Internet Privacy is a Three-Headed Dragon
Policy discourse on Internet privacy has been stagnant since it started in the 20th century. There are distinct battle lines and a working consensus about the obligations of current Internet data collectors, but that’s it. The FTC Act excludes common carriers from FTC jurisdiction, and the Ninth Circuit has decreed that any firm that looks like a common carrier fits the exception. Oddly, the court’s decision applies even when the firm is doing non-common carrier things. The FCC wants to regulate common carriers in a way that’s beneficial to the agency’s non-carrier captors.
So Internet privacy law and policy is a mess that’s not getting any better. The major problem on the policy front is that privacy lacks a consistent meaning. There are at least three different activities that can be said to have privacy implications, and we probably want different policies in each area.
Internet Privacy vs. Surveillance
Most of us think police activities that prevent terrorists from attacking innocent people are just fine. We don’t want to know too much about them, but we assume they’re always taking place. We assume that the FBI, NSA, and CIA are watching the bad guys. Since we’re not bad guys, that doesn’t concern us. The NSA in particular has the power to intercept and decrypt most of the information passed over the Internet. While Americans were shocked by the Snowden revelations about the NSA, my guess is more people are worried about the misuse of NSA-gathered data than anything else.
In particular, the disclosure that people who work for the NSA are e-stalking ex-girlfriends is disturbing. But it’s an isolated incident so there’s not been a great public outcry against the NSA, even if privacy hawks have made hay from it. Snowden seems like a sincere man, but he needs to return home and face the music.
Surveillance takes on a different color when the law enforcement purpose is less black-and-white than terrorist fanatics. The War on Drugs depends on the collection of the same kind of information as the War on Terror, and it’s much less popular. We want more control over data gathering to enforce unpopular laws than popular ones, so each drug-related wiretap needs to be scrutinized by an ordinary criminal court.
We’re probably most supportive of surveillance after an attack has taken place. Following the San Bernardino shooting, most Americans wanted Apple to help the FBI break into the shooter’s iPhone to find whatever it could about his contacts, even if Apple didn’t want to do it. And we still have an ongoing discussion about just how secure we want our phones to be. The consensus answer seems to be “so secure our enemies can’t break in, but not so secure the FBI can’t catch the bad guys with massive computer power to break encryption.”
Internet Privacy vs. Advertising
The main privacy tussle in Washington is actually about which firms can sell consumer buying preferences to potential advertisers. Facebook and Google are said to control 85% of the market for web ads today. This concentration of power has come about because these two firms have the deepest troves of our personal histories. Amazon and Netflix also know a lot about us, and the credit card companies know even more. But Amazon uses what it knows to sell us products and services and Netflix uses it to recommend movies. The credit card companies are subject to specific financial privacy laws forbidding them from sharing our details.
The titans of the web want to keep others out of their sandbox: Nothing is more threatening to their prospects than competition from broadband carriers. Hence, the advertisers are promoting campaigns that liken carriers to the NSA. So far these campaigns have been successful, for the same reasons that the dubious net neutrality campaign was. If you can get enough people repeating your story nobody is going to fact-check it and it becomes a substitute for reality. The attempt to keep ICANN under the control of the US government follows a similar script, but it appears to be failing. Nonetheless, we’re still a long way from fact-based Internet policy.
Consumers actually have a lot to gain from increased competition for advertising dollars. There are too many ads on the web today, and each one distracts from the user experience. Many ads are superfluous reflections of recent buying activity. These are helpful neither for the consumer or for the advertiser, but they are profitable for advertising networks. A more comprehensive view of consumer behavior would reduce the number of superfluous ads, which should be a public policy goal. We get closer to that condition by making more consumer information available to ad networks, not less. Hence, privacy regulations on advertising can be harmful to consumers.
Real Internet Privacy
Apart from privacy conflicts with law enforcement and advertising, consumer concerns about Internet privacy are linked in concerns about income and reputation. Privacy hawks frequently raise concerns about information related to health, but these should be viewed in context. When medical insurance prices are linked to health status, consumers have financial interests in keeping them private. But this is more an insurance policy issue than a matter of privacy. If insurers are legally barred from considering pre-existing conditions when pricing health insurance plans, consumers don’t suffer harm from such information.
In fact, it can be beneficial for Health Maintenance Organizations to have greater awareness of patient health status than they currently have. Preventive medicine is, after all, a legitimate part of their role. The real culprit is not the sharing of personal information with responsible parties, it’s the fear that such information will fall into unscrupulous hands. Quack medicine merchants, for example, could easily prey upon cancer suffers if they could buy lists of the from ad networks. But isn’t the solution to this problem a ban on quack medicine or strict regulation of faulty medical claims?
The Internet is rich with quack medicine sites selling useless and harmful supplements and diet plans. These sites are allowed to operate as long as they offer minimal disclosures to the effect that the information they offer is educational and not medical. But they clearly offer products as cures for a broad spectrum of illnesses as if they were superior to genuine medicine. So many of the concerns about personal information are reflections of poor regulation in spheres of economic activity that should be more carefully regulated.
But damage to reputation is a different matter. Rumors, innuendo, libel, and the sharing of true but private information can certainly be damaging to income and social standing. These issues are not unique to the Internet and are generally resolved in real life by accountability measures such as lawsuits. But the Internet is short on accountability because it’s so easy for malicious actors to hide behind cloaks when spreading untruths and other forms of attack. So it appears that the privacy enjoyed by Internet speakers has a great deal to do with the personal privacy fears of ordinary people.
While Internet privacy is no less a legitimate concern than is privacy in the offline realm, the issue is easily warped by commercial interests. Consequently, Internet privacy protections should be balanced by policy progress in law enforcement, competition for advertising dollars, and accountability. We’re relatively far from the proper balance of interests on the web because we face too many superfluous ads and too many attacks by unaccountable parties.
Privacy also needs to be refined in terms of the balance of restrictions on the gathering of personal information and its sale and use. In general, it’s not difficult to distinguish legitimate uses from illegitimate ones for nearly all types of information. It will be helpful to think about for kinds of uses as we seek to fill the vacuum in regulatory authority created by the joint actions of the FCC and the Ninth Circuit.