Last week, I forwarded Tom Bell's Cato Institute study to Politech: "Cato: Free speech means nixing both censorship and 'privacy' laws" http://www.politechbot.com/p-02373.html Attached below are: 1. A response from Peter Swire, a privacy counselor at the White House under Clinton and now at George Washington University, writing on behalf of the Center for Democracy and Technology. 2. A reply from Tom, who once worked at Cato and now is at the Chapman School of Law. -Declan ********** Date: Tue, 14 Aug 2001 10:10:32 -0400 From: ariat_private Subject: Swire on Cato's Privacy Briefing We have received many questions about a Cato Institute Briefing Paper released last week entitled "Internet Privacy and Self Regulation: Lessons from the Porn Wars," by Tom W. Bell. Mr. Bell makes several assertions about the policy positions of the Center for Democracy and Technology (CDT), and other civil liberties organizations. The following statement was prepared in response to the CATO paper by law Professor Peter Swire, a consulting expert on CDT's privacy work. [...] "Cato Privacy Paper Not Persuasive" Peter P. Swire This document responds to a Cato Institute Briefing Paper released on August 9, 2001, written by Professor Tom W. Bell and entitled "Internet Privacy and Self-Regulation: Lessons from the Porn Wars." Available at www.cato.org. The Briefing Paper criticizes the American Civil Liberties Union, the Center for Democracy and Technology, and the Electronic Information Privacy Center for supporting Internet privacy legislation while opposing legislation that would restrict Internet speech considered "harmful to minors." This paper represents the personal views of Peter Swire, currently Visiting Professor of Law at George Washington University and formerly the Clinton Administration's Chief Counselor for Privacy from 1999 until early 2001. This paper explains why the Cato paper is wrong on the facts, chiefly because self-help will not work for personal information once it is in the hands of outside parties. The paper also explains why the Cato paper is wrong on the law. The Cato paper would seem to make the doctor/patient and attorney/client privileges unconstitutional as violations of doctor and lawyer free-speech rights. Any such analysis is subject to serious doubt indeed. (1) Why the Cato paper is wrong on the facts. Professor Bell states: "Digital self-help offers more hope of protecting Internet users' privacy than it does of effectively filtering out unwanted speech, and the availability of such self-help casts doubt on the constitutionality of legislation restricting speech by commercial entities about Internet users." The ACLU, CDT, and EPIC have all supported use of self-help, also known as privacy-enhancing technologies, as an important component of protecting privacy on the Internet. Although the groups have differed about the desirability of one such technology, known as the Platform for Privacy Preferences, it is after extensive experience with privacy-enhancing technologies that the groups have each concluded that Internet privacy legislation is needed. Professor Bell lists a number of existing privacy-enhancing technologies, none of them used by a large portion of Internet users. These technologies can indeed do specific useful tasks, such as rejecting cookies or preventing a web site from knowing the identity of an anonymous surfer. Professor Bell suggests that surfers should arm themselves with an arsenal of privacy-protecting software in order to fend off data collection by web sites. Reasonable people may doubt whether ordinary surfers can, or will, out- fox the data collection efforts of sophisticated web sites. Even if surfers use every weapon in their arsenal, however, the technologies cannot provide any help with a pervasive problem of Internet privacy -- what will happen to data once the web site knows it. A web site may require your name to ship a product, sign you up to a subscription, register your software, or allow access to the site itself. Anyone who wishes to participate in e-commerce or many other Internet activities will repeatedly have to provide his or her personal information simply to carry out that activity. Without privacy rules in place, all of that identifying information can be shipped from the first site to any other, with no possibility of technological self-help by the individual. The hard problem about privacy, then, is that technology does not work once the data is in the hands of outside parties such as a web site. By contrast, self-help offers a more compelling answer for what a family downloads to its own computer. The parent or other family member can set criteria for what is read on the computer. The rest of the world can make its own choices about what to read on the Web, while self-help works effectively in the home. (2) Why the Cato paper is wrong on the law. Professor Bell briefly refers to a lack of controlling case law, but then concludes that Internet privacy legislation would "almost certainly" face the fairly strict standard that applies to commercial speech and "might well" face the strict scrutiny test that applies to political and other speech that is most protected under the First Amendment. I believe these conclusions are wrong, and they fly in the face of the most authoritative court decisions to date as well as the principal scholarship on which Professor Bell relies. The only case that Professor Bell mentions in his text is a Tenth Circuit decision, [1] issued over a sharp dissent, that discussed privacy and the First Amendment but never made any holding on the subject. He relegates to a footnote a recent, unanimous D.C. Circuit decision that found no First Amendment obstacle to a privacy rule that barred sale of names and addresses for target marketing purposes. [2] He does not mention another recent federal decision that upheld the Gramm-Leach-Bliley financial privacy protections against a similar challenge. [3] This kind of unconsented-to sale of personal information is precisely the sort of regulation that is at the heart of most proposed Internet privacy legislation. To my knowledge, no judge has followed the dicta of the 10th Circuit and found any First Amendment basis for striking down data privacy protections. The deeper problem with Professor Bell's analysis is that it proves far too much. Professor Bell focuses on the First Amendment rights of those who receive the individual's personal information. His analysis, though, would seem to apply generally to those who receive personal information from another. For instance, is the doctor-patient privilege unconstitutional because it limits doctors' rights to speak about their patients? Is the attorney-client privilege an unconstitutional burden on the attorney's right to blab client secrets? No. The First Amendment has existed comfortably for two centuries together with the power of the legislature to set appropriate limits on the disclosure of client information. That is what is contemplated by Internet privacy legislation as well. A web site could receive a customer's information, but not disclose that information to others except pursuant to the customer's choice. Indeed, the leading academic article on the First Amendment and privacy, on which Professor Bell principally relies, explains in detail why client information can constitutionally be protected by the sort of privacy laws supported by the ACLU, CDT, and EPIC. Professor Eugene Volokh says that "contract law not to reveal information" is "eminently defensible under existing free speech doctrine." Although Professor Volokh expresses concerns about other sorts of speech restrictions, he specifically states that the telecommunications privacy rules struck down on other grounds by the 10th Circuit "are constitutionally permissible." [4] In sum, the legal portion of Professor Bell's argument is contrary to the only federal court rulings on the subject, contrary to the leading academic article on which he claims to rely, and gives no basis for upholding the constitutionality of the doctor/patient and attorney/client privileges. Endnotes: 1. U.S. West, Inc. v. FCC, 182 F.3d 1224 (10th Cir. 1999). 2. Trans Union Corp. v. FTC, 245 F.3d 809 (D.C. Cir. 2001). 3. Individual Reference Services Group, Inc. v. FTC, 145 F. Supp. 2d 6 (D.D.C. 2001). 4. Eugene Volokh, "Freedom of Speech and Information Privacy: The Troubling Implications of a right to Stop People from Speaking about You," 52 Stanford L. Rev. 1049 (2000), at 1057 & 1060 n. 37. ********** Date: Tue, 14 Aug 2001 12:07:13 -0700 Subject: Re: Cato: Free speech means nixing both censorship and "privacy" laws From: "Tom W. Bell" <tbellat_private> To: Declan McCullagh <declanat_private> Declan, Thanks for informing me of Peter Swire's comment on my recent Cato Institute paper. I'm happy to offer a brief reply. I credit Professor Swire with a thoughtful and temperate comment on my recent paper, Internet Privacy and Self-Regulation: Lessons from the Porn Wars (Cato Institute, Policy Briefing # 65, 2001), available at <http://www.cato.org/pubs/briefs/bp-065es.html>. As I observed in that paper, much of the law relating to Internet privacy remains unsettled, leaving a good deal of room for reasonable people to differ. Nonetheless, I find Professor Swire's attempt to defend unconstitutional and unwise privacy regulations unconvincing. In brief, he relies on facts that are not legally relevant and legal claims that are not supported by fact. (1) Why Professor Swire's Comment Relies on Irrelevant Facts Professor Swire complains that the privacy-protecting technologies I describe in my paper would do little to stop speech about consumers who willingly trade personal facts for Internet services. He might as well complain that Lady Godiva suffered wanton looks. As my paper details, consumers already have easy and free access to technologies capable of completely hiding them from online spying. That gives them the power to remain as private as they like or, more to the present point, to dollop out personal information solely on acceptable terms. Granted, as Professor Swire observes, privacy-protecting tools cannot re-bottle the genie of personal information once a consumer chooses to set it free. But those tools give consumers control over the release of their personal information, and thus power to demand enforceable contractual controls on the subsequent use of that information. Technology cannot do everything, but with regard to Internet privacy it can certainly do enough. It can, moreover, do better than federal lawmakers. Perfection is *never* an option. The relevant factual question is therefore this: Can technology protect our privacy *more effectively* than politicians and regulators? It can, as I detail in my paper. And that it can renders the call for federal regulation of what commercial entities say about Internet consumers not just unwise but unconstitutional. (2) Why Professor Swire's Comment Misinterprets the Law Professor Swire's legal analysis relies on suspect interpretations of the relevant authorities and, at any rate, does nothing to defend the sorts of federal regulations that my paper targeted. Professor Swire claims, for instance, that "[T]he leading academic article on the First Amendment and privacy, on which Professor Bell principally relies, explains in detail why client information can constitutionally be protected by the sort of privacy laws supported by the ACLU, CDT, and EPIC." To the contrary, however, that paper merely argues that enforcing implied contracts to keep information private would not violate the First Amendment. See Eugene Volokh, "Freedom of Speech and Information Privacy: The Troubling Implications of a right to Stop People from Speaking about You," 52 Stanford L. Rev. 1049, 1057-63 (2000). Professor Volokh thus calls (and rightly so) for protecting privacy through states' extant contract laws. The ACLU, CDT, and EPIC have, in contrast, called for new federal regulations that would do far more than merely enforce contractual obligations between consumers and commercial entities. Does CDT really want to base its Internet privacy policy on Professor Volokh's theory? Note that he would first demand a showing that Internet use comes with an implied promise of confidentiality. It seems highly unlikely, to say the least, that we approach Internet browsing with the same assumption of confidentiality that we rightly assume applies to communications with our attorneys and doctors. Note next that Professor Volokh would, consistent with standard principles of contract law, allow an express disclaimer of confidentiality to trump any supposedly implied obligation to keep information about Internet users secret. I would be pleased--but greatly surprised--if CDT adopted that approach to Internet privacy. Note further that Professor Swire surely errs in attributing to Professor Volokh the view that "the telecommunications privacy rules struck down . . . by the 10th Circuit 'are constitutionally permissible.'" To the contrary, Professor Volokh merely says that his theory "might suggest" that the 10th circuit case of U.S. West, Inc. v. FCC, 182 F.3d 1224 (10th Cir. 1999), "could be interpreted" to embrace an opposing view of the constitutional scope of privacy regulations. If all those conditionals hold, granted, Professor Volokh would presumably argue that the court erred because "such rules [i.e., rules that merely enforce implied promises not explicitly disavowed by either party] are constitutionally permissible." But contrary to Swire's reading, Volokh does not flatly say the 10th Circuit was wrong--or, more pointedly, that CDT and company are right to call for broad federal regulation of Internet privacy. Similar interpretive problems apply to Professor Swire's other invocations of legal authority. As my paper observed, Trans Union Corp. v. FTC, 245 F.3d 809 (D.C. Cir. 2001), "stands on shaky ground." The Trans Union court stretched Dun & Bradstreet, Inc., 472 U.S. 749 (1985)--a case concerning injurious falsehoods--to find that target marketing lists merited reduced constitutional protection. Notably, however, only three justices signed on to the portion of Dun & Bradstreet upon which Trans Union relied, and even they emphasized that they did not intend to "leave all credit reporting subject to reduced First Amendment protection." Id. at 762, n. 8. The other authority cited by Professor Swire, Individual Reference Services Group, Inc. v. FTC, 145 F. Supp. 2d 6 (D.D.C. 2001), relies on Trans Union and thus shares its defects. At any rate, though, neither of those cases speak directly to the issue at hand. They did not concern the collection of information from Internet users and, thus, did not consider the legal impact of the privacy-protecting technologies discussed in my paper. (3) Conclusion Though I welcome Professor Swire's addition to our mutual and on-going attempt to discern the constitutional and prudential bounds of Internet privacy protection, his commentary ultimately fails to disprove the thesis of my recent paper: The ready availability of technological self-help protections of Internet privacy makes regulation by state authorities not only constitutionally suspect but, from the more general point of view of policy, functionally inferior. -- Tom W. Bell Associate Professor, Chapman School of Law tomwbellat_private http://www.tomwbell.com ******** ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. Declan McCullagh's photographs are at http://www.mccullagh.org/ To subscribe to Politech: http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ -------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 12:39:20 PDT