Privacy for Sale: Peddling Data on the Internet
By Andrew L. Shapiro
I've got Ted Turner's Social Security number here, along with Rush Limbaugh's home address and a couple of phone numbers for Bob Dole in Kansas. I found this information for free on the Internet in about ten minutes. With a little money and some wily sleuthing, I could probably use this data to get their credit histories, financial records and maybe some confidential medical facts. I might even be able to screw around with their bank accounts.
It is this naked vulnerability that has, quite justifiably, made Americans increasingly anxious about privacy over the past two decades. A 1995 Louis Harris poll found that 82 percent of respondents were concerned about their personal privacy, up from 64 percent in 1978. Over the same period, the proportion of those who were "very concerned" about privacy increased almost 50 percent. This new fear reflects the emergence of a sophisticated system of private surveillance -- or dataveillance, as David Shenk calls it in his new book, Data Smog -- that is rapidly overshadowing threats from the state.
It was once too expensive for anyone but the government to collect, store and coordinate data, creating profiles on hundreds of millions of citizens. But the creeping ubiquity of digital computer technology has ushered in a major industry of high-tech data pushers who are dedicated to gathering and selling personal information about practically everyone, mostly for marketing purposes. (Privacy experts estimate that the average American is profiled in at least twenty-five, and perhaps as many as 100, databases.) "Marketers can follow every aspect of our lives, from the first phone call we make in the morning to the time our security system says we have left the house, to the video camera at the toll booth and the charge slip we have for lunch," said President Clinton recently -- a somewhat unexpected remark given his poor record on privacy. With the rise of online commerce and communication, this collection increasingly happens imperceptibly and without the consent of the observed. The result is a broad and lucrative market for personal information that allows anyone with a buck to find out a whole lot about anyone else -- often just by trolling around the Net. It's Orwell meets Adam Smith, introduced by Bill Gates.
Traditionally, privacy advocates have responded to this plight with calls for broad federal legislation to replace the current patchwork of state and federal law that leaves personal data woefully unprotected. Proposals usually require conspicuous notice of what information is being collected and for what purpose; meaningful and informed consent by consumers (for example, allowing them to "opt in" to data collection rather than having to "opt out"); the ability to access files about oneself and to correct inaccuracies; a scheme of redress for violations; and creation of an independent federal privacy protection agency to enforce compliance.
But in the current deregulatory climate, the Clinton Administration and some privacy defenders are taking a different approach. They're calling for the creation of a market for privacy to compete with or complement the growing market for personal information. (A report released in April by a presidential advisory panel, for example, mentioned "the intriguing possibility that privacy could emerge as a market commodity in the Information Age.") Just as there is demand for consumer data among profiteers, so there is a counterdemand on the part of individuals to keep that information private. The answer, say these advocates, is to have consumers bargain with vendors over acceptable rules for data collection and use.
For example, if I'm a real stickler for privacy, I may want to pay more to use an Internet service provider or a Web site that will guarantee me Level 5 privacy (on a hypothetical 1 to 5 scale where 5 represents a commitment not to gather any data). Someone else who doesn't care at all about privacy can pay less to use a Level 1 provider, the kind that sucks up data like a Dustbuster. From the company's standpoint, this makes sense because there is monetary value in that data. If they get it, they charge you less (or give you more); if they don't, they charge more (or provide less).
This, in some sense, is how the World Wide Web works today. Web sites generally offer their material for free; in return, users give them personal information. This may mean typing your name, phone number or whatever in some blank registration field. But using something called "cookies," Web sites also surreptitiously collect data such as what Internet service provider you use, what site you most recently visited, what computer and browser you're using (for a demonstration, see www.cdt.org/privacy). Since the Net is already so geared toward information exchange, some privacy advocates figure they might as well formalize that process in an open market. That market would extend beyond cyberspace to every exchange of data -- with the stores you shop at, your doctors, maybe even your friends.
Now, before you go postal about how your privacy rights are being sold down the river, consider some appealing features of the market for privacy: Recognizing the value of information as an asset, it seeks to give consumers property rights in that information. Your data and sanctuary are your own; you sell them only if you choose -- and you can, at least in theory, choose exactly who knows what about you. This would seem to be better than today's free-for-all, where the few rules that exist are vague and, even worse, our data are routinely stolen from us by invisible thieves.
Consider also that this market approach has received support not just from the Netscape-led business consortium looking into it but from many of the leading digital civil liberties organizations, including the Center for Democracy and Technology and the Electronic Frontier Foundation. C.D.T. is working with the World Wide Web Consortium, the Direct Marketing Association and others on the Platform for Privacy Preferences, a technical standard that will allow users to negotiate privacy practices with data collectors in a way similar to my Level 1 to 5 example. E.F.F. has teamed up with other industry players to create eTrust, a coalition that rewards privacy-friendly Web sites with a sort of Good Housekeeping seal of approval. Even stalwarts like Marc Rotenberg of the Electronic Privacy Information Center believe that consumers should start bargaining over the flow of their facts and figures. "There are already now markets for personal data," says Rotenberg. "The goal is to make them more fair, to give individuals more control."
The problem is, the data pushers will be fighting tooth and nail to see that this doesn't happen. And even if it does, the privatization of privacy will create as many dilemmas as it solves, if not more.
First, it may make privacy even more elusive than it is today, particularly online. For example, while dataveillance is the norm on the Net, cybersavvy privacy hawks have their ways of evading it. One trick is to use technologies that allow for anonymous Web surfing. Another is the ever popular low-tech option of providing false information when queried, which 34 percent of Net users admit they do, according to a Georgia Tech survey (you can bet the real number is higher). These renegade tactics will likely be unavailable in the world of formally established privacy markets. Users will have to contract with vendors in an aboveboard fashion and, as Pat Faley of the Direct Marketing Association sees it, "You're not going to be able to go to too many places if you want to be anonymous." That's the way the market works. You have to play by the rules, which may be different at every Web site you visit -- not to mention noncyber data interactions (in a store, on the phone, etc.). This points to a bigger problem: All that time and effort spent dickering over various privacy arrangements adds up to what economists call high -- even inefficiently high -- transaction costs. In plain terms, it means more hassle for what may be less privacy.
Second, the privacy market will hit the poor particularly hard. As companies are able to charge increasingly higher rates for finer shades of privacy, poorer customers who can't afford these premiums will be left more exposed simply by dint of economic disadvantage. Even if the markups are small, a little added privacy may not seem worth it for those with little disposable income, especially since they are already likely to be monitored by the state if they receive welfare or live in high-crime neighborhoods. (In fact, only 39 percent of Internet users expressed a willingness to pay a markup of more than half a cent on the dollar to assure their privacy, according to eTrust.) Do we really want to perpetuate such a system of first- and second-class privacy rights?
Third, the privacy market may create a false sense of comfort, blinding us to certain unforeseeable consequences of dealing in data. For example, though a company may faithfully notify me that it collects personal information for direct marketing, I may be exposed to more than just junk-mail annoyance. Inaccurate or incomplete information in databases is routinely used to determine whether someone should be hired, insured, rented to or given credit. The readily available nature of data can lead to discrimination, harassment and even physical danger -- as a Los Angeles reporter demonstrated when she bought detailed information about 5,000 children from information broker Metromail using the name of Richard Allen Davis, who was convicted of murdering 12-year-old Polly Klaas. In the arm's length transactions of the market, vendors have "no incentive to have you think about these dangers," says Oscar Gandy Jr. of the University of Pennsylvania's Annenberg School for Communication. "We're not going to be fully informed."
Fourth, there is the problem of unequal bargaining power. While most companies are less interested in your data than in having you as a customer, certain powerful firms, such as the three major credit reporting agencies, are interested exclusively in your numbers. And these companies tend to be monopolistic, presenting consumers with little real choice in the market. If you don't like the terms of the deal they offer, there's really nowhere else you can go to establish a reputable credit report that will allow you to obtain, say, a checking account or a mortgage. And then there's the person who arrives at the hospital after a car accident: Is he supposed to haggle over use of his medical data before he's treated? What about kids browsing the Web who stumble upon, say, the Batman Forever site, which asks them to "help Commissioner Gordon with the Gotham census" by answering questions about what products they buy? (The site was recently changed after complaints from the Center for Media Education.) As Gandy argues in a recent article, "The fundamental asymmetry between individuals and bureaucratic organizations all but guarantees the failure of the market for personal information." Even a free-marketeer like E.F.F. chairwoman Esther Dyson says, "Where there is an element of coercion, you want some regulation."
Finally, looming over all of this is a commodification critique, which warns that privacy and personal information become debased when subjected to market pressures. "This is like asking people to pay to practice freedom of religion or free speech," says University of Washington professor Philip Bereano. "We do not buy and sell civil liberties. This is commodity fetishism. It is capitalism run amok." So it would seem. Yet Bereano is actually referring to well-established privacy rights, like the Fourth Amendment right to be free from unreasonable search and seizure and the due process right to make decisions about intimate matters such as contraception and abortion. These rights, one hopes, cannot be peddled to the highest bidder. The situation is less clear, however, when it comes to personal information. In part, that's because privacy is not well defined or protected in our legal system (video rental records, for example, are protected but medical information is not). Privacy is not even mentioned in the Constitution, and our courts and legislatures have made it the somewhat insecure stepchild of legal rights.
Look, for example, at the compromised status of privacy in the ongoing debate over encryption, the text-scrambling technology that keeps electronic communications secure. Civil libertarians have argued strenuously and persuasively against law enforcement's attempts to tap encrypted messages -- first with the Clipper Chip, now with an equally problematic "key recovery" scheme. But their arguments based on pure privacy principles have fallen on deaf ears. Instead, modest progress now seems likely because of complaints from high-tech giants in a tizzy over their inability to compete with the foreign software companies that are dominating the growing global market for encryption tools. Crypto supporters have every reason to cheer industry's arm-twisting, since it may help secure passage of two pending bills in Congress lifting restrictions on this crucial technology. But a cynic would conclude that privacy is getting a boost just because profits -- and perhaps some campaign donations -- are at stake. What about the idea that privacy should be protected for its own sake?
Lately, it's an idea that has had more currency abroad than it has here. The Organization for Economic Cooperation and Development, for example, has rejected the Clinton Administration's attempts to hamstring encryption, and the European Union has enacted a strict directive limiting personal data transfer. Indeed, the E.U. will prod the United States during upcoming trade negotiations to beef up its lax standards. The Europeans can draw on any number of resources to chasten our leaders. Many instruments of international law recognize that privacy is a fundamental human right. It is also, according to scholars from various disciplines, a core value that protects dignity, autonomy, solitude and the way we present ourselves to the world.
While privacy can conceal scourges from scrutiny, it is more often a fulcrum of democracy preserving other basic freedoms, including rights of association and free speech, voting and the pursuit of liberty and happiness. As Justice William O. Douglas wrote in a 1952 dissent, echoing an idea expressed earlier by Justice Louis Brandeis, "The right to be let alone is indeed the beginning of all freedom." In this view, privacy attains special status: Just as we don't allow people to sell their vote, their body parts or themselves into slavery, we shouldn't allow them to sell their privacy.
But does this mean that I shouldn't be able to trade my own data for money or services? The market-failure problems noted above are certainly red flags. Stanford law professor Margaret Jane Radin, the author recently of Contested Commodities, points out that such concerns have led society to prevent other kinds of bargaining. A landlord, for example, is legally required to keep a rented apartment habitable; he can't ask the renter to waive that requirement in exchange for reduced rent. Similarly, a company can't sell a toaster at a $5 discount to a buyer who agrees not to sue in the event that a product defect causes her to be injured.
Perhaps, then, what this market needs is a safety net, a minimal level of personal information privacy that cannot be bartered away. This baseline should certainly prevent bargaining with kids. It might also include inalienable control over our most sensitive material, such as medical and financial information. Whatever its specific features, a safety net for privacy would help create an environment where personal information privacy is the norm, not the exception. The burden would be on data pushers to justify their practices rather than on hapless individuals trying to protect themselves in a perplexing new marketplace.
One more point: Some fans of the market for privacy, particularly those in industry, seem to think they've found a way to protect privacy that is an alternative to lawmaking and regulation -- as if the choice was either the market or government. This is just wrong. As Phil Agre of the University of California, San Diego, notes, "Governments create markets -- and the more intangible the commodity, the more that is true." To work efficiently and equitably, a privacy market will require a concrete legal regime to protect what's being traded and the integrity of that trading. Some sort of federal privacy agency will likely be necessary for enforcement -- to protect against data theft, and to insure fair dealing and compliance. Whether or not we trust the self-regulatory efforts of groups like the Direct Marketing Association, they surely can't control the actions of fly-by-night companies that swoop down on the Net to pick up the trail of an unsuspecting mouse. "We'll see where the market will work and where it won't, and supplement that with government action," says Christine Varney, a Federal Trade Commissioner who will be leading an F.T.C. conference on these issues in mid-June.
What's clear is that the market for privacy won't do away with the need for new statutory protections and government oversight. It certainly won't give consumers the upper hand against the masterminds of dataveillance. If anything, it will further reduce privacy from an assumed right to the unceremonious status of a commodity. Folks like Ted Turner, Rush Limbaugh and Bob Dole will pay to keep meddlers from getting access to their confidential information. But what about the rest of us? If privacy is for sale, will we peddle our digits or save our data souls?
Andrew L. Shapiro (ashapiro@interport.net), a Nation
contributing editor and fellow at the Twentieth Century Fund, is writing a book for the fund on the politics of new media.
Or send your letter to the editor to letters@thenation.com.
Copyright (c) 1997, The Nation Company, L.P. All rights reserved. Electronic redistribution for nonprofit purposes is permitted, provided this notice is attached in its entirety. Unauthorized, for-profit redistribution is prohibited. For further information regarding reprinting and syndication, please call The Nation at (212) 242-8400, ext. 226 or send e-mail to Max Block at mblock@thenation.com.
