privacy and technology: reconsidering a crucial public policy debate in the post-september 11 era

Privacy and Technology: Reconsidering a Crucial Public Policy Debate in the Post-September11 EraAuthor(s): Lisa NelsonSource: Public Administration Review, Vol. 64, No. 3 (May - Jun., 2004), pp. 259-269Published by: Wiley on behalf of the American Society for Public AdministrationStable URL: http://www.jstor.org/stable/3542591 .

Accessed: 14/06/2014 23:55

Your use of the JSTOR archive indicates your acceptance of the Terms & Conditions of Use, available at .http://www.jstor.org/page/info/about/policies/terms.jsp

.JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide range ofcontent in a trusted digital archive. We use information technology and tools to increase productivity and facilitate new formsof scholarship. For more information about JSTOR, please contact [email protected].

.

Wiley and American Society for Public Administration are collaborating with JSTOR to digitize, preserve andextend access to Public Administration Review.

http://www.jstor.org

This content downloaded from 62.122.79.78 on Sat, 14 Jun 2014 23:55:24 PMAll use subject to JSTOR Terms and Conditions

http://www.jstor.org/action/showPublisher?publisherCode=black

http://www.jstor.org/action/showPublisher?publisherCode=aspa

http://www.jstor.org/stable/3542591?origin=JSTOR-pdf

http://www.jstor.org/page/info/about/policies/terms.jsp


Lisa Nelson University of Pittsburgh

Special Report

Privacy and Technology: Reconsidering a Crucial

Public Policy Debate in the Post-September 11 Era

In the post September 11 era, one truism in the ongoing public policy debate surrounding technology and privacy is that there is no easy solution to the increasing presence of technology in our lives. There are, however, several long-standing guiding principles. We must be wary of extending political authority to protect privacy without careful contemplation of the consequences. While it may appear that the idea of balancing technology and privacy is novel, the tension between them is informed by a broader theoretical framework that is inherent to democracy. Understanding this broader theoretical framework is helpful in identifying ways to advance the debate toward policy solutions rather than continuing a dogmatic discussion that juxtaposes technological innovation with the loss of privacy. The purpose of this discussion is not to settle the public policy debate. Instead, the aim is to consider how long-standing constitutional doctrine and the theoretical framework of democracy can lend insight into the current debate surrounding privacy and technology.

The events of September 11, 2001, and the ever-increasing prominence of information technology in our lives have had a significant influence on the nature of public policy debates on privacy. As society becomes more information based, the tendency-perhaps necessity-of individuals to distribute their personal information continues to increase. Yet, as personal information becomes more important and is accessible to a greater number of people and institu- tions, concerns about privacy protection and civil liberties abound. The escalating information society, together with the increasing reliance on technology for intelligence gathering and surveillance in the aftermath of September 11, 2001, has resulted in a growing public policy debate regarding the balance that should be forged between technology and privacy.

In these policy debates, however, the terms are often mired in time-worn dichotomies and stymied by entrenched political positions. The first step in moving the public policy debate forward is reconsidering the terms of debate. While it may appear that the question of balancing technology and privacy is novel, the tension between them is informed

by a broader theoretical framework that is inherent to de-

mocracy. Understanding this broader theoretical framework is helpful in identifying ways to advance the debate to-

ward policy solutions rather than continuing a dogmatic discussion that juxtaposes technological innovation with the loss of privacy. In other words, there must be a means of ensuring the ongoing protection of privacy in light of innovations in information technology and within the context of continued efforts to guard against terrorism. An un-

derstanding of the democratic underpinnings of privacy, which are affected by the growth of the information age and the events of September 11, 2001, is essential to a re- consideration of the terms of the debate. The purpose of this discussion is not to settle the public policy debate. In- stead, the aim is to consider how long-standing constitutional doctrine and the theoretical framework of democracy can lend insight into the current debate surrounding privacy and technology.

Implicitly, the exercise of political authority in the name of preventing harm informs the current public policy debates regarding the proper balance between technology and

Lisa Nelson is an assistant professor in the University of Pittsburgh's Gradu- ate School of Public and International Affairs and a fellow at the Philosophy of Science Center of the University of Pittsburgh. She also serves as an affili- ate in the InSITeS Institute at Carnegie Mellon University and the University of Pittsburgh School of Law. She is a recent recipient of a National Science Foundation award to study the societal and legal implications of biometric technology. E-mail: [email protected].

Special Report 259



privacy. Harm, however, is perceived differently by those involved in the making of public policy. On one hand, those concerned with the loss of privacy have taken issue with the increased political authority exercised in the post-Sep- tember 11 environment. The war on terror is viewed as a threat to our liberty interests in privacy because of increased intelligence gathering, expanded surveillance, and extended bureaucratic prerogative to use technology to ferret out terrorism. On the other hand, there is a growing sentiment that contends there is a need for greater government protection for individuals against invasions of privacy by the vagaries of the information age. Here, the threat to privacy takes the form of unfettered information gathering by government and private industry. The solution from this perspective is increased regulation. In either case, the liberty interest in privacy is juxtaposed with the exertion of political authority. Thus, the policy debate regarding the proper balance between technology and privacy presents an ironic contradiction: Political authority is viewed both as a threat and a panacea to our liberty interests in privacy. To better understand the equilibrium between political authority and privacy, we begin first with the concept of liberty in our democratic tradition.

Liberty and Democracy The origin of liberty in democratic theory is best de-

scribed by John Stuart Mill as "the civil or social liberty which exists within the nature and limits of the power which can be legitimately exercised by society over the individual" (Mill 1956, 2). As Mill explains, the balance between liberty and authority is struck by guaranteeing certain immunities that cannot be violated by those holding political authority. If violated, those in positions of authority have breached their duty as leaders. As a secondary check on political authority, constitutional checks that are established by the consent of the community are a necessary condition of the acts of governing power (Mill 1956, 4). In practice, this means the exercise of political authority is mediated by the immunities of the citizenry and the consent of the governed.

The liberty interest in privacy is construed similarly. To paraphrase Justice Robert H. Jackson in his concurring opinion on the 1952 Youngstown Sheet and Tube Co. v. Sawyer (343 U.S. 579) decision, "the Fourth Amendment protects more than privacy; it ensures that governmental invasions of individual privacy are based upon rules established by the people, rules our rulers must follow in order to engage in surveillance." Jackson's description of privacy mirrors that of Mill. The conditions of our liberty interest in privacy are created by the immunities of the citizenry and the consent of the governed. Each serves as a limit on political authority. Yet, the analysis is not quite so

simple. The equilibrium of this balance between political authority and the liberty interests of individuals is changed in the face of harm. As Mill explains, government should be established on the harm principle: "That the sole end for which mankind is warranted, individually or collec- tively, in interfering with the liberty of action of any of their number, is self-protection. That the only purpose for which power can be rightfully exercised over any member of a civilized community, against his will, is to prevent harm to others" (Mill 1956, 4).

The authority to interfere with a member of a civilized community in defense of liberty occurs when there is a need to prevent harm. In fact, as Mill argues, "it is one of the undisputed functions of government to take precau- tions against crime before it has been committed, as well as to detect and punish it afterwards" (Mill 1956, 116). Liberty, augmented in our constitutional framework by the principles of privacy, is mediated by the exercise of political authority to protect against harm. What is left unanswered is the type and form of political authority that is ideal for preserving our liberty interests in privacy. In theory, the answer seems quite simple: The exercise of political authority is justified when the political will necessary for the prevention of harm is warranted. Yet, as a practical matter, the perception of harm-and the justification of political authority necessary to combat it-is often problematic. As Mill warns, "the preventative func- tion of government, however, is far more liable to be abused, at the prejudice of liberty, than the punitive func- tion" (Mill 1956, 116).

This concern is particularly acute in the post-Septem- ber 11 environment because it is not only the assertion of political authority, but also the architecture of it that potentially threatens our liberty interest in privacy. Far-reach- ing regulations that enable the gathering and sharing of information, the concentration of power in the hands of the intelligence community, and the extensive power granted to the executive branch in the name of the "war on terrorism" is seen as altering the structural balance between political authority and social and civil liberties at the expense of democratic principles. The call for increased political authority to protect privacy in the wake of the information age, however, faces similar criticisms. Here, it is argued that under the limits of the Constitution, there is insufficient legal basis for the exercise of political authority to protect privacy. In this sense, protective legislation is seen as potentially overstepping the appropriate constitutional boundaries of political authority and squelching free enterprise and innovation in the information age.

Though it seems to be at the other end of the spectrum, the question of whether the Constitution allows for the power of government to adopt and enforce laws to protect private information from intrusion by the private sector is

260 Public Administration Review * May/June 2004, Vol. 64, No. 3



not unlike the question of whether the events of Septem- ber 11 justify increased intelligence gathering and surveillance. Each is a question of enhanced political authority and its relationship to the liberty interests of privacy. Yet, the answer is not so easily discerned from either constitutional doctrine or public sentiments. Rather, the public policy debate must account for the interplay between each, because one is not separate from the other.

Interestingly, the war on terror coincides with the ac- celeration of the information age and, as a result, affects the direction of policy debates regarding each. Perhaps the war on terror seems less intrusive and less threatening to our privacy because our notions of privacy have been altered in an unprecedented age of information. Surveillance is becoming commonplace, frequent, and innocuous. More- over, the information age has altered the traditional physical divide between the public and the private with the age of the Interet and other technologies. Physical locale is no longer the definitional quality of privacy, and, as a result, the traditional demarcation of privacy is no longer apt in either legal doctrine or societal perceptions. Similarly, the events of September 11 and the subsequent prominence of surveillance and information gathering may have caused us to be overly sensitized to information sharing in both the government and private sectors.

The events of September 11 and the rise of the information age challenge the previous balance between political authority and liberty, but it does not follow that a new balance cannot be struck. Yet, it is necessary to move the debate beyond its current dichotomy, which tends to view the rise of technology and the information age as intruding on privacy. The dichotomy is not helpful because it is im-

possible to eliminate the specter of terrorism and turn back the clock on the information age. Instead, each is a new factor to be weighed in the quest for a balance between

liberty and the exercise of political authority. For this, let us return to Mill.

As Mill advocates, the balance is secured by the guarantee of certain immunities that cannot be violated by those

holding political authority. As a secondary check on political authority, constitutional checks that are established by the consent of the community are a necessary condition for the acts of governing power. Thus, as a point of departure, the proper course of policy development to protect privacy while fostering the appropriate exercise of political authority requires us to turn to the necessary immunities, which cannot be trammeled, and to the constitutional checks that must remain intact.

The Constitutional Doctrine of Privacy One of the most prominent frameworks for the devel-

opment of policy for surveillance and information gather-

ing is, of course, the constitutional doctrine on privacy. Although privacy is absent from the text of the Constitu- tion, the Supreme Court has found privacy interests in numerous amendments. Privacy exists within the prohibition against search and seizures; in decisional freedom in pro- creation, marriage, contraception, and abortion; and in a

prohibition against the disclosure of information. For the

purposes of this discussion, however, the liberty interest in

privacy is most directly affected when government surveillance and information gathering occur. Here, privacy is defined relative to the exercise of political authority within the context of Fourth Amendment freedoms. The 1928 Olmstead v. United States (277 U.S. 438) decision-a case

involving Fourth Amendment protection against unreasonable search and seizure-provided the beginning of the constitutional concept of privacy in this regard. Privacy as

developed in the search and seizure cases has applications beyond Fourth Amendment jurisprudence. It may not be obvious that a broader legal right to privacy is expressed through the doctrine of search and seizure cases; however, the loss of the condition of privacy is analogous and, more

importantly, instructive for understanding the key concepts that inform the intersection of privacy and technology in current public policy debates.

In Olmstead, the Supreme Court was asked to consider whether the Constitution provides protection for citizens when the government places a wiretap on their telephones and records their conversations. In its decision, the Court held that wiretapping does not violate the guarantee against unreasonable search and seizure because of the lack of

physical intrusion or seizure of tangible evidence. Employ- ing a traditional trespass analysis, the Court argued that because the taps were placed without any actual physical trespass on the property of the defendants, the evidence was secured with the use of the "sense of hearing and that

only," and therefore did not violate Fourth Amendment

protections. This precedent regarding governmental use of

technological surveillance allowed law enforcement to use electronic means to enter the physical domain of privacy in the name of preventing potential harm. The familiar di-

chotomy between the political authority to prevent harm and the realm of personal privacy is evident in Olmstead. The protection of privacy was relegated to a secondary concern when the necessity of preventing harm to society was present. There was, of course, strong opposition to this limited conception of privacy and the acceptance of the exercise of governmental authority within it. Justice Louis D. Brandeis dissented, claiming the protections of the Fourth Amendment reach farther than what the Court's decision reflected. Brandeis characterized the right to privacy as "the right to be let alone-the most comprehen- sive of rights and the right most valued by civilized men." More important for our purposes, Brandeis's dissent rec-

Special Report 261



ognized that the Supreme Court should take into account the evolution of technology when interpreting the Consti- tution. "Discovery and invention have made it possible for the government by means far more effective than stretch- ing upon the rack to obtain disclosures in court of what is whispered in the closet." Though outdated in terms of the technology under consideration, Olmstead outlines the parameters of the current debate regarding the nexus between privacy and technology. There is both a constitutionally recognized need for governmental authority to protect against harm and a need to protect personal au- tonomy and privacy. The pressing question in Olmstead- and in the current debates-is whether the technological invasion of privacy is justified in the name of preventing harm. This depends, of course, on the underlying conception of privacy and the definition of harm against which it is juxtaposed.

In its 1967 decision in Katz v. United States (389 U.S. 347), the Supreme Court elaborated on the definition of harm and privacy first discussed in Olmstead. In applying the Fourth Amendment to government searches of citizens' homes, the Court stated, "At the very core [of the Fourth Amendment] stands the right of a man to retreat into his own home and there be free from unreasonable governmental intrusion." In Katz, a bookie had placed an incrimi- nating phone call from inside a public phone booth, to which FBI officials had attached an electronic listening and recording device. The question presented to the Court was whether the conversation was admissible. In ruling the conversation inadmissible, the Court noted that the Fourth Amendment protected people and not places. In his concurrence, Justice John M. Harlan formulated what has become the prevailing standard in Fourth Amendment cases. In essence, the two-pronged test requires a subjective expectation of privacy that society deems objectively reasonable. The Supreme Court has applied this principle to hold that a Fourth Amendment search does not occur unless "the individual manifested a subjective expectation of privacy in the object of the challenged search," and "society [is] willing to recognize that expectation as reasonable." The subjective perception of privacy informs the realm of privacy, but the justification for invasion is mea- sured by normative expectations of privacy defined by societal standards. Here, perceptions of harm can affect the evaluation of subjective perceptions of privacy. If societal perceptions of harm diverge from an individual's claim to privacy, the individual's perspective is given less credence and may even be viewed with a modicum of suspicion. The decision lends insight into the nexus between subjective and objective expectations of privacy, but it also offers guidance for understanding the effect of technological innovations on societal evaluations of privacy. As technological innovations become more commonplace, the ex-

pectation that an individual remains outside their purview is considered less reasonable by societal standards.

This principle was further articulated in Kyllo v. United States (533 U.S. 27 [2001]). In Kyllo, the Court considered "whether the use of a thermal-imaging device aimed at a private home from a public street to detect relative amounts of heat within the home constitutes a search within the meaning of the Fourth Amendment." The Court subse- quently held that "obtaining by sense-enhancing technology any information regarding the interior of the home that could not otherwise have been obtained without physical intrusion into a constitutionally protected area... constitutes a search-at least where the technology in question is not in general public use." According to this standard, as so- phisticated technologies become more widely available, privacy protection diminishes. This has much to do with what characterizes a reasonable expectation of privacy. The "reasonable expectation of privacy" requirement begs the question: what renders scrutiny unreasonable? It is less of an invasion, it seems, if the public is made aware that the technology is in place.

When technology becomes more widely used, the expectation of privacy that an individual may retain is di- minished. The same can be said about the context of an act. Traditionally, action in a public sphere compared to a private one entails a much lower expectation of privacy. The collection of biometric identifiers through face recog- nition systems, for example, takes place in public arenas, thereby delimiting privacy claims because one cannot expect that his or her facial features are private in the public sphere. This point was noted in United States v. Dionisio (410 U.S. 1 [1973]), in which a grand jury subpoenaed individuals to obtain voice samples and compare them with a recorded conversation that was in evidence. In ruling such a subpoena constitutional, the Court noted that "no person can have a reasonable expectation that others will not know the sound of his voice, any more than he can reasonably expect that his face will be a mystery to the world." One

might argue that privacy is construed more broadly as the inviolability of an individual's rights over his or her person beyond the physical person to intellectual activities and personality (Cohen 2000, 1424-28). If privacy is perceived as being free from influence to express and develop oneself outside the public eye, then monitoring of this sort is indeed an invasion of privacy (Allen 1999, 754). This concept of privacy is tied to the First Amendment's protection of anonymity. The concept of anonymity has not been featured as prominently in discussions surrounding technology, though its presence in our historical political tradition is arguably as essential as privacy. More importantly, courts have generally protected anonymity in public spaces, whereas they have generally held that there is no expectation of privacy in public places.




Similarly, if iris scans are used to restrict access to schools or if fingerprints are used to verify identity before the boarding of an airplane, is there a privacy interest at stake? In these types of settings, the privacy interest must be mitigated by the interest in security. For instance, in striking a balance between the liberty interest of the right to travel and the need to protect security, courts have allowed searches of passengers and baggage. The logic of the administrative search doctrine is best articulated in United States v. Edwards (498 F.2d 496 [1974]), in which the court held,

When the risk is the jeopardy to hundreds of human lives and millions of dollars of property inherent in the pirating or blowing up of a large airplane, the danger alone meets the test of reasonableness, so long as the search is conducted in good faith for the purpose of preventing hijacking or like damage and with reasonable scope and the passenger has been given advance notice of his liability to such a search so that he can avoid it by choosing not to travel by air.

In considering the balance between the liberty interest in privacy and the exercise of political authority to protect against harm, the public policy debate must be nuanced. The growing prevalence of technology, as well as the set- ting and the purpose for technology all must be factored into to public policy debates that attempt to strike a balance between privacy interests and the exercise of political authority. Sometimes, the exercise of political author-

ity is not as obvious as a search. An invasive search of digital activities or transactional data can be performed automatically, and the information gathered and stored without the attention of a human intermediary. The threat to privacy here is the lack of control that the subject of a "search" has over the information gathered. Privacy in this context is conceived of as control over personal data or control of what others (individuals, companies, or government) know about the individual (Katsh 1995).

Privacy, when it is conceived of as control over personal data, is less established in the Constitution. In the 1975 Whalen v. Roe (423 U.S. 1313) decision, patients and doc- tors challenged a statute in New York that required copies of prescriptions for certain drugs to be recorded and stored in a centralized government computer, arguing that it violated their constitutional right to privacy. Although the Court rejected this claim, a majority argued that under certain circumstances, the disclosure of health care information may violate a constitutionally protected right to privacy. Justice John Paul Stevens, writing for a majority of the Court, identified informational privacy as one aspect of the constitutional right to privacy. Stevens argued, "The cases sometimes characterized as protecting 'privacy' have in fact involved at least two different kinds of interests. One is the individual interest in avoiding disclosure of per-

sonal matters, and another is the interest in independence in making certain kinds of important decisions." Whalen, although distinct from Fourth Amendment protections of privacy, nonetheless mirrors the logic of Olmstead and Katz. Privacy acts as a bulwark against government surveillance and information gathering, but only to the extent that a societal harm is not compromised. Additionally, it is clear that defining privacy as a physical sphere of security is becoming less and less workable in the face of both technological innovation and the increasing prevalence of tech-

nology in society. Nonetheless, the definitional quality of the constitutional doctrine on privacy juxtaposes the exercise of political authority with a protected sphere of privacy. In current policy debates, this balance should be retained, but with an eye toward changing technologies and, as a consequence, changing notions of privacy.

In simple terms, while the constitutional doctrine of privacy represents a point of departure for understanding the

proper exercise of political authority, it is only that: a point of departure. Recall that Mill argues the balance between

political authority and liberty is not only secured by certain constitutional immunities that cannot be violated by those holding political authority, but also by the consent of the community. Although constitutional immunities estab- lish a check on political authority, a secondary check is

provided by the consent of community members. Limits on information gathering and government surveillance are also found in legislative provisions that provide notice, access, control, and consent.

Notice, Access, Control, and Consent: Legislative Efforts

Legislative protections of privacy appear in a variety of statutes aimed at both government and private actors. The Fair Credit Reporting Act of 1970 was one of the first at-

tempts to protect individuals' interests in information privacy from private actors, while the Privacy Act of 1974 was among the earliest statutory protections against governmental misuse of personal information. In addition, Congress has enacted a wide variety of other statutes in an effort to protect information privacy, including the Bank

Secrecy Act, the Cable Communications Policy Act, the

Computer Matching and Privacy Protection Act, the Driver's Privacy Protection Act, the Electronic Communi- cations Privacy Act, the Electronic Fund Transfer Act, Title III of the Omnibus Crime Control and Safe Streets Act (also known as the Wiretap Act), the Right to Financial

Privacy Act, and the Video Privacy Protection Act. In each case, the legislation institutes a means for indi-

viduals to be made aware of-and thus control or consent to-surveillance and information gathering. Yet, these provisions limit the exercise of political authority only to the

Special Report 263



extent they are effective in practice. Consider the Privacy Act of 1974, which was designed to protect the privacy of citizens by requiring government departments and agencies to observe certain rules in the use of personal information. The purpose of the act was to safeguard the interests of citizens in informational privacy with the creation of a code of fair information practices that delineates the duties owed to individual citizens by federal agencies that collect, store, and disseminate information. The Privacy Act does not preclude governmental collection, maintenance, or use of private information about individuals generally or federal employees in particular. Instead, it imposes restrictions on federal agencies to curb abuses in the acquisition and use of such information. In principle, the Privacy Act limits the disclosure of personnel records and forbids federal government agencies from disclosing any record that is contained in a system of records regarding an individual without that individual's express permission. The act prohibits any federal agency from disclosing any record contained in a system of records without notice and the written consent of the individual to whom the record pertains; however, the expansive scope of this prohibition on nonconsensual disclosure is subject to numerous exemptions. In practice, the requirements of notice and prior consent are often circumvented with a "routine use" exemption. In addition to the routine use exemption, records may also be disseminated pursuant to a court order when the need for the disclosure outweighs the potential harm of disclosure. In the case of airline travel, one might easily infer that the need for disclosure, in the face of a hijacking or terrorist threat, far outweighs the potential harm of disclosure. In a closely related exception, information can also be disseminated to other parties without prior consent when the records are to be used for law enforcement purposes. This exception obviously applies to law enforcement agencies; however, it also applies to other agencies whose functions normally do not include law enforcement. The limit on federal agencies to gather only information that is required to accomplish their purposes is another procedural safeguard established by the Privacy Act of 1974. In theory, this imposes a limit on the collection, maintenance, and dissemination of information, but in practice, the expansive meaning of "purpose" translates into a broad discre- tion. These broad exemptions have led privacy advocates to argue that the Privacy Act offers little in the way of protection against technological surveillance or information gathering by the government.

Similar criticisms have been leveled at the Electronic Communications Privacy Act (ECPA) (18 U.S.C. ??2510- 20), which prohibits the illegal procurement of communications in the form of wire, oral, and electronic communications. The methods of interception prohibited under the ECPA include wiretapping, audio recording, and the use

of electronic devices. This statute also prohibits the use of any such illegally attained communications and the pro- duction or distribution of devices used specifically for the illegal procurement of protected communications. While the ECPA seems to offer protections against the harms of surveillance and information gathering, there are concerns that the act's reach has been undermined by the events of September 11, 2001. The USA Patriot Act amended the ECPA to allow and encourage the sharing of information obtained through the interception of wire, oral, and electronic communications relating to computer fraud and abuse. The Patriot Act amends Title 18 of the ECPA, au- thorizing any "investigative or law enforcement officer, or attorney for the Government" to disclose the contents of any wire, oral, or electronic communications or evidence so derived, as well as "any other Federal law enforcement, intelligence, protective, immigration, national defense, or national security official" if the contents of the communications include foreign intelligence or counterintelligence. Before the Patriot Act, provisions for sharing information relevant to national security were more circumscribed.

Here, it is argued that the increase in governmental authority authorized under the Patriot Act alters the ECPA's effectiveness in limiting government surveillance and information gathering and sharing. The Patriot Act is viewed as extending political authority at the expense of the protections offered under the ECPA. While proponents of this view would like to limit the authority granted under the Patriot Act, at the same time they would like to see authority extended under the ECPA to control the use of surveillance and information-gathering tools in private industry and government. The broad exemptions of the Privacy Act and the countervailing effects of September 11 have given rise to a call for increased regulation to fill in these regulatory gaps.

The question, however, is whether these legislative protections represent effective methods of limiting political authority by providing notice, access, control, and consent to those who come under the scrutiny of surveillance or information gathering. As discussed above, there are noted shortcomings with regard to legislative protections. In part, the sense of dissatisfaction in current public policy debates comes with the ineffectiveness of legislation to provide notice, access, control, and consent to individuals, and thus the limits on political authority seem lacking to some en- gaged in the public policy debates. From this perspective, one solution is to shore up these provisions through increased legislation.

In this regard, the provisions of the European Directive on Data Privacy provide an example for privacy legislation in the United States. For instance, the first principle of European data protection requires that information be col- lected only for specific and specified purposes, used only




in ways that are compatible with those purposes, and stored no longer than is necessary for those purposes. As a secondary check on the misuse of information, the directive requires that measures that are appropriate to the risks involved be taken to protect against the "unauthorized alter- ation or disclosure or any other unauthorized form of processing." Particular types of data receive special protection under the directive. According to its language, "racial or ethnic origin, political opinions, religious beliefs, philo- sophical or ethical persuasion ... or concerning health or sexual life" are generally forbidden. With regard to individual control, the directive requires that processing activities "be structured in a manner that will be open and understandable." Similarly, personal information cannot be transferred to third parties without the permission of the subject. Lastly, the directive requires independent oversight principle and individual redress. These principles ensure a right to access personal information, to correct inaccurate information, and to pursue legally enforceable rights against data collectors and processors that fail to adhere to the law. Individuals have recourse to the courts or government agencies to investigate and prosecute noncompliance by data processors.

While notice, access, control, and consent may assuage privacy concerns and limit political authority in terms of government surveillance and information gathering, can the same be said of regulations applied to private industry? Increasing political authority to defend privacy in the form of protective legislation against government surveillance and information gathering may not achieve the results we desire because private industry is increasingly being viewed as the culprit.

Privacy in Private Industry The call for increased political authority to defend pri-

vacy is not limited to the government sector. Many argue that the patchwork of privacy legislation-which includes state legislation, private agreements, industry self-regulatory codes, company privacy policies, and individual self- help-does little to squelch information gathering and surveillance in private industry. Despite the wide variety of U.S. data protection, there is a continued presumption that

personal data usually may be processed without individual or government permission.

The call for increased regulation to protect privacy interests in the private sector represents a different exercise of political authority than that wielded in the post-Sep- tember 11 environment, yet it is arguably no less problematic. Increased political authority, in the form of legislation to protect against the use of technology and information gathering, is contentious in democratic theory. Does the exercise of political authority to restrict the availability of

information violate the Constitution when it is used to restrict the collection and use of information by the private sector? Further, do restrictions on the use of information violate the rights protected under the First Amendment?

The surge in privacy legislation has proceeded on the premise that the harm to be protected-the rise of surveillance and information gathering in private industry-necessitates increased political authority. From this perspective, privacy protection is often traded for commercial incentive. If information is conceded willingly, U.S. law can do little more to protect the subject (Froomkin 1996, 492). The literature supports the idea that some public policy measures ought to be adopted to protect privacy interests and to override the market rhetoric of current privacy standards when it is assumed that information is a traded commodity once consent is obtained (Litman 2000).

Yet, while the protection of privacy rights presents it- self as an unmitigated good in the public policy debates, there may be a cost to be borne. As Cate and Litan argue, "The U.S. Constitution has been largely ignored in the recent flurry of privacy laws and regulations designed to protect personal information from incursion by the private sector despite the fact that many of these enactments and efforts to enforce them significantly implicate the First Amendment" (2002, 38).

Just as antiterrorism rhetoric in the post-September 11 environment fueled legislation to enable government surveillance and information gathering, the rush to legislate to protect privacy is fueled by the rhetoric of preventing the harms of the information age. In each case, the constitutional limits on political authority may have been over- looked. The Constitution represents a starting point for understanding the balance that must be struck with regard to the regulation of private industry. Here, one important limit must be retained in the ongoing effort to enact legislation that protects privacy interests: the First Amendment. "The Supreme Court has decided many cases in which individuals sought to stop, or obtain damages for, the publication of private information, or in which the government restricted expression in an effort to protect privacy. Virtu- ally without exception, the Court has upheld the right to

speak or publish or protest under the First Amendment, to the detriment of the asserted privacy interest" (Cate and Litan 2002, 49). This line of argument points out the tension between the First Amendment's protection for expression and an individual's interest in privacy involving the

publication of information in which there is legitimate public interest. Where there is a legitimate public interest, the individual's privacy interest is narrowed. As Cate and Litan explain, "The speech of corporations is routinely accorded the highest First Amendment protection, 'strict

scrutiny' standard, unless the Court finds that the purpose of the expression is to propose a commercial transaction

Special Report 265



or that the expression occurs in the context of a highly regulated industry or market (such as the securities ex- changes), where the regulation of expression is essential to the government's regulatory objectives" (2002, 51).

Commercial speech, therefore, is accorded First Amend- ment protection unless the public interest behind the government's regulatory objectives justifies the exercise of political authority. This idea of public interest returns us to the question of preventing harm. The question left unanswered in constitutional doctrine and in current public policy debates is whether information gathering by private industry represents a harm so great that it necessitates limiting the free exchange of information in the market- place of ideas. "Although we may feel uncomfortable knowing that our personal information is circulating in the world, we live in an open society where information may usually pass freely" (Cate and Litan 2002, 54). Although it is clear there are harms to be avoided in light of the information age, it is not clear that increased legislation ad- equately addresses the harms, and, even more problematic, it may limit the free exchange of information. Here there are some guidelines on the construction of policy to protect privacy while retaining some control over the exercise of political authority. Restraints on private industry must be evaluated for their restriction on expression ver- sus restriction on the use of private information. Similarly, it is necessary to ask whether the First Amendment is im- plicated when the government seeks to restrict the use of personal information when the use does not implicate matters of general public concern. Finally, it is necessary that legislation be designed to protect privacy in a way that is "narrowly tailored" to achieving privacy protection (Cate and Litan 2002).

These principles were addressed in a 1999 decision by the U.S. Court of Appeals of the Tenth Circuit Court, U.S. West, Inc. v. Federal Communications Commission (182 F.3d 1224), in which FCC rules were challenged on the basis they violated U.S. West's First Amendment freedom. The FCC required U.S. West to obtain "opt-in" consent from customers. In its decision, the Court found that under the First Amendment, the rules were found to be presump- tively unconstitutional unless the FCC could demonstrate they are necessary to prevent a "specific and significant harm" to individuals, and that the rules were "no more extensive than necessary to serve [the stated] interest[s]." As in the case of government surveillance and information gathering, the call for increased legislation must be mea- sured by both the constitutional limits on political authority and the harm that is to be avoided.

The harm to be prevented is definitional to the proper exercise of political authority when privacy protection is sought. This has been true in constitutional doctrine, legislation, and in the growing body of law surrounding the

regulation of private industry. At the center of the public policy debate regarding privacy, then, is the nature of harm that is inflicted when privacy is lost. Although we have spent a great deal of time talking about the doctrinal limits on political authority being exercised, relatively little time has been spent discussing the nature of harm that rhetori- cally justifies the invasion or protection of privacy. The most important limit on the exercise of political authority in democratic theory is whether there is harm to be avoided. For this, we must understand privacy and the harm faced in light of the loss of privacy.

Privacy Increasingly, privacy relates to the diverse modes by

which people, personal information, certain personal property, and personal decision making are made less accessible to others. While privacy is protected by law, it is also governed by culture, ethics, and business and professional practices. Given the multifarious nature of privacy, constitutional principles and legislation are only the first step toward understanding the effects of increased technology in our lives and the potential harms and benefits it carries.

The classic legal argument for the harm effected by the loss of privacy was stated by Samuel D. Warren and Louis D. Brandeis in 1890: "The intensity and complexity of life, attendant upon advancing civilization, have rendered necessary some retreat from the world, and man, under the

refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual; but modem enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury" (196).

The right to privacy is grounded in preconstitutional concepts and possesses both legal and moral underpinnings. In

part, Brandeis and Warren developed their argument from the natural law concepts that dominated discussions of law in the late 1800s. The creation of legal doctrine was to mir- ror the dictates of natural law. In line with this logic of the relationship between mankind and governance, Brandeis and Warren constructed their argument around a notion of privacy that was founded on human dignity and equal re- spect for persons. In their articulation of the "inviolate personality," they sketch out a notion of privacy that is still relevant today. Privacy is an essential component of personhood and is limited only by sufficient justification for the invasion of privacy by government, private individuals, or business entities. While Brandeis and Warren provided a framework that came to characterize the development of privacy doctrine, many questions regarding the practical implementation of privacy remain problematic throughout the development of the doctrine of privacy.




It is no surprise that the current policy debate surrounding privacy continues to strive for appropriate protections by wrestling with these difficult and persistent dilemmas. For instance, if privacy is an essential component of personhood, how is personhood compromised by the information age, surveillance technologies, and other potential invasions of privacy? Similarly, what constitutes sufficient justification for the invasion of privacy by government, private individuals, or business entities? Lastly, for the purposes of constructing policy, how should policy reflect the appropriate balance in protecting privacy? The modem enterprise and invention that Brandeis and Warren write about is salient for considering the intersection of technology and privacy because they highlight the long-standing difficulties of balancing the liberty interest of privacy with modem society that cannot be answered with finality. Per- haps the most difficult part of defining the liberty interest in privacy in the current debate is locating its meaning.

Beyond the doctrinal principles of privacy, there is also the normative expectation of freedom from government, technological or physical intrusion, and the right not to have information used for the purposes of discrimination. These are but a few of the markers for privacy that figure either explicitly or implicitly in the policy debates surrounding privacy. Given the myriad definitions of privacy that are available, it is necessary to winnow down the guiding principles for affecting the conditions of privacy. Here it is important to draw a distinction between privacy as a factual condition of life and privacy as a legal right (Hart 1949). Privacy as a factual condition of life is demarcated by the

perception that it has been altered or lost by the actions of others. The perception that we face a loss of privacy in light of the information age is a factual condition of privacy loss and is attributable to our normative expectations of privacy. This is where the call for greater regulation and safeguards occurs, because a factual condition of privacy loss is distinct from a violation of the legal right of privacy in that there are no legal protections afforded for it. The normative expectation of privacy is significant when de- veloping new trajectories of public policy, and it is arguably more influential in today's debate regarding the protections that should be afforded privacy. The question for the current policy debate is twofold. Prior constitutional doctrine and legal policy can guide our understanding of where the violation of the legal right of privacy occurs and where political authority must be reigned in. Beyond this, however, is the more illusive but nonetheless important factual condition of the loss of privacy founded in our normative expectations. While more obtuse and abstract, these

general sentiments regarding privacy are the precursors of policy. Brandeis and Warren's notion of the inviolate personality is thus important for understanding the complexity of normative and factual expectations of privacy, which

are heightened in the current debate on the proper balance between technology and privacy.

Tracing the normative expectations of privacy is a difficult task because our notions of privacy are complicated. Humphrey Taylor, working with privacy expert Alan Westin, reported in a 2003 Harris Poll that respondents fell into three general categories: "Privacy fundamental- ists" (about one-quarter of those polled) feel they have al-

ready lost a great deal of privacy and are resistant to any further erosion. "Privacy unconcerned" constituted about 10 percent of respondents; they have little anxiety about the collection and use of their personal data. Sixty-five percent of those polled were considered "privacy pragmatists," who are concerned about protecting their information from misuse but are willing to provide access to and use of their information when there are clear reasons and tangible benefits, and when there are safeguards against misuse. Regarding the control of personal data, 69 percent felt that consumers have lost control of companies' use of this information. Over half disagreed that companies use information responsibly, and over half disagreed that existing laws and practices provide adequate protections against misuse. In the context of the war on terrorism, however, 45 percent felt the government should have the abil-

ity to track interet activity at all times, and 66 percent agreed the government should make it easier for law enforcement to track online activities without notice or consent (Harris Interactive 2003).

Similar results were found in a 2002 Harris Poll conducted on behalf of the Privacy and American Business think tank. According to that survey, a majority of consumers (57 percent) did not trust businesses to properly handle personal information, and 84 percent preferred in-

dependent examination of privacy policies. Respondents reported concern for the following privacy risks: companies will sell data to others without permission (75 percent); transactions are not secure (70 percent); and crack- ers are able to steal personal data (69 percent). A majority (63 percent) felt that existing law does not provide enough protection against privacy invasions. Eighty-seven percent of respondents had refused to give information to a business because they felt the collection of such information to be unnecessary or the information too personal. Large majorities believed that access within businesses to col- lected information ought to be limited, and that individual

permission (or legal justification) ought to be necessary for an exchange of information outside the company (Har- ris Interactive 2002).

However, privacy concerns shifted considerably after the terrorist attacks in 2001. Several polls conducted in the months after the attacks sought insight into public opinion about how the government's antiterrorist measures would affect privacy. In general, the public was supportive of

Special Report 267



measures that would be limited to tracking and deterring terrorism, but skeptical that technological means would be limited to the pursuit of that end. A December 12, 2001, New York Times report gave survey results on privacy concerns in the political landscape after September 11. Sixty- five percent of respondents reported they did not want the government to monitor the communications of ordinary Americans to reduce the threat of terrorism. Forty-eight percent supported wiretap surveillance by the government to deter terrorism, while 44 percent opposed such surveillance on the grounds that it constitutes a civil rights violation (Toner and Elder 2001). A similar Harris Poll conducted in October 2001 showed Americans to be generally supportive of new surveillance technologies when applied to deterrence of terrorism, but also concerned that law enforcement applications of the technologies would be extended beyond that purpose (Harris Interactive 2001)

Not surprisingly, the difficulty in assessing the normative expectations of privacy is defined by the complicated opinions about the role of technology in our lives, which is affected by the context of both the information age and the events of September 11. In practice, the distinction between normative and factual expectations of privacy requires the public policy debate to account for constitutional and legislative limits on political authority that may im- pinge upon privacy. In addition, the context of the action, the prevalence of technology, the war on terror, and societal and individual expectations of privacy all figure into the proper balance between political authority and privacy. The changing nature of privacy is the only constant in the ongoing debate regarding privacy and technology. In fact, the increasing prevalence of information technologies in our lives may become more commonplace and more ac- cepted in time and, as a result, the normative loss of privacy may become less pressing. "The explosion in information technologies decreases both the ability of, and the need for, law to protect privacy. Instead, we should recognize the democratic promise of technologies that help equal- ize our access to information and our ability to speak and that provide technological protections for privacy that were never dreamed of before" (Cate and Litan 2002, 62).

Conclusion One truism in the ongoing public policy debate surround-

ing technology and privacy is that there is no easy solution to the increasing presence of technology in our lives. There are, however, several long-standing guiding principles. We must be wary of extending political authority to protect privacy without careful contemplation of the consequences. This admonishment is true for those who advocate increased political authority in the post-September 11 environment and for those who contend there is a need for

greater government protections against invasions of individual privacy by the vagaries of the information age. In either case, the exertion of political authority presents a potential threat to our liberty interests according to democratic theory. Thus, the policy debate regarding the proper balance between technology and privacy must work within an ironic contradiction: Political authority is viewed both as a threat and panacea to our liberty interests in privacy. This contradiction, however, does not mean that a proper balance cannot be struck.

Although there are protections afforded by constitutional doctrine and federal protections of privacy, we must also be cognizant of the fact that technological innovation, surveillance, information gathering, and the conditions of the post-September 11 environment are also parts of the new landscape of society which will not disappear. We must accept both the continued presence of technology in our lives and continue to use political authority to prevent its loss within existing democratic and constitutional guidelines. The use of legal means to protect privacy must be carefully construed, however. Increasingly, privacy is informed by a myriad of meanings and defined in a multi- tude of contexts. Legal doctrine, therefore, must account for a variety of contexts and conditions under which privacy must be protected. Additionally, if the protections afforded by legal doctrine seem lacking, it is necessary to remember that it is not our only form of protection against potential violations of privacy. Technological innovation- whether it is for the purposes of surveillance or information gathering-takes into account technological safeguards and solutions for protecting privacy. Technological innovation, in other words, strives to provide technological solutions for surveillance and information gathering. For instance, many Web sites that collect personal data publish a privacy statement that specifies the uses of data so that an individual may decide whether to use the site. Another tech- nical approach to protecting privacy is to design systems that allow consumers and businesses to interact without the need to directly disclose privacy-sensitive data. This

may involve either cryptography or public key infrastruc- ture. In practical terms, public key technologies enable users on the Internet or other networks to encrypt their communications for confidentiality purposes, identify the people receiving or sending them communications, preventing tampering with their communications, controlling access to protected information, and binding other users to electronic transactions and communications. In short, protecting privacy represents not only a delicate balance between political authority and liberty, but also represents a

swiftly changing landscape of interests, technological innovations, and, most important, public policy solutions.




Acknowledgment I would like to thank Thomas K. Lammert for his thoughtful

and insightful comments on this work.

References

Allen, Anita L. 1999 Coercing Privacy. William and Mary Law Review 40: 723, 754-55.

Annenberg Public Policy Center, University of Pennsylvania. 2003. Americans and Online Privacy: The System is Broken. http://www.annenbergpublicpolicycenter.org.

Cate, Fred H., and Robert Litan. 2002. Constitutional Issues in Information Privacy. Michigan Telecommunications and Tech- nology Law Review 9(1): 35-63.

Cohen, Julie. 2000. Examined Lives: Informational Privacy and the Subject as Object Stanford Law Review 52(1373) 1424- 28.

Cohen, Julie. 2003. DRM and Privacy. Berkeley Technology Law Journal 18(2): 575-88.

Froomkin, A. Michael. 1996. Flood Control on the Information Ocean: Living with Anonymity, Digital Cash, and Distrib- uted Databases. Journal of Law and Commerce 395(15): 492.

Gavison, Ruth. 1980. Privacy and the Limits of Law. Yale Law Journal 89(3): 421-71.

Harris Interactive. 2001. Overwhelming Public Support for In- creasing Surveillance Powers and, Despite Concerns about Potential Abuse, Confidence that the Powers Will be Used

Properly. October 3. http://www.harrisinteractive.com/news/ allnewsbydate.asp?NewsID=370.

.2002. First Major Post-9/11 Privacy Survey Finds Con- sumers Demanding Companies Do More to Protect Privacy; Public Wants Company Privacy Policies to Be Independently Verified. February 20. http://www.harrisinteractive.com/news/ allnewsbydate.asp?NewsID=429.

. 2003. Most People are "Privacy Pragmatists" Who, While Concerned about Privacy, Will Sometimes Trade It Off for Other Benefits. March 19. http://www.harrisinteractive. com/harris_poll/index.asp?PID=365.

Hart, H. L. A. 1949. The Ascription of Responsibility and Rights. Proceedings of the Aristotelian Society 49: 171-94.

Katsh, Ethan. 1995. Law in a Digital World. New York: Oxford University Press.

Litman, Jessica. 2000. Information Privacy/Information Prop- erty. Stanford Law Review 52(5): 1283-1313.

Mill, John Stuart. 1956 [1859]. On Liberty. Edited by Currin V. Shields. New York: Macmillan.

Toner, Robin, and Janet Elder. 2001. A Nation Challenged: Atti- tudes; Public Is Wary but Supportive on Rights Curbs. New York Times, December 12. http://query.nytimes.com/gst/ abstract.html?res=F20617FF3E5BOC718DDDAB0994D9404482.

Warren, Samuel D., and Louis D. Brandeis. 1890. The Right to

Privacy. Harvard Law Review 4(1): 192-220.

Special Report 269



privacy and technology: reconsidering a crucial public policy debate in the post-september 11 era

Documents