FC: CDT defends regulatory approach to privacy; Cato author replies

[Declan McCullagh <declan () well com>]

Last week, I forwarded Tom Bell's Cato Institute study to Politech:
  "Cato: Free speech means nixing both censorship and 'privacy' laws"
  http://www.politechbot.com/p-02373.html

Attached below are:

1. A response from Peter Swire, a privacy counselor at the White House 
under Clinton and now at George Washington University, writing on behalf of 
the Center for Democracy and Technology.

2. A reply from Tom, who once worked at Cato and now is at the Chapman 
School of Law.

-Declan

**********

Date: Tue, 14 Aug 2001 10:10:32 -0400
From: ari () cdt org
Subject: Swire on Cato's Privacy Briefing

We have received many questions about a Cato Institute Briefing Paper
released last week entitled "Internet Privacy and Self Regulation: Lessons
from the Porn Wars," by Tom W. Bell.  Mr. Bell makes several assertions
about the policy positions of the Center for Democracy and Technology (CDT),
and other civil liberties organizations.

The following statement was prepared in response to the CATO paper by law
Professor Peter Swire, a consulting expert on CDT's privacy work.

[...]

"Cato Privacy Paper Not Persuasive"

Peter P. Swire

        This document responds to a Cato Institute Briefing Paper released on
August 9, 2001, written by Professor Tom W. Bell and entitled "Internet
Privacy and Self-Regulation: Lessons from the Porn Wars."  Available at
www.cato.org.  The Briefing Paper criticizes the American Civil Liberties
Union, the Center for Democracy and Technology, and the Electronic
Information Privacy Center for supporting Internet privacy legislation while
opposing legislation that would restrict Internet speech considered "harmful
to minors."

        This paper represents the personal views of Peter Swire, currently
Visiting Professor of Law at George Washington University and formerly the
Clinton Administration's Chief Counselor for Privacy from 1999 until early
2001.  This paper explains why the Cato paper is wrong on the facts, chiefly
because self-help will not work for personal information once it is in the
hands of outside parties.  The paper also explains why the Cato paper is
wrong on the law.   The Cato paper would seem to make the doctor/patient and
attorney/client privileges unconstitutional as violations of doctor and
lawyer free-speech rights.  Any such analysis is subject to serious doubt
indeed.

        (1)  Why the Cato paper is wrong on the facts.

        Professor Bell states:  "Digital self-help offers more hope of
protecting Internet users' privacy than it does of effectively filtering out
unwanted speech, and the availability of such self-help casts doubt on the
constitutionality of legislation restricting speech by commercial entities
about Internet users."  The ACLU, CDT, and EPIC have all supported use of
self-help, also known as privacy-enhancing technologies, as an important
component of protecting privacy on the Internet.  Although the groups have
differed about the desirability of one such technology, known as the
Platform for Privacy Preferences, it is after extensive experience with
privacy-enhancing technologies that the groups have each concluded that
Internet privacy legislation is needed.

        Professor Bell lists a number of existing privacy-enhancing
technologies, none of them used by a large portion of Internet users.  These
technologies can indeed do specific useful tasks, such as rejecting cookies
or preventing a web site from knowing the identity of an anonymous surfer.
Professor Bell suggests that surfers should arm themselves with an arsenal
of privacy-protecting software in order to fend off data collection by web
sites.

        Reasonable people may doubt whether ordinary surfers can, or will, out-
fox the data collection efforts of sophisticated web sites.  Even if surfers
use every weapon in their arsenal, however, the technologies cannot provide
any help with a pervasive problem of Internet privacy -- what will happen to
data once the web site knows it.  A web site may require your name to ship a
product, sign you up to a subscription, register your software, or allow
access to the site itself.  Anyone who wishes to participate in e-commerce
or many other Internet activities will repeatedly have to provide his or her
personal information simply to carry out that activity.  Without privacy
rules in place, all of that identifying information can be shipped from the
first site to any other, with no possibility of technological self-help by
the individual.

        The hard problem about privacy, then, is that technology does not work
once the data is in the hands of outside parties such as a web site.  By
contrast, self-help offers a more compelling answer for what a family
downloads to its own computer.  The parent or other family member can set
criteria for what is read on the computer.  The rest of the world can make
its own choices about what to read on the Web, while self-help works
effectively in the home.

        (2) Why the Cato paper is wrong on the law.

        Professor Bell briefly refers to a lack of controlling case law, but
then concludes that Internet privacy legislation would "almost certainly"
face the fairly strict standard that applies to commercial speech and "might
well" face the strict scrutiny test that applies to political and other
speech that is most protected under the First Amendment.  I believe these
conclusions are wrong, and they fly in the face of the most authoritative
court decisions to date as well as the principal scholarship on which
Professor Bell relies.

        The only case that Professor Bell mentions in his text is a Tenth
Circuit decision, [1] issued over a sharp dissent, that discussed privacy
and the First Amendment but never made any holding on the subject.  He
relegates to a footnote a recent, unanimous D.C. Circuit decision that found
no First Amendment obstacle to a privacy rule that barred sale of names and
addresses for target marketing purposes. [2] He does not mention another
recent federal decision that upheld the Gramm-Leach-Bliley financial privacy
protections against a similar challenge.  [3] This kind of unconsented-to
sale of personal information is precisely the sort of regulation that is at
the heart of most proposed Internet privacy legislation.  To my knowledge,
no judge has followed the dicta of the 10th Circuit and found any First
Amendment basis for striking down data privacy protections.

        The deeper problem with Professor Bell's analysis is that it proves far
too much.  Professor Bell focuses on the First Amendment rights of those who
receive the individual's personal information.  His analysis, though, would
seem to apply generally to those who receive personal information from
another.  For instance, is the doctor-patient privilege unconstitutional
because it limits doctors' rights to speak about their patients?  Is the
attorney-client privilege an unconstitutional burden on the attorney's right
to blab client secrets?  No.  The First Amendment has existed comfortably
for two centuries together with the power of the legislature to set
appropriate limits on the disclosure of client information.  That is what is
contemplated by Internet privacy legislation as well.  A web site could
receive a customer's information, but not disclose that information to
others except pursuant to the customer's choice.

Indeed, the leading academic article on the First Amendment and privacy, on
which Professor Bell principally relies, explains in detail why client
information can constitutionally be protected by the sort of privacy laws
supported by the ACLU, CDT, and EPIC.  Professor Eugene Volokh says that
"contract law not to reveal information" is "eminently defensible under
existing free speech doctrine."  Although Professor Volokh expresses
concerns about other sorts of speech restrictions, he specifically states
that the telecommunications privacy rules struck down on other grounds by
the 10th Circuit "are constitutionally permissible." [4]

In sum, the legal portion of Professor Bell's argument is contrary to the
only federal court rulings on the subject, contrary to the leading academic
article on which he claims to rely, and gives no basis for upholding the
constitutionality of the doctor/patient and attorney/client privileges.

Endnotes:

1. U.S. West, Inc. v. FCC, 182 F.3d 1224 (10th Cir. 1999).
2. Trans Union Corp. v. FTC, 245 F.3d 809 (D.C. Cir. 2001).
3. Individual Reference Services Group, Inc. v. FTC, 145 F. Supp. 2d 6
(D.D.C. 2001).
4.   Eugene Volokh, "Freedom of Speech and Information Privacy: The
Troubling Implications of a right to Stop People from Speaking about You,"
52 Stanford L. Rev. 1049 (2000), at 1057 & 1060 n. 37.

**********

Date: Tue, 14 Aug 2001 12:07:13 -0700
Subject: Re: Cato: Free speech means nixing both censorship and "privacy"
        laws
From: "Tom W. Bell" <tbell () chapman edu>
To: Declan McCullagh <declan () well com>

Declan,

Thanks for informing me of Peter Swire's comment on my recent Cato Institute
paper.  I'm happy to offer a brief reply.


I credit Professor Swire with a thoughtful and temperate comment on my
recent paper, Internet Privacy and Self-Regulation: Lessons from the Porn
Wars (Cato Institute, Policy Briefing # 65, 2001), available at
<http://www.cato.org/pubs/briefs/bp-065es.html>.  As I observed in that
paper, much of the law relating to Internet privacy remains unsettled,
leaving a good deal of room for reasonable people to differ.  Nonetheless, I
find Professor Swire's attempt to defend unconstitutional and unwise privacy
regulations unconvincing.  In brief, he relies on facts that are not legally
relevant and legal claims that are not supported by fact.


(1) Why Professor Swire's Comment Relies on Irrelevant Facts

Professor Swire complains that the privacy-protecting technologies I
describe in my paper would do little to stop speech about consumers who
willingly trade personal facts for Internet services.  He might as well
complain that Lady Godiva suffered wanton looks.

As my paper details, consumers already have easy and free access to
technologies capable of completely hiding them from online spying.  That
gives them the power to remain as private as they like or, more to the
present point, to dollop out personal information solely on acceptable
terms.  Granted, as Professor Swire observes, privacy-protecting tools
cannot re-bottle the genie of personal information once a consumer chooses
to set it free.  But those tools give consumers control over the release of
their personal information, and thus power to demand enforceable contractual
controls on the subsequent use of that information.

Technology cannot do everything, but with regard to Internet privacy it can
certainly do enough.  It can, moreover, do better than federal lawmakers.
Perfection is *never* an option.  The relevant factual question is therefore
this:  Can technology protect our privacy *more effectively* than
politicians and regulators?  It can, as I detail in my paper.  And that it
can renders the call for federal regulation of what commercial entities say
about Internet consumers not just unwise but unconstitutional.


(2) Why Professor Swire's Comment Misinterprets the Law

Professor Swire's legal analysis relies on suspect interpretations of the
relevant authorities and, at any rate, does nothing to defend the sorts of
federal regulations that my paper targeted.

Professor Swire claims, for instance, that "[T]he leading academic article
on the First Amendment and privacy, on which Professor Bell principally
relies, explains in detail why client information can constitutionally be
protected by the sort of privacy laws supported by the ACLU, CDT, and EPIC."
To the contrary, however, that paper merely argues that enforcing implied
contracts to keep information private would not violate the First Amendment.
See Eugene Volokh, "Freedom of Speech and Information Privacy: The Troubling
Implications of a right to Stop People from Speaking about You," 52 Stanford
L. Rev. 1049, 1057-63 (2000).  Professor Volokh thus calls (and rightly so)
for protecting privacy through states' extant contract laws.  The ACLU, CDT,
and EPIC have, in contrast, called for new federal regulations that would do
far more than merely enforce contractual obligations between consumers and
commercial entities.

Does CDT really want to base its Internet privacy policy on Professor
Volokh's theory?  Note that he would first demand a showing that Internet
use comes with an implied promise of confidentiality.  It seems highly
unlikely, to say the least, that we approach Internet browsing with the same
assumption of confidentiality that we rightly assume applies to
communications with our attorneys and doctors.  Note next that Professor
Volokh would, consistent with standard principles of contract law, allow an
express disclaimer of confidentiality to trump any supposedly implied
obligation to keep information about Internet users secret.  I would be
pleased--but greatly surprised--if CDT adopted that approach to Internet
privacy.

Note further that Professor Swire surely errs in attributing to Professor
Volokh the view that "the telecommunications privacy rules struck down . . .
by the 10th Circuit 'are constitutionally permissible.'"  To the contrary,
Professor Volokh merely says that his theory "might suggest" that the 10th
circuit case of U.S. West, Inc. v. FCC, 182 F.3d 1224 (10th Cir. 1999),
"could be interpreted" to embrace an opposing view of the constitutional
scope of privacy regulations.  If all those conditionals hold, granted,
Professor Volokh would presumably argue that the court erred because "such
rules [i.e., rules that merely enforce implied promises not explicitly
disavowed by either party] are constitutionally permissible."  But contrary
to Swire's reading, Volokh does not flatly say the 10th Circuit was
wrong--or, more pointedly, that CDT and company are right to call for broad
federal regulation of Internet privacy.

Similar interpretive problems apply to Professor Swire's other invocations
of legal authority.  As my paper observed, Trans Union Corp. v. FTC, 245
F.3d 809 (D.C. Cir. 2001), "stands on shaky ground."  The Trans Union court
stretched Dun & Bradstreet, Inc., 472 U.S. 749 (1985)--a case concerning
injurious falsehoods--to find that target marketing lists merited reduced
constitutional protection.  Notably, however, only three justices signed on
to the portion of Dun & Bradstreet upon which Trans Union relied, and even
they emphasized that they did not intend to "leave all credit reporting
subject to reduced First Amendment protection." Id. at 762, n. 8.  The other
authority cited by Professor Swire, Individual Reference Services Group,
Inc. v. FTC, 145 F. Supp. 2d 6 (D.D.C. 2001), relies on Trans Union and thus
shares its defects.  At any rate, though, neither of those cases speak
directly to the issue at hand.  They did not concern the collection of
information from Internet users and, thus, did not consider the legal impact
of the privacy-protecting technologies discussed in my paper.


(3) Conclusion

Though I welcome Professor Swire's addition to our mutual and on-going
attempt to discern the constitutional and prudential bounds of Internet
privacy protection, his commentary ultimately fails to disprove the thesis
of my recent paper:  The ready availability of technological self-help
protections of Internet privacy makes regulation by state authorities not
only constitutionally suspect but, from the more general point of view of
policy, functionally inferior.

--
Tom W. Bell
Associate Professor, Chapman School of Law
tomwbell () tomwbell com
http://www.tomwbell.com

********




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------