Feb 3, 2012 Frank Pasquale
Scott Peppet’s article Unraveling Privacy: The Personal Prospectus & the Threat of a Full Disclosure Future has offered a fundamental challenge to reigning privacy paradigms in cyberlaw. The old privacy law assumed that the right set of laws could help individuals hide embarrassing facts or disable invasive tracking. The encroaching “full disclosure future” ensures that those who try to maintain secrets look like they have “something to hide.” We used to be afraid of shadowy watchers collecting incriminating “digital dossiers;” now we worry over not measuring up when rivals reveal better “personal prospectuses” than our own. Peppet’s elegant interweaving of social science and law renders us unable to rely on old privacy paradigms like “notice and consent” online.
Something to Hide
Traditionally, privacy law experts have assumed that a combination of markets and law can preserve privacy. Firms will compete to offer more or less privacy. Data collectors will provide customers with various “privacy settings” that tailor online services to optimize self-disclosure. Some have proposed “personal data vaults” to manage the emanations of sensor networks that track movements and actions in real space. Jonathan Zittrain’s classic article on “privication” proposed that the same technologies used by copyrightholders to monitor or stop dissemination of works could be adopted by patients concerned about the unauthorized spread of health information.
These technological “self-help” measures reflect privacy law’s consent paradigm. Generally speaking, data dissemination is not deemed an invasion of privacy if it is consented to. The consent paradigm requires individuals to decide whether or not, at any given time, they wish to protect their privacy. The consent paradigm makes sense if one assumes that we live in a society where individuals have a relatively free choice whether or not to disclose critical data. But it becomes less realistic as individuals are under more pressure to compete by revealing important aspects of their past.
Peppet observes that individuals are increasingly volunteering information about themselves in order to stand out from the crowd. When such self-disclosure reaches a critical mass, a tipping point is reached, and everyone essentially must disclose in order to avoid being stigmatized as someone with something to hide. Economists of information label this process “unraveling.” As “rapidly changing information technologies are making possible the low-cost sharing of verified personal information for economic reward,” the ultimate effect will be little different than if snooping employers, government officials, and other decisionmakers could directly demand damaging information.
Reorienting Cyberspace’s Privacy Law
Mainstream privacy scholarship has for too long attempted to adapt old tort law and ossified, sectoral statutes to rapidly changing technologies. The scholarship has paid too little attention to economic changes that have made cutthroat competition in the workplace and pervasive surveillance not only de rigueur, but intimately connected. While the data can be used in many cases for good, it would be naïve to ignore the extent to which it will be repurposed to classify and stigmatize individuals. In an age of diminishing expectations, intensive data gathering is a critical tool for deciding which human resources should be invested in, and which should be treated like flotsam.
If individuals had enough time to manage their personal data the way they manage their checkbooks and gardens, perhaps the consent paradigm that Peppet challenges would be a good foundation for addressing concerns about privacy. If applicants could easily bargain with would-be employers over privacy, or patients with hospitals, perhaps we could rely on them to protect their interests. But the actual occurrence of such acts of self-assertion and self-protection is rare. Given the frequently abstract benefits that privacy and reputational integrity afford, they are almost always traded away for competitive economic advantage. This process further erodes societal expectations of privacy.
It is to Peppet’s great credit that he squarely wrestles with this phenomenon before engaging in the legal interpretation (or drafting of proposed statutes and regulations) that is the more common end of privacy scholarship. By bringing a lucid account of the “economics of signaling” to the field, Peppet may help it leapfrog its current infatuation with “notice and consent” models and move on in three directions.
First, we may simply seek to assure that informational harms cannot bring any individual below a social minimum. In that case, a good bit of privacy regulation and cyberlaw is effectively absorbed into broader campaigns of social justice. For example, if we eventually enter into an equilibrium where employers are demanding very positive “personal prospectuses,” and a large and growing class of individuals cannot provide such profiles, the answer may not be to regulate information flow so much as it is to take on the larger social task of reducing the stigma and material wants arising out of unemployment. Similarly, health privacy becomes less of a concern when insurers can’t deny coverage to anyone, including those with pre-existing conditions.
The second response, which might be addressed in some of Peppet’s future work, is to turn a Panoptic eye onto those who demand personal prospectuses, subjecting them to the same level of competition as they subject individuals to. As we become “transparent citizens” (as Joel Reidenberg puts it), we should demand that the corporate and governmental authors of that trend reciprocate, and become more open about the data they gather.
Finally, as full disclosure dynamics render the average citizen’s life an open book, one-time privacy advocates might seek a different end: equalizing the surveillance that is now being aimed disproportionately at the vulnerable. Large corporations have used both privacy and trade secrecy laws to deflect scrutiny. As David Brin suggested in his book The Transparent Society, the “full disclosure future” might be a little less scary for ordinary citizens and consumers if government and business powers had to live up to the same standards of openness that they impose on others.
Jan 4, 2012 Michael Madison
Marketa Trimble, The Future of Cybertravel: Legal Implications of the Evasion of Geolocation, 22 Fordham Intell. Prop. Media & Ent. L.J. (forthcoming 2012), available on SSRN.
Fifteen years ago, David Post and David Johnson published what some still regard as the seminal paper of cyberlaw scholarship: Law and Borders: The Rise of Law in Cyberspace. Post and Johnson argued that because cyberspace was defined, in a way, by the very absence of territoriality, cyberspace should be governed by laws and lawmakers not tied in traditional ways to territorial states. That paper provoked a reply, Against Cyberanarchy, by Jack Goldsmith, and those two positions – “cyberspace is different”; “no, it isn’t” – have pretty much defined the landscape of cyberlaw ever since. Later scholars have had little choice but to explore the implications and details of staking out intermediate positions. When and how does cyberspace differ, and what do we do about it?
Marketa Trimble’s article approaches this topic by revisiting a species of the territorial question that prompted Law and Borders. How can and should the law address behavior online by people who are physically located in one place but who wish to create or manage online identities in other places? Trimble calls this the challenge of “cybertravel,” a phenomenon that is hardly new but that has taken on renewed significance as Internet technologies (and governments) have caught up to the many ways in which cybertravelers can be in more than one place at a time.
The article describes the problem to be addressed in blunt terms. Governments have ongoing interests in effective taxation and in regulating at least some online behavior (gambling, for example), and commercial interests (often backed by governments) have strong interests in policing geographically-dependent use of intellectual property rights. Individual interests in online freedom and privacy, particularly in anonymous and pseudonymous behavior – in “cybertravel” – have long been threatened by both law and technology used to back interests in regulation. What has changed is the development and use of geolocation tools that have made it easier than ever for both governments and firms to determine where a particular online actor is located in physical space. That technological shift is compounded by the growing acknowledgement of the inadequacy of “soft law” approaches to balancing government, commercial, and individual interests (that is, approaches grounded in application of jurisdictional rules in cyberspace-related litigation), and the undesirability from both technical and policy levels of accommodating those interests via compulsory or voluntary activity (such as the use of geographically-oriented filtering technology) at the service provider level. The question is, as it was 15 years ago, how to construct a manageable and sensible regime at the user level.
Approaching this question, Trimble adopts a premise that may put off cyberlaw idealists: Borders should be viewed positively from a normative perspective. Borders are enabling (they help governments keep the bad guys in – such as gambling enterprises that might like to “offshore” their activities – so that they can be regulated productively) as well as disabling (they help governments keep the good guys out). That pragmatic perspective informs the whole article. Cyberlaw no longer deals in a purely borderless world, online or off. I have a lot of sympathy for that point of view, and I confess that my appreciation of Trimble’s article is grounded in the first place by the fact that she does not try to dodge the point. Some appeal to borders in a geographic sense – physical, virtual, or simply psychic – may be hard-wired into our appreciation of what cyberspace “is.” But the point is hardly uncontested, or uncontestable. Trimble does not cite to the post-Law and Borders literature of a decade ago, which included a number of articles addressing the law and policy implications of the arguable “place-ness” or “placeless-ness” of cyberspace, but she comes down clearly on the side of the scholars who argued that cyberspace is a place, after all.
The article conducts a thorough review of geolocation technologies, with appropriate nods to history and “lower” or less sophisticated or complex technological versions of contemporary tools. It reviews evasion approaches, some that permit access to illegal or regulated content or services, some that enable online participation by individuals or groups with legitimate concerns for their own safety or the safety of others if their location and/or identity were disclosed. The article acknowledges, in other words, that the cybertravel problem is related to jurisdictional issues and to anonymity and identity questions, but also distinct from both.
There is a long section talking about liability risks faced by those who engage in evasion tactics and by those who supply evasion tools. This section describes relevant contract law, copyright law, anti-circumvention law, and tort and fraud questions, with significant and appropriate attention to international and non-US legal regimes. The article does not make its case only from the US perspective.
The most interesting part of the article consists of its review of the normative and prescriptive future. Under what circumstances should individual evasion of geolocation technologies be lawful – that is, what is the proper scope of legitimate regulation of cybertravel? Trimble begins by accepting an analogy between virtual travel and physical travel, such that the interests of citizens (and governments) in each are approximately identical. The argument here is rooted partially in US law and partially in international legal and human rights norms. Given the physical travel analogy, a partial remedy is proposed in the form of a “digital passport” for “netizens” (she does not use that term, but it seems appropriate here, given the modestly anachronistic flavor of the underlying problem), with the rights and duties of the passport holder coded into the architecture of the Internet. Acknowledgement of the “passport” would be more or less a matter of technology rather than politics; the rights underlying the passport holder would be grounded in the holder’s residence or nationality (or perhaps, both). Basing digital rights on terrestrial rights offers a way of balancing the virtues of permitting and enabling evasion of geolocation with legitimate commercial and state interests in supporting a robust geolocation infrastructure.
It is almost a tautology to note that, in light of the article’s Law and Borders ancestry, the solution is unsatisfactory. To her great credit, Trimble acknowledges as much, describing the serious risks to individual privacy that the proposal entails, and the concerns regarding data integrity that it engenders. She also takes care to observe that the proposal could not be implemented without a business, technical, and regulatory infrastructure to support it, and that such an infrastructure would create second-order risks of privatization of the entire enterprise and a corresponding lack of meaningful transparency. Both the proposal and the critique borrow heavily from themes developed originally by Lawrence Lessig.
Trimble closes not with despair that the idealism of cyberlaw pioneers has not been sustained, but with a pragmatic acknowledgement that we live in a second-best world. She argues that the tradeoffs embedded in her proposal are worth accepting, at least conceptually, in order to enable cybertravel that is to some degree freer than it might be in an age of unrestricted use of geolocation tools. Implicit in that conclusion is a response to the debate between Post and Johnson, on the one hand, and Goldsmith, on the other, the conflict between the idea of reinventing social and political life online and the idea of continuing online our lives as we have always lived them. Trimble’s careful, pragmatic article shows that this split is and has always been irremediable, and that the Internet and our experiences within, by, on, and through it, are simultaneously and entirely new and the same.
Cite as: Michael Madison, Law and Borders, Revisited, JOTWELL (January 4, 2012) (reviewing Marketa Trimble, The Future of Cybertravel: Legal Implications of the Evasion of Geolocation, 22 Fordham Intell. Prop. Media & Ent. L.J. (forthcoming 2012), available on SSRN), https://cyber.jotwell.com/law-and-borders-revisited/.