Home' Technology Review : July August 2009 Contents ESSAY
TECHNOLOGY REVIEW JULY/ AUGUST
In both cases, Congress acted to prevent personal informa-
tion from being reused in certain ways without permission.
Score two for the updated concept of privacy.
In the 1980s and early 1990s, while lawmakers in Europe
and Canada passed comprehensive privacy legislation com-
plete with commissioners and enforcement mechanisms, the
United States adopted a piecemeal approach. Some databases
had legally mandated privacy guarantees; others didn't. Wire-
tapping required a warrant---except when companies taped
employees for the purpose of "improving customer service."
But even if policies weren't consistent, they basically covered
most situations that arose.
Then came the Internet's explosive growth---a boon to com-
munity, commerce, and surveillance all at the same time. Never
before had it been so easy to find out so much, so quickly. But
while most Internet users soon became dependent on services
from companies like Yahoo and Google, few realized that they
themselves were the product these companies were selling.
All activity on the Internet is mediated---by software on your
computer and on the remote service; by the remote service
itself; and by the Internet service providers that carry the data.
Each of these mediators has the ability to record or change the
data as it passes through. And each mediator has an incentive
to exploit its position for financial gain.
Thousands of di erent business models bloomed. Com-
panies like Doubleclick realized that they could keep track of
which Internet users went to which websites and integrate this
information into vast profiles of user preferences, to be used
for targeting ads. Some ISPs went further and inserted their
own advertisements into the user's data stream. One e-mail
provider went further still: it intercepted all the e-mail from
Amazon.com to its users and used those messages to market
its own online clearinghouse for rare and out-of-print books.
Whoops. That provider was eventually charged with violating
the Federal Wiretap Act. But practically every other intrusive
practice was allowed by the law and, ultimately, by Congress,
which was never able to muster the will to pass comprehen-
sive Internet privacy legislation.
It's not that Congress was shy about regulating the Internet.
It's just that congressional attention in the 1990s was focused
on shielding children from online pornography---through
laws eventually found unconstitutional by the Supreme Court,
because they also limited the rights of adults. The one signifi-
cant piece of Internet privacy legislation that Congress did
manage to pass was the Children's Online Privacy Protection
Act (COPPA), which largely prohibited the intentional collec-
tion of information from children 12 or younger.
Instead, it fell mostly to the Federal Trade Commission to
regulate privacy on the Internet. And here the commission
used one primary tool: the FTC Act of 1914 (since updated),
which prohibits businesses from engaging in "unfair or decep-
tive acts or practices." The way this works in connection
with online privacy is that companies write "privacy policies"
describing what they do with personal information they obtain
from their customers. Companies that follow their policies
are fine---even if they collect your information and publish it,
sell it, or use it to send e-mail or for "any other lawful purpose"
(and the law is pretty tolerant). The only way for companies to
get in trouble is to claim that they will honor your privacy in a
specific manner and then do something di erent.
Hearings were held at the end of the Clinton administration
to pass some online privacy legislation with real teeth. I testi-
fied in favor of strong regulations at one of those hearings, but
sitting next to me at the witness table were powerful business
interests who argued that regulation would be expensive and
hard to enforce. The legislation didn't go anywhere. Business
groups saw this outcome as the triumph of their "market-based"
approach: consumers who weren't happy with a company's pri-
vacy stance could always go elsewhere. Privacy activists winced,
knowing that legislation would be unlikely to pass if the Repub-
licans won in 2000. We had no idea how right we were.
9/11: THE FIRST NATIONAL SCARE OF THE COMPUTER AGE
The terrorist attacks of September 11, 2001, changed the terms
of the debate. Suddenly, the issue was no longer whether Con-
gress should protect consumer privacy or let business run wild.
Instead, the question became: Should Congress authorize the
Bush administration to use the formidable power of state sur-
veillance to find terrorists operating inside the United States
and stop them before they could carry out their next attack?
The administration itself had no doubts. Where laws protect-
ing privacy got in the way of its plans to prevent attacks, it set out
to change those laws. The pinnacle of this e ort was the USA
Patriot Act, signed on October 26, 2001, which dramatically
expanded government power to investigate suspected terrorism.
In the months that followed, representatives for the administra-
tion repeatedly denounced those who complained about threats
to privacy and liberty; they were, said Attorney General John
Ashcroft, "giv[ing] ammunition to America's enemies."
It was a strong, simple, and remarkably effective mes-
sage---so e ective that we know of only a few cases in which
Congress pushed back. The first and most public such case
involved a Department of Defense research project called
Total Information Awareness (TIA).
Soon renamed Terrorism Information Awareness, TIA
was the brainchild of the Defense Advanced Research Proj-
Links Archive May June 2009 September October 2009 Navigation Previous Page Next Page