Home' Technology Review : July August 2009 Contents ESSAY
TECHNOLOGY REVIEW JULY/ AUGUST
insisting on secure systems, governments and corporations
alike have allowed themselves to get stuck with insecure ones.
Consider the humble Social Security number. As a privacy
advocate, I always chafe when people ask me for my "social."
As a security professional, I am deeply disturbed that a number
designed as an identifier---for the single specific purpose of track-
ing individuals' earnings to calculate Social Security benefits---
has come to be used as a verifier of identity for countless other
purposes. Providing my SSN should not "prove" that I am who I
say I am any more than providing my name or address does. But
in the absence of any better system, this number has become,
in the words of Joanne McNabb, chief of California's O ce of
Privacy Protection, the "key to the vault for identity thieves."
Yes, privacy as we know it is under attack---by a govern-
ment searching for tax cheats and terrorists; by corporations
looking for new customers; by insurance companies looking
to control costs; and even by nosy friends, associates, and
classmates. Collectively, we made things worse by not build-
ing strong privacy and security guarantees into our informa-
tion systems, our businesses, and our society. Then we went
and networked everything, helping both legitimate users and
criminals. Is it any wonder things turned out this way?
All of a sudden, we have a lot of work to do.
But while our current privacy issues feel as new as Twitter,
the notion of privacy as a right is old. Americans have always
expected this right to be maintained, even as technology opened
ever more powerful tools for its subversion. The story of privacy
in America is the story of inventions and the story of fear; it is
best told around certain moments of opportunity and danger.
The word privacy doesn't appear in the U.S. Constitution, but
courts and constitutional scholars have found plenty of privacy
protections in the restriction on quartering soldiers in private
homes (the Third Amendment); in the prohibition against
"unreasonable searches and seizures" (the Fourth Amendment);
and in the prohibition against forcing a person to be "a witness
against himself " (the Fifth Amendment). These provisions
remain fundamental checks on the power of government.
Over time, however, the advance of technology has threat-
ened privacy in new ways, and the way we think about the
concept has changed accordingly.
Back in 1890 two Boston lawyers, Samuel Warren and Louis
Brandeis, wrote an article in the Harvard Law Review warning
that the invasive technologies of their day threatened to take
"what is whispered in the closet" and have it "proclaimed from
the house-tops." In the face of those threats, they posited a
direct "right to privacy" and argued that individuals whose
privacy is violated should be able to sue for damages.
Warren and Brandeis called privacy "the right to be let alone"
and gave numerous examples of ways it could be invaded.
After more than a century of legal scholarship, we've come to
understand that these examples suggest four distinct kinds of
invasion: intrusion into a person's seclusion or private a airs;
disclosure of embarrassing private facts; publicity that places a
person in a "false light"; and appropriation of a person's name
In our world, "intrusions into a person's seclusion or private
a airs" might describe someone's hacking into your computer
system. Consider the case of Patrick Connolly, a U.S. military
contractor accused of victimizing more than 4,000 teenagers
by breaking into their computers and threatening to make their
pictures and videos public unless they sent him sexually explicit
photos and videos of themselves. You can also be intruded
upon in many lesser ways: when companies force advertise-
ments onto your screen, for example, or make pop-ups appear
that you need to close. It's intrusive for a telemarketer to call
you during dinner. That's why programs that block Internet
advertisements and the federal government's "do not call" list
are both rightly seen as privacy-protecting measures.
The desire to prevent the disclosure of embarrassing private
facts, meanwhile, is one of the driving forces behind the privacy
regulations of the Health Insurance Portability and Account-
ability Act (HIPAA). Because of this law and the regulations
deriving from it, a health-care provider cannot disclose infor-
mation in your medical records unless you give explicit permis-
sion. Another law, the Video Privacy Protection Act of 1988,
makes it illegal for Netflix to disclose the movies you rent.
"False light" is a problem we still don't know how to address
online. It's all too easy on today's Internet to attack a person's
reputation with anonymously posted false statements. And
even though free-speech advocates invariably say that the anti-
dote to bad speech is more speech, experience has shown that
this remedy is less e ective in the age of Google. For example,
two years ago AutoAdmit, an online message board for law stu-
dents and lawyers, was sued by two female Yale Law students
who said they'd been unable to obtain summer associate posi-
tions because vile and malicious sexual comments about them
appeared whenever someone searched for their names.
Using a name or likeness without permission is at the heart
of most "sexting" cases that reach the newspapers. Journalists
often focus on the fact that teens are willingly sending sexy or
downright pornographic photos of themselves to their boy-
friends or girlfriends. But the real damage happens when a
recipient forwards one of these photos to friends. That is, the
damage is caused by the appropriation, not the receipt.
The fact that a dusty Harvard Law Review article corre-
sponds so closely with the online privacy problems we face
Links Archive May June 2009 September October 2009 Navigation Previous Page Next Page