Cato's Jim Harper replies to Solove-Hoofnagle privacy regulation proposal [priv]

[Declan McCullagh <declan () well com>]

Previous Politech message:
http://www.politechbot.com/2005/03/11/request-for-critique/

Jim makes some very reasonable points. Keep reading.

-Declan

-------- Original Message --------
Subject: RE: [Politech] Request for critique: a 16-point plan for 
privacyregulation [priv]
Date: Mon, 14 Mar 2005 13:00:00 -0500
From: Jim Harper <jharper () cato org>
To: Declan McCullagh <declan () well com>
CC: <hoofnagle () epic org>, <dsolove () law gwu edu>

Declan, Chris, and Daniel:

This document has much to commend it.  Sections 12-14, in particular, 
dealing with "Government Access to and Use of Personal Data" identify 
serious problems that should be addressed.

As more and more people conduct more and more of their lives online, 
Supreme Court rulings holding that there is no reasonable expectation of 
privacy in data held by third parties grow further and further out of 
synch with the true expectations of the people.

"Data mining" is an ambiguous term but, to the extent it means sifting 
through databases trying to discover incipient wrongdoing, it is wrong, 
probably ineffective, and a violation of the Fourth Amendment. 
Investigators should use database information only subject to search 
warrant or subpoena, as appropriate, to follow specific investigatory leads.

And, yes, the Privacy Act is a paper tiger. Congress should revise it, 
especially in light of the end-run made possible by companies like 
ChoicePoint who do the dossier-building that the Privacy Act is meant to 
prevent. Even a revised statute, however, does not reach the source of 
the problem: a large government with extensive tax and entitlement 
programs will demand tremendous amounts of personal information from 
citizens. The costs to privacy of government programs have gone 
unconsidered as they have been enacted and expanded.

Because of their institutional incentives and unique powers, it is 
appropriate to circumscribe governments' use of data more closely. 
Everyone agrees (except for government agents and their hangers-on in 
the surveillance-industrial complex) that governments are the greatest 
threat to privacy.

The sections that address private-sector data use are quite a bit less 
intuitive. They do not seem to emerge from a general theory of privacy. 
Rather, they focus on "business" and "companies" - as if wrongful 
collection, use, or publication of facts by a company is worse than the 
same behavior by an individual.

(I'll admit my pro-corporate bias: I have started and today operate two 
corporations, one for-profit (but not profitable) and one non-profit. I 
do not know how I would have started or kept either one alive under the 
regulatory regime needed to carry out the aspirations in this paper, 
relying as they do on information about people.)

Essentially, these rules attempt to reverse the general rule - a rule 
with foundations deep in physics and justice - that information flows 
freely unless constrained by its author. The solution is not to reverse 
or stop the flow of data streams, but to address harms caused by 
wrongful data collection, use, or publication.

ChoicePoint has harmed people by subjecting them to identity fraud and 
the expense, time, and embarrassment of trying to rebuild their 
financial lives. It has also harmed various companies who in the main 
will suffer the bulk of the financial repercussions. ChoicePoint should 
pay for its negligence.

The case of Remsburg v. Docusearch provides a good example of how courts 
adapt common law negligence rules to address dangers and harms in modern 
circumstances. In that case, a data broker sold information about a 
young woman to a man who ultimately murdered her. The New Hampshire 
Supreme Court found that the data broker owed it to the woman to protect 
her.

http://www.courts.state.nh.us/supreme/opinions/2003/remsb017.htm

ChoicePoint, likewise, owes a duty to all the people on whom it compiles 
information, a duty to protect them (us) from harm. It appears that 
ChoicePoint has failed in that duty, so ChoicePoint should pay. Lawsuits 
alleging ChoicePoint's negligence have already been filed. Politicians 
are grabbing headlines with hearings and legislation, but the real 
action is quietly underway in the courts.

Recognizing a common law rule like this takes care of a lot of the 
problems that would otherwise require long, detailed regulations. The 
California law requiring consumer notice of data breaches has been given 
too much credit in this case. ChoicePoint's compliance with the 
California law broke the story, but it is both over- and 
under-inclusive: it requires notice in cases where notice doesn't 
matter, and it doesn't require notice in some cases that do.

Once data holders recognize their legal duty to protect backed by the 
responsibility to pay, they will eagerly notify consumers when doing so 
will avoid harm - because this will save them money. They will also 
notify banks when that is appropriate, credit bureaus when that is 
appropriate, and credit card issuers when that is appropriate - all in 
direct proportion to need.

The genius of simple, general rules like this is that they capture the 
self-interest of companies like ChoicePoint and direct it toward 
consumer welfare rather than trying to reverse information flows or 
weigh the economy and society down with unnatural, innovation-stifling 
regulation.

Finally, many proposals in the document have a one-way privacy bias 
(which is appropriate in the government context where choice is not 
available). This bias will appeal to many, but it is not good public 
policy for a country that respects the will and genius of the people.

Perhaps it is unfortunate, but my careful observation over many years 
finds that consumers often prioritize things other than privacy - goods 
such as convenience, lower costs, better customer service, and so on. 
Indeed, they are sometimes just plain indifferent.

I am loathe to assume that the great mass of Americans are just wrong 
and in need of caring for by self-appointed elites (even really smart 
ones). We might like everyone to be more privacy conscious, but I do not 
think it is wise to force privacy on people who would not otherwise 
choose it.

The section on preemption of state law illustrates this bias. It would 
allow states to institute more-comprehensive privacy protections, but 
not less-comprehensive privacy protections. Given that individuals 
choose less privacy protection all the time, I do not see why state 
legislatures should be disabled from representing their people in a way 
that may be perfectly rational. If there is to be legislation (and I 
don't think it's needed), states should be fully able to innovate, not 
just innovate in the federally preferred way.

For your consideration.

Jim



Jim Harper
Director of Information Policy Studies
The Cato Institute
and
Editor
Privacilla.org

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)