye on companies that violate privacy
agreements with customers; and discrimination based on health and genetic
data should be outlawed.
Others would go further: "We believe that the individual should have
control of [company-held] information about himself or herself, and that
the government has a role to play in securing that right," said David
Sobel, a lawyer at the Electronic Privacy Information Center in
Washington. He says he believes that companies should have to get
customers' explicit permission-their "opt-in"-before storing
their personal data. Other privacy advocates say people should be
protected from being mischaracterized by a partial release of personal
data. Jeffrey Rosen, a George Washington University Law School professor
and author of The Unwanted Gaze: The Destruction of Privacy in America,
makes this argument, but warns that the interest in not being
mischaracterized should not become a legal right, because it would clash
with others' free speech rights.
Genetic discrimination-for example, being denied a job because one's
genetic makeup makes a future disability more likely-is such a worry for
these privacy proponents that The New Republic urged in a June 29
editorial that the nation should adopt a constitutional amendment to
protect medical privacy. "We need to do it very quickly, before
someone can invent something that creates an interest group to block such
an amendment," said Gregg Easterbrook, a New Republic editor.
Congress appears set to pass a law barring genetic discrimination, but
Republicans and Democrats disagree on whether to include a provision
facilitating lawsuits for such discrimination.
One possible route to compromise is greater use of privacy-protection
technologies: data encryption, anonymous financial transactions, and
untraceable e-mail. While such innovations can shield personal data from
hackers-and even from some merchants-and could ease the negotiation of
privacy contracts by Internet buyers and sellers, they could also obstruct
the rights of other citizens and of the courts to gather information in
criminal and civil lawsuits. For example, could one party in a divorce
case ask the courts for the right to view e-mail on the computer of a
spouse's suspected lover? Could the court order the decryption of the
alleged lover's e-mail messages?
There are simply too many new technologies and business opportunities, and
too many ideological viewpoints and pressure groups, for peace to come to
this expanding political battlefield anytime soon.
Neil Munro
National Journal