The Digital Person: Technology and Privacy in the Information Age

GW Law Faculty Publications & Other Works Faculty Scholarship

2004

The Digital Person: Technology and Privacy in the Information Age The Digital Person: Technology and Privacy in the Information Age

Daniel J. Solove

George Washington University Law School

, dsolove@law.gwu.edu

Follow this and additional works at: https://scholarship.law.gwu.edu/faculty_publications

Part of the Law Commons

Recommended Citation Recommended Citation

Solove, Daniel J., The Digital Person: Technology and Privacy in the Information Age (October 1, 2004). D.

Solve, The Digital Person: Technology and Privacy in the Information Age, NYU Press (2004); GWU Law

School Public Law Research Paper 2017-5; GWU Legal Studies Research Paper 2017-5. Available at

SSRN: https://ssrn.com/abstract=2899131

This Article is brought to you for free and open access by the Faculty Scholarship at Scholarly Commons. It has

been accepted for inclusion in GW Law Faculty Publications & Other Works by an authorized administrator of

Scholarly Commons. For more information, please contact spagel@law.gwu.edu.

Electronic copy available at: https://ssrn.com/abstract=2899131

digital

person

the

Electronic copy available at: https://ssrn.com/abstract=2899131

Ex Machina: Law, Technology, and Society

General Editors: Jack M. Balkin and Beth Simone Noveck

The Digital Person

Technology and Privacy in the Information Age

Daniel J. Solove

1010101010101

10101010101

101010101

1010 101

10101

1 0 1

a NEW YORK UNIVERSITY PRESS New York and London

digital

person

the

Technology and Privacy in the lnformation Age

daniel j. solove

01010101010101

10101010101010

01010101010101

10101010101010

01010101010101

10101010101010

01010101010101

10101010101010

01010101010101

10101010101010

01010101010101

10101010101010

new york university press

New York and London

www.nyupress.org

Library of Congress Cataloging-in-Publication Data

Solove, Daniel J., –

The digital person :

technology and privacy in the information age / Daniel J. Solove.

p. cm.—(Ex machina)

Includes bibliographical references and index.

ISBN ––– (cloth : alk. paper)

.Data protection—Law and legislation—United States.

.Electronic records—Access control—United States.

.Public records—Law and legislation—United States.

.Government information—United States.

.Privacy, Right of—United States. I. Title. II. Series.

KF.CS 

.'—dc 

New York University Press books are printed on acid-free paper,

and their binding materials are chosen for strength and durability.

Manufactured in the United States of America



In loving memory of

my grandma,

Jean

010

1010

01010

101010

0101010

101010

01010

1010

010

Contents

Acknowledgments ix

1 Introduction 

The Problems of Digital Dossiers 

Traditional Conceptions of Privacy 

Rethinking Privacy 

A Road Map for This Book 

i computer databases

2 The Rise of the Digital Dossier 

A History of Public-Sector Databases 

A History of Private-Sector Databases 

Cyberspace and Personal Information 

3Kafka and Orwell:

Reconceptualizing Information Privacy 

The Importance of Metaphor 

George Orwell’s Big Brother 

vii

▲

Franz Kafka’s Trial 

Beyond the Secrecy Paradigm 

The Aggregation Eﬀect 

Forms of Dehumanization:

Databases and the Kafka Metaphor 

4 The Problems of Information Privacy Law 

The Privacy Torts 

Constitutional Law 

Statutory Law 

The FTC and Unfair and Deceptive Practices 

A World of Radical Transparency:

Freedom of Information Law 

The Law of Information Privacy and

Its Shortcomings 

5 The Limits of Market-Based Solutions 

Market-Based Solutions 

Misgivings of the Market 

The Value of Personal Information 

Too Much Paternalism? 

6 Architecture and the Protection of Privacy 

Two Models for the Protection of Privacy 

Toward an Architecture for

Privacy and the Private Sector 

Reconceptualizing Identity Theft 

Forging a New Architecture 

ii public records

7 The Problem of Public Records 

Records from Birth to Death 

viii

contents

▲

The Impact of Technology 

The Regulation of Public Records 

8 Access and Aggregation:

Rethinking Privacy and Transparency 

The Tension between Transparency and Privacy 

Conceptualizing Privacy and Public Records 

Transparency and Privacy:

Reconciling the Tension 

Public Records and the First Amendment 

iii government access

9 Government Information Gathering 

Third Party Records and the Government 

Government–Private-Sector Information Flows 

The Orwellian Dangers 

The Kafkaesque Dangers 

Protecting Privacy with Architecture 

10 The Fourth Amendment, Records, and Privacy 

The Architecture of the Fourth Amendment 

The Shifting Paradigms of

Fourth Amendment Privacy 

The New Olmstead 

The Emerging Statutory Regime and Its Limits 

11 Reconstructing the Architecture 

Scope: System of Records 

Structure: Mechanisms of Oversight 

Regulating Post-Collection Use of Data 

Developing an Architecture 

contents

▲

12 Conclusion 

Notes 

Index 

About the Author 

contents

▲

Acknowledgments

It is often said that books are written in solitude, but that wasn’t true

for this one. The ideas in this book were created in conversation with

many wise friends and mentors. I owe them immense gratitude.

Michael Sullivan has had an enormous inﬂuence on my thinking, and

he has continually challenged me to strengthen my philosophical po-

sitions. Paul Schwartz has provided countless insights, and his work is

foundational for the understanding of privacy law. Both Michael’s

and Paul’s comments on the manuscript have been indispensable. I

also must thank Judge Guido Calabresi, Naomi Lebowitz, Judge Stan-

ley Sporkin, and Richard Weisberg, who have had a lasting impact on

the way I think about law, literature, and life.

Charlie Sullivan deserves special thanks, although he disagrees

with most of what I argue in this book. He has constantly forced me to

better articulate and develop my positions. I may never convince

him, but this book is much stronger for making the attempt.

So many other people are deserving of special mention, and if I were

to thank them all to the extent they deserve, I would more than double

the length of this book. Although I only list their names, my gratitude

extends much further: Anita Allen, Jack Balkin, Carl Coleman, Howard

Erichson, Timothy Glynn, Rachel Godsil, Eric Goldman, Chris Hoofna-

gle, Ted Janger, Jerry Kang, Orin Kerr, Raymond Ku, Erik Lillquist,

Michael Risinger, Marc Rotenberg, Richard St. John, Chris Slobogin,

Richard Sobel, Peter Swire, Elliot Turrini, and Benno Weisberg.

▲

I greatly beneﬁted from the comments I received when presenting

my ideas, as well as portions of the manuscript, at conferences and

symposia at Berkeley Law School, Cornell University, Emory Law

School, Minnesota Law School, Seton Hall Law School, Stanford Law

School, and Yale Law School.

My research assistants Peter Choy, Romana Kaleem, John Spac-

carotella, and Eli Weiss provided excellent assistance throughout the

writing of this book. Dean Pat Hobbs and Associate Dean Kathleen

Boozang of Seton Hall Law School gave me generous support.

Don Gastwirth, my agent, shepherded me through the book pub-

lishing process with great enthusiasm and acumen. With unceas-

ing attention, constant encouragement, and superb advice, he

helped me ﬁnd the perfect publisher. Deborah Gershenowitz at NYU

Press believed in this project from the start and provided excellent ed-

iting.

Finally, I would like to thank my parents and grandparents. Their

love, encouragement, and belief in me have made all the diﬀerence.

This book incorporates and builds upon some of my previously

published work: Privacy and Power: Computer Databases and

Metaphors for Information Privacy,  Stanford Law Review 

(); Access and Aggregation: Privacy, Public Records, and the Consti-

tution,  Minnesota Law Review  (); Digital Dossiers and the

Dissipation of Fourth Amendment Privacy,  Southern California Law

Review  (); and Identity Theft, Privacy, and the Architecture of

Vulnerability,  Hastings Law Journal  (). These articles are

really part of a larger argument, which I am delighted that I can now

present in its entirety. The articles are thoroughly revised, and parts of

diﬀerent articles are now intermingled with each other. The argument

can now fully unfold and develop. Privacy issues continue to change

at a rapid pace, and even though these articles were written not too

long ago, they were in need of updating. The arguments originally

made in these articles have been strengthened by many subsequent

discussions about the ideas I proposed. I have been forced to think

about many issues more carefully and with more nuance. My under-

standing of privacy is a work in progress, and it has evolved since I be-

gan writing about it. This book merely represents another resting

place, not the ﬁnal word.

xii

acknowledgments

▲

Introduction

We are in the midst of an information revolution, and we are only be-

ginning to understand its implications. The past few decades have

witnessed a dramatic transformation in the way we shop, bank, and

go about our daily business—changes that have resulted in an un-

precedented proliferation of records and data. Small details that were

once captured in dim memories or fading scraps of paper are now

preserved forever in the digital minds of computers, in vast databases

with fertile ﬁelds of personal data. Our wallets are stuﬀed with ATM

cards, calling cards, frequent shopper cards, and credit cards—all of

which can be used to record where we are and what we do. Every day,

rivulets of information stream into electric brains to be sifted, sorted,

rearranged, and combined in hundreds of diﬀerent ways. Digital

technology enables the preservation of the minutia of our everyday

comings and goings, of our likes and dislikes, of who we are and what

we own. It is ever more possible to create an electronic collage that

covers much of a person’s life—a life captured in records, a digital

person composed in the collective computer networks of the world.

We are currently confronting the rise of what I refer to as “digital

dossiers.” A dossier is a collection of detailed data about an individ-

ual. Dossiers are used in European courts to assemble information

▲

about a person in order to reach a judgment. Today, through the use

of computers, dossiers are being constructed about all of us. Data is

digitized into binary numerical form, which enables computers to

store and manipulate it with unprecedented eﬃciency. There are

hundreds of companies that are constructing gigantic databases of

psychological proﬁles, amassing data about an individual’s race, gen-

der, income, hobbies, and purchases. Shards of data from our daily

existence are now being assembled and analyzed—to investigate

backgrounds, check credit, market products, and make a wide variety

of decisions aﬀecting our lives.

This book is about how we should understand and protect privacy

in light of these profound technological developments. Our old con-

ceptions of privacy are not up to the task. Much of the law pertaining

to privacy is based on these conceptions, and as a result, it has failed

to resolve the emerging privacy problems created by digital dossiers.

This book aims to rethink longstanding notions of privacy to grapple

with the consequences of living in an Information Age.

The Problems of Digital Dossiers

New Technologies and New Problems. In earlier times, communities were

small and intimate. Personal information was preserved in the mem-

ories of friends, family, and neighbors, and it was spread by gossip

and storytelling. Today, the predominant mode of spreading informa-

tion is not through the ﬂutter of gossiping tongues but through the

language of electricity, where information pulses between massive

record systems and databases. On the upside, this development

means that individuals can more readily escape from the curious eyes

of the community, freeing themselves from stiﬂing social norms in-

hibiting individuality and creativity. On the downside, an ever-grow-

ing series of records is created about almost every facet of a person’s

life. As businesses and the government increasingly share personal

information, digital dossiers about nearly every individual are being

assembled. This raises serious concerns. The information gathered

about us has become quite extensive, and it is being used in ways that

profoundly aﬀect our lives. Yet, we know little about how our personal

information is being used, and we lack the power to do much about it.

introduction

▲

Digital dossiers are constructed and used through three types of

“information ﬂow.”

Information ﬂow is a way of describing the

movement of data. Like water in an elaborate system of plumbing,

data ﬂows through information pipelines linking various businesses,

organizations, and government entities. First, information often ﬂows

between large computer databases of private-sector companies. Sec-

ond, data ﬂows from government public record systems to a variety of

businesses in the private sector. Indeed, many companies construct

their databases by culling personal data from public records. Third,

information ﬂows from the private sector to government agencies

and law enforcement oﬃcials. The increase in digital dossiers has

thus resulted in an elaborate lattice of information networking, where

information is being stored, analyzed, and used in ways that have

profound implications for society.

Even if we’re not aware of it, the use of digital dossiers is shaping

our lives. Companies use digital dossiers to determine how they do

business with us; ﬁnancial institutions use them to determine

whether to give us credit; employers turn to them to examine our

backgrounds when hiring; law enforcement oﬃcials draw on them to

investigate us; and identity thieves tap into them to commit fraud.

Computer Databases. Computers and cyberspace have vastly in-

creased our ability to collect, store, and analyze information. Today, it

seems as if everyone is collecting information—the media, employ-

ers, businesses, and government. Countless companies maintain

computerized records of their customers’ preferences, purchases,

and activities. There are hundreds of records detailing an individual’s

consumption. Credit card companies maintain information about

one’s credit card purchases. Video stores keep records about one’s

video rentals. Online retailers, such as Amazon.com, preserve records

of all the books and other items a person buys. And there are hun-

dreds of companies people aren’t even aware of that maintain their

personal information. For example, Wiland Services maintains a

database of about , diﬀerent points of information on over 

million individuals.

Acxiom.com collects and sells data on con-

sumers to marketers. In its InfoBase, it provides “[o]ver  demo-

graphic variables . . . including age, income, real property data,

introduction

▲

children’s data, and others.” It also contains data on education levels,

occupation, height, weight, political aﬃliation, ethnicity, race, hob-

bies, and net worth.

Computers enable marketers to collect detailed dossiers of per-

sonal information and to analyze it to predict the consumer’s behav-

ior. Through various analytic techniques, marketers construct models

of what products particular customers will desire and how to encour-

age customers to consume. Companies know how we spend our

money, what we do for a living, how much we earn, and where we live.

They know about our ethnic backgrounds, religion, political views,

and health problems. Not only do companies know what we have al-

ready purchased, but they also have a good idea about what books we

will soon buy or what movies we will want to see.

Public Records. Imagine that the government had the power to compel

individuals to reveal a vast amount of personal information about

themselves—where they live; their phone numbers; their physical de-

scription; their photograph; their age; their medical problems; all of

their legal transgressions throughout their lifetimes; the names of

their parents, children, and spouses; their political party aﬃliations;

where they work and what they do; the property that they own and its

value; and sometimes even their psychotherapists’ notes, doctors’

records, and ﬁnancial information.

Then imagine that the government routinely poured this informa-

tion into the public domain—by posting it on the Internet where it

could be accessed from all over the world, by giving it away to any in-

dividual or company that asked for it, or even by providing entire

databases of personal information upon request. Think about how

this information would be available to those who make important de-

cisions about an individual’s life and career—such as whether the in-

dividual will get a loan or a job. Also consider that, in many cases, the

individual would not even know that the information is being used to

make these decisions.

Imagine as well that this information would be traded among hun-

dreds of private-sector companies that would combine it with a host

of other information such as one’s hobbies, purchases, magazines, or-

ganizations, credit history, and so on. This expanded proﬁle would

introduction

▲

then be sold back to the government in order to investigate and mon-

itor individuals more eﬃciently.

Stop imagining. What I described is a growing reality in the United

States, and the threat posed to privacy is rapidly becoming worse.

Federal, state, and local governments maintain public records span-

ning an individual’s life from birth to death. These records contain a

myriad of personal details. Until recently, public records were diﬃcult

to access—ﬁnding information about a person often involved a scav-

enger hunt through local oﬃces to dig up records. But with the Inter-

net, public records are increasingly being posted online, where

anybody anywhere can easily obtain and search them.

Government Access. The data in digital dossiers increasingly ﬂows

from the private sector to the government, particularly for law en-

forcement use. Law enforcement agencies have long sought personal

information about individuals from various companies and ﬁnancial

institutions to investigate fraud, white-collar crime, drug traﬃcking,

computer crime, child pornography, and other types of criminal ac-

tivity. In the aftermath of the terrorist attacks of September , ,

the impetus for the government to gather personal information has

greatly increased, since this data can be useful to track down terror-

ists and to proﬁle airline passengers for more thorough searches. De-

tailed records of an individual’s reading materials, purchases,

diseases, and website activity enable the government to assemble a

proﬁle of an individual’s ﬁnances, health, psychology, beliefs, politics,

interests, and lifestyle. Many people communicate over the Internet

using a screen name or pseudonym; the data in digital dossiers can

unveil their identities as well as expose all of the people with whom

they associate and do business.

The government has recently been exploring ways to develop tech-

nology to detect patterns of behavior based on our dossiers. In ,

it was revealed that the Department of Defense was developing a pro-

gram called Total Information Awareness (since renamed Terrorism

Information Awareness). The program begins with the government

amassing personal information from private-sector sources into a

massive database of dossiers on individuals. Proﬁling technology is

then used to detect those who are likely to be engaged in criminal

introduction

▲

activity. When Congress learned of Total Information Awareness, it

halted the program because of its threat to privacy. However, the

same type of collection and use of data envisioned by those who

dreamed up Total Information Awareness is already being carried out

by the government. The digital dossiers that continue to grow in the

private sector and in public records are now becoming a tool for the

government to monitor and investigate people.

What Is the Problem? The growing collection and use of personal infor-

mation in digital form has long been viewed as problematic—a fear

typically raised under the banner of “privacy.” The use of personal in-

formation certainly presents privacy problems, but what exactly is

the nature of these problems? Although the problems of personal in-

formation are understood as concerns over privacy, beyond this, they

are often not well deﬁned. How much weight should our vague appre-

hensions be given, especially considering the tremendous utility,

proﬁt, and eﬃciency of using personal information?

The answer to this question depends upon how these privacy

problems are conceptualized. Unfortunately, so far, the problems

have not been adequately articulated. Many discussions of privacy

merely scratch the surface by simply pointing out a series of techno-

logical developments with the assumption that people will react with

anxiety. Rarely do discussions about privacy delve deeper. We need a

better understanding of the problems; we must learn how they devel-

oped, how they are connected, what precisely they threaten, and how

they can be solved.

This book aims to reconceptualize privacy in today’s world of rap-

idly changing technology. The task of conceptualizing the privacy

problems digital dossiers create is of the utmost importance. As John

Dewey aptly wrote, “a problem well put is half-solved.”

We can’t really

solve a problem until we know the harm that it causes. A good diag-

nosis of a problem goes a long way toward ﬁnding solutions to it.

The goal of this book extends beyond articulating a new under-

standing of contemporary privacy problems; the book also aims to

demonstrate the ways that the problems can be solved. In particular,

this is a book about the law. A relatively robust amount of law has de-

veloped to protect privacy, but it has often failed to be eﬀective when

introduction

▲

confronted by the problems of the Information Age. This book dis-

cusses why this has happened and what can be done about it.

Traditional Conceptions of Privacy

Traditionally, privacy violations have been understood in a particular

manner. In this book, I contend that these ways of understanding pri-

vacy must be rethought in order to fully comprehend the problems

with digital dossiers. This doesn’t mean that these understandings are

incorrect. They arose with earlier privacy problems and can certainly

be of help in understanding digital dossiers. But these more tradi-

tional ways of understanding privacy don’t account for key aspects of

the unique problems the digital age has introduced.

Orwell’s Big Brother. The dominant metaphor for modern invasions of

privacy is Big Brother, the ruthless totalitarian government in George

Orwell’s novel 1984. Big Brother oppresses its citizens, purges dis-

senters, and spies on everyone in their homes. The result is a cold,

drab, grey world with hardly any space for love, joy, original thinking,

spontaneity, or creativity. It is a society under total control. Although

the metaphor has proven quite useful for a number of privacy prob-

lems, it only partially captures the problems of digital dossiers. Big

Brother envisions a centralized authoritarian power that aims for ab-

solute control, but the digital dossiers constructed by businesses

aren’t controlled by a central power, and their goal is not to oppress us

but to get us to buy new products and services. Even our government

is a far cry from Big Brother, for most government oﬃcials don’t act

out of malicious intent or a desire for domination. Moreover, Big

Brother achieves its control by brutally punishing people for disobe-

dience and making people fear they are constantly being watched.

But businesses don’t punish us so long as we keep on buying, and

they don’t make us feel as though we are being watched. To the con-

trary, they try to gather information as inconspicuously as possible.

Making us feel threatened would undermine rather than advance the

goal of unencumbered information collection. Finally, while Big

Brother aims to control the most intimate details of a citizen’s life,

much of the information in digital dossiers is not intimate or unusual.

introduction

▲

The Secrecy Paradigm. In another traditional way of understanding pri-

vacy that I refer to as the “secrecy paradigm,” privacy is invaded by

uncovering one’s hidden world, by surveillance, and by the disclosure

of concealed information. The harm such invasions cause consists of

inhibition, self-censorship, embarrassment, and damage to one’s rep-

utation. The law is heavily inﬂuenced by this paradigm. As a result, if

the information isn’t secret, then courts often conclude that the infor-

mation can’t be private. However, this conception of privacy is not re-

sponsive to life in the modern Information Age, where most personal

information exists in the record systems of hundreds of entities. Life

today is fueled by information, and it is virtually impossible to live as

an Information Age ghost, leaving no trail or residue.

The Invasion Conception. Under the traditional view, privacy is violated

by the invasive actions of particular wrongdoers who cause direct in-

jury to victims. Victims experience embarrassment, mental distress,

or harm to their reputations. The law responds when a person’s deep-

est secrets are exposed, reputation is tarnished, or home is invaded.

This view, which I call the “invasion conception,” understands pri-

vacy to be a kind of invasion, in which somebody invades and some-

body is invaded. However, digital dossiers often do not result in any

overt invasion. People frequently don’t experience any direct injury

when data about them is aggregated or transferred from one com-

pany to another. Moreover, many of the problems of digital dossiers

emerge from the collaboration of a multitude of diﬀerent actors with

diﬀerent purposes. Each step along the way is relatively small and in-

nocuous, failing to cause harm that the invasion conception would

recognize as substantial.

Rethinking Privacy

Digital dossiers pose signiﬁcant problems, and for a more complete

understanding of these issues, I turn to another metaphor—Franz

Kafka’s depiction of bureaucracy in The Trial. Kafka’s novel chronicles

the surreal nightmare of a person who is unexpectedly informed that

he is under arrest but given no reason why. A bureaucratic court

maintains a dossier about him, but he has no access to this informa-

introduction

▲

tion. Throughout the rest of the novel, the protagonist desperately at-

tempts to ﬁnd out why the Court is interested in his life, but his quest

is hopeless—the Court is too clandestine and labyrinthine to be fully

understood.

The Trial captures an individual’s sense of helplessness, frustra-

tion, and vulnerability when a large bureaucratic organization has

control over a vast dossier of details about one’s life. Bureaucracy of-

ten results in a routinized and sometimes careless way of handling in-

formation—with little to no accountability. This makes people

vulnerable to identity theft, stalking, and other harms. The problem is

not simply a loss of control over personal information, nor is there a

diabolical motive or plan for domination as with Big Brother. The

problem is a bureaucratic process that is uncontrolled. These bureau-

cratic ways of using our information have palpable eﬀects on our

lives because people use our dossiers to make important decisions

about us to which we are not always privy.

Thus far, the existing law protecting information privacy has not

adequately responded to the emergence of digital dossiers. We need

to better articulate what the problems are, what is at stake, and what

precisely the law must do to solve the problems. We must rethink pri-

vacy for the Information Age.

A Roadmap for This Book

In part I, I explore the digital dossiers about individuals that are being

assembled through computer databases and the Internet. I focus pri-

marily on the activities of businesses. Chapter  traces the history of

the developing privacy problems precipitated by computer databases

and cyberspace. In chapter ,Iexamine the prevailing ways that these

privacy problems have been conceptualized. I discuss the predomi-

nance of the Orwell metaphor and why it must be supplemented with

the Kafka metaphor. Chapter  discusses why the law of information

privacy has failed to grapple adequately with the problem of digital

dossiers. Chapter  responds to those who argue that the market

(alone or with some minor tinkering) can appropriately deal with the

problem. In chapter ,Iargue that beyond a set of individual rights,

protecting privacy requires an architecture that regulates the way

introduction

▲

information may be collected and used. Consequently, protecting

privacy must focus not merely on remedies and penalties for ag-

grieved individuals but on shaping an architecture to govern the ever-

increasing data ﬂows of the Information Age.

Part II turns to the way in which public records contribute to the

problems of digital dossiers. Chapter  describes the increasing accu-

mulation of personal information in public record systems and the

emerging threats to privacy posed by the increased accessibility of

this information as records are made available on the Internet. In

chapter , I argue that the regulation of public records in the United

States must be rethought in light of the new technologies in the Infor-

mation Age, and I advance a theory about how to reconcile the ten-

sion between transparency and privacy. I also explore why regulating

the access and use of public records will not infringe upon First

Amendment rights.

Part III examines the problems created by the increasing govern-

ment access to digital dossiers. In chapter , I explore in detail the nu-

merous ways that the government is accessing personal information

held by private-sector businesses and why this is problematic. Chap-

ter  discusses how the Supreme Court has improperly interpreted

the Fourth Amendment so that it doesn’t apply to records maintained

by third parties, a result that virtually prevents the Fourth Amend-

ment from dealing with the problem of government access to digital

dossiers. In the void left by the inapplicability of the Fourth Amend-

ment, Congress has enacted a series of statutes to address the prob-

lem. As I explain, however, the statutes create a regulatory regime that

is uneven, overly complex, and ﬁlled with gaps and loopholes. In

chapter , I explore how the law should appropriately regulate gov-

ernment access to personal information maintained by the private

sector.

introduction

▲

computer

databases

010

1010

01010

101010

0101010

101010

01010

1010

010

The Rise of

the Digital Dossier

We currently live in a world where extensive dossiers exist about each

one of us. These dossiers are in digital format, stored in massive com-

puter databases by a host of government agencies and private-sector

companies. The problems caused by these developments are pro-

found. But to understand the problems, we must ﬁrst understand

how they arose.

A History of Public-Sector Databases

Although personal records have been kept for centuries,

only in con-

temporary times has the practice become a serious concern. Prior to

the nineteenth century, few public records were collected, and most

of them were kept at a very local level, often by institutions associated

with churches.

The federal government’s early endeavors at collect-

ing data consisted mainly in conducting the census. The ﬁrst census

in  asked only four questions.

With each proceeding census, the

government gathered more personal information. By ,  ques-

tions were asked.

When the  census included questions about

diseases, disabilities, and ﬁnances, it sparked a public outcry, ulti-

mately leading to the passage in the early twentieth century of stricter

laws protecting the conﬁdentiality of census data.

▲

Government information collection ﬂourished during the middle

of the twentieth century. The creation and growth of government bu-

reaucracy—spawning well over  federal agencies within the past

century—led to an insatiable thirst for information about individuals.

One such agency was the Social Security Administration, created in

, which assigned nine-digit numbers to each citizen and required

extensive record-keeping of people’s earnings.

Technology was a primary factor in the rise of information collec-

tion. The  census required almost , clerks to tally information

tediously by hand—and it took seven years to complete.

At the rapid

rate of population growth, if a faster way could not be found to tabu-

late the information, the  census wouldn’t be completed before

the  census began. Fortunately, just in time for the  census, a

census oﬃcial named Herman Hollerith developed an innovative

tabulating device—a machine that read holes punched in cards.

Hol-

lerith’s new machine helped tabulate the  census in under three

years.

Hollerith left the Census Bureau and founded a small ﬁrm that

produced punch card machines—a ﬁrm that through a series of

mergers eventually formed the company that became IBM.

IBM’s subsequent rise to prosperity was due, in signiﬁcant part, to

the government’s increasing need for data. The Social Security System

and other New Deal programs required a vast increase in records that

had to be kept about individuals. As a result, the government became

one of the largest purchasers of IBM’s punch card machines.

The So-

cial Security Administration kept most of its records on punch cards,

and by  it had more than  million cards in storage.

The advent of the mainframe computer in  revolutionized in-

formation collection. The computer and magnetic tape enabled the

systematic storage of data. As processing speeds accelerated and as

memory ballooned, computers provided a vastly increased ability to

collect, search, analyze, and transfer records.

Federal and state agencies began to computerize their records. The

Census Bureau was one of the earliest purchasers of commercially

available computers.

Social Security numbers (SSNs)—originally not

to be used as identiﬁers beyond the Social Security System—became

immensely useful for computer databases.

This is because SSNs en-

the rise of the digital dossier

▲

able data to be easily linked to particular individuals. In the s,

federal, state, and local governments—as well as the private sector—

increasingly began to use them for identiﬁcation.

Beginning in the s, the growing computerization of records

generated a substantial buzz about privacy. Privacy captured the at-

tention of the public, and a number of philosophers, legal scholars,

and other commentators turned their attention to the threats to pri-

vacy caused by the rise of the computer.

Congress began to debate

how to respond to these emerging developments.

In , the U.S.

Department of Health, Education, and Welfare (HEW) issued a report

entitled Records, Computers, and the Rights of Citizens, which tren-

chantly articulated the growing concerns over computerized record

systems:

There was a time when information about an individual tended

to be elicited in face-to-face contacts involving personal trust

and a certain symmetry, or balance, between giver and receiver.

Nowadays, an individual must increasingly give information

about himself to large and relatively faceless institutions, for

handling and use by strangers—unknown, unseen, and, all too

frequently, unresponsive. Sometimes the individual does not

even know that an organization maintains a record about him.

Often he may not see it, much less contest its accuracy, control

its dissemination, or challenge its use by others.

These problems continued to escalate throughout the ensuing

decades. Computers grew vastly more powerful, and computerized

records became ubiquitous. The rise of the Internet in the s

added new dimensions to these problems, sparking a revolution in

the collection, accessibility, and communication of personal data.

Today, federal agencies and departments maintain almost ,

databases,

including records pertaining to immigration, bankruptcy,

licensing, welfare, and countless other matters. In a recent eﬀort to

track down parents who fail to pay child support, the federal govern-

ment has created a vast database consisting of information about all

people who obtain a new job anywhere in the nation. The database

contains their SSNs, addresses, and wages.

the rise of the digital dossier

▲

States maintain public records of arrests, births, criminal proceed-

ings, marriages, divorces, property ownership, voter registration,

workers’ compensation, and scores of other types of records. State li-

censing regimes mandate that records be kept on numerous profes-

sionals such as doctors, lawyers, engineers, insurance agents, nurses,

police, accountants, and teachers.

A History of Private-Sector Databases

Although the government played an integral role in the development

of massive dossiers of personal information, especially early on, busi-

nesses soon began to play an even greater role.While the public-sector

story concerns the quest for regulatory eﬃciency, the private-sector

story involves money and marketing.

Long before the rise of nationwide advertising campaigns there

was a personal relationship between merchant and customer. Local

merchants lived next door to their customers and learned about their

lives from their existence together in the community. To a large ex-

tent, marketing was done locally—by the peddler on the street or the

shopkeeper on the corner. Mass marketing, which began in the nine-

teenth century and ﬂourished in the twentieth century, transformed

the nature of selling from personal one-to-one persuasion to large-

scale advertising campaigns designed for the nameless, faceless

American consumer.

Mass marketing consumed vast fortunes, and only a small fraction

of the millions of people exposed to the ads would buy the products

or services. Soon marketers discovered the power of a new form of

marketing—targeted marketing. The idea was to ﬁgure out which

people were most likely to consume a product and focus the advertis-

ing on them.

In the s, the sales department of General Motors Corporation

began an early experiment with targeted marketing. GM discovered

that owners of Ford vehicles frequently didn’t purchase a Ford as their

next vehicle—so it targeted owners of two-year-old Fords and sent

them a brochure on GM vehicles.

GM then began to send out ques-

tionnaires asking for consumer input into their products. GM be-

the rise of the digital dossier

▲

lieved that this would be a good marketing device, presenting the im-

age of a big corporation that cared enough to listen to the opinions of

everyday people. GM cast itself as a democratic institution, its sur-

veys stating that it was “OF the people, FOR the people, BY the

people.” One GM print advertisement depicted a delighted child

holding up the survey letter exclaiming: “Look dad, a letter from Gen-

eral Motors!” The campaign was quite successful—ironically not be-

cause of the data collected but because of GM’s image of appearing to

be interested in the consumer’s ideas.

Today, corporations are desperate for whatever consumer infor-

mation they can glean, and their quest for information is hardly per-

ceived as democratic. The data collected extends beyond information

about consumers’ views of the product to information about the con-

sumers themselves, often including lifestyle details and even a full-

scale psychological proﬁle.

The turn to targeting was spurred by the proliferation and special-

ization of mass media throughout the century, enabling marketers to

tap into groups of consumers with similar interests and tastes. The

most basic form of targeting involved selecting particular television

programs, radio shows, or magazines in which to place advertise-

ments. This technique, however, merely amounted to mass marketing

on a slightly smaller scale.

The most revolutionary developments in targeted marketing oc-

curred in the direct marketing industry. The practice of sending mail

order catalogs directly to consumers began in the late nineteenth

century when railroads extended the reach of the mail system.

The

industry also reached out to people by way of door-to-door salesper-

sons. In the s, marketers began calling people directly on the tele-

phone, and “telemarketing” was born.

Direct marketing remained a ﬂedgling practice for most of the

twentieth century. Direct marketers had long accepted the “ per-

cent” rule—only  percent of those contacted would respond.

With

such a staggering failure rate, direct marketing achieved its successes

at great cost. To increase the low response rate, marketers sought to

sharpen their targeting techniques, which required more consumer

research and an eﬀective way to collect, store, and analyze information

the rise of the digital dossier

▲

about consumers. The advent of the computer database gave mar-

keters this long sought-after ability—and it launched a revolution in

targeting technology.

Databases provided an eﬃcient way to store and search for data.

Organized into ﬁelds of information, the database enabled marketers

to sort by various types of information and to rank or select various

groups of individuals from its master list of customers—a practice

called “modeling.” Through this process, fewer mailings or calls

needed to be made, resulting in a higher response rate and lower

costs. In addition to isolating a company’s most proﬁtable customers,

marketers studied them, proﬁled them, and then used that proﬁle to

ﬁnd similar customers.

This, of course, required not only informa-

tion about existing customers, but the collection of data about

prospective customers as well.

Originally, marketers sought to locate the best customers by identi-

fying those customers who purchased items most recently and fre-

quently and who spent the most money.

In the s, marketers

turned to demographic information.

Demographics included basic

information such as age, income level, race, ethnicity, gender, and ge-

ographical location. Marketers could target certain demographic seg-

ments of the nation, a practice called “cluster marketing.” This

approach worked because people with similar incomes and races

generally lived together in clusters.

The private sector obtained this demographic information from

the federal government. In the s, the United States began selling

its census data on magnetic tapes. To protect privacy, the Census Bu-

reau sold the information in clusters of , households, supplying

only addresses—not names. But clever marketing companies such as

Donnelley, Metromail, and R. L. Polk reattached the names by match-

ing the addresses with information in telephone books and voter reg-

istration lists. Within ﬁve years of purchasing the census data, these

companies had constructed demographically segmented databases

of over half of the households in the nation.

In the s, marketers looked to supplement their data about con-

sumers by compiling “psychographic” information—data about psy-

chological characteristics such as opinions, attitudes, beliefs, and

lifestyles.

For example, one company established an elaborate tax-

the rise of the digital dossier

▲

onomy of people, with category names such as “Blue Blood Estates,”

“Bohemian Mix,” “Young Literati,” “Shotguns and Pickups,” and “His-

panic Mix.”

Each cluster had a description of the type of person,

their likes, incomes, race and ethnicity, attitudes, and hobbies.

These innovations made targeted marketing—or “database mar-

keting” as it is often referred to today—the hottest form of marketing,

growing at twice the rate of America’s gross national product.

In ,

direct marketing resulted in almost $ trillion in sales.

On average,

over  pieces of unsolicited advertisements, catalogs, and market-

ing mailings arrive every year at each household.

Duetotargeting,

direct mail yields $ in sales for every $ in cost—a ratio double that

for a television advertisement—and forecasters predict catalog sales

will grow faster than retail sales.

Telemarketing is a $ billion a year

industry.

In a  Gallup poll,  percent of U.S. companies used

some form of direct mail, targeted email, or telemarketing.

The eﬀectiveness of targeted marketing depends upon data, and

the challenge is to obtain as much of it as possible. Marketers discov-

ered that they didn’t have to research and collect all the information

from scratch, for data is the perspiration of the Information Age. Bil-

lions of bytes are released each second as we click, charge, and call. A

treasure trove of information already lay untapped within existing

databases, retail records, mailing lists, and government records. All

that marketers had to do was plunder it as eﬃciently as possible.

The increasing thirst for personal information spawned the cre-

ation of a new industry: the database industry, an Information Age

bazaar where personal data collections are bartered and sold. Mar-

keters “rent” lists of names and personal information from database

companies, which charge a few cents to a dollar for each name.

Over

 companies compose the personal information industry, with an-

nual revenues in the billions of dollars.

The sale of mailing lists alone

(not including the sales generated by the use of the lists) generates $

billion a year.

The average consumer is on around  mailing lists

and is included in at least  databases.

An increasing number of companies with databases—magazines,

credit card companies, stores, mail order catalog ﬁrms, and even tele-

phone companies—are realizing that their databases are becoming

one of their most valuable assets and are beginning to sell their data.

the rise of the digital dossier

▲

A new breed of company is emerging that devotes its primary

business to the collection of personal information. Based in

Florida, Catalina Marketing Corporation maintains supermarket

buying history databases on  million households from more than

, stores.

This data contains a complete inventory of one’s gro-

ceries, over-the-counter medications, hygiene supplies, and contra-

ceptive devices, among others. Aristotle, Inc. markets a database of

 million registered voters. Aristotle’s database records voters’

names, addresses, phone numbers, party aﬃliation, and voting fre-

quency. Aristotle combines this data with about  other categories

of information, such as one’s race, income, and employer—even the

make and model of one’s car. It markets a list of wealthy campaign

donors called “Fat Cat.” Aristotle boasts: “Hit your opponent in the

Wallet! Using Fat Cats, you can ferret out your adversary’s contribu-

tors and slam them with a mail piece explaining why they shouldn’t

donate money to the other side.”

Another company manufactures

software called GeoVoter, which combines about , categories

of information about a voter to calculate how that individual will

vote.

The most powerful database builders construct information em-

pires, sometimes with information on more than half of the American

population. For example, Donnelley Marketing Information Services

of New Jersey keeps track of  million people. Wiland Services has

constructed a database containing over , elements, from demo-

graphic information to behavioral data, on over  million people.

There are around ﬁve database compilers that have data on almost all

households in the United States.

Beyond marketers, hundreds of companies keep data about us in

their record systems. The complete beneﬁts of the Information Age

do not simply come to us—we must “plug in” to join in. In other

words, we must establish relationships with Internet Service

Providers, cable companies, phone companies, insurance compa-

nies, and so on. All of these companies maintain records about us.

The Medical Information Bureau, a nonproﬁt institution, maintains a

database of medical information on  million individuals, which is

available to over  insurance companies.

Credit card companies

have also developed extensive personal information databases. Un-

the rise of the digital dossier

▲

like cash, which often does not involve the creation of personally

identiﬁable records, credit cards result in detailed electronic docu-

mentation of our purchases.

Increasingly, we rely on various records and documents to assess

ﬁnancial reputation.

According to sociologist Steven Nock, this en-

ables reputations to become portable.

In earlier times, a person’s

ﬁnancial condition was generally known throughout the community.

In modern society, however, people are highly mobile and creditors

often lack ﬁrst-hand experience of the ﬁnancial condition and trust-

worthiness of individuals. Therefore, creditors rely upon credit re-

porting agencies to obtain information about a person’s credit

history. Credit reports reveal a person’s consistency in paying back

debts as well as the person’s loan defaulting risk. People are assigned

acredit score, which impacts whether they will be extended credit,

and, if so, what rate of interest will be charged. Credit reports con-

tain a detailed ﬁnancial history, ﬁnancial account information, out-

standing debts, bankruptcy ﬁlings, judgments, liens, and mortgage

foreclosures. Today, there are three major credit reporting agencies—

Equifax, Experian, and Trans Union. Each agency has compiled ex-

tensive dossiers about almost every adult U.S. citizen.

Credit reports

have become essential to securing a loan, obtaining a job, purchasing

a home or a car, applying for a license, or even renting an apartment.

Credit reporting agencies also prepare investigative consumer re-

ports, which supplement the credit report with information about an

individual’s character and lifestyle.

Launched in , Regulatory DataCorp (RDC) has created a mas-

sive database to investigate people opening new bank accounts. RDC

was created by many of the world’s largest ﬁnancial companies. Its

database, named the Global Regulatory Information Database

(GRID), gathers information from over , diﬀerent sources

around the world.

RDC’s purpose is to help ﬁnancial companies

conduct background checks of potential customers for fraud, money

laundering, terrorism, and other criminal activity. Although some

people’s information in the database may be incorrect, they lack the

ability to correct the errors. RDC’s CEO and president responds:

“There are no guarantees. Is the public information wrong? We don’t

have enough information to say it’s wrong.”

the rise of the digital dossier

▲

Cyberspace and Personal Information

Cyberspace is the new frontier for gathering personal information,

and its power has only begun to be exploited. The Internet is rapidly

becoming the hub of the personal information market, for it has

made the peddling and purchasing of data much easier. Focus USA’s

website boasts that it has detailed information on  million peo-

ple.

Among its over  targeted mailing lists are lists of “Aﬄuent

Hispanics,” “Big-Spending Parents,” “First Time Credit Card Holders,”

“Grown But Still At Home,” “Hi-Tech Seniors,” “New Homeowners,”

“Status Spenders,” “Big Spending Vitamin Shoppers,” and “Waist

Watchers.”

For example, Focus USA states for its list of “New

Movers”:

As much as % of the population moves every year. . . . New

movers have a lot of needs in their ﬁrst few months. . . . During

this lifestyle change period, new movers tend to be more recep-

tive to direct mail and telemarketing oﬀers for a wide variety of

products.

The database contains data about age, gender, income, children, In-

ternet connections, and more. There is a list devoted exclusively to

“New Movers With Children,” which includes data on the ages of the

children. A list called “Savvy Single Women” states that “[s]ingle

women represent a prime market for travel/vacation, frequent ﬂyer

clubs, credit cards, investing, dining out, entertainment, insurance,

catalog shopping, and much more.”

There’s also a list of “Mr. Twenty Somethings” that contains mostly

college-educated men who Focus USA believes are eager to spend

money on electronic equipment. And there are lists of pet lovers, ﬁt-

ness-conscious people, cat and dog owners, motorcycle enthusiasts,

casino gamblers, opportunity seekers, and sub-prime prospects.

Dunhill International also markets a variety of lists, including “Amer-

ica’s Wealthiest Families,” which includes . million records “ap-

pended with demographic and psychographic data.”

There are also

databases of disabled people, consumers who recently applied for a

credit card, cruise ship passengers, teachers, and couples who just

had a baby. Hippo Direct markets lists of people suﬀering from “med-

the rise of the digital dossier

▲

ical maladies” such as constipation, cancer, diabetes, heart disease,

impotence, migraines, enlarged prostate, and more.

Another com-

pany markets a list of  million elderly incontinent women.

In addi-

tion to serving as a marketplace for personal information, cyberspace

has provided a revolution for the targeted marketing industry be-

cause web pages are not static—they are generated every time the

user clicks. Each page contains spaces reserved for advertisements,

and speciﬁc advertisements are downloaded into those spots. The dy-

namic nature of web pages makes it possible for a page to download

diﬀerent advertisements for diﬀerent users.

Targeting is very important for web advertising because a web page

is cluttered with information and images all vying for the users’ atten-

tion. Similar to the response rates of earlier eﬀorts at direct market-

ing, only a small percentage of viewers (about  percent) click the

advertisements they view.

The Internet’s greater targeting potential

and the ﬁerce competition for the consumer’s attention have given

companies an unquenchable thirst for information about web users.

This information is useful in developing more targeted advertising as

well as in enabling companies to better assess the performance and

popularity of various parts of their websites.

Currently, there are two basic ways that websites collect personal

information. First, many websites directly solicit data from their

users. Numerous websites require users to register and log in, and

registration often involves answering a questionnaire. Online mer-

chants amass data from their business transactions with consumers.

For example, I shop on Amazon.com, which keeps track of my pur-

chases in books, videos, music, and other items. I can view its records

of every item I’ve ever ordered, and this goes back well over six years.

When I click on this option, I get an alphabetized list of everything I

bought and the date I bought it. Amazon.com uses its extensive

records to recommend new books and videos. With a click, I can see

dozens of books that Amazon.com thinks I’ll be interested in. It is

eerily good, and it can pick out books for me better than my relatives

can. It has me pegged.

Websites can also secretly track a customer’s websurﬁng. When a

person explores a website, the website can record data about her ISP,

computer hardware and software, the website she linked from, and

the rise of the digital dossier

▲

exactly what parts of the website she explored and for how long. This

information is referred to as “clickstream data” because it is a trail of

how a user navigates throughout the web by clicking on various links.

It enables the website to calculate how many times it has been visited

and what parts are most popular. With a way to connect this informa-

tion to particular web users, marketers can open a window into peo-

ple’s minds. This is a unique vision, for while marketers can measure

the size of audiences for other media such as television, radio, books,

and magazines, they have little ability to measure attention span. Due

to the interactive nature of the Internet, marketers can learn how we

respond to what we hear and see. A website collects information

about the way a user interacts with the site and stores the information

in its database. This information will enable the website to learn

about the interests of a user so it can better target advertisements to

the user. For example, Amazon.com can keep track of every book or

item that a customer browses but does not purchase.

To connect this information with particular users, a company can

either require a user to log in or it can secretly tag a user to recognize

her when she returns. This latter form of identiﬁcation occurs

through what is called a “cookie.” A cookie is a small text ﬁle of codes

that is deployed into the user’s computer when she downloads a web

page.

Websites place a unique identiﬁcation code into the cookie,

and the cookie is saved on the user’s hard drive. When the user visits

the site again, the site looks for its cookie, recognizes the user, and lo-

cates the information it collected about the user’s previous surﬁng ac-

tivity in its database. Basically, a cookie works as a form of high-tech

cattle-branding.

Cookies have certain limits. First, they often are not tagged to par-

ticular individuals—just to particular computers. However, if the

website requires a user to log in or asks for a name, then the cookies

will often contain data identifying the individual. Second, typically,

websites can only decipher the cookies that they placed on a user’s

computer; they cannot use cookies stored by a diﬀerent website.

To get around these limitations, companies have devised strategies

of information sharing with other websites. One of the most popular

information sharing techniques is performed by a ﬁrm called Dou-

bleClick. When a person visits a website, it often takes a quick detour

the rise of the digital dossier

▲

to DoubleClick. DoubleClick accesses its cookie on the person’s com-

puter and looks up its proﬁle about the person. Based on the proﬁle,

DoubleClick determines what advertisements that person will be

most responsive to, and these ads are then downloaded with the web-

site the person is accessing. All this occurs in milliseconds, without

the user’s knowledge. Numerous websites subscribe to DoubleClick.

This means that if I click on the same website as you at the very same

time, we will receive diﬀerent advertisements calculated by Dou-

bleClick to match our interests. People may not know it, but Dou-

bleClick cookies probably reside on their computer. As of the end of

, DoubleClick had amassed  million customer proﬁles.

Another information collection device, known as a “web bug,” is

embedded into a web page or even an email message. The web bug is

a hidden snippet of code that can gather data about a person.

For

example, a company can send a spam email with a web bug that will

report back when the message is opened. The bug can also record

when the message is forwarded to others. Web bugs also can collect

information about people as they explore a website. Some of the nas-

tier versions of web bugs can even access a person’s computer ﬁles.

Companies also use what has become known as “spyware,” which

is software that is often deceptively and secretly installed into peo-

ple’s computers. Spyware can gather information about every move

one makes when surﬁng the Internet. This data is then used by spy-

ware companies to target pop-up ads and other forms of

advertising.

Legal scholar Julie Cohen has noted another growing threat to pri-

vacy—technologies of digital rights management (DRM), which are

used by copyright holders to prevent piracy. Some DRM technologies

gather information about individuals as they listen to music, watch

videos, or read e-books. DRM technologies thus “create records of

intellectual exploration, one of the most personal and private of ac-

tivities.”

(shorthand for “robots”). Also known as “crawlers” or “spiders,” bots

can automatically prowl around the Internet looking for information.

Industry trade groups, such as the Recording Industry Association of

America (RIAA) and the Motion Picture Association of America

the rise of the digital dossier

▲

(MPAA), have unleashed tens of thousands of bots to identify poten-

tial illegal users of copyrighted materials.

Spammers—the senders of

junk email—also employ a legion of bots to copy down email ad-

dresses that appear on the web in order to add them to spam lists.

Bots also patrol Internet chat rooms, hunting for data.

As we stand at the threshold of an age structured around informa-

tion, we are only beginning to realize the extent to which our lives can

be encompassed within its architecture. “The time will come,” pre-

dicts one marketer, “when we are well known for our inclinations, our

predilections, our proclivities, and our wants. We will be classiﬁed,

proﬁled, categorized, and our every click will be watched.”

As we live

more of our lives on the Internet, we are creating a permanent record

of unparalleled pervasiveness and depth. Indeed, almost everything

on the Internet is being archived. One company has even been sys-

tematically sweeping up all the data from the Internet and storing it

in a vast electronic warehouse.

Our online personas—captured, for

instance, in our web pages and online postings—are swept up as well.

We are accustomed to information on the web quickly ﬂickering in

and out of existence, presenting the illusion that it is ephemeral. But

little on the Internet disappears or is forgotten, even when we delete

or change the information. The amount of personal information

archived will only escalate as our lives are increasingly digitized into

the electric world of cyberspace.

These developments certainly suggest a threat to privacy, but what

speciﬁcally is the problem? The way this question is answered has

profound implications for the way the law will grapple with the prob-

lem in the future.

the rise of the digital dossier

▲

Kafka and Orwell

Reconceptualizing

Information Privacy

The most widely discussed metaphor in the discourse of information

privacy is George Orwell’s depiction of Big Brother in 1984. The use of

the Big Brother metaphor to understand the database privacy prob-

lem is hardly surprising. Big Brother has long been the metaphor of

choice to characterize privacy problems, and it has frequently been

invoked when discussing police search tactics,

wiretapping and

video surveillance,

and drug testing.

It is no surprise, then, that the

burgeoning discourse on information privacy has seized upon this

metaphor.

With regard to computer databases, however, Big Brother is incom-

plete as a way to understand the problem. Although the Big Brother

metaphor certainly describes particular facets of the problem, it neg-

lects many crucial dimensions. This oversight is far from inconse-

quential, for the way we conceptualize a problem has important

ramiﬁcations for law and policy.

The Importance of Metaphor

A metaphor, as legal scholar Steven Winter aptly deﬁnes it, “is the

imaginative capacity by which we relate one thing to another.”

▲

their groundbreaking analysis, linguistics professor George Lakoﬀ

and philosopher Mark Johnson observe that metaphors are not mere

linguistic embellishments or decorative overlays on experience; they

are part of our conceptual systems and aﬀect the way we interpret our

experiences.

Metaphor is not simply an act of description; it is a way

of conceptualization. “The essence of metaphor,” write Lakoﬀ and

Johnson, “is understanding and experiencing one kind of thing in

terms of another.”

Much of our thinking about a problem involves the metaphors we

use. According to legal philosopher Jack Balkin, “metaphoric models

selectively describe a situation, and in so doing help to suppress al-

ternative conceptions.” Metaphors do not just distort reality but com-

pose it; the “power [of metaphors] stems precisely from their ability to

empower understanding by shaping and hence limiting it.”

Winter, as well as Lakoﬀ and Johnson, focus on metaphors embod-

ied in our thought processes, pervading the type of language we use.

The metaphors I speak of are not as deeply ingrained. Metaphors are

tools of shared cultural understanding.

Privacy involves the type of

society we are creating, and we often use metaphors to envision diﬀ-

erent possible worlds, ones that we want to live in and ones that we

don’t. Orwell’s Big Brother is an example of this type of metaphor; it is

a shared cultural narrative, one that people can readily comprehend

and react to.

Ascribing metaphors is not only a descriptive endeavor but also an

act of political theorizing with profound normative implications.

Ac-

cording to Judge Richard Posner, however, “it is a mistake to try to

mine works of literature for political or economic signiﬁcance” be-

cause works of literature are better treated as aesthetic works rather

than “as works of moral or political philosophy.”

To the contrary, lit-

erature supplies the metaphors by which we conceptualize certain

problems, and Posner fails to acknowledge the role that metaphor

plays in shaping our collective understanding. Metaphors function

not to render a precise descriptive representation of the problem;

rather, they capture our concerns over privacy in a way that is palpa-

ble, potent, and compelling. Metaphors are instructive not for their

realism but for the way they direct our focus to certain social and po-

litical phenomena.

kafka and orwell

▲

George Orwell’s Big Brother

Orwell’s Totalitarian World. Journalists, politicians, and jurists often

describe the problem created by databases with the metaphor of Big

Brother—the harrowing totalitarian government portrayed in George

Orwell’s 1984.

Big Brother is an all-knowing, constantly vigilant gov-

ernment that regulates every aspect of one’s existence. In every cor-

ner are posters of an enormous face, with “eyes [that] follow you

about when you move” and the caption “big brother is watching

you.”

Big Brother demands complete obedience from its citizens and

controls all aspects of their lives. It constructs the language, rewrites

the history, purges its critics, indoctrinates the population, burns

books, and obliterates all disagreeable relics from the past. Big

Brother’s goal is uniformity and complete discipline, and it attempts

to police people to an unrelenting degree—even their innermost

thoughts. Any trace of individualism is quickly suﬀocated.

This terrifying totalitarian state achieves its control by targeting

the private life, employing various techniques of power to eliminate

any sense of privacy. Big Brother views solitude as dangerous. Its

techniques of power are predominantly methods of surveillance. Big

Brother is constantly monitoring and spying; uniformed patrols

linger on street corners; helicopters hover in the skies, poised to peer

into windows. The primary surveillance tool is a device called a “tele-

screen” which is installed into each house and apartment. The tele-

screen is a bilateral television—individuals can watch it, but it also

enables Big Brother to watch them:

There was of course no way of knowing whether you were being

watched at any given moment. How often, or on what system,

the Thought Police plugged in on any individual wire was guess-

work. It was even conceivable that they watched everybody all

the time. . . . You had to live—did live, from habit that became in-

stinct—in the assumption that every sound you made was over-

heard, and, except in darkness, every movement scrutinized.

In 1984, citizens have no way of discovering if and when they

are being watched. This surveillance, both real and threatened, is

kafka and orwell

▲

combined with swift and terrifying force: “People simply disap-

peared, always during the night. Your name was removed from the

registers, every record of everything you had ever done was wiped

out, your one-time existence was denied and then forgotten.”

Orwell’s narrative brilliantly captures the horror of the world it de-

picts, and its images continue to be invoked in the legal discourse of

privacy and information. “The ultimate horror in Orwell’s imagined

anti-utopia,” observes sociologist Dennis Wrong, “is that men are de-

prived of the very capacity for cherishing private thoughts and feel-

ings opposed to the regime, let alone acting on them.”

Panoptic Power. The telescreen functions similarly to the Panopticon,

an architectural design for a prison, originally conceived by Jeremy

Bentham in .

In Discipline and Punish, Michel Foucault provides

a compelling description of this artiﬁce of power:

[A]t the periphery, an annular building; at the centre, a tower;

this tower is pierced with wide windows that open onto the inner

side of the ring; the peripheric building is divided into cells, each

of which extends the whole width of the building. . . . All that is

needed, then, is to place a supervisor in a central tower and to

shut up in each cell a madman, a patient, a condemned man, a

worker or a schoolboy. By the eﬀect of backlighting, one can ob-

serve from the tower, standing out precisely against the light, the

small captive shadows in the cells of the periphery. They are like

so many cages, so many small theatres, in which each actor is

alone, perfectly individualized and constantly visible.

The Panopticon is a device of discipline; its goal is to ensure order,

to prevent plots and riots, to mandate total obedience. The Panopti-

con achieves its power through an ingenious technique of surveil-

lance, one that is ruthlessly eﬃcient. By setting up a central

observation tower from which all prisoners can be observed and by

concealing from them any indication of whether they are being

watched at any given time, “surveillance is permanent in its eﬀects,

even if it is discontinuous in its action.”

Instead of having hundreds

of patrols and watchpersons, only a few people need to be in the

tower. Those in the tower can watch any inmate but they cannot be

kafka and orwell

▲

seen. By always being visible, by constantly living under the reality

that one could be observed at any time, people assimilate the eﬀects

of surveillance into themselves. They obey not because they are mon-

itored but because of their fear that they could be watched. This fear

alone is suﬃcient to achieve control. The Panopticon is so eﬃcient

that nobody needs to be in the tower at all.

As Foucault observed, the Panopticon is not merely limited to the

prison or to a speciﬁc architectural structure—it is a technology of

power that can be used in many contexts and in a multitude of ways.

In 1984, the telescreen works in a similar way to the Panopticon, serv-

ing as a form of one-way surveillance that structures the behavior of

those who are observed. The collection of information in cyberspace

can be readily analogized to the telescreen. As we surf the Internet,

information about us is being collected; we are being watched, but we

do not know when or to what extent.

The metaphor of Big Brother understands privacy in terms of

power, and it views privacy as an essential dimension of the political

structure of society. Big Brother attempts to dominate the private life

because it is the key to controlling an individual’s entire existence: her

thoughts, ideas, and actions.

The Ubiquity of the Metaphor. Big Brother dominates the discourse of

information privacy. In , when the use of computer databases was

in its infancy, U.S. Supreme Court Justice William Douglas observed

that we live in an Orwellian age in which the computer has become

“the heart of a surveillance system that will turn society into a trans-

parent world.”

One state supreme court justice observed that the

“acres of ﬁles” being assembled about us are leading to an “Orwellian

society.”

Academics similarly characterize the problem.

In The Culture of

Surveillance, sociologist William Staples observes that we have inter-

nalized Big Brother—we have created a Big Brother culture, where we

all act as agents of surveillance and voyeurism.

“The specter of Big

Brother has haunted computerization from the beginning,” computer

science professor Abbe Mowshowitz observes. “Computerized per-

sonal record-keeping systems, in the hands of police and intelligence

agencies, clearly extend the surveillance capabilities of the state.”

kafka and orwell

▲

Commentators have adapted the Big Brother metaphor to describe

the threat to privacy caused by private-sector databases, often refer-

ring to businesses as “Little Brothers.”

As sociologist David Lyon

puts it: “Orwell’s dystopic vision was dominated by the central state.

He never guessed just how signiﬁcant a decentralized consumerism

might become for social control.”

Legal scholar Katrin Byford writes:

“Life in cyberspace, if left unregulated, thus promises to have distinct

Orwellian overtones—with the notable diﬀerence that the primary

threat to privacy comes not from government, but rather from the

corporate world.”

In The End of Privacy, political scientist Reg

Whitaker also revises the Big Brother narrative into one of a multitude

of Little Brothers.

Internet “surveillance” can be readily compared to Orwell’s tele-

screen. While people surf the web, companies are gathering informa-

tion about them. As Paul Schwartz, a leading expert on privacy law,

observes, the “Internet creates digital surveillance with nearly limit-

less data storage possibilities and eﬃcient search possibilities.” In-

stead of one Big Brother, today there are a “myriad” of “Big and Little

Brothers” collecting personal data.

Even when not directly invoking the metaphor, commentators fre-

quently speak in its language, evoke its images and symbols, and

deﬁne privacy problems in similar conceptual terms. Commentators

view databases as having many of the same purposes (social control,

suppression of individuality) and employing many of the same tech-

niques (surveillance and monitoring) as Big Brother. David Flaherty,

who served as the ﬁrst Information and Privacy Commissioner for

British Columbia, explains that the “storage of personal data can be

used to limit opportunity and to encourage conformity.” Dossiers of

personal information “can have a limiting eﬀect on behavior.”

Oscar

Gandy, a noted professor of communications and media studies,

writes that “panopticism serves as a powerful metaphorical resource

for representing the contemporary technology of segmentation and

targeting.”

As legal scholar Jerry Kang observes:

[D]ata collection in cyberspace produces data that are detailed,

computer-processable, indexed to the individual, and perma-

kafka and orwell

▲

nent. Combine this with the fact that cyberspace makes data col-

lection and analysis exponentially cheaper than in real space,

and we have what Roger Clarke has identiﬁed as the genuine

threat of “dataveillance.”

Dataveillance, as information technology expert Roger Clarke deﬁnes

it, refers to the “systematic use of personal data systems in the investi-

gation or monitoring of the actions or communications of one or

more persons.”

According to political scientist Colin Bennet, “[t]he

term dataveillance has been coined to describe the surveillance prac-

tices that the massive collection and storage of vast quantities of per-

sonal data have facilitated.”

Dataveillance is thus a new form of

surveillance, a method of watching not through the eye or the cam-

era, but by collecting facts and data. Kang argues that surveillance is

an attack on human dignity, interfering with free choice because it

“leads to self-censorship.”

Likewise, Paul Schwartz claims that data

collection “creates a potential for suppressing a capacity for free

choice: the more that is known about an individual, the easier it is to

force his obedience.”

According to this view, the problem with data-

bases is that they are a form of surveillance that curtails individual

freedom.

The Limits of the Metaphor. Despite the fact that the discourse appro-

priately conceptualizes privacy through metaphor and that the Big

Brother metaphor has proven quite useful for a number of privacy

problems, the metaphor has signiﬁcant limitations for the database

privacy problem. As illustrated by the history of record-keeping and

databases in chapter , developments in record-keeping were not or-

chestrated according to a grand scheme but were largely ad hoc, aris-

ing as technology interacted with the demands of the growing public

and private bureaucracies. Additionally, the goals of data collection

have often been rather benign—or at least far less malignant than the

aims of Big Brother. In fact, personal information has been collected

and recorded for a panoply of purposes. The story of record-keeping

and database production is, in the end, not a story about the progres-

sion toward a world ruled by Big Brother or a multitude of Little

kafka and orwell

▲

Brothers. Instead, it is a story about a group of diﬀerent actors with

diﬀerent purposes attempting to thrive in an increasingly informa-

tion-based society.

The most signiﬁcant shortcoming of the Big Brother metaphor is

that it fails to focus on the appropriate form of power. The metaphor

depicts a particular technique of power—surveillance. Certainly,

monitoring is an aspect of information collection, and databases may

eventually be used in ways that resemble the disciplinary regime of

Big Brother. However, most of the existing practices associated with

databases are quite diﬀerent in character. Direct marketers wish to

observe behavior so they can tailor goods and advertisements to indi-

vidual diﬀerences. True, they desire consumers to act in a certain way

(to purchase their product), but their limited attempts at control are

far from the repressive regime of total control exercised by Big

Brother. The goal of much data collection by marketers aims not at

suppressing individuality but at studying it and exploiting it.

The most insidious aspect of the surveillance of Big Brother is

missing in the context of databases: human judgment about the ac-

tivities being observed (or the fear of that judgment). Surveillance

leads to conformity, inhibition, and self-censorship in situations

where it is likely to involve human judgment. Being observed by an

insect on the wall is not invasive of privacy; rather, privacy is threat-

ened by being subject to human observation, which involves judg-

ments that can aﬀect one’s life and reputation. Since marketers

generally are interested in aggregate data, they do not care about

snooping into particular people’s private lives. Much personal infor-

mation is amassed and processed by computers; we are being

watched not by other humans, but by machines, which gather in-

formation, compute proﬁles, and generate lists for mailing, email-

ing, or calling. This impersonality makes the surveillance less

invasive.

While having one’s actions monitored by computers does not in-

volve immediate perception by a human consciousness, it still ex-

poses people to the possibility of future review and disclosure. In the

context of databases, however, this possibility is remote. Even when

such data is used for marketing, marketers merely want to make a

proﬁt, not uproot a life or soil a reputation.

kafka and orwell

▲

I do not, however, want to discount the dangerous eﬀects of sur-

veillance through the use of databases. Although the purposes of the

users of personal data are generally not malignant, databases can still

result in unintended harmful social eﬀects. The mere knowledge that

one’s behavior is being monitored and recorded certainly can lead to

self-censorship and inhibition. Foucault’s analysis of surveillance

points to a more subtle yet more pervasive eﬀect: surveillance

changes the entire landscape in which people act, leading toward an

internalization of social norms that soon is not even perceived as re-

pressive.

This view of the eﬀects of surveillance raises important

questions regarding the amount of normalization that is desirable in

society. While our instincts may be to view all normalization as an in-

sidious force, most theories of the good depend upon a signiﬁcant

degree of normalization to hold society together.

Although the eﬀects of surveillance are certainly a part of the data-

base problem, the heavy focus on surveillance miscomprehends the

most central and pernicious eﬀects of databases. Understanding the

problem as surveillance fails to account for the majority of our activi-

ties in the world and web. A large portion of our personal information

involves facts that we are not embarrassed about: our ﬁnancial infor-

mation, race, marital status, hobbies, occupation, and the like. Most

people surf the web without wandering into its dark corners. The vast

majority of the information collected about us concerns relatively in-

nocuous details. The surveillance model does not explain why the

recording of this non-taboo information poses a problem. The focus

of the surveillance model is on the fringes—and often involves things

we may indeed want to inhibit such as cult activity, terrorism, and

child pornography.

Digital dossiers do cause a serious problem that is overlooked by

the Big Brother metaphor, one that poses a threat not just to our free-

dom to explore the taboo, but to freedom in general. It is a problem

that implicates the type of society we are becoming, the way we think,

our place in the larger social order, and our ability to exercise mean-

ingful control over our lives.

kafka and orwell

▲

Franz Kafka’s Trial

Kafka’s Distopic Vision. Although we cannot arbitrarily adopt new

metaphors, we certainly can exercise control over the metaphors we

use. Since understanding our current society is an ongoing process,

not a once-and-done activity, we are constantly in search of new

metaphors to better comprehend our situation.

Franz Kafka’s harrowing depiction of bureaucracy in The Trial cap-

tures dimensions of the digital dossier problem that the Big Brother

metaphor does not.

The Trial opens with the protagonist, Joseph K.,

awakening one morning to ﬁnd a group of oﬃcials in his apartment,

who inform him that he is under arrest. K. is bewildered at why he has

been placed under arrest: “I cannot recall the slightest oﬀense that

might be charged against me. But even that is of minor importance,

the real question is, who accuses me? What authority is conducting

these proceedings?” When he asks why the oﬃcials have come to ar-

rest him, an oﬃcial replies: “You are under arrest, certainly, more than

that I do not know.”

Instead of taking him away to a police station,

the oﬃcials mysteriously leave.

Throughout the rest of the novel, Joseph K. begins a frustrating

quest to discover why he has been arrested and how his case will be

resolved. A vast bureaucratic court has apparently scrutinized his life

and assembled a dossier on him. The Court is clandestine and myste-

rious, and court records are “inaccessible to the accused.”

In an

eﬀort to learn about this Court and the proceedings against him,

Joseph K. scuttles throughout the city, encountering a maze of

lawyers, priests, and others, each revealing small scraps of knowledge

about the workings of the Court. In a pivotal scene, Joseph K. meets a

painter who gleaned much knowledge of the obscure workings of the

Court while painting judicial portraits. The painter explains to K.:

“The whole dossier continues to circulate, as the regular oﬃcial

routine demands, passing on to the highest Courts, being re-

ferred to the lower ones again, and then swinging backwards and

forwards with greater or smaller oscillations, longer or shorter

delays. . . . No document is ever lost, the Court never forgets any-

thing. One day—quite unexpectedly—some Judge will take up

kafka and orwell

▲

the documents and look at them attentively. . . .” “And the case

begins all over again?” asked K. almost incredulously. “Certainly”

said the painter.

Ironically, after the initial arrest, it is Joseph K. who takes the initia-

tive in seeking out the Court. He is informed of an interrogation on

Sunday, but only if he has no objection to it: “Nevertheless he was

hurrying fast, so as if possible to arrive by nine o’clock, although he

had not even been required to appear at any speciﬁc time.”

Al-

though the Court has barely imposed any authority, not even specify-

ing when Joseph K. should arrive for his interrogation, he acts as if

this Court operates with strict rules and makes every attempt to obey.

After the interrogation, the Court seems to lose interest in him.

Joseph K., however, becomes obsessed with his case. He wants to be

recognized by the Court and to resolve his case; in fact, being ignored

by the Court becomes a worse torment than being arrested.

As K. continues his search, he becomes increasingly perplexed by

this unusual Court. The higher oﬃcials keep themselves hidden; the

lawyers claim they have connections to Court oﬃcials but never oﬀer

any proof or results. Hardly anyone seems to have direct contact with

the Court. In addition, its “proceedings were not only kept secret from

the general public, but from the accused as well.” Yet K. continues to

seek an acquittal from a crime he hasn’t been informed of and from

an authority he cannot seem to ﬁnd. As Joseph K. scurries through the

bureaucratic labyrinth of the law, he can never make any progress to-

ward his acquittal: “Progress had always been made, but the nature of

the progress could never be divulged. The Advocate was always work-

ing away at the ﬁrst plea, but it had never reached a conclusion.”

the end, Joseph K. is seized by two oﬃcials in the middle of the night

and executed.

Kafka’s The Trial best captures the scope, nature, and eﬀects of the

type of power relationship created by databases. My point is not that

The Trial presents a more realistic descriptive account of the database

problem than Big Brother. Like 1984, The Trial presents a ﬁctional por-

trait of a harrowing world, often exaggerating certain elements of so-

ciety in a way that makes them humorous and absurd. Certainly, in

the United States most people are not told that they are inexplicably

kafka and orwell

▲

under arrest, and they do not expect to be executed unexpectedly one

evening. The Trial is in part a satire, and what is important for the

purposes of my argument are the insights the novel provides about

society through its exaggerations. In the context of computer data-

bases, Kafka’s The Trial is the better focal point for the discourse than

Big Brother. Kafka depicts an indiﬀerent bureaucracy, where individ-

uals are pawns, not knowing what is happening, having no say or

ability to exercise meaningful control over the process. This lack of

control allows the trial to completely take over Joseph K.’s life. The

Trial captures the sense of helplessness, frustration, and vulnerability

one experiences when a large bureaucratic organization has control

over a vast dossier of details about one’s life. At any time, something

could happen to Joseph K.; decisions are made based on his data, and

Joseph K. has no say, no knowledge, and no ability to ﬁght back. He is

completely at the mercy of the bureaucratic process.

As understood in light of the Kafka metaphor, the primary problem

with databases stems from the way the bureaucratic process treats in-

dividuals and their information.

Bureaucracy. Generally, the term “bureaucracy” refers to large public

and private organizations with hierarchical structures and a set of

elaborate rules, routines, and processes.

I will use the term to refer

not to speciﬁc institutions but to a particular set of practices—

speciﬁcally, how bureaucratic processes aﬀect and inﬂuence individ-

uals subjected to them. Bureaucratic organization, sociologist Max

Weber asserts, consists of a hierarchical chain-of-command, special-

ized oﬃces to carry out particular functions, and a system of general

rules to manage the organization.

Bureaucracy is not limited to gov-

ernment administration; it is also a feature of business management.

The modern world requires the eﬃcient ﬂow of information in order

to communicate, to deliver goods and services, to regulate, and to

carry out basic functions. According to Weber, bureaucracy is “capa-

ble of attaining the highest degree of eﬃciency and is in this sense

formally the most rational known means of exercising authority over

human beings.”

Bureaucratic processes are highly routinized, striv-

ing for increased eﬃciency, standardization of decisions, and the cul-

tivation of specialization and expertise. As Paul Schwartz notes,

kafka and orwell

▲

bureaucracy depends upon “vast quantities of information” that “re-

lates to identiﬁable individuals.”

Much of this information is impor-

tant and necessary to the smooth functioning of bureaucracies.

Although bureaucratic organization is an essential and beneﬁcial

feature of modern society, bureaucracy also presents numerous prob-

lems. Weber observes that bureaucracy can become “dehumanized”

by striving to eliminate “love, hatred, and all purely personal, irra-

tional, and emotional elements which escape calculation.”

Bureau-

cracy often cannot adequately attend to the needs of particular

individuals—not because bureaucrats are malicious, but because

they must act within strict time constraints, have limited training,

and are frequently not able to respond to unusual situations in

unique or creative ways. Schwartz contends that because bureau-

cracy does not adequately protect the dignity of the people it deals

with, it can “weaken an individual’s capacity for critical reﬂection and

participation in society.”

Additionally, decisions within public and

private bureaucratic organizations are often hidden from public view,

decreasing accountability. As Weber notes, “[b]ureaucratic adminis-

tration always tends to exclude the public, to hide its knowledge and

action from criticism as well as it can.”

Bureaucratic organizations

often have hidden pockets of discretion. At lower levels, discretion

can enable abuses. Frequently, bureaucracies fail to train employees

adequately and may employ subpar security measures over personal

data. Bureaucracies are often careless in their uses and handling of

personal information.

The problem with databases emerges from subjecting personal in-

formation to the bureaucratic process with little intelligent control or

limitation, which results in our not having meaningful participation

in decisions about our information. Bureaucratic decision-making

processes are being exercised ever more frequently over a greater

sphere of our lives, and we have little power or say within such a sys-

tem, which tends to structure our participation along standardized

ways that fail to enable us to achieve our goals, wants, and needs.

Bureaucracy and Power. The power eﬀects of this relationship to bu-

reaucracy are profound; however, they cannot adequately be ex-

plained by resorting only to the understanding of power in Orwell’s

kafka and orwell

▲

1984. Big Brother employs a coercive power that is designed to domi-

nate and oppress. Power, however, is not merely prohibitive; as illus-

trated by Aldous Huxley in Brave New World, it composes our very

lives and culture. Huxley describes a diﬀerent form of totalitarian so-

ciety—one controlled not by force, but by entertainment and pleas-

ure. The population is addicted to a drug called Soma, which is

administered by the government as a political tool to sedate the peo-

ple. Huxley presents a narrative about a society controlled not by a

despotic coercive government like Big Brother, but by manipulation

and consumption, where people participate in their own enslave-

ment. The government achieves obedience through social condition-

ing, propaganda, and other forms of indoctrination.

It does not use

the crude coercive techniques of violence and force, but instead em-

ploys a more subtle scientiﬁc method of control—through genetic en-

gineering, psychology, and drugs. Power works internally—the

government actively molds the private life of its citizens, transform-

ing it into a world of vapid pleasure, mindlessness, and numbness.

Despite the diﬀerences, power for both Orwell and Huxley oper-

ates as an insidious force employed for a particular design. The Trial

depicts a diﬀerent form of power. The power employed in The Trial

has no apparent goal; any purpose remains shrouded in mystery. Nor

is the power as direct and manipulative in design as that depicted by

Orwell and Huxley. The Court system barely even cares about Joseph

K. The Trial depicts a world that diﬀers signiﬁcantly from our tradi-

tional notions of a totalitarian state. Joseph K. was not arrested for his

political views; nor did the Court manifest any plan to control people.

Indeed, Joseph K. was searching for some reason why he was ar-

rested, a reason that he never discovered. One frightening implication

is that there was no reason, or if there were, it was absurd or arbitrary.

Joseph K. was subjected to a more purposeless process than a trial.

Indeed, the Court does not try to exercise much power over Joseph K.

His arrest does not even involve his being taken into custody—merely

a notiﬁcation that he is under arrest—and after an initial proceeding,

the Court makes no further eﬀort even to contact Joseph K.

What is more discernible than any motive on the part of the Court

or any overt exercise of power are the social eﬀects of the power rela-

tionship between the bureaucracy and Joseph K. The power depicted

kafka and orwell

▲

in The Trial is not so much a force as it is an element of relationships

between individuals and society and government. These relation-

ships have balances of power. What The Trial illustrates is that power

is not merely exercised in totalitarian forms, and that relationships to

bureaucracies which are unbalanced in power can have debilitating

eﬀects upon individuals—regardless of the bureaucracies’ purposes

(which may, in fact, turn out to be quite benign).

Under this view, the problem with databases and the practices cur-

rently associated with them is that they disempower people. They

make people vulnerable by stripping them of control over their per-

sonal information. There is no diabolical motive or secret plan for

domination; rather, there is a web of thoughtless decisions made by

low-level bureaucrats, standardized policies, rigid routines, and a way

of relating to individuals and their information that often becomes

indiﬀerent to their welfare.

The Interplay of the Metaphors. The Kafka and Orwell metaphors are

not mutually exclusive. As I will discuss in more depth in part III of

this book, the interplay of the metaphors captures the problems with

government access to digital dossiers. In particular, the government is

increasingly mining data from private-sector sources to proﬁle indi-

viduals. Information about people is observed or recorded and then

fed into computer programs that analyze the data looking for certain

behavior patterns common to criminal or terrorist activity. This

method of investigation and analysis employs secret algorithms to

process information and calculate how “dangerous” or “criminal” a

person might be. The results of these secret computations have pal-

pable eﬀects on people’s lives. People can be denied the right to ﬂy on

an airplane without a reason or a hearing; or they can be detained in-

deﬁnitely without the right to an attorney and without being told the

reasons why.

In another example, political scientist John Gilliom’s study of the

surveillance of welfare recipients chronicles a world of constant ob-

servation coupled by an almost pathological bureaucracy.

Recipi-

ents must ﬁll out mountains of paperwork, answer endless questions,

and be routinely monitored. Often, they receive so little ﬁnancial as-

sistance that they resort to odd jobs to obtain more income, which, if

kafka and orwell

▲

discovered, could make them ineligible for beneﬁts. The system cre-

ates a strong incentive for transgression, severe penalties for any

breach, and elaborate data systems that attempt to detect any

malfeasance through automated investigations. The system com-

bines pervasive surveillance with a bureaucratic process that has little

compassion or ﬂexibility.

A quote by noted playwright and author Friedrich Dürrenmatt best

captures how surveillance and bureaucracy interrelate in the Infor-

mation Age:

[W]hat was even worse was the nature of those who observed

and made a fool of him, namely a system of computers, for what

he was observing was two cameras connected to two computers

observed by two further computers and fed into computers con-

nected to those computers in order to be scanned, converted, re-

converted, and, after further processing by laboratory

computers, developed, enlarged, viewed, and interpreted, by

whom and where and whether at any point by human beings he

couldn’t tell.

Surveillance generates information, which is often stored in record

systems and used for new purposes. Being watched and inhibited in

one’s behavior is only one part of the problem; the other dimension is

that the data is warehoused for unknown future uses. This is where

Orwell meets Kafka.

Beyond the Secrecy Paradigm

Understanding the database privacy problem in terms of the Kafka

metaphor illustrates that the problem with databases concerns the

use of information, not merely keeping it secret. Traditionally, privacy

problems have been understood as invasions into one’s hidden

world. Privacy is about concealment, and it is invaded by watching

and by public disclosure of conﬁdential information. I refer to this

understanding of privacy as the “secrecy paradigm.” This paradigm is

so embedded in our privacy discourse that privacy is often repre-

sented visually by a roving eye, an open keyhole, or a person peeking

through Venetian blinds.

kafka and orwell

▲

Information about an individual, however, is often not secret, but

is diﬀused in the minds of a multitude of people and scattered in var-

ious documents and computer ﬁles across the country. Few would be

embarrassed by the disclosure of much of the material they read, the

food they eat, or the products they purchase. Few would view their

race, ethnicity, marital status, or religion as conﬁdential. Of course,

databases may contain the residue of scandals and skeletons—illicit

websites, racy books, stigmatizing diseases—but since information in

databases is rarely publicized, few reputations are tarnished. For the

most part, the data is processed impersonally by computers without

ever being viewed by the human eye. The secrecy paradigm focuses

on breached conﬁdentiality, harmed reputation, and unwanted pub-

licity. But since these harms are not really the central problems of

databases, privacy law often concludes that the information in data-

bases is not private and is thus not entitled to protection. Indeed, one

commentator defended DoubleClick’s tracking of web browsing

habits by stating:

Over time, people will realize it’s not Big Brother who’s going to

show up [at] your door in a black ski mask and take your kids

away or dig deep into your medical history. This is a situation

where you are essentially dropped into a bucket with  million

people who look and feel a lot like you do to the advertising com-

pany.

This commentator, viewing privacy with the Big Brother metaphor,

focuses on the wrong types of harms and implicitly views only secret

information as private.

The problem with databases pertains to the uses and practices as-

sociated with our information, not merely whether that information

remains completely secret. Although disclosure can be a violation of

privacy, this does not mean that avoiding disclosure is the sum and

substance of our interest in privacy. What people want when they de-

mand privacy with regard to their personal information is the ability

to ensure that the information about them will be used only for the

purposes they desire. Even regarding the conﬁdentiality of informa-

tion, the understanding of privacy as secrecy fails to recognize that

individuals want to keep things private from some people but not

kafka and orwell

▲

others. The fact that an employee criticizes her boss to a co-worker

does not mean that she wants her boss to know what she said.

Helen Nissenbaum, a professor of information technology, is quite

right to argue that we often expect privacy even when in public.

Not

all activities are purely private in the sense that they occur in isolation

and in hidden corners. When we talk in a restaurant, we do not expect

to be listened to. A person may buy condoms or hemorrhoid medica-

tion in a store open to the public, but certainly expects these pur-

chases to be private activities. Contrary to the notion that any

information in public records cannot be private, there is a consider-

able loss of privacy by plucking inaccessible facts buried in some ob-

scure document and broadcasting them to the world on the evening

news. Privacy can be infringed even if no secrets are revealed and

even if nobody is watching us.

The Aggregation Effect

The digital revolution has enabled information to be easily amassed

and combined. Even information that is superﬁcial or incomplete can

be quite useful in obtaining more data about individuals. Information

breeds information. For example, although one’s SSN does not in and

of itself reveal much about an individual, it provides access to one’s

ﬁnancial information, educational records, medical records, and a

whole host of other information. As law professor Julie Cohen notes,

“[a] comprehensive collection of data about an individual is vastly

more than the sum of its parts.”

I refer to this phenomenon as the

“aggregation eﬀect.” Similar to a Seurat painting, where a multitude

of dots juxtaposed together form a picture, bits of information when

aggregated paint a portrait of a person.

In the Information Age, personal data is being combined to create

a digital biography about us. Information that appears innocuous can

sometimes be the missing link, the critical detail in one’s digital biog-

raphy, or the key necessary to unlock other stores of personal infor-

mation. But why should we be concerned about a biography that

includes details about what type of soap a person buys, whether she

prefers Pepsi to Coca-Cola, or whether she likes to shop at Macy’s

rather than Kmart? As legal scholar Stan Karas points out, the prod-

kafka and orwell

▲

ucts we consume are expressive of our identities.

We have many

choices in the products we buy, and even particular brands symbolize

certain personality traits and personal characteristics. Karas notes

that Pepsi has marketed itself to a younger, more rebellious consumer

than Coca-Cola, which emphasizes old-fashioned and traditional im-

ages in its advertisements.

Whether punk, yuppie, or hippie, people

often follow a particular consumption pattern that reﬂects the sub-

culture with which they identify.

Of course, the products we buy are not wholly reﬂective of our

identities. A scene from Henry James’s Portrait of a Lady best captures

the complexities of the situation. Madame Merle, wise in the ways of

the world yet jaded and selﬁsh, is speaking to Isabel Archer, a young

American lady in Europe full of great aspirations of living a bold and

exceptional life, far beyond convention. Merle declares: “What shall

we call our ‘self’? Where does it begin? Where does it end? It overﬂows

into everything that belongs to us—and then it ﬂows back again. I

know a large part of myself is the clothes I choose to wear. I’ve a great

respect for things!” Isabel disagrees: “nothing that belongs to me is

any measure of me.” “My clothes only express the dressmaker,” Isabel

says, “but they don’t express me. To begin with, it is not my own

choice that I wear them; they’ve been imposed upon me by society.”

Merle is obsessed by things, and she views herself as deeply inter-

twined with her possessions. The objects she owns and purchases are

deeply constitutive of her personality. Isabel, in her proud individual-

ism, claims that she is vastly distinct from what she owns and wears.

Indeed, for her, things are a tool for conformity; they do not express

anything authentic about herself.

Yet Madame Merle has a point—the information is indeed expres-

sive. But Isabel is right, too—this information is somewhat superﬁ-

cial, and it only partially captures who we are. Although the digital

biography contains a host of details about a person, it captures a dis-

torted persona, one who is constructed by a variety of external de-

tails.

Although the information marketers glean about us can be

quite revealing, it still cannot penetrate into our thoughts and often

only partially captures who we are.

Information about our property,

our professions, our purchases, our ﬁnances, and our medical history

does not tell the whole story. We are more than the bits of data we give

kafka and orwell

▲

oﬀ as we go about our lives. Our digital biography is revealing of our-

selves but in a rather standardized way. It consists of bits of informa-

tion pre-deﬁned based on the judgment of some entity about what

categories of information are relevant or important. We are partially

captured by details such as our age, race, gender, net worth, property

owned, and so on, but only in a manner that standardizes us into

types or categories. Indeed, database marketers frequently classify

consumers into certain categories based on stereotypes about their

values, lifestyle, and purchasing habits. As Julie Cohen observes, peo-

ple are not simply “reducible to the sum of their transactions, genetic

markers, and other measurable attributes.”

Our digital biography is thus an unauthorized one, only partially

true and very reductive. We must all live with these unauthorized bi-

ographies about us, the complete contents of which we often do not

get to see. Although a more extensive dossier might be less reductive

in capturing our personalities, it would have greater controlling

eﬀects on an individual’s life.

Not only are our digital biographies reductive, but they are often

inaccurate. In today’s bureaucratized world, one of the growing

threats is that we will be subject to the inadvertence, carelessness,

and mindlessness of bureaucracy. A scene from the darkly humorous

movie Brazil illustrates this problem.

The movie opens with an ex-

hausted bureaucrat swatting a ﬂy, which inconspicuously drops into

a typewriter, causes a jam, and results in him mistyping a letter in a

person’s name on a form. The form authorizes the arrest and interro-

gation of suspected rebels. In the next scene, an innocent man peace-

fully sits in his home with his family when suddenly scores of

armor-clad police storm inside and haul him away.

These dangers are not merely the imaginary stuﬀ of movies. The

burgeoning use of databases of public record information by the pri-

vate sector in screening job applicants and investigating existing em-

ployees demonstrates how errors can potentially destroy a person’s

career. For example, a Maryland woman wrongly arrested for a bur-

glary was not cleared from the state’s criminal databases. Her name

and SSN also migrated to a Baltimore County database relating to

child protective services cases. She was ﬁred from her job as a substi-

tute teacher, and only after she could establish that the information

kafka and orwell

▲

was in error was she rehired. When she later left that job to run a day

care center for the U.S. military, she was subjected to questioning

about the erroneous arrest. Later on, when employed at as a child

care director at a YMCA, she was terminated when her arrest record

surfaced in a background clearance check. Since she could not have

the error expunged in suﬃcient time, the job was given to another

person. Only after several years was the error ﬁnally cleared from the

public records.

As our digital biographies are increasingly relied

upon to make important decisions, the problems that errors can

cause will only escalate in frequency and magnitude.

To the extent that the digital biography is accurate, our lives are not

only revealed and recorded, but also can be analyzed and investi-

gated. Our digital biographies are being assembled by companies

which are amassing personal information in public records along

with other data. Collectively, millions of biographies can be searched,

sorted, and analyzed in a matter of seconds. This enables automated

investigations of individuals on a nationwide scale by both the gov-

ernment and the private sector. Increasingly, companies are conduct-

ing investigations which can have profound consequences on

people’s lives—such as their employment and ﬁnancial condition.

Employers are resorting to information brokers of public record infor-

mation to assist in screening job applicants and existing employees.

For example, the ﬁrm HireCheck serves over , employers to con-

duct background checks for new hires or current employees.

It con-

ducts a national search of outstanding arrest warrants; a SSN search

to locate the person’s age, past and current employers, and former ad-

dresses; a driver record search; a search of worker’s compensation

claims “to avoid habitual claimants or to properly channel assign-

ments”; a check of civil lawsuit records; and searches for many other

types of information.

These investigations occur without any exter-

nal oversight, and individuals often do not have an opportunity to

challenge the results.

Forms of Dehumanization: Databases and the Kafka Metaphor

Expounding on the Kafka metaphor, certain uses of databases foster a

state of powerlessness and vulnerability created by people’s lack of

kafka and orwell

▲

any meaningful form of participation in the collection and use of

their personal information. Bureaucracy and power is certainly not a

new problem. Databases do not cause the disempowering eﬀects of

bureaucracy; they exacerbate them—not merely by magnifying exist-

ing power imbalances but by transforming these relationships in pro-

found ways that implicate our freedom. The problem is thus old and

new, and its additional dimensions within the Information Age re-

quire extensive explication.

Impoverished Judgments. One of the great dangers of using information

that we generally regard as private is that we often make judgments

based on this private information about the person. As legal scholar

Kenneth Karst warned in the s, one danger of “a centralized, stan-

dardized data processing system” is that the facts stored about an in-

dividual “will become the only signiﬁcant facts about the subject of

the inquiry.”

Legal scholar Jeﬀrey Rosen aptly observes, “Privacy

protects us from being misdeﬁned and judged out of context in a

world of short attention spans, a world in which information can eas-

ily be confused with knowledge. True knowledge of another person is

the culmination of a slow process of mutual revelation.”

Increased reliance upon the easily quantiﬁable and classiﬁable in-

formation available from databases is having profound social eﬀects.

The nature and volume of information aﬀects the way people ana-

lyze, use, and react to information. Currently, we rely quite heavily on

quantiﬁable data: statistics, polls, numbers, and ﬁgures. In the law

alone, there is a trend to rank schools; to measure the inﬂuence of fa-

mous jurists by counting citations to their judicial opinions;

to as-

sess the importance of law review articles by tabulating citations to

them;

to rank law journals with an elaborate system of establishing

point values for authors of articles;

and to determine the inﬂuence

of academic movements by checking citations.

The goal of this use

of empirical data is to eliminate the ambiguity and incommensura-

bility of many aspects of life and try to categorize them into neat, tidy

categories. The computer has exacerbated this tendency, for the in-

crease in information and the way computers operate furthers this

type of categorization and lack of judgment.

Indeed, in legal schol-

kafka and orwell

▲

arship, much of this tendency is due to the advent of computer re-

search databases, which can easily check for citations and speciﬁc

terms.

In our increasingly bureaucratic and impersonal world, we are re-

lying more heavily on records and proﬁles to assess reputation. As H.

Jeﬀ Smith, a professor of management and information technology,

contends:

[D]ecisions that were formerly based on judgment and human

factors are instead decided according to prescribed formulas. In

today’s world, this response is often characterized by reliance on

a rigid, unyielding process in which computerized information is

given great weight. Facts that actually require substantial evalua-

tion could instead be reduced to discrete entries in preassigned

categories.

Certainly, quantiﬁable information can be accurate and serve as

the best way for making particular decisions. Even when quantiﬁable

information is not exact, it is useful for making decisions because of

administrative feasibility. Considering all the variables and a multi-

tude of incommensurate factors might simply be impossible or too

costly.

Nevertheless, the information in databases often fails to capture

the texture of our lives. Rather than provide a nuanced portrait of our

personalities, compilations of data capture the brute facts of what we

do without the reasons. For example, a record of an arrest without the

story or reason is misleading. The arrest could have been for civil dis-

obedience in the s—but it is still recorded as an arrest with some

vague label, such as “disorderly conduct.” It appears no diﬀerently

from the arrest of a vandal. In short, we are reconstituted in databases

as a digital person composed of data. The privacy problem stems par-

adoxically from the pervasiveness of this data—the fact that it en-

compasses much of our lives—as well as from its limitations—how it

fails to capture us, how it distorts who we are.

Powerlessness and Lack of Participation. Privacy concerns an individual’s

power in the elaborate web of social relationships that encompasses

kafka and orwell

▲

her life. Today, a signiﬁcant number of these relationships involve in-

teraction with public and private institutions. In addition to the myr-

iad of public agencies that regulate the products we purchase, the

environment, and the like, we depend upon private institutions such

as telephone companies, utility companies, Internet service

providers, cable service providers, and health insurance companies.

We also depend upon companies that provide the products we be-

lieve are essential to our daily lives: hygiene, transportation, enter-

tainment, news, and so on. Our lives are ensconced in these

institutions, which have power over our day-to-day activities

(through what we consume, read, and watch), our culture, politics,

education, and economic well-being. We are engaged in relationships

with these institutions, even if on the surface our interactions with

them are as rudimentary and distant as signing up for services, pay-

ing bills, and requesting repairs. With many ﬁrms—such as credit re-

porting agencies—we do not even take aﬃrmative steps to establish a

relationship.

Companies are beginning to use personal information to identify

what business experts call “angel” and “demon” customers.

Cer-

tain customers—the angels—are very proﬁtable, but others—the

demons—are not. Angel customers account for a large amount of a

company’s business whereas demon customers purchase only a small

amount of goods and services and are likely to cost the company

money. For example, a demon customer is one who uses up a com-

pany’s resources by frequently calling customer service. Some busi-

ness experts thus recommend that companies identify these types of

customers through the use of personal information and treat them

diﬀerently. For example, businesses might serve the angels ﬁrst and

leave the demons waiting; or they might oﬀer the angels cheaper

prices; or perhaps, they might even try to turn the demons away en-

tirely.

The result of companies moving in this direction is that people

will be treated diﬀerently and may never know why. Even before the

concept of angel and demon customers was articulated, one bank

routinely denied credit card applications from college students ma-

joring in literature, history, and art, based on the assumption that

they would not be able to repay their debts. The bank’s practice re-

mained a secret until the media ran a story about it.

kafka and orwell

▲

We are increasingly not being treated as equals in our relationships

with many private-sector institutions. Things are done to us; deci-

sions are made about us; and we are often completely excluded from

the process. With considerably greater frequency, we are ending up

frustrated with the outcome. For example, complaints about credit

reporting agencies to the Federal Trade Commission have been rap-

idly escalating, with , in  and over , in .

Privacy involves the ability to avoid the powerlessness of having

others control information that can aﬀect whether an individual gets

a job, becomes licensed to practice in a profession, or obtains a criti-

cal loan. It involves the ability to avoid the collection and circulation

of such powerful information in one’s life without having any say in

the process, without knowing who has what information, what pur-

poses or motives those entities have, or what will be done with that

information in the future. Privacy involves the power to refuse to be

treated with bureaucratic indiﬀerence when one complains about er-

rors or when one wants certain data expunged. It is not merely the

collection of data that is the problem—it is our complete lack of con-

trol over the ways it is used or may be used in the future.

Problematic Information Gathering Techniques. This powerlessness is

compounded by the fact that the process of information collection in

America is clandestine, duplicitous, and unfair. The choices given to

people over their information are hardly choices at all. People must

relinquish personal data to gain employment, procure insurance, ob-

tain a credit card, or otherwise participate like a normal citizen in to-

day’s economy. Consent is virtually meaningless in many contexts.

When people give consent, they must often consent to a total surren-

der of control over their information.

Collection of information is often done by misleading the con-

sumer. General Electric sent a supposedly anonymous survey to

shareholders asking them to rate various aspects of the company. Un-

beknownst to those surveyed, the survey’s return envelope was coded

so that the responses could be matched to names in the company’s

shareholder database.

Some information is directly solicited via registration question-

naires or other means such as competitions and sweepstakes. The

kafka and orwell

▲

warranty registration cards of many products—which ask a host of

lifestyle questions—are often sent not to the company that makes the

product but to National Demographics and Lifestyles Company at a

Denver post oﬃce box. This company has compiled information on

over  million people and markets it to other companies.

Often,

there is an implicit misleading notion that consumers must ﬁll out a

registration questionnaire in order to be covered by the warranty.

Frequent shopper programs and discount cards—which involve

ﬁlling out a questionnaire and then carrying a special card that pro-

vides discounts—enable the scanner data to be matched to data

about individual consumers.

This technique involves oﬀering sav-

ings in return for personal information and the ability to track a per-

son’s grocery purchases.

However, there are scant disclosures that

such an exchange is taking place, and there are virtually no limits on

the use of the data.

Conde Nast Publications Inc. (which publishes the New Yorker,

Vanity Fair, Vogue, and other magazines) recently sent out a booklet

of  questions asking detailed information about an individual’s

hobbies, shopping preferences, health (including medications used,

acne problems, and vaginal/yeast infections), and much more. Al-

most , people responded. In return for the data, the survey

said: “Just answer the questions below to start the conversation and

become part of this select group of subscribers to whom marketers

listen ﬁrst.” Conde Nast maintains a database of information on 

million people. Stephen Jacoby, the vice president for marketing and

databases, said: “What we’re trying to do is enhance the relationship

between the subscriber and their magazine. In a sense, it’s a beneﬁt to

the subscriber.”

There is no “conversation” created by supplying the data. Conde

Nast does not indicate how the information will be used. It basically

tries to entice people to give information for a vague promise of little

or no value. While the company insists that it will not share informa-

tion with “outsiders,” it does not explain who constitutes an “out-

sider.” The information remains in the control of the company, with

no limitations on use. Merely informing the consumer that data may

be sold to others is an inadequate form of disclosure. The consumer

kafka and orwell

▲

does not know how many times the data will be resold, to whom it

will be sold, or for what purposes it will be used.

Irresponsibility and Carelessness. A person’s lack of control is exacer-

bated by the often thoughtless and irresponsible ways that bureau-

cracies use personal information and their lack of accountability in

using and protecting the data. In other words, the problem is not sim-

ply a lack of individual control over information, but a situation

where nobody is exercising meaningful control over the information.

In bureaucratic settings, privacy policy tends to fall into drift and be

reactionary. In a detailed study of organizations such as banks, insur-

ance companies, and credit reporting agencies, H. Jeﬀ Smith con-

cluded that all of the organizations “exhibited a remarkably similar

approach: the policy-making process, which occurred over time, was

a wandering and reactive one.” According to a senior executive at a

health insurance company, “We’ve been lazy on the privacy [issues]

for several years now, because we haven’t had anybody beating us over

the head about them.” According to Smith, most executives in the sur-

vey were followers rather than leaders: “[M]ost executives wait until

an external threat forces them to consider their privacy policies.”

Furthermore, there have been several highly publicized instances

where companies violated their own privacy policies. Although prom-

ising its users that their information would remain conﬁdential, the

website GeoCities collected and sold information about children who

played games on the site.

RealNetworks, Inc. secretly collected per-

sonal information about its users in direct violation of its privacy pol-

icy. And a website for young investors promised that the data it

collected about people’s ﬁnances would remain anonymous, but in-

stead it was kept in identiﬁable form.

More insidious than drifting and reactionary privacy policies are

irresponsible and careless uses of personal information. For example,

Metromail Corporation, a seller of direct marketing information,

hired inmates to enter the information into databases. This came to

light when an inmate began sending harassing letters that were sexu-

ally explicit and ﬁlled with intimate details of people’s lives.

A televi-

sion reporter once paid $ to obtain from Metromail a list of over

kafka and orwell

▲

, children living in Pasadena, California. The reporter gave the

name of a well-known child molester and murderer as the buyer.

These cases illustrate the lack of care and accountability by the cor-

porations collecting the data.

McVeigh v. Cohen

best illustrates this problem. A highly decorated

-year veteran of the Navy sought to enjoin the Navy from discharg-

ing him under the statutory policy known as “Don’t Ask, Don’t Tell,

Don’t Pursue.”

When responding to a toy drive for the crew of his

ship, Tim McVeigh (no relation to the Oklahoma City bomber) acci-

dentally used the wrong email account, sending a message under the

alias “boysrch.” He signed the email “Tim” but included no other in-

formation. The person conducting the toy drive searched through the

member proﬁle directory of America Online (AOL), where she learned

that “boysrch” was an AOL subscriber named Tim who lived in Hawaii

and worked in the military. Under marital status, he had identiﬁed

himself as “gay.” The ship’s legal adviser began to investigate, suspect-

ing that “Tim” was McVeigh. Before speaking to McVeigh, and without

a warrant, the legal adviser had a paralegal contact AOL for more in-

formation. The paralegal called AOL’s toll-free customer service num-

ber and, without identifying himself as a Navy serviceman, concocted

a story that he had received a fax from an AOL customer and wanted

to conﬁrm who it belonged to. Despite a policy of not giving out per-

sonal information, the AOL representative told him that the customer

was McVeigh. As a result, the Navy sought to discharge McVeigh.

In Remsburg v. Docusearch, Inc.,

a man named Liam Youens be-

gan purchasing information about Amy Lynn Boyer from a company

called Docusearch. He requested Boyer’s SSN, and Docusearch ob-

tained it from a credit reporting agency and provided it to him.

Youens then requested Boyer’s employment address, so Docusearch

hired a subcontractor, who obtained it by making a “pretext” phone

call to Boyer. By lying about her identity and the reason for the call,

the subcontractor obtained the address from Boyer. Docusearch then

gave the address to Youens, who went to Boyer’s workplace and shot

and killed her. Docusearch supplied the information without ever

asking who Youens was or why he was seeking the information.

Within the past few years, explicit details of  psychotherapy pa-

tients’ sex lives, as well as their names, addresses, telephone num-

kafka and orwell

▲

bers, and credit card numbers, were inadvertently posted on the In-

ternet.

A banker in Maryland who sat on a state’s public health com-

mission checked his list of bank loans with records of people with

cancer in order to cancel the loans of the cancer suﬀerers.

A hacker

illegally downloaded thousands of patients’ medical ﬁles along with

their SSNs from a university medical center.

Due to a mix-up, a re-

tirement plan mailed ﬁnancial statements to the wrong people at the

same ﬁrm.

Extensive psychological records describing the condi-

tions of over  children were inadvertently posted on the University

of Montana’s website.

An employee of a company obtained ,

credit reports from a credit reporting agency and peddled them to

others for use in fraud and identity theft.

Health information and

SSNs of military personnel and their families were stolen from a mili-

tary contractor’s database.

In sum, the privacy problem created by the use of databases stems

from an often careless and unconcerned bureaucratic process—one

that has little judgment or accountability—and is driven by ends

other than the protection of people’s dignity. We are not just heading

toward a world of Big Brother or one composed of Little Brothers, but

also toward a more mindless process—of bureaucratic indiﬀerence,

arbitrary errors, and dehumanization—a world that is beginning to

resemble Kafka’s vision in The Trial.

kafka and orwell

▲

The Problems of

Information Privacy Law

A distinctive domain of law relating to information privacy has been

developing throughout the twentieth century. Although the law has

made great strides in dealing with privacy problems, the law of infor-

mation privacy has been severely hampered by the diﬃculties in for-

mulating a compelling theory of privacy. The story of privacy law is a

tale of changing technology and the law’s struggle to respond in eﬀec-

tive ways.

Information privacy law consists of a mosaic of various types of

law: tort law, constitutional law, federal and state statutory law, evi-

dentiary privileges, property law, and contract law. Much of privacy

law is interrelated, and as legal scholar Ken Gormley observes, “vari-

ous oﬀshoots of privacy are deeply intertwined at the roots, owing

their origins to the same soil.”

Information privacy law has made great strides toward protecting

privacy. Nevertheless, there are systematic deﬁciencies across the

spectrum of privacy law in addressing the special nature of the prob-

lem of digital dossiers.

▲

The Privacy Torts

Warren and Brandeis. Privacy law owes its greatest debt to Samuel War-

ren and Louis Brandeis. Warren and Brandeis practiced law together

in a Boston law ﬁrm. Brandeis later went on to become a Supreme

Court justice.

In , they wrote their profoundly inﬂuential article,

The Right to Privacy,

considered by many to be one of the primary

foundations of privacy law in the United States.

In the article, Warren

and Brandeis raised alarm at the intersection of yellow journalism,

with its increasing hunger for sensational human interest stories, and

the development of new technologies in photography. During the lat-

ter half of the nineteenth century, newspapers were the most rapidly

growing form of media, with circulation increasing about , per-

cent from  to . In , there were approximately  newspa-

pers with , readers. By , there were  papers with over 

million readers. This massive growth was due, in part, to yellow jour-

nalism, a form of sensationalistic reporting that focused on scandals

and petty crimes. Reaping the successes of yellow journalism, Joseph

Pulitzer and William Randolph Hearst became the barons of the

newspaper business. According to Warren and Brandeis: “The press is

overstepping in every direction the obvious bounds of propriety and

decency. Gossip is no longer the resource of the idle and of the vi-

cious, but has become a trade, which is pursued with industry as well

as eﬀrontery.”

Warren and Brandeis also expressed concern over what they called

“instantaneous” photography. Although photography had been

around before , recent developments made photography much

cheaper and easier. Cameras had been large, expensive, and not read-

ily portable. In , the Eastman Kodak Company came out with the

“snap camera,” a hand-held camera for the general public. For the

ﬁrst time, people could take candid photographs. Warren and Bran-

deis feared the intersection of this new photographic technology with

the gossip-hungry press: “Instantaneous photographs and newspa-

per enterprise have invaded the sacred precincts of private and do-

mestic life; and numerous mechanical devices threaten to make good

the prediction that ‘what is whispered in the closet shall be pro-

claimed from the house-tops.’”

the problems of information privacy law

▲

On the surface, observed Warren and Brandeis, the existing com-

mon law failed to aﬀord a remedy for privacy invasions. But it con-

tained the seeds to develop the proper protection of privacy. The

authors looked to existing legal rights and concluded that they were

manifestations of a deeper principle lodged in the common law—

“the more general right of the individual to be let alone.”

From this

principle, new remedies to protect privacy could be derived. Warren

and Brandeis suggested that the primary way to safeguard privacy

was through tort actions to allow people to sue others for privacy in-

vasions.

What Warren and Brandeis achieved was nothing short of magniﬁ-

cent. By pulling together various isolated strands of the common law,

the authors demonstrated that creating remedies for privacy inva-

sions wouldn’t radically change the law but would merely be an ex-

pansion of what was already germinating.

As early as , courts and legislatures responded to the Warren

and Brandeis article by creating a number of privacy torts to redress

the harms that Warren and Brandeis had noted.

These torts permit

people to sue others for privacy violations. In , William Prosser,

one of the most renowned experts on tort law, surveyed over  pri-

vacy cases in the  years since the publication of the Warren and

Brandeis article.

He concluded that the cases could be classiﬁed as

involving four distinct torts.

These torts are: () intrusion upon seclu-

sion; () public disclosure of private facts; () false light; and () ap-

propriation. Today, whether by statute or common law, most states

recognize some or all of the privacy torts.

The privacy torts emerged in response to the privacy problems

raised by Warren and Brandeis—namely, the incursions into privacy

by the burgeoning print media. Today, we are experiencing the rapid

rise of a new form of media—the Internet. Although the press still

poses a threat to privacy, and photography has become an indispen-

sable tool of journalism (as Warren and Brandeis accurately pre-

dicted), there are now many additional threats to privacy other than

the press. The privacy torts are capable of redressing speciﬁc harms

done to individuals—such as when the press discloses a deeply em-

barrassing secret about a private ﬁgure—but are not well adapted to

the problems of information privacy law

▲

regulating the ﬂow of personal information in computer databases

and cyberspace.

Intrusion upon Seclusion. The tort of intrusion upon seclusion protects

against the intentional intrusion into one’s “solitude or seclusion” or

“private aﬀairs or concerns” that “would be highly oﬀensive to a rea-

sonable person.”

Although this tort could be applied to the informa-

tion collection techniques of databases, most of the information

collection is not “highly oﬀensive to a reasonable person.” Each par-

ticular instance of collection is often small and innocuous; the danger

is created by the aggregation of information, a state of aﬀairs typically

created by hundreds of actors over a long period of time. Indeed,

courts have thrown out cases for intrusion involving the type of infor-

mation that would likely be collected in databases. For example,

courts have rejected intrusion actions based on obtaining a person’s

unlisted phone number, selling the names of magazine subscribers to

direct mail companies, and collecting and disclosing an individual’s

past insurance history.

Further, intrusion must involve an invasion

of “seclusion,” and courts have dismissed intrusion suits when plain-

tiﬀs have been in public places. With regard to databases, much infor-

mation collection and use occurs in public, and indeed, many parts

of cyberspace may well be considered public places. Therefore, the

tort of intrusion cannot provide an adequate safeguard against the

gathering of personal information for databases.

Public Disclosure of Private Facts. The tort of public disclosure of private

facts creates a cause of action when one makes public “a matter con-

cerning the private life of another” in a way that “(a) would be highly

oﬀensive to a reasonable person, and (b) is not of legitimate concern

to the public.”

Courts have sustained public disclosure suits for

printing a photograph of a woman whose dress was blown up invol-

untarily by air jets; for publishing an article describing an individual’s

unusual disease; and for posting a large sign in a window stating that

a person owed a debt.

Although this tort could conceivably be applied to certain uses of

databases, such as the sale of personal information by the database

the problems of information privacy law

▲

industry, the tort of private facts appears to be designed to redress ex-

cesses of the press, and is accordingly focused on the widespread dis-

semination of personal information in ways that become known to

the plaintiﬀ. In contrast, databases of personal information are often

transferred between speciﬁc companies, not broadcast on the

evening news. Even if marketers disclosed information widely to the

public, the tort is limited to “highly oﬀensive” facts, and most facts in

databases would not be highly oﬀensive if made public. Moreover,

some marketing data may already be in a public record, or by furnish-

ing data in the ﬁrst place, an individual may be deemed to have as-

sented to its dissemination.

Additionally, the disclosure of personal information through the

use and sale of databases is often done in secret. The trade in infor-

mation is done behind closed doors in a kind of underworld that

most people know little about. This secret trading of data is often

completely legal. Thus, it would be diﬃcult for a plaintiﬀ to discover

that such sales or disclosures have been made. Even if people are gen-

erally aware that their data is being transferred, they will often not be

able to ﬁnd out the speciﬁcs—what companies are receiving it and

what these companies plan to do with it. As a result, the public disclo-

sure tort is not well-adapted to combating the ﬂow of personal infor-

mation between various companies.

False Light. The tort of false light is primarily a variation on the

defamation torts of libel and slander, protecting against the giving of

“publicity to a matter concerning another that places the other before

the public in a false light” that is “highly oﬀensive to a reasonable per-

son.”

Like defamation, this tort has limited applicability to the types

of privacy harms created by the collection and use of personal infor-

mation by way of computer databases. Both defamation and false

light protect one’s reputation, but the type of information collected in

databases often is not harmful to one’s reputation.

Appropriation. The tort of appropriation occurs when one “appropri-

ates to his own use or beneﬁt the name or likeness of another.”

the courts, this tort has developed into a form of intellectual property

right in aspects of one’s personhood. The interest protected is the in-

the problems of information privacy law

▲

dividual’s right to “the exclusive use of his own identity, in so far as it

is represented by his name or likeness.”

For example, people can sue

under this tort when their names or images are used to promote a

product without their consent.

Appropriation could be applied to database marketing, which can

be viewed as the use of personal information for proﬁt. However, the

tort’s focus on protecting the commercial value of personal informa-

tion has often prevented it from being an eﬀective tool in grappling

with the database privacy problem. In Dwyer v. American Express Co.,

a court held there was no appropriation when American Express sold

its cardholders’ names to merchants because “an individual name has

value only when it is associated with one of defendants’ lists. Defen-

dants create value by categorizing and aggregating these names. Fur-

thermore, defendants’ practices do not deprive any of the

cardholders of any value their individual names may possess.”

Shibley v. Time, Inc., a court held that there was no action for appro-

priation when magazines sold subscription lists to direct mail com-

panies because the plaintiﬀ was not being used to endorse any

product.

The appropriation tort often aims at protecting one’s eco-

nomic interest in a form of property, and it is most eﬀective at pro-

tecting celebrities who have created value in their personalities. This

is not the same interest involved with privacy, which can be impli-

cated regardless of the economic value accorded to one’s name or

likeness.

An Overarching Problem. Even if it were possible to eliminate the above

diﬃculties with some minor adjustments to the privacy torts, the pri-

vacy problem with databases transcends the speciﬁc injuries and

harms that the privacy torts are designed to redress. By its nature, tort

law looks to isolated acts, to particular infringements and wrongs.

The problem with databases does not stem from any speciﬁc act, but

is a systemic issue of power caused by the combination of relatively

small actions, each of which when viewed in isolation would appear

quite innocuous. Many modern privacy problems are the product of

information ﬂows, which occur between a variety of diﬀerent entities.

There is often no single wrongdoer; responsibility is spread among a

multitude of actors, with a vast array of motives and aims, each doing

the problems of information privacy law

▲

diﬀerent things at diﬀerent times. For example, when a person un-

wittingly ﬁnds herself embroiled in a public news story, the invasive-

ness of the media is often not the product of one particular reporter.

Rather, the collective actions of numerous reporters camping outside

a person’s home and following her wherever she goes severely dis-

rupt her life. The diﬃculty in obtaining a legal remedy for this dis-

ruption is that no one reporter’s actions may be all that invasive or

objectionable. The harm is created by the totality of privacy inva-

sions, but the tort of intrusion upon seclusion only focuses on each

particular actor.

In sum, tort law often views privacy invasions separately and indi-

vidually; but the problems of digital dossiers emerge from the collec-

tive eﬀects of information transactions, combinations, lapses in

security, disclosures, and abusive uses. Therefore, solutions involving

the retooling of tort law will be severely limited in redressing the

problem.

Constitutional Law

The U.S. Constitution protects privacy in a number of ways even

though the word “privacy” does not appear in the document. Al-

though the Constitution does not explicitly provide for a right to pri-

vacy, a number of its provisions protect certain dimensions of privacy,

and the Supreme Court has sculpted a right to privacy by molding to-

gether a variety of constitutional protections. Beyond the U.S. Consti-

tution, many states protect privacy in their own constitutions—some

with an explicit right to privacy.

The U.S. Constitution only protects against state action, and many

databases belong to the private sector. However, since the govern-

ment is often a supplier of information to the private sector and is a

major source of databases, constitutional protection could serve as a

good potential tool for grappling with the problem.

The First Amendment. In addition to protecting free speech, the First

Amendment safeguards the right of people to associate with one an-

other. Freedom of association restricts the government’s ability to de-

mand organizations to disclose the names and addresses of their

the problems of information privacy law

▲

members or to compel people to list the organizations to which they

belong.

As the Supreme Court reasoned, privacy is essential to the

freedom to associate, for it enables people to join together without

having to fear loss of employment, community shunning, and other

social reprisals.

However, privacy of associations is becoming more

diﬃcult in a world where online postings are archived, where a list of

the people a person contacts can easily be generated from telephone

and email records, and where records reveal where a person travels,

what websites she visits, and so on. The Supreme Court has repeatedly

held that the First Amendment protects anonymous speech, and it

can restrict the government from requiring the disclosure of informa-

tion that reveals a speaker’s identity.

However, the First Amendment

only applies when the government plays a role in the compulsion of

the information,

and most of the gathering of personal information

by companies isn’t done under the pressure of any law.

The Fourth and Fifth Amendments. The Fourth Amendment restricts the

government from conducting “unreasonable searches and seizures.”

It typically requires that government oﬃcials ﬁrst obtain judicial au-

thorization before conducting a search. According to the Supreme

Court, “[t]he overriding function of the Fourth Amendment is to pro-

tect personal privacy and dignity against unwarranted intrusion by

the State.”

The Fifth Amendment provides for a privilege against

self-incrimination.

The government cannot compel individuals to

disclose incriminating information about themselves. In , the

Court articulated how the Fourth and Fifth Amendments worked in

tandem to protect privacy. The case was Boyd v. United States.

The

government sought to compel a merchant to produce documents for

use in a civil forfeiture proceeding. The Court held that the govern-

ment could not require the disclosure of the documents because “any

forcible and compulsory extortion of a man’s own testimony or of his

private papers to be used as evidence to convict him of crime or to

forfeit his goods” is an “invasion of his indefeasible right to personal

security, personal liberty and private property.”

As the administrative state blossomed throughout the twentieth

century, the Court sidestepped the broad implications of Boyd.

The administrative state spawned hundreds of agencies and a vast

the problems of information privacy law

▲

bureaucracy that maintained records of personal information. As

William Stuntz notes, “[g]overnment regulation required lots of infor-

mation, and Boyd came dangerously close to giving regulated actors a

blanket entitlement to nondisclosure. It is hard to see how modern

health, safety, environmental, or economic regulation would be pos-

sible in such a regime.”

Therefore, the Court abandoned Boyd, and it

increasingly curtailed the Fourth and Fifth Amendments from regu-

lating the burgeoning government record systems.

The Fourth and Fifth Amendments protect only against govern-

ment infringements, and do nothing to control the collection and use

of information by private bureaucracies. Although it does not apply to

the private sector, the Fourth Amendment does have the potential to

protect against one problem with digital dossiers. The rise of digital

dossiers in the private sector is becoming of increasing interest to law

enforcement oﬃcials. I will discuss this issue in great depth in part III

of this book. As I will demonstrate, the secrecy paradigm has made

the Fourth Amendment practically inapplicable when the govern-

ment seeks to tap into private-sector dossiers. In Smith v. Maryland,

the Court held that there was no reasonable expectation of privacy in

the phone numbers one dials. The Court reasoned that such phone

numbers were not secret because they were turned over to third par-

ties (phone companies).

Similarly, in United States v. Miller, the

Court held that ﬁnancial records possessed by third parties are not

private under the Fourth Amendment.

The Court’s focus—which

stems from the paradigm that privacy is about protecting one’s hid-

den world—leads it to the view that when a third party has access to

one’s personal information, there can be no expectation of privacy in

that information.

The Right to Privacy. Beyond speciﬁc constitutional provisions, the

Supreme Court has held that the Constitution implicitly protects

privacy. In ,inGriswold v. Connecticut, the Court held that a

state could not ban the use of or counseling about contraceptives

because it invaded the “zone of privacy” protected by the Constitu-

tion.

Although there is no part of the Bill of Rights that directly es-

tablishes a right to privacy, such a right is created by the

“penumbras” of many of the  amendments that form the Bill of

the problems of information privacy law

▲

Rights. In Roev.Wade, the Court held that the right to privacy “is

broad enough to encompass a woman’s decision whether or not to

terminate her pregnancy.”

In the  decision, Whalen v. Roe, the Supreme Court extended

substantive due process privacy protection to information privacy.

New York passed a law requiring that records be kept of people who

obtained prescriptions for certain addictive medications. Plaintiﬀs

argued that the statute infringed upon their right to privacy. The

Court held that the constitutionally protected “zone of privacy” ex-

tends to two distinct types of interests: () “independence in making

certain kinds of important decisions”; and () the “individual interest

in avoiding disclosure of personal matters.”

The former interest re-

ferred to the line of cases beginning with Griswold which protected

people’s right to make decisions about their health, bodies, and pro-

creation. The latter interest, however, was one that the Court had not

previously deﬁned.

The plaintiﬀs argued that they feared the greater accessibility of

their personal information and the potential for its disclosure. As a re-

sult of this fear, they argued, many patients did not get the prescrip-

tions they needed and this interfered with their independence in

making decisions with regard to their health. The Court, however,

held that the constitutional right to information privacy required only

a duty to avoid unreasonable disclosure, and that the state had taken

adequate security measures.

The plaintiﬀs’ argument, however, was not that disclosure was the

real privacy problem. Rather, the plaintiﬀs were concerned that the

collection of and greater access to their information made them lose

control over their information. A part of themselves—a very impor-

tant part of their lives—was placed in the distant hands of the state

and completely outside their control. This is similar to the notion of a

chilling eﬀect on free speech, which is not caused by the actual en-

forcement of a particular law but by the fear created by the very exis-

tence of the law. The Court acknowledged that the court record

supported the plaintiﬀs’ contention that some people were so dis-

traught over the law that they were not getting the drugs they needed.

However, the Court rejected this argument by noting that because

over , prescriptions had been ﬁlled before the law had been

the problems of information privacy law

▲

enjoined, the public was not denied access to the drugs.

The prob-

lem with the Court’s response is that the Court failed to indicate how

many prescriptions had been ﬁlled before the law had been passed.

Without this data, there is no way to measure the extent of the deter-

rence. And even if there were only a few who were deterred, the anxi-

ety caused by living under such a regime must also be taken into

account.

The famous case of Doe v. Southeastern Pennsylvania Transporta-

tion Authority (SEPTA) best illustrates how the constitutional right to

information privacy fails to comprehend the privacy problem of data-

bases.

The plaintiﬀ Doe was HIV positive and told two doctors (Dr.

Press and Dr. Van de Beek) at his work about his condition but no-

body else. He strove to keep it a secret. His employer, SEPTA, a self-in-

sured government agency, maintained a prescription drug program

with Rite-Aid as the drug supplier. SEPTA monitored the costs of its

program. Doe was taking a drug used exclusively in the treatment of

HIV, and he asked Dr. Press whether the SEPTA oﬃcials who reviewed

the records would see the names for the various prescriptions. Dr.

Press said no, and Doe had his prescription ﬁlled under the plan. Un-

fortunately, even though SEPTA never asked for the names, Rite-Aid

mistakenly supplied the names corresponding to prescriptions when

it sent SEPTA the reports. Pierce, the SEPTA oﬃcial reviewing the

records, became interested in Doe’s use of the drug and began to in-

vestigate. She asked Dr. Van de Beek about the drug, and he told her

what the drug was used for but would not answer any questions

about the person using the drugs. Pierce also asked questions of Dr.

Press, who informed Doe of Pierce’s inquiry.

This devastated Doe. Doe began to fear that other people at work

had found out. He began to perceive that people were treating him

diﬀerently. However, he was not ﬁred, and in fact, he was given a pro-

motion. The court of appeals held that the constitutional right to in-

formation privacy had not been violated because there had not been

any disclosure of conﬁdential information.

Pierce had merely in-

formed doctors who knew already. Doe oﬀered no proof that anybody

else knew, and accordingly, the court weighed his privacy invasion as

minimal.

the problems of information privacy law

▲

However, this missed the crux of Doe’s complaint. Regardless of

whether he was imagining how his co-workers were treating him, he

was indeed suﬀering a real, palpable fear. His injury was the power-

lessness of having no idea who else knew he had HIV, what his em-

ployer thought of him, or how the information could be used against

him. This feeling of unease changed the way he perceived everything

at his place of employment. The privacy problem wasn’t merely the

fact that Pierce divulged his secret or that Doe himself had lost con-

trol over his information, but rather that the information appeared to

be entirely out of anyone’s control. Doe was in a situation similar to

that of Kafka’s Joseph K.—waiting endlessly for the ﬁnal verdict. He

was informed that information about him had been collected; he

knew that his employer had been investigating; but the process

seemed to be taking place out of his sight. To some extent, he experi-

enced the desperation that Joseph K. experienced—he knew that in-

formation about him was out there in the hands of others and that

these people were in fact doing something with that information, but

he had no participation in the process.

Statutory Law

Since the early s, Congress has passed over  laws pertaining to

privacy. Unlike the European Union, which adopted a general direc-

tive providing for comprehensive privacy protection,

the United

States has not enacted measures of similar scope. Instead, Congress

has passed a series of statutes narrowly tailored to speciﬁc privacy

problems.

The Fair Credit Reporting Act (FCRA) of , which regulates

credit reporting agencies, fails to adequately restrict secondary uses

and disclosures of that information.

Although inspired by allega-

tions of abuse and lack of responsiveness of credit agencies, the FCRA

was severely weakened due to the eﬀective lobbying of the credit re-

porting industry.

The Act permits credit reporting companies to sell

the “credit header” portion of credit histories (which contains names,

addresses, former addresses, telephone number, SSN, employment

information, and birthdate) to marketers.

The FCRA does little to

the problems of information privacy law

▲

equalize the unbalanced power relationship between individuals and

credit reporting companies.

Congress’s most signiﬁcant piece of privacy legislation in the

s—the Privacy Act of —regulates the collection and use of

records by federal agencies, giving individuals the right to access and

correct information in these records.

The Privacy Act is a good be-

ginning, but it remains incomplete. In particular, it applies only to

agencies of the federal government, and has no applicability to the

use of databases by businesses and marketers.

The Family Educational Rights and Privacy Act of  (FERPA),

also known as the Buckley Amendment, regulates the accessibility of

student records. The FERPA remains quite narrow, only applying to a

subset of records in one limited context (education). Excluded are

campus security records and health and psychological records.

The Cable Communications Policy Act (CCPA) of  requires ca-

ble operators to inform subscribers about the nature and uses of per-

sonal information collected.

The law prohibits any disclosure that

reveals the subscriber’s viewing habits, and it is enforced with a pri-

vate cause of action. The statute, however, applies only to cable oper-

ators and it has a broad exception where personal data can be

disclosed for a “legitimate business activity.” Nevertheless, the CCPA

is an important ﬁrst step in giving consumers control over their cable

records.

In , Congress modernized electronic surveillance laws when it

passed the Electronic Communications Privacy Act (ECPA).

The

ECPA extends the protections of the federal wiretap law of  to new

forms of voice, data, and video communications, including cellular

phones and email. The ECPA restricts the interception of transmitted

communications and the searching of stored communications. The

focus of the law is on regulating surveillance. The diﬃculties of the

ECPA in responding to the challenges of computer databases is illus-

trated by the case In re DoubleClick, Inc. Privacy Litigation.

A group

of plaintiﬀs proﬁled by DoubleClick contended that DoubleClick’s

placing and accessing cookies on their hard drives constituted unau-

thorized access in violation of ECPA. The court concluded that the

ECPA didn’t apply to DoubleClick because its cookies were perma-

the problems of information privacy law

▲

nent and ECPA restricted unauthorized access only to communica-

tions in “temporary, intermediate storage.” Additionally, DoubleClick

didn’t illegally intercept a communication in violation of the ECPA

because DoubleClick was authorized to access the cookies by the

websites that people visited. The DoubleClick case illustrates that the

ECPA is not well-tailored to addressing a large portion of private-sec-

tor information gathering in cyberspace.

After reporters obtained Supreme Court Justice nominee Robert

Bork’s videocassette rental data, Congress passed the Video Privacy

Protection Act (VPPA) of ,

which has become known as the Bork

Bill. The VPPA prohibits videotape service providers from disclosing

the titles of the videos a person rents or buys. People are authorized

to sue if the statute is violated.

However, the Act only applies to

video stores, and no similar restrictions are placed on bookstores,

record stores, or any other type of retailer, magazine producer, or cat-

alog company.

The Telephone Consumer Protection Act (TCPA) of  permits in-

dividuals to sue a telemarketer for damages up to $ for each call

received after requesting not to be called again.

If the telemarketer

knowingly breaks the law, then the penalty is trebled. The TCPA, how-

ever, aims at redressing the aggravation of disruptive phone calls, and

it does not govern the collection, use, or sale of personal data.

In , Congress ﬁnally addressed the longstanding practice of

many states of selling personal information in their motor vehicle

records to marketers. The Driver’s Privacy Protection Act of 

(DPPA) limits this practice, forcing states to acquire a driver’s consent

before disclosing personal information to marketers.

Although the

DPPA is an important step in controlling government disclosures of

personal information to the private sector, it applies only in the con-

text of motor vehicle records. States are not limited in disclosing in-

formation contained in the numerous other forms of records they

maintain.

In , Congress passed the Health Insurance Portability and Ac-

countability Act (HIPAA) to help standardize medical information so

it could be transferred more easily between diﬀerent databases.

Since this raised privacy concerns, Congress ordered the Department

the problems of information privacy law

▲

of Health and Human Services (HHS) to regulate the privacy of med-

ical records. HHS’s regulations, among other things, require authori-

zation for all uses and disclosures beyond those for treatment,

payment, or health care operation (such as for marketing purposes).

The HIPAA regulations have apparently pleased nobody. Doctors and

hospitals complain that the regulations are too complicated, cumber-

some, and expensive to follow. Advocates for privacy ﬁnd the regula-

tions weak and ineﬀective.

The ﬁrst federal law directly addressing privacy in cyberspace, the

Children’s Online Privacy Protection Act (COPPA) of , regulates

the collection of children’s personal information on the Internet.

Websites targeted at children must post privacy policies and must ob-

tain parental consent in order to use children’s personal information.

But the law’s reach is limited. It applies only to children’s websites or

when the website operator “has actual knowledge that it is collecting

personal information from a child.”

Only children under age  are

covered. Additionally, as privacy law expert Anita Allen argues, the

law forces parents to become involved in their children’s Internet ac-

tivities when some parents “may want their children to have free ac-

cess to the Internet for moral or political reasons.” Allen concludes

that “COPPA is among the most paternalistic and authoritarian of the

federal privacy statutes thus far.”

The Gramm-Leach-Bliley (GLB) Act of  permits any ﬁnancial

institution to share “nonpublic personal information” with aﬃliated

companies.

However, people can opt-out when a company discloses

personal information to third parties.

In practice, the GLB Act

greatly facilitates the disclosure of people’s information. Given the

large conglomerates of today’s corporate world, aﬃliate sharing is

signiﬁcant. For example, Experian, one of the three largest credit re-

porting agencies, was purchased by Great Universal Stores, a British

retail corporation, which also acquired Metromail, Inc., a direct-mar-

keting company.

The Act applies only to “nonpublic” information,

and much of the information aggregated in databases (such as one’s

name, address, and the like) is often considered to be public. Addi-

tionally, the Act’s opt-out right is ineﬀective. As legal scholars Ted

Janger and Paul Schwartz argue, the ﬁnancial institution has “supe-

rior knowledge” and the GLB “leaves the burden of bargaining on the

the problems of information privacy law

▲

less informed party, the individual consumer.”

They conclude that

“[a]n opt-out default creates incentives for privacy notices that lead

to inaction by the consumer.”

In sum, the federal laws are a start, but they often give people only

a very limited form of control over only some of their information and

frequently impose no system of default control on other holders of

such information.

Although the statutes help in containing the

spread of information, they often fail to adequately address the un-

derlying power relationships and contain broad exceptions and loop-

holes that limit their eﬀectiveness.

Furthermore, the federal statutes cover only a small geography of

the database problem. As privacy law expert Joel Reidenberg has

pointed out, the laws are “sectoral” in nature, dealing with privacy in

certain contexts but leaving gaping holes in others.

“This mosaic ap-

proach,” he observes, “derives from the traditional American fear of

government intervention in private activities and the reluctance to

broadly regulate industry. The result of the mosaic is a rather haphaz-

ard and unsatisfactory response to each of the privacy concerns.”

Thus, the federal privacy statutes form a complicated patchwork of

regulation with signiﬁcant gaps and omissions. For example, federal

regulation covers federal agency records, educational records, cable

television records, video rental records, and state motor vehicle

records, but it does not cover most records maintained by state and

local oﬃcials, as well as a host of other records held by libraries, char-

ities, and merchants (i.e., supermarkets, department stores, mail or-

der catalogs, bookstores, and the like). The COPPA protects the

privacy of children under  on the Internet, but there is no protection

for adults. As political scientist Colin Bennett observes, “[t]he ap-

proach to making privacy policy in the United States is reactive rather

than anticipatory, incremental rather than comprehensive, and frag-

mented rather than coherent. There may be a lot of laws, but there is

not much protection.”

Second, many of Congress’s privacy statutes are hard to enforce. It

is often diﬃcult, if not impossible, for an individual to ﬁnd out if in-

formation has been disclosed. A person who begins receiving unso-

licited marketing mail and email may have a clue that some entity has

disclosed her personal information, but that person often will not be

the problems of information privacy law

▲

able to discover which entity was the culprit. Indeed, the trade in per-

sonal information is a clandestine underworld, one that is not ex-

posed suﬃciently by federal privacy regulation to enable eﬀective

enforcement.

The Kafka metaphor illustrates that the problem with digital

dossiers involves the fact that our personal information is not only

out of our control but also is often placed within a bureaucratic

process that lacks control and discipline in handling and using such

information. The federal statutes have certainly made advances in

protecting against this problem, and they demonstrate that Con-

gress’s resolve to protect privacy has remained strong for over 

years. But much more work remains to be done.

The FTC and Unfair and Deceptive Practices

Since , the Federal Trade Commission (FTC) has been bringing

actions against companies that violate their own privacy policies. The

FTC has interpreted the FTC Act, which prohibits “unfair or deceptive

acts or practices in or aﬀecting commerce,”

to be infringed when a

company breaks a promise it made in its privacy policy. The FTC can

bring civil actions and seek injunctive remedies. Since it began en-

forcing the Act in this manner, the FTC has brought several high-

proﬁle cases, almost all of which have resulted in settlements.

Yet, the FTC has been rather weak and reactive in its enforcement

of privacy policies.

In a number of cases involving companies engag-

ing in blatant breaches of their own privacy policies, the FTC has set-

tled, simply requiring companies to sin no more.

A recent case

involving Microsoft, however, suggests that the FTC might become

more proactive. Microsoft’s Passport maintains the personal informa-

tion of Internet users to allow them to use a single username and

password to access many diﬀerent websites without having to sign on

to each separately. Although Microsoft promised in its privacy policy

that it protected Passport information with “powerful online security

technology,” the FTC concluded that Microsoft did not provide ade-

quate security. Microsoft and the FTC agreed on a settlement where

Microsoft must create a better system of security.

Unlike most cases

the problems of information privacy law

▲

before the FTC, the security problems of Microsoft’s Passport had not

yet resulted in a major security breach.

In the end, however, the FTC is limited in its reach. It only ensures

that companies keep their promises. As Paul Schwartz notes, if a web-

site doesn’t make a promise about privacy, then it will “fall outside of

the FTC’s jurisdiction.”

Unfortunately, the FTC has only limited time

and resources, and its “privacy protection activities already are

dwarfed by its more aggressive investigations of fraud and deceptive

marketing practices on the Internet.”

A World of Radical Transparency: Freedom of Information Law

Some commentators suggest that there is little the law can do to pro-

tect privacy in the Information Age. In The Transparent Society, tech-

nology commentator David Brin argues that privacy is dead:

[I]t is already far too late to prevent the invasion of cameras and

databases. The djinn cannot be crammed back into its bottle. No

matter how many laws are passed, it will prove quite impossible

to legislate away the new surveillance tools and databases. They

are here to stay. Light is going to shine into every corner of our

lives.

Brin suggests that we abandon privacy in favor of a transparent soci-

ety, one where everything is out in the open, where we watch the

watchers, where we have the ability to monitor the elites—the politi-

cians and the corporate leaders—just as much as they have the ability

to monitor us. “[W]e may not be able to eliminate the intrusive glare

shining on citizens of the [twenty-ﬁrst century],” Brin observes, “but

the glare just might be rendered harmless through the application of

more light aimed in the other direction.”

We should thus regulate in

favor of mandating free access to information. According to Brin, a

truly transparent society would hold accountable those who would

violate our privacy.

Brin fails to realize that aﬀording mutuality of access to informa-

tion will do little to empower ordinary individuals. The reason is that

information is much more of an eﬀective tool in the hands of a large

the problems of information privacy law

▲

bureaucracy. Information is not the key to power in the Information

Age—knowledge is. Information consists of raw facts. Knowledge is

information that has been sifted, sorted, and analyzed. The mere pos-

session of information does not give one power; it is the ability to

process that information and the capability to use the data that mat-

ter. In order to solve the problem, a transparent society would have to

make each individual as competent as bureaucratic organizations in

processing information into knowledge.

The Law of Information Privacy and Its Shortcomings

As this chapter has demonstrated, the law of information privacy is

quite extensive. It developed in response to certain vexing privacy

problems, often created by new technologies. The Warren and Bran-

deis privacy torts were inspired by new photographic technology and

a rapidly growing media that was becoming very sensationalistic. The

types of injuries Warren and Brandeis had in mind were those caused

by intrusive newsgathering techniques and by publishing private in-

formation in the newspapers. In the mid-twentieth century, during

the Cold War, the law focused heavily on surveillance, which had be-

come one the central threats to privacy. These times witnessed the

growth of electronic communication along with new means of elec-

tronic espionage such as wiretapping, bugging devices, and video

cameras. Americans feared the terrible totalitarian regimes of Nazi

Germany, the Soviet Union, and Eastern Europe, all of which em-

ployed extensive monitoring of their citizens’ private lives as well as

secret police and spies to maintain strict control. Law enforcement

oﬃcials in the United States also increasingly resorted to the use of

surveillance, with the rapidly growing FBI leading the way. It is there-

fore certainly not surprising that the privacy law forged during these

times was devoted to ameliorating the kinds of harms so perfectly

captured in Orwell’s 1984.

However, the advent of the computer, the proliferation of data-

bases, and the birth of the Internet have created a new breed of pri-

vacy problems. The Orwellian dangers have certainly not

disappeared; nor have the harms created by the sensationalistic me-

dia. But the rise of digital dossiers has created new and diﬀerent

the problems of information privacy law

▲

problems. New privacy laws have been created in response. The con-

stitutional right to information privacy has emerged in the courts as a

spinoﬀ of the regular constitutional right to privacy. Congress and the

states have passed numerous statutes to regulate the collection and

use of personal information. The FTC has started to bring enforce-

ment actions against companies that fail to live up to their privacy

promises. All of these developments have been promising, but as I

have shown throughout this chapter, the law of privacy has not dealt

eﬀectively with the new problems created by digital dossiers. The rea-

son is that the law still harbors conceptions of privacy that are not re-

sponsive to the realities of the Information Age. These new privacy

problems are not isolated infringements, but are systematic and di-

ﬀuse. They are often not created by a single perpetrator, but by a com-

bination of actors often without sinister purposes. The problems

caused by digital dossiers are quite broad, and they apply to the entire

information economy, making the narrow federal statutes inapplica-

ble to a large portion of the ﬂow of personal information. Enforcing

rights and remedies against the collection and use of personal infor-

mation is very diﬃcult since much information ﬂow occurs without

people even knowing about it.

So what can be done? I have demonstrated some of the law’s short-

comings. Can the law adequately respond to these problems? This

question will be the focus of the next chapter and beyond.

the problems of information privacy law

▲

The Limits of

Market-Based Solutions

Many solutions to the problems of privacy and information are mar-

ket-based, relying on property rights or contractual default rules to

regulate the ﬂow of information. Does the market already adequately

protect privacy? Or can the market, with minor tinkering, develop

eﬀective privacy protection? Or must a more radical reconstruction of

the market be undertaken?

Market-Based Solutions

Property Rights and Contract. The notion of “control of personal infor-

mation” is one of the most dominant conceptions of privacy. As pri-

vacy expert Alan Westin declares: “Privacy is the claim of individuals,

groups, or institutions to determine for themselves when, how, and to

what extent information about them is communicated to others.”

Numerous other scholars embrace this deﬁnition.

Theorists who view privacy as control over information frequently

understand it within the framework of property and contract con-

cepts. This is not the only way control can be understood, but the

▲

leading commentators often deﬁne it in terms of ownership—as a

property right in information.

Understood in such terms, control

over something entails a bundle of legal rights of ownership, such as

rights of possession, alienability, exclusion of others, commercial ex-

ploitation, and so on.

This is what leads Westin to conclude: “[P]er-

sonal information, thought of as the right of decision over one’s

private personality, should be deﬁned as a property right.”

The mar-

ket discourse focuses the debate around who should own certain

kinds of information as well as what the appropriate contractual rules

should be for trading personal information.

Therefore, in addition to property rights, contract law plays an

important role in regulating privacy. Parties can make contractual

agreements about privacy at the outset of forming a relationship. In

certain instances, courts have held that even though the contract

did not speciﬁcally mention privacy, it is an implied term in the con-

tract. The common law tort of breach of conﬁdentiality embodies

this view. It enables people to sue for damages when a party

breaches a contractual obligation (often implied rather than ex-

press) to maintain conﬁdentiality. This tort primarily protects the

privacy of the patient-physician relationship.

The tort also has been

used to protect against banks breaching the conﬁdences of their

customers.

Implied contractual terms are a form of default rule in the con-

tract. Contractual default rules are the initial set of rules that regulate

market transactions. These rules are merely a starting point; they

govern only when the parties to a transaction do not negotiate for a

diﬀerent set of rules. As legal scholar Ian Ayres and economist Robert

Gertner explain, “default rules” are rules “that parties can contract

around by prior agreement” while “immutable rules” (or inalienabil-

ity rules) are rules that “parties cannot change by contractual agree-

ment.”

Most market proponents favor default rules that can be

bargained around. Market solution proponents, however, are cer-

tainly not in agreement over the types of property entitlements and

contractual default rules that should be required. But once these are

established, then the market can do the rest. People and companies

can buy and sell personal information and make contracts about

the protection of privacy. For example, a number of commentators

the limits of market-based solutions

▲

recommend contractual solutions to safeguard privacy, such as

where consumers license the use of their data to businesses.

Although some might argue that personal information is owned by

the individual to whom it pertains based on a natural rights theory or

some form of inherent connection, many commentators who ap-

proach privacy in terms of property rights assign initial entitlements

instrumentally. They claim that the market will achieve the ideal

amount of privacy by balancing the value of personal information to

a company (i.e., its commercial value in the marketplace) against the

value of the information to the individual and the larger social value

of having the information within the individual’s control.

The role of

law is to assign the initial entitlements. Thus, the debate in this dis-

course centers around who should own certain kinds of information.

So who should own personal information when people transact

with businesses? The individuals to whom the information pertains?

Or the companies that collect it?

Judge Richard Posner suggests that the law should often favor the

companies over the individuals. Posner translates control of informa-

tion into property concepts. Society should provide individuals a

property right in true information about themselves when it will fos-

ter more eﬃcient transactions.

With regard to the sale of customer

lists, Posner argues that “the costs of obtaining subscriber approval

would be high relative to the value of the list.” He concludes: “If,

therefore, we believe that these lists are generally worth more to the

purchasers than being shielded from possible unwanted solicitations

is worth to subscribers, we should assign the property right to the

[companies]; and the law does this.”

In contrast, law professor Richard Murphy concludes that in many

instances, contractual default rules mandating conﬁdentiality of per-

sonal information are more eﬃcient than default rules permitting

disclosure.

For Murphy, privacy has “substantial economic beneﬁts”

because “[u]nless a person can investigate without risk of reproach

what his own preferences are, he will not be able to maximize his own

happiness.”

Likewise, Jerry Kang views personal information as a form of prop-

erty and advocates for a market solution. He recognizes that there are

compelling non-market perceptions of privacy that view privacy as a

the limits of market-based solutions

▲

human value and that this way of understanding privacy is “poorly

translated, if at all, into eﬃciency terms.” Nevertheless, he favors the

market approach. Kang recognizes that merely assigning a default

rule as to the ownership of information will be ineﬀective because in-

dividuals lack convenient ways to ﬁnd out what information about

them is collected and how it is used. Thus, he advocates a contractual

default rule that “personal information may be processed in only

functionally necessary ways” and that parties are “free to contract

around the default rule.” Kang claims that inalienability rules would

be too paternalistic because individuals should be able to sell or dis-

close their information if they desire. Inalienability rules will risk “sur-

rendering control over information privacy to the state.”

Internet law expert Lawrence Lessig also recommends a market-

based approach. He argues that a property regime permits each indi-

vidual to decide for herself what information to give out and “protects

both those who value their privacy more than others and those who

value it less.” Lessig notes that our existing system of posting privacy

policies and enabling consumers to opt in or out has high transaction

costs because people do not have “the time or patience to read

through cumbersome documents describing obscure rules for con-

trolling data.” Therefore, Lessig recommends that computer software

be crafted to act akin to an “electronic butler,” negotiating our privacy

concerns: “The user sets her preferences once—speciﬁes how she

would negotiate privacy and what she is willing to give up—and from

that moment on, when she enters a site, the site and her machine ne-

gotiate. Only if the machines can agree will the site be able to obtain

her personal data.”

In other words, Lessig suggests a technological

implementation for a market system where people have property

rights in their information.

Self-Regulation. Some commentators—especially people in the data-

base industry—argue that the market is functioning optimally and is

already adequately accounting for privacy concerns.

The market,

they argue, is already treating personal information as a property

right owned by individuals. Companies have increasingly been

adopting privacy policies, which can operate as a form of contractual

promise limiting the future uses of the information. The exchange of

the limits of market-based solutions

▲

personal information for something of value is already beginning to

take place. Many websites require people to supply personal informa-

tion in order to gain access to information on the website. Under the

market approach, this practice can be justiﬁed as an information

trade.

In order to receive such services as book recommendations,

software upgrades, free email, and personal web pages, users must re-

linquish personal information not knowing its potential uses. In

short, useful information and services are being exchanged for per-

sonal information, and this represents the going “price” of privacy.

Moreover, there are market incentives for companies to keep their

data secret and to be honest about their data collection. There have

been a number of instances where companies have canceled various

initiatives due to public outcry over privacy. For example, in response

to privacy concerns, Yahoo! eliminated the reverse telephone number

search from its People Search site.

In the early s, in response to a

public outcry, Lotus Corporation scrapped plans to sell a database

containing the names, addresses, income brackets, and lifestyle data

of  million citizens.

In , Lexis-Nexis announced its P-TRAK

Personal Locator, which would provide addresses, maiden names,

and SSNs of millions of people. After an intensive -day outcry by In-

ternet users, Lexis-Nexis canceled P-TRAK.

In , AOL halted its

plans to sell customers’ phone numbers to direct marketing ﬁrms.

Furthermore, proponents of self-regulation argue that information

ﬂow has many beneﬁcial uses. Legal scholar Fred Cate contends that

information ﬂow makes the consumer credit system cheaper and

faster, “enhances customer convenience and service,” and enables

businesses “to ascertain customer needs accurately and meet those

needs rapidly and eﬃciently.”

Many people want some targeted

marketing and enjoy receiving information about products more tai-

lored to their tastes.

Cate points out that self-regulation is “more ﬂexible and more sen-

sitive to speciﬁc contexts and therefore allow[s] individuals to deter-

mine a more tailored balance between information uses and privacy

than privacy laws do.” The most eﬀective way for people to protect

their privacy, Cate contends, is to take actions themselves.

Law professor Eric Goldman argues that “consumers’ stated pri-

vacy concerns diverge from what consumers do.” People are quick to

the limits of market-based solutions

▲

say in the abstract that they want privacy, but when oﬀered money or

discounts in return for their personal information, they readily relin-

quish it. “[P]eople won’t take even minimal steps to protect them-

selves,” Goldman asserts, “[so] why should government regulation do

it for them?” Finally, Goldman argues, “online businesses will invest

in privacy when it’s proﬁtable.”

Thus, the self-regulation proponents conclude that to the extent

that consumers want their privacy protected, the market will respond

to this demand and appropriately balance it against other interests.

The fact that privacy is not aﬀorded much protection demonstrates

that people value other things more than privacy—such as eﬃcient

and convenient transactions.

Misgivings of the Market

Understanding the privacy problem of databases in terms of the

Kafka metaphor—our helplessness and vulnerability in the face of the

powerful bureaucracies that handle our personal data—reveals that

there are several deﬁciencies in market solutions.

The Limitations of Contract Law. Although contract law can protect pri-

vacy within relationships formed between parties, it does not redress

privacy invasions by third parties outside of the contractual bonds.

Warren and Brandeis recognized this problem back in  when they

spoke of new photographic technologies. Cameras had been quite

large, and people had to pose to have their picture taken. This would

likely require people to establish some sort of contractual relation-

ship with the photographer. But the development of cheaper portable

cameras in the s enabled strangers to take pictures without the

subject ever knowing.

Today, our personal information is increasingly obtained by people

and organizations that have never established any relationship with

us. For example, as public health law expert Lawrence Gostin notes,

the law of patient-physician conﬁdentiality “is premised on the exis-

tence of a relationship between a physician and a patient, although

most health information is not generated within this relationship.”

Information is often maintained not just by one’s physician, but one’s

the limits of market-based solutions

▲

health plan, government agencies, health care clearinghouse organi-

zations, and many others.

Problems with Bargaining Power. There are great inequalities in bargain-

ing power in many situations involving privacy, such as employment

contracts or contracts between big corporations and individuals.

How many people are able to bargain eﬀectively over their contracts

with their Internet Service Providers, cable providers, telephone com-

panies, and the like? Oscar Gandy observes that “individuals are

largely ‘contract term takers’ in the bulk of their economic relations

with organizations.”

People frequently accede to standardized con-

tract terms without putting up much of a ﬁght.

Nor does it appear that market competition is producing a wide

menu of privacy protections. Companies only rarely compete on the

basis of the amount of privacy they oﬀer. People often do not weigh

privacy policies heavily when choosing companies. For example,

people rarely choose phone companies based on their privacy poli-

cies.

Self-regulatory proponents would respond that this fact indicates

that privacy isn’t very important to most people. If people really cared

about privacy, the self-regulators argue, then they would refuse to

deal with companies oﬀering inadequate levels of privacy. But as Paul

Schwartz contends, there are coordination problems because “indi-

viduals may have diﬃculty ﬁnding eﬀective ways to express collec-

tively their relative preferences for privacy.”

Although more companies that routinely collect and use personal

information are posting privacy policies, these policies have several

diﬃculties. Privacy policies are often written in obtuse prose and

crammed with extraneous information.

But market proponents—

especially those favoring self-regulation—counter that many people

don’t bother to read privacy policies. This may not necessarily stem

from their turgid prose, but from the fact that consumers don’t want

to take the time to read them. Perhaps people just don’t care.

However, perhaps the lack of interest in privacy policies may stem

from the fact that the policies hardly amount to a meaningful con-

tract, where the parties bargain over the terms. Privacy policies are lit-

tle more than “notices” about a company’s policies rather than a

the limits of market-based solutions

▲

contract. Privacy policies tend to be self-indulgent, making vague

promises such as the fact that a company will be careful with data;

that it will respect privacy; that privacy is its number one concern.

These public relations statements are far from reliable and are often

phrased in a vague, self-aggrandizing manner to make the corpora-

tion look good. What consumers do not receive is a frank and detailed

description of what will and will not be done with their information,

what speciﬁc information security measures are being taken, and

what speciﬁc rights of recourse they have. People must rely on the

good graces of companies that possess their data to keep it secure

and to prevent its abuse. They have no say in how much money and

eﬀort will be allocated to security; no say in which employees get ac-

cess; and no say in what steps are taken to ensure that unscrupulous

employees do not steal or misuse their information. Instead, privacy

policies only vaguely state that the company will treat information se-

curely. Particular measures are not described, and individuals have

no control over those measures.

Most privacy policies provide no way for customers to prevent

changes in the policy, and they lack a binding enforcement mecha-

nism. Frequently, companies revise their privacy policies, making it

even more diﬃcult for an individual to keep track. Yahoo!’s privacy

policy indicates that it “may change from time to time, so please

check back periodically.”

AOL once told its subscribers that their pri-

vacy preferences had expired and that if they did not ﬁll out a new

opt-out form, then their personal information would be distributed

to marketers.

Further, personal information databases can be sold to

other businesses with less protective privacy policies, especially when

a company goes bankrupt. For example, in , Internet toy retailer

Toysmart.com ﬁled for bankruptcy and attempted to auction oﬀ its

personal information database of over , customers.

Dot-com

bankruptcies create a breakdown in the relationship between compa-

nies and consumers, resulting in little incentive for the bankrupt

company to take measures to protect consumer data. Personal infor-

mation databases are often a company’s most valuable asset and

could be sold to third parties at bankruptcy to pay oﬀ creditors.

Second, to the extent that privacy policies do provide individuals

with privacy protection, it is often provided with an opt-out system,

the limits of market-based solutions

▲

in which personal data can be collected and used unless the individ-

ual expressly says no. Opt-out systems require individuals to check a

box, send a letter, make a telephone call, or take other proactive steps

to indicate their preferences. However, these steps are often time-

consuming. There are too many collectors of information for a right

of opt-out to be eﬀective. Without a centralized mechanism for indi-

viduals to opt-out, individuals would have to spend much of their

time guarding their privacy like a hawk.

The Direct Marketing Association (DMA) has established a system

where consumers can be placed on a no-solicitation list. This is es-

sentially a database of people who do not want to be in databases.

The service records their preference, but does not remove their name

from any list.

The database is then sent to the subscribing compa-

nies so that they can stop mailings to those names.

However, many

people are unaware of this option, numerous companies are not

members of the DMA, and many members fail to comply with DMA

guidelines. As legal scholar Jeﬀ Sovern argues, opt-out systems pro-

vide little incentive to companies to make opting-out easy; “compa-

nies will incur transaction costs in notifying consumers of the

existence of the opt-out option and in responding to consumers who

opt out.”

Since companies want to use personal information, their

incentive in an opt-out system is to make opting-out more diﬃcult.

These problems arise because people often lack suﬃcient bargain-

ing power over their privacy. As privacy law expert Peter Swire ob-

serves, it is diﬃcult for consumers to bargain with large corporations

about their privacy because they lack expertise in privacy issues and

because it takes substantial time and eﬀort.

Information collection

is duplicitous, clandestine, and often coerced. The law currently does

not provide meaningful ability to refuse to consent to relinquish in-

formation. The FCRA, for example, mandates that individuals con-

sent before an employer can obtain their credit report. According to

Joel Reidenberg: “Frequently, individuals will be asked to sign blanket

consent statements authorizing inquiry into credit reporting agency

ﬁles and disclosures of information for any purpose. These consents

rarely identify the credit reporting agencies or all the uses to which

the personal information will be put.”

This consent is virtually

meaningless. When people seek medical care, among the forms they

the limits of market-based solutions

▲

sign are general consent forms which permit the disclosure of one’s

medical records to anyone with a need to see them. Giving people

property rights or default contract rules is not suﬃcient to remedy

the problem because it does not address the underlying power in-

equalities that govern information transactions. Unless these are ad-

dressed, any privacy protections will merely be “contracted” around,

in ways not meaningful either to the problem or to the contract no-

tions supposedly justifying such a solution. People will be given con-

sent forms with vague ﬁne-print discussions of the contractual

default privacy rules that they are waiving, and they will sign them

without thought. As Julie Cohen correctly contends, “[f]reedom of

choice in markets requires accurate information about choices and

other consequences, and enough power—in terms of wealth, num-

bers, or control over resources—to have choices.”

The bargaining

process must be made easier. The way things currently stand, most

people don’t know even know where to begin if they want to assert

their preference for privacy.

The One-Size-Fits-All Problem. Even assuming these problems could be

dealt with, a number of additional diﬃculties remain that prevent in-

dividuals from exercising their preferences to protect their privacy.

Aﬀording individuals a right to control their personal data improperly

assumes that individuals have the ability to exercise meaningful con-

trol over their information.

Paul Schwartz notes how consent

screens on a website asking users to relinquish control over informa-

tion often do so on a “take-it-or-leave-it basis” resulting in the “ﬁc-

tion” that people have “expressed informed consent to [the website’s]

data processing practices.”

Individuals are often presented with an

all-or-nothing choice: either agree to all forms of information collec-

tion and use or to none whatsoever. Such a limited set of choices does

not permit individuals to express their preferences accurately. Indi-

viduals frequently desire to consent to certain uses of their personal

information, but they do not want to relinquish their information for

all possible future uses.

For example, a person may want to purchase books from an online

bookseller. Suppose that the person’s privacy preferences consist of

the information being kept very secure, not being disclosed to the

the limits of market-based solutions

▲

government, and not being traded or disclosed to other companies

(even in the event that the company goes bankrupt). But the online

bookseller’s privacy policy is standardized and often does not address

these points with any reasonable degree of speciﬁcity. And since pri-

vacy policies are remarkably similar among many companies, many

other online bookstores oﬀer comparable terms. If the person de-

cides to purchase the book in a bricks-and-mortar bookstore, she

faces the same diﬃculties if she pays by credit card. There, the privacy

policies are not even readily available to the purchaser.

This state of aﬀairs exists partly because not many choices are

available to people regarding their privacy and partly because people

are often not aware of the problems, risks, and dangers about how

their information is handled. Even if they were, it is doubtful whether

a person could create a special deal with a company to provide

greater protections for her privacy.

Therefore, with regard to the level

of privacy protection oﬀered by companies, a person must simply

take it or leave it. People are not aﬀorded enough choices to exercise

their privacy preferences. A more complete range of choices must

permit individuals to express their preferences for how information

will be protected, how it will be used in the future, and with whom it

will be shared. Moreover, because companies controlling personal in-

formation are secretive about its uses and vague about their privacy

policies, people lack adequate knowledge to make meaningful

choices.

Market proponents might respond that it is not economically fea-

sible for companies to oﬀer customized privacy policies. This would

require companies to keep track of each particular customer’s privacy

preferences, which could be cumbersome and expensive. However,

companies maintain very complex databases, able to handle count-

less ﬁelds of data and multiple variables. Why can’t various privacy

preferences be recorded along with various pieces of information?

Inequalities in Knowledge. The argument that the market is already pro-

viding the optimal level of privacy protection fails because there are

vast inequalities in knowledge and much data collection is clandes-

tine. Despite the few instances where information collection initia-

tives were canceled due to public complaints over privacy, many new,

the limits of market-based solutions

▲

ambitious information gathering endeavors occur outside of the pub-

lic eye. At any given time, one of thousands of companies or govern-

ment agencies could decide on a new use of information or on a new

form of collection. People should not always have to be ready to

mount a large campaign anytime such an eruption could occur. Many

of the activities of the database industry are not well known to the

public, and will remain that way under default notions of corporate

privacy and trade secrets unless something is changed. Ironically,

corporate bureaucracies sometimes have more privacy rights than in-

dividuals.

The Value of Personal Information

A key aspect of property rights, observes information law scholar

Pamela Samuelson, is that property is alienable—people can readily

trade it away.

Market solutions, which view information as property

that can be traded in the market, depend upon the ability of people to

accurately assess the value of information. As legal scholar Katrin By-

ford aptly notes, assigning property rights in information “values pri-

vacy only to the extent it is considered to be of personal worth by the

individual who claims it.”

The value of personal information is de-

termined by how much it takes for a person to relinquish it. Since

people routinely give out their personal information for shopping

discount cards, for access to websites, and even for free, some market

proponents (especially the self-regulators) argue that the value of the

data is very low to the individuals. The market is thus already ade-

quately compensating individuals for the use of their information.

In a well-functioning market, assuming no market failure, the mar-

ket might work quite well in valuing personal information. But the

market in privacy is not a well-functioning market, and thus its valua-

tion determinations are suspect.

The Aggregation Effect. The aggregation eﬀect severely complicates the

individual’s ability to ascribe a value to personal information. An in-

dividual may give out bits of information in diﬀerent contexts, each

transfer appearing innocuous. However, when aggregated, the infor-

mation becomes much more revealing. As law professor Julie Cohen

the limits of market-based solutions

▲

observes, each instance in which we give out personal information

may seem “trivial and incremental,” which “tends to minimize its ulti-

mate eﬀect.”

It is the totality of information about a person and how

it is used that poses the greatest threat to privacy. From the stand-

point of each particular information transaction, individuals will not

have enough facts to make a truly informed decision.

Uncertain Future Uses. The potential future uses of personal informa-

tion are too vast and unknown to enable individuals to make the ap-

propriate valuation. The value of much personal information, such as

one’s SSN, does not stem from its intimacy, its immediate revelations

of selfhood, or the fact that the individual has authored it. Rather, the

value is in the ability to prevent others from gaining power and con-

trol over an individual; from revealing an individual’s private life; and

from making the individual vulnerable to fraud, identity theft, prying,

snooping, and the like. Because this value is linked to uncertain fu-

ture uses, it is diﬃcult, if not impossible, for an individual to ade-

quately value her information. Since the ownership model involves

individuals relinquishing full title to the information, they have little

idea how such information will be used when in the hands of others.

For example, a person who signs up for a discount supermarket

shopper card might have some vague knowledge that her personal in-

formation will be collected. In the abstract, this knowledge may not

be all that disconcerting. But what if the person were told that infor-

mation about the contraceptives and over-the-counter medications

she buys would be made available to her employer? Or given to the

government? Or used to send her advertisements or spam? Without

being informed about how the information will be used, the individ-

ual lacks the necessary knowledge to assess the implications of sur-

rendering her personal data.

Is Privacy a Property Right? When personal information is understood as

aproperty right, the value of privacy often is translated into the com-

bined monetary value of particular pieces of personal information.

Privacy becomes the right to proﬁtfrom one’s personal data, and the

harm to privacy becomes understood as not being adequately paid

the limits of market-based solutions

▲

for the use of this “property.” But is this really the harm? Can privacy

be translated into property concepts without losing some of its

meaning?

An initial diﬃculty with understanding personal information as a

form of property is that it is unclear who really creates the informa-

tion. Some pro-privacy commentators quickly assume that because

information pertains to a person, the person should have a right to

own it. However, information is often not created by the individual

alone. We often develop personal information through our relation-

ships with others. When a person purchases a product, information is

created through the interaction of seller and buyer.

Consider the case of Dwyer v. American Express Co. American Ex-

press cardholders sued American Express for renting their names to

merchants under both invasion of privacy and appropriation. The

court held that by using the credit card, “a cardholder is voluntarily,

and necessarily, giving information to defendants that, if analyzed,

will reveal a cardholder’s spending habits and shopping preferences.”

Thus, there was no invasion of privacy. As for appropriation, the court

reasoned:

Undeniably, each cardholder’s name is valuable to defendants.

The more names included on a list, the more that list will be

worth. However, a single, random cardholder’s name has little or

no intrinsic value to defendants (or a merchant). Rather, an indi-

vidual name has value only when it is associated with one of the

defendants’ lists. Defendants create value by categorizing and

aggregating these names. Furthermore, defendants’ practices do

not deprive any of the cardholders of any value their individual

names may possess.

This case indicates what is omitted when information privacy is re-

duced to property rights in information. The court only focused on

the value of the information to each individual, not on the systemic

harms to which American Express’s practices contributed—namely,

the powerlessness of the individuals to have any meaningful control

over information pertaining to their personal lives. The problem with

databases is not that information collectors fail to compensate people

the limits of market-based solutions

▲

for the proper value of personal information. The problem is people’s

lack of control, their lack of knowledge about how data will be used in

the future, and their lack of participation in the process. It is not

merely suﬃcient to allow people to sell their information, relinquish

all title to it, and allow companies to use it as they see ﬁt. This provides

people with an all-or-nothing type of exchange, which they are likely

to take when they are unaware of how information can or might be

used in the future. Nor is it enough to attach some default contractual

rights to information transactions such as nondisclosure obligations

or a requirement of notiﬁcation when a future use of information is

employed. These solutions cannot work eﬀectively in a situation

where the power relationship between individuals and public and

private bureaucracies is so greatly unbalanced. In other words, the

problem with market solutions is not merely that it is diﬃcult to com-

modify information (which it is), but also that a regime of default

rules alone (consisting of property rights in information and contrac-

tual defaults) will not enable fair and equitable market transactions in

personal information. As Julie Cohen warns, giving people property

rights in a defective market runs the risk of leading to more trade in

personal information, not less.

Due to the problems with ascribing a value to personal informa-

tion and because privacy is an issue about societal structure involving

our relationships with public and private bureaucracies, some form

of regulation is necessary that exceeds the narrow measures pro-

posed by proponents of a market solution. There are certain rights we

cannot bargain away because they are not mere individual posses-

sions but are important for the structure of society as a whole.

Too Much Paternalism?

Market proponents are wary of government regulation because it

threatens to usurp individual choice. They argue that people should

be free to contract as they see ﬁt. If people want to give up their pri-

vacy, the government shouldn’t paternalistically say that it knows

best. Market proponents contend that people are capable of making

rational decisions about their personal information and that the law

shouldn’t interfere.

the limits of market-based solutions

▲

This argument is quite compelling, for not all individuals want pri-

vacy. For example, people may want their names sold to other com-

panies because they like receiving catalogs. Market proponents thus

aim to preserve individual choice.

The problem, however, is that the market currently fails to provide

mechanisms to enable individuals to exercise informed meaningful

choices. Even market approaches favoring a more pro-privacy regime

of contractual default rules neglect to account for the core of the

database problem as illustrated by the Kafka metaphor—the power

inequalities that pervade the world of information transfers between

individuals and bureaucracies.

As a result of these problems, there is little economic incentive for

companies to adopt strong privacy protection in the absence of legal

regulation. Although the Direct Marketing Association (DMA) main-

tains standards for self-regulation, polls suggest that less than  per-

cent of DMA members adhere to self-regulatory practices.

The

individual’s lack of knowledge about the use of personal information

also makes companies less responsive to privacy concerns. One em-

ployee at a bank stated: “We joke about it all the time because we oﬃ-

cially say that we don’t reveal information and we treat it with the

utmost respect. What a crock. I hear people laughing in the elevator

about credit reports they’ve pulled!”

Unless people have greater

knowledge about the uses of their information and practices within a

company, they won’t be able even to raise an outcry.

I am not arguing that the market can’t protect privacy. The market

can work well, but not in the absence of structural legal protections. A

set of laws and rights is necessary to govern our relationship with bu-

reaucracies. These laws must consist of more than default rules that

can be contracted around or property entitlements that can be

bartered away. Market-based solutions work within the existing mar-

ket; the problem with databases is the very way that the market deals

with personal information—a problem in the nature of the market it-

self that prevents fair and voluntary information transactions.

Inalienability rules do not necessarily have to limit a person’s abil-

ity to disclose or sell certain information; nor must they limit many

forms of information collection. If the problem is understood with

the Kafka metaphor, the solution to regulating information ﬂow is not

the limits of market-based solutions

▲

to radically curtail the collection of information but to regulate uses.

For example, Amazon.com’s book recommendation service collects

extensive information about a customer’s taste in books. If the prob-

lem is surveillance, then the most obvious solution would be to pro-

vide strict limits on Amazon.com’s collection of information. This

solution, however, would curtail much data gathering that is neces-

sary for business in today’s society and that is put to beneﬁcial uses.

Indeed, many Amazon.com customers, myself included, ﬁnd Ama-

zon.com’s book recommendation service to be very helpful. In con-

trast, if the problem is understood as I have depicted it, then the

problem is not that Amazon is spying on its users or that it can use

personal data to induce its customers to buy more books. What is

troubling is the unfettered ability of Amazon.com to do whatever it

wants with this information. This problem was underscored when

Amazon.com abruptly changed its privacy policy to allow the transfer

of personal information to third parties in the event Amazon.com

sold any of its assets or went bankrupt.

As a customer, I had no say in

this change of policy; no ability to change it or bargain for additional

privacy protection; and no sense about whether it would apply

retroactively to the purchases I already made. And what’s to prevent

Amazon.com in the future from changing its policy once again, per-

haps retroactively?

Therefore, privacy regulations should focus on our relationships

with bureaucracies, for unless these relationships are restructured,

markets in information will not consist of fair, voluntary, and in-

formed information transactions. Markets can certainly work to pro-

tect privacy, but a precondition of a successful market is establishing

rules governing our relationships with bureaucracies.

the limits of market-based solutions

▲

Architecture and the

Protection of Privacy

Although information privacy law has taken some important steps to

protect privacy, it has thus far suﬀered numerous failures and diﬃ-

culties in addressing the privacy problems we are currently facing

with digital dossiers. Why has such a diverse body of law failed to be

eﬀective? In a world constantly being transformed by technology,

how can we erect a robust and eﬀective law of privacy when the

ground is constantly shifting?

Two Models for the Protection of Privacy

The Invasion Conception. The question of how to protect privacy was of

paramount importance to Samuel Warren and Louis Brandeis in 

when they wrote their profoundly inﬂuential article, The Right to Pri-

vacy. The primary remedy for privacy invasions, they suggested,

should be a tort action for damages, and to a limited extent, injunc-

tions and criminal penalties.

Warren and Brandeis’s conception of privacy problems has been

highly inﬂuential in the development of privacy law, and I will refer to

▲

this understanding as the “invasion conception.” Under this concep-

tion, privacy is understood as a series of discrete wrongs—inva-

sions—to speciﬁc individuals. These wrongs occur through the

actions of particular wrongdoers. The injury is experienced by the in-

dividuals who are wronged. For example, a privacy violation that

would ﬁt well into the invasion conception is a newspaper publishing

a photograph of a person in the nude without that person’s consent.

There is a particular wrongdoer (the newspaper) that engages in a

particular action (publishing the photograph) which causes harm to a

particular individual. This harm consists of mental distress and any

consequent physical or mental impairment.

Under the invasion conception, privacy protections safeguard

against these wrongs to individuals. Protection consists of rights and

remedies for each instance of harm, and in certain cases, criminal

punishments for the wrongdoers. Thus, the invasion conception is re-

active. It waits for harms to materialize in concrete form and then re-

acts. The invasion conception works to prevent future harms through

the deterrent eﬀects of civil liability and criminal penalties.

Another aspect of the invasion conception is that it often views pri-

vacy protections in the form of rights possessed and remedied at the

initiative of the individuals whose privacy has been invaded. The

value of protecting privacy is measured in terms of the value of pre-

venting harm to the individual. In the words of one court, “[p]rivacy is

inherently personal. The right to privacy recognizes the sovereignty of

the individual.”

According to the Restatement of Torts: “The right

protected by the action for invasion of privacy is a personal right, pe-

culiar to the individual whose privacy is invaded.”

Under this view,

privacy is enforced by allowing individuals to seek remedies for pri-

vacy invasions.

The privacy torts are designed to redress speciﬁc harms. In many

cases, however, damages are likely to be small, thus creating little in-

centive to sue. The result is that privacy is most protected in situa-

tions where damages can be deﬁned palpably, such as where

skeletons in the closet are revealed, where nudity is publicly dis-

closed, or where the press sneaks into a person’s home to obtain per-

sonal information.

architecture and the protection of privacy

▲

Like tort law, criminal law focuses on punishing speciﬁc wrongdo-

ers. It aims to deter crime by establishing penalties for privacy inva-

sions. Criminal law is often reactive, responding to crime with

punishments after its occurrence. Frequently, criminal law fails to be

proactive in preventing crime. Although criminal law certainly works

to deter crime, some crimes are diﬃcult to deter. Criminal law can

only reach a certain level of deterrence, which can be limited by diﬃ-

culties in catching and prosecuting the perpetrators. Crimes involv-

ing the use and dissemination of personal information present

complicated enforcement problems, since these crimes can occur

from anywhere in the world, are easy to conceal, and take a long time

to detect.

Although the invasion conception works for a number of privacy

problems, not all privacy problems are the same, and many do not

ﬁtwell into this model. In particular, the invasion conception does

not adequately account for many of the privacy problems arising to-

day. The problems of digital dossiers do not consist merely of a se-

ries of isolated and discrete invasions or harms, but are systemic in

nature, caused by a particular social or legal structure. Moreover, as

I explained earlier, the aggregation eﬀect complicates the applica-

tion of tort law in speciﬁc cases. In isolation, a particular piece of

information may not be very invasive of one’s privacy. But when

pieces of information are combined, they may form a detailed ac-

count of an individual. The whole may be greater than the sum of

the parts.

Further, the exchange of personal information between businesses

cannot be readily analogized to the widespread disclosure of infor-

mation by the media. When companies buy and sell information,

they disclose it to only a few other entities. How are damages to be as-

sessed? These harms do not translate well to tort law or criminal law,

which focus on isolated actors and address harms individually rather

than collectively.

The traditional view of privacy harms pervades much of the law

of information privacy. Courts often look for speciﬁc injuries. For

example, in U.S. West, Inc. v. Federal Communications Commission,

the court of appeals struck down FCC regulations requiring that

architecture and the protection of privacy

▲

consumers opt-in (by aﬃrmatively giving their consent) before

telecommunications carriers could use or disclose their personal in-

formation. The court reasoned that the governmental interest in pro-

tecting privacy wasn’t “substantial” because the government failed to

“show that the dissemination of the information desired to be kept

private would inﬂict speciﬁc and signiﬁcant harm on individuals,

such as undue embarrassment or ridicule, intimidation or harass-

ment, or misappropriation of sensitive personal information for the

purposes of assuming another’s identity.”

First Amendment scholar

Eugene Volokh epitomizes this view when he writes:

[M]any of the proposals to restrict communication of consumer

transactional data would apply far beyond a narrow core of

highly private information, and would cover all transactional in-

formation, such as the car, house, food, or clothes one buys. I

don’t deny that many people may ﬁnd such speech vaguely omi-

nous and would rather that it not take place, and I acknowledge

that some people get extremely upset about it. . . . If such rela-

tively modest oﬀense or annoyance is enough to justify speech

restrictions, then the compelling interest bar has fallen quite

low.

This way of viewing the harm to privacy fails to acknowledge the

larger systemic problems involved with information ﬂow. As I have

argued in chapter , the growing use and dissemination of personal

information creates a Kafkaesque world of bureaucracy, where we are

increasingly powerless and vulnerable, where personal information is

not only outside our control but also is subjected to a bureaucratic

process that is itself not adequately controlled. This generalized harm

already exists; we need not wait for speciﬁc abuses to occur.

Enforcement at the initiative of the individual also creates diﬃcul-

ties. Arguing from the invasion conception, Fred Cate contends that

although people claim they desire more privacy, their actions illus-

trate that they do not want to sacriﬁce much time or energy in obtain-

ing it.

The goal of the law, says Cate, should be to assist those who

want to protect their privacy rather than to thrust a uniform wall of

privacy around everyone: “The law should serve as a gap-ﬁller, facili-

tating individual action in those situations in which the lack of com-

architecture and the protection of privacy

▲

petition has interfered with private privacy protection.”

Further-

more, according to Cate, the purpose of privacy rights is to “facilitate

... the development of private mechanisms and individual choice as

a means of valuing and protecting privacy.”

However, enforcement mechanisms that rely upon individual ini-

tiative often fail because individuals lack the knowledge and re-

sources to use them. Individual remedies are only eﬀective to the

extent that individuals have power to exercise them. In the face of

forces created by social structure, individual remedies are often pow-

erless. A person may have the legal opportunity to bargain to modify

a contract, lease, or employment agreement or to sue for redress if

wronged. But unless that person has the knowledge and ability to

bargain or to sue, the opportunities are often not very empowering.

Rights to consent to the collection of data lack much meaning if peo-

ple can be readily pressured, misled, or coerced into relinquishing

their information.

Additionally, the invasion conception’s focus on privacy invasions

as harms to speciﬁc individuals often overlooks the fact that certain

privacy problems are structural—they aﬀect not only particular indi-

viduals but society as a whole. Privacy cannot merely be enforced at

the initiative of particular individuals. Privacy, as Paul Schwartz con-

tends, should be viewed as a “constitutive value” because “access to

personal information and limits on it help form the society in which

we live and shape our individual identities.”

Since certain privacy

problems are structural in nature, they aﬀect more than speciﬁc ag-

grieved individuals. As data privacy expert Spiros Simitis aptly ob-

serves, “privacy considerations no longer arise out of particular

individual problems; rather, they express conﬂicts aﬀecting every-

one.”

Architecture. If we look at privacy more as an aspect of social and legal

structure, then we begin to see that certain types of privacy harms are

systemic and structural in nature, and we need to protect against

them diﬀerently.

The concept of “architecture” is useful for understanding how cer-

tain privacy problems should be understood and dealt with. The term

“architecture” typically refers to the design of spaces—of buildings or

architecture and the protection of privacy

▲

cities. I use the term architecture in a broader way, similar to

Lawrence Lessig and Joel Reidenberg, who contend that architecture

does not merely describe the design of physical structures, but can be

constructed through computer code.

Our environment is not only

shaped spatially by the architecture of buildings and the layout of

cities, but by the design of information systems. This architecture has

similar eﬀects as spatial design on our behavior, attitudes, norms, so-

cial interaction, sense of freedom, and security. Both computer hard-

ware and software have architectures. Hardware is built with certain

capabilities and limitations; it only has so much memory, a limited

processing speed, and so on. Likewise, software has certain con-

straints—some that exist because programmers have reached the

range of their capabilities, but others that exist because they are cre-

ated by design. The Internet itself has a design, one that aﬀects the

way people communicate, the way data is transferred, and the extent

to which people can be anonymous.

Architecture creates certain psychological and social eﬀects.

Ac-

cording to Neal Katyal, physical architecture aﬀects human conduct.

Architecture can structure spaces to “facilitate unplanned social in-

teraction” by positioning door entrances so they face each other.

Ar-

chitecture also alters perception by its aesthetic design, by what it

expresses. Frank Lloyd Wright observed that architecture involves

“making structure express ideas.”

By inﬂuencing human behavior,

attitudes, thoughts, and interactions, architecture plays a profound

role in the structuring of society.

One of the ways in which architecture aﬀects society is by enhanc-

ing or diminishing privacy. Recall from chapter  Jeremy Bentham’s

design for a prison, the Panopticon. The Panopticon demonstrates

how architecture can shape the very constitution of society by aﬀect-

ing privacy. Through its design with a central observation tower, the

Panopticon creates a constant fear of observation, resulting in in-

creased obedience and discipline. As Michel Foucault observes,

“without any physical instrument other than architecture and geom-

etry, [the Panopticon] acts directly on individuals.”

Unlike dun-

geons, which served “to enclose, to deprive of light and to hide,” the

Panopticon achieves control through visibility.

The Panopticon is a

form of architecture that inhibits freedom; it is an architecture of so-

architecture and the protection of privacy

▲

cial control and discipline. For Foucault, the Panopticon is not

merely consigned to physical structures such as prisons; it is an ar-

chitecture that is increasingly built into the entire social structure.

Panoptic architecture is increasingly employed in modern society, in

both physical and non-physical forms. Surveillance cameras are a

prime example. Since ,Britain has overseen city streets through

the use of about . million surveillance cameras monitored by

closed circuit television (CCTV).

It is virtually impossible to walk

the streets of London without being captured on camera numerous

times throughout the day. Such a surveillance system replicates

Panoptic architecture.

Panoptic architecture, and the architecture Lessig and Reidenberg

discuss, are “architectures of control,”

for they function to exercise

greater dominion over individuals. Lessig observes that “[c]yberspace

does not guarantee its own freedom but instead carries an extraordi-

nary potential for control.”

Lessig is responding to the early buzz

about the Internet, which was hailed as a place of unprecedented

freedom, a freewheeling and uninhibited world. Although the Inter-

net certainly has the potential to be a realm of liberty, Lessig demon-

strates that it can be regulated—through law and computer code.

People can be traced; speech can be censored; access to information

can be limited; anonymity can be restricted. Therefore, the Internet

has the potential to become a realm of comprehensive control.

But beyond control, architecture can function in other problem-

atic ways. In addition to architectures of control, we are seeing the

development of what I call “architectures of vulnerability.” Architec-

ture can create a world where people are vulnerable to signiﬁcant

harm and are helpless to do anything about it. Architectures of vul-

nerability function diﬀerently than architectures of control. Architec-

tures of control are ways in which people are limited in their actions

and their freedom, where they are pressed into conformity to an-

other’s will. In contrast, architectures of vulnerability make people

weaker, expose them to a host of dangers, and take away their power.

Whereas architectures of control are central to Big Brother, architec-

tures of vulnerability pervade the world depicted by Kafka. As I will

discuss later, the rapid rise in identity theft is caused by architectures

of vulnerability.

architecture and the protection of privacy

▲

For problems that are architectural, the solutions should also be

architectural. Privacy must be protected by reforming the architec-

ture, which involves restructuring our relationships with businesses

and the government. In other words, the law should regulate the rela-

tionships. As I discussed earlier in this book, our relationships with

businesses and the government are becoming more bureaucratic in

nature, and it is this general development that must be addressed.

Thus, an architectural solution goes beyond treating the troublesome

symptoms that materialize from the use of digital dossiers. The law

often works at the surface of the problems, dealing with the overt

abuses and injuries that may arise in speciﬁc instances. But thus far

the law does not do enough to redeﬁne the underlying relationships

that cause these symptoms. Unless people’s relationships with bu-

reaucracies are placed on more equal footing, aﬀording people de-

fault property rights in information or other forms of information

control will not adequately protect privacy.

Architecture protects privacy diﬀerently than individual remedies.

It is more proactive than reactive; it involves creating structures to

prevent harms from arising rather than merely providing remedies

when harms occur. The invasion conception enforces privacy

through legal remedies employed at the initiative of individuals and

penalties to speciﬁc wrongdoers. Architectural remedies are more

systemic in nature, and they work by altering social structure to make

it harder for torts and crimes to occur. As Neal Katyal persuasively ar-

gues, architecture deals with crime diﬀerently than criminal penal-

ties; it can prevent crime, facilitate the capture of criminals, and can

even “shape individuals’ attitudes toward lawbreaking.”

I am not contending that aﬀording individuals with a cause of ac-

tion or a remedy for privacy invasions is completely ineﬀective. In-

deed, individual remedies must be a component of any architecture.

However, individual remedies alone are often not suﬃcient, for their

viability and eﬀectiveness depends upon the architecture in which

they are embedded.

I am also not arguing that the invasion conception is incorrect and

should be abandoned. The invasion conception was designed for the

privacy problems experienced when Warren and Brandeis wrote their

article. Although it still works for a number of privacy problems today,

100

architecture and the protection of privacy

▲

it does not work for all privacy problems. In fact, understanding pri-

vacy problems with the notion of architecture is not in conﬂict with

the view of privacy articulated by Warren and Brandeis. A critical part

of Warren and Brandeis’s argument was the importance of the law’s

ability to respond to new problems. Today, we face a host of diﬀerent

privacy problems. We need to recognize their diﬀerences and adapt

the law to grapple with them rather than continue to view them

through old lenses and attempt to resolve them in the same manner

as other problems.

Warren and Brandeis wrote long before the rise of massive record

systems and information networks. The problems created by the

growing accumulation, dissemination, and networking of personal

information are better understood architecturally than under the in-

vasion conception. Viewing these problems through architecture re-

veals that the problems are caused in a diﬀerent manner than we

might have originally supposed. It recognizes harm within design and

structure. And it alters the strategies by which we seek to adapt law to

solve the problems.

Thus, the viable protection of privacy must consist of more than a

set of protections for a series of isolated injuries. Rather, the protec-

tion of privacy depends upon an architecture that structures power,

aregulatory framework that governs how information is dissemi-

nated, collected, and networked. We need to focus on controlling

power. Often, new technology is introduced without adequate con-

trols, and as a result, it creates vulnerability and engenders trouble-

some shifts in power, even if the proposed uses of the technology do

not seem immediately troubling and even if the threat of abuse is not

imminent. The protection of privacy does not mean an all-or-noth-

ing tradeoﬀ between the total restriction of information gathering

versus the complete absence of regulation. Many privacy problems

can be ameliorated if information uses are carefully and thoughtfully

controlled.

Toward an Architecture for Privacy and the Private Sector

What should an architecture that regulates the relationships look

like? I propose an architecture that establishes controls over the data

101

architecture and the protection of privacy

▲

networking practices of institutions and that aﬀords people greater

participation in the uses of their information.

The ﬁrst step is to redeﬁne the nature of our relationships to busi-

nesses and government entities that maintain and use our personal

information. At present, the collectors and users of our data are often

not accountable to us. A company can collect a person’s data without

ever contacting that person, without that person ever ﬁnding out

about it. The relationship is akin to the relationship between

strangers—with one very important diﬀerence: One of the strangers

knows a lot about the other and often has the power to use this infor-

mation to aﬀect the other’s life. But the stranger with the knowledge

doesn’t have many obligations to the other. At other times, we estab-

lish a relationship with a company, a bank, or another institution. We

might buy a product online or open up an account and invest money.

We are no longer strangers, but the quality of our relationship is often

not dramatically improved. Companies collect and maintain our in-

formation; they often use it for a myriad of new purposes; and they

are frequently careless about the security of our data. As discussed

earlier, the law often doesn’t aﬀord people the ability to do much to

change the situation.

Our relationships with the collectors and users of our personal in-

formation thus need to be redeﬁned. Consider another set of rela-

tionships—those between us and our doctors and lawyers. Here, the

law imposes a number of obligations on doctors and lawyers to focus

on our welfare. Indeed, the patient-physician relationship has been

likened by courts to a ﬁduciary one.

A ﬁduciary relationship is a cen-

tral facet of the law of trusts. Trustees stand in a ﬁduciary relationship

to beneﬁciaries of the trust. The trustee has been entrusted with the

beneﬁciary’s money, and because of this position of special trust, the

trustee owes certain special duties to the beneﬁciary.

Justice Ben-

jamin Cardozo, then writing for the Court of Appeals of New York, de-

scribed ﬁduciary duties in a famous passage:

Many forms of conduct permissible in a workaday world for

those acting at arm’s length, are forbidden to those bound by

ﬁduciary ties. A trustee is held to something stricter than the

102

architecture and the protection of privacy

▲

morals of the market place. Not honesty alone, but the punctilio

of an honor the most sensitive, is then the standard of behavior.

The types of relationships that qualify as ﬁduciary ones are not

ﬁxed in stone. As one court has noted, courts “have carefully refrained

from deﬁning instances of ﬁduciary relations in such a manner that

other and perhaps new cases might be excluded.”

Examples of rec-

ognized ﬁduciary relationships include those between stockbrokers

and clients, lawyers and clients, physicians and patients, parents and

children, corporate oﬃcers and shareholders, and insurance compa-

nies and their customers.

Fiduciaries have a duty to disclose personal interests that could

aﬀect their professional judgment as well as a duty of conﬁdentiality.

For example, doctors who disclose a patient’s conﬁdential medical in-

formation have been successfully sued by patients for breach of

conﬁdentiality.

Likewise, banks and schools have been held to be

obliged to keep personal information conﬁdential.

I posit that the law should hold that companies collecting and us-

ing our personal information stand in a ﬁduciary relationship with

us. This is a radical proposal. Although the concept of a ﬁduciary re-

lationship is an open-ended and developing one, the concept has not

been extended nearly as far as I propose. Generally, courts examine a

number of factors to determine the existence of a ﬁduciary relation-

ship: “[T]he degree of kinship of the parties; the disparity in age,

health, and mental condition; education and business experience be-

tween the parties; and the extent to which the allegedly subservient

party entrusted the handling of ...business aﬀairs to the other and

reposed faith and conﬁdence in [that person or entity].”

Most of the

factors look at disparities in power and knowledge, and these lean in

favor of ﬁnding a ﬁduciary relationship between us and the collectors

and users of our data. The last factor, however, understands the rela-

tionship as one in which something has been explicitly entrusted to

the trustee. This will work in the context of companies that we do

business with, for we entrust them with our personal data. But it will

be a signiﬁcant expansion of the concept of ﬁduciary relationships

to extend it to third-party companies that gather our information

103

architecture and the protection of privacy

▲

without having done business with us. We don’t entrust anything to

these companies; they often take our data surreptitiously, without our

consent. Nevertheless, the law is ﬂexible and in the past has re-

sponded to new situations. The law should grow to respond here,

since all of the other factors for recognizing a ﬁduciary relationship

seem to counsel so strongly for the need to impose ﬁduciary obliga-

tions for the collectors and users of our personal information.

If our relationships with the collectors and users of our personal

data are redeﬁned as ﬁduciary ones, then this would be the start of a

signiﬁcant shift in the way the law understands their obligations to

us. The law would require them to treat us in a diﬀerent way—at a

minimum, with more care and respect. By redeﬁning relationships,

the law would make a signiﬁcant change to the architecture of the in-

formation economy.

More speciﬁcally, how should these relationships be recon-

structed? What duties and obligations should the collectors and users

of our personal information have? The foundations should be formed

by the Fair Information Practices, which, as privacy expert Marc

Rotenberg aptly observes, create an architecture for the handling and

use of personal information.

The Fair Information Practices origi-

nate with a  report by the U.S. Department of Housing, Educa-

tion, and Welfare. The report recommended the passage of a code of

Fair Information Practices:

There must be no personal-data record-keeping systems whose

very existence is secret.

There must be a way for an individual to ﬁnd out what informa-

tion about him is in a record and how it is used.

There must be a way for an individual to prevent information

about him obtained for one purpose from being used or made

available for other purposes without his consent.

There must be a way for an individual to correct or amend a

record of identiﬁable information about him.

Any organization creating, maintaining, using, or disseminating

records of identiﬁable personal data must assure the reliability of

the data for their intended use and must take reasonable precau-

tions to prevent misuse of the data.

▲▲▲▲▲

104

architecture and the protection of privacy

▲

Subsequently, in , the Organization for Economic Cooperation

and Development (OECD) established guidelines for the protection of

privacy based in large part on the Fair Information Practices.

Paul

Schwartz, Marc Rotenberg, Joel Reidenberg, and others have long con-

tended that the Fair Information Practices represent the most eﬀective

foundation for the protection of privacy in the Information Age.

The Fair Information Practices embody a particular understanding

of privacy and its protection. Understood broadly, the Fair Informa-

tion Practices establish an architecture that alters the power dynamic

between individuals and the various bureaucracies that process their

personal information. The Fair Information Practices focus on two

general concerns: participation and responsibility. They aim to struc-

ture the information economy so that people can participate mean-

ingfully in the collection and use of their personal information. This

does not necessarily mean that people are aﬀorded dominion over

their personal information; rather, people are to be kept informed

about the information gathered about them and the purposes of its

use; and people must have some say in the way their information is

processed. In other words, the Fair Information Practices aim to in-

crease individual involvement in personal information systems.

Additionally, the Fair Information Practices bring information pro-

cessing under better control. Currently, information processing is out

of control. Companies collecting and using personal information are

often doing so in careless ways with little concern for the welfare of

the individuals to whom the information pertains. The Fair Informa-

tion Practices recognize that personal data users have special respon-

sibilities and that they must be regulated in order to ensure that they

maintain accurate and secure records and use and disseminate infor-

mation responsibly.

Unfortunately, in the United States the Fair Information Practices

have only been selectively incorporated into various statutes in a lim-

ited number of contexts. A more comprehensive incorporation of the

Fair Information Practices would go far toward addressing the privacy

problem as I have characterized it.

Participation: Opting-Out versus Opting-In. The current self-regulatory

and legislative solution of enabling people to opt-out of having their

105

architecture and the protection of privacy

▲

data collected or disseminated is ineﬀectual. When people have to

opt-out, the default is that they relinquish signiﬁcant control over

their information unless they take steps (often time-consuming and

cumbersome) to indicate that they do not want a company to use or

disseminate their data. Providing people with opt-out rights and pri-

vacy policies does little to give individuals much control over their in-

formation. Regulation mandating that consumers opt-in rather than

opt-out will more eﬀectively control the ﬂow of information between

unequal parties. Under a system where individuals opt-in, the default

rule is that personal information cannot be collected or used about

an individual unless the individual provides consent. As Jeﬀ Sovern

contends, an opt-in system will place the incentive on entities that

use personal information to “make it as easy as possible for con-

sumers to consent to the use of their personal information.”

There-

fore, the law should require companies to adopt an opt-in system

rather than an opt-out system.

Even with an opt-in system, steps must be taken to ensure that

consent amounts to more than a “notice and choice” system, which,

as Marc Rotenberg argues, “imagines the creation of perfect market

conditions where consumers are suddenly negotiating over a range of

uses for personal information.”

Thus, eﬀective privacy regulation

must legally require an opt-in system which contains a meaningful

range of choices as well as addresses inequalities in knowledge and

power and other impediments to voluntary and informed consent.

For example, inequalities in knowledge—the fact that companies

know how they might use data whereas people have little awareness

of these plans—could be addressed by limiting such future uses of

personal data without ﬁrst obtaining people’s consent.

Limits on the Use of Data. A critical step toward addressing the prob-

lems of digital dossiers is providing limits on the use of data. Interna-

tionally, the OECD Guidelines provide that “[p]ersonal data should be

relevant to the purposes for which they are to be used, and, to the ex-

tent necessary for those purposes, should be accurate, complete, and

kept up-to-date.”

In , the European Union issued the European

Community Directive on Data Protection, which outlines the basic

principles for privacy legislation for European Union member coun-

106

architecture and the protection of privacy

▲

tries. The Directive provides for a comprehensive protection of per-

sonal information maintained by a broad range of entities. This om-

nibus approach exists in stark contrast to the United States’

approach, which regulates privacy “sectorally” in various narrow con-

texts.

Although the Directive is far from perfect, it recognizes some of the

dimensions of the problem that are neglected by U.S. privacy law. For

example, Article  provides:

Member States shall grant the right to every person not to be

subject to a decision which produces legal eﬀects concerning

him or signiﬁcantly aﬀects him and which is based solely on au-

tomated processing of data intended to evaluate certain per-

sonal aspects relating to him, such as his performance at work,

creditworthiness, reliability, conduct, etc.

Further, Article  prohibits, subject to a number of necessary ex-

ceptions, “the processing of personal data revealing racial or ethnic

origin, political opinions, religious or philosophical beliefs, trade-

union membership, and the processing of data concerning health or

sex life.”

These two provisions of the Directive limit the ways per-

sonal information can be used to make important decisions aﬀecting

people’s lives.

Enforcement. The Fair Information Practices are broad principles,

and they do not specify how they are to be carried out in practice or

enforced. As I discussed earlier, individual remedies can only go so

far. Of course, individual remedies are important, and people should

be able to sue when injured by companies that fail to follow the Fair

Information Practices. But with many of the new types of architec-

tural harms I described—such as making people more vulnerable to

fraud and identity theft—damages will be diﬃcult to calculate. When

a person actually suﬀers from identity theft, it is easy to comprehend

the harm. When a person is made more vulnerable—such as being

exposed to a greater risk of injury but not yet actually injured—it is

harder to establish damages because one can’t point to concrete eco-

nomic loss or physical pain and suﬀering. Nevertheless, increased

vulnerability is a palpable harm—just as weakening a person’s

107

architecture and the protection of privacy

▲

immune system would be, or disabling her home security system.

Part of the challenge for law is to begin to recognize the harms cre-

ated by increased vulnerability and powerlessness. But until the law

does this, enforcement must also occur through the work of govern-

ment agencies tasked with policing the corporate world of informa-

tion networking. Just as the Food and Drug Administration (FDA)

regulates food and drugs, just as the Securities and Exchange Com-

mission (SEC) regulates the securities markets, we need a federal

agency to regulate the collection and use of personal information.

As I discussed in chapter , the Federal Trade Commission (FTC) has

started to undertake this role, but it has a long way to go.

The FTC must receive expanded jurisdiction and resources to be

more proactive in policing the security practices of companies. In a

handful of cases thus far, the FTC has preemptively brought actions

against companies for maintaining shoddy security even before in-

formation was leaked or obtained improperly. As discussed in chap-

ter , the FTC brought an action against Microsoft for failing to

provide adequate security for its users’ personal data. In In re

Guess.com, Inc.,

the FTC reached a settlement with Guess, a com-

pany that sold clothing and accessories over the Internet, for main-

taining ﬂawed security of its customers’ personal information. Guess

promised that all personal information “including . . . credit card in-

formation and sign-in password, are stored in an unreadable, en-

crypted format at all times.” This statement was false, and the FTC

brought an action even before there was any evidence that hackers or

others improperly gained access to the data. Cases like these are

promising developments, but many more need to be brought.

As discussed before, one problem with the FTC’s jurisdiction is that

it is triggered when a company breaches its own privacy policy. But

what if a company doesn’t make explicit promises about security?

One hopeful development is the Gramm-Leach-Bliley (GLB) Act. The

GLB Act requires a number of agencies that regulate ﬁnancial institu-

tions to promulgate “administrative, technical, and physical safe-

guards for personal information.”

In other words, ﬁnancial

institutions must adopt a security system for their data, and the mini-

mum speciﬁcations of this system are to be deﬁned by government

agencies. A broader but similar provision must be passed to govern all

108

architecture and the protection of privacy

▲

the collectors and users of personal information. It must be enforced

by a federal agency that will examine each company’s security prac-

tices and ensure that they are adequate. As I will discuss later, the se-

curity practices at countless companies that collect and use our

personal data are notoriously insuﬃcient, a reality that has led to the

rapid growth of identity theft.

Reconceptualizing Identity Theft

Thus far, what I have said has been relatively abstract. In the remain-

der of this chapter, I will provide a speciﬁc demonstration of these

points through the example of one of the most rapidly growing and

troubling problems of the information economy—the problem of

identity theft. It is a privacy problem that resembles a Kafkaesque

nightmare.

The Identity Theft Problem. A person loses his wallet while on vacation

in Florida. His wallet contains his driver’s license and other personal

information. An identity thief uses the victim’s information for several

years to buy and sell property, open bank accounts, establish phone

service, and so on.

Pursuant to a Florida warrant based on the crimi-

nal conduct of the identity thief, the victim is arrested in California

and imprisoned for over a week. The victim also has civil judgments

issued against him.

The identity of a retired -year-old man is stolen. Debts continue

to amass on his credit reports. Although the victim lives in Maryland,

a Texas bank issues a car loan to the identity thief in Texas.

The vic-

tim continually ﬁghts to have the debts removed from his credit re-

ports, but he is told to take up the issues with the creditors who claim

that the debts are legitimate. Even after debts are removed, they reap-

pear on his credit reports because a diﬀerent collection agency re-

places them.

These are examples of what has come to be called “identity theft,”

which is a problem involving personal information. As deﬁned by the

U.S. General Accounting Oﬃce, “identity theft or identity fraud gen-

erally involves ‘stealing’ another person’s personal identifying infor-

mation . . . and then using that information to fraudulently establish

109

architecture and the protection of privacy

▲

credit, run up debt, or take over existing ﬁnancial accounts.”

Identity

theft is not the same as ordinary credit card fraud, where a thief steals

and uses a person’s credit card. In identity theft, the culprit obtains

personal information and uses it in a variety of fraudulent ways to im-

personate the victim. The thief gathers personal information from

database companies and public records, or by stealing wallets, pilfer-

ing mail, or rooting through trash to ﬁnd data on discarded docu-

ments.

Identity theft is the most rapidly growing type of white-collar crim-

inal activity.

According to an FTC estimate in September , “al-

most  million Americans have discovered that they were the victim

of some form of ID theft within the past year.”

Identity theft can be a

harrowing experience. According to estimates, a victim typically

spends over two years and close to  hours to repair the damage

that identity theft causes.

Victims often spend thousands of dollars

to remedy the harm, and many experience great anxiety.

They have

diﬃculty getting a loan, securing a mortgage, obtaining a security

clearance, or even being hired for a job.

And victims are sometimes

arrested based on warrants for the crimes of the identity thieves.

Identity theft creates these problems because our digital dossiers

are becoming so critical to our ability to function in modern life.

Credit reporting agencies construct dossiers about us to report our

ﬁnancial status to creditors. Without these reports, people can’t ob-

tain loans, mortgages, or leases. Personal information is also used to

establish accounts with merchants, ISPs, cable companies, phone

companies, and so on.

The identity thief not only pilfers victims’ personal information,

but also pollutes their dossiers by adding false information, such as

unpaid debts, traﬃc violations, parking tickets, and arrests. The harm

of identity theft is not solely ﬁnancial; it can seep into a person’s

everyday life. The victim cannot readily recover the personal informa-

tion in the way that stolen property can be recovered. The victim

must constantly defend against the identity thief’s next move. Even

after the victim cleans up her credit reports, if the identity thief re-

mains at large, there may be further pollution. This is another way in

which identity theft diﬀers from credit card fraud or the theft of an

ATM card or access card. Once the card is cancelled, the crime ends.

110

architecture and the protection of privacy

▲

With identity theft, the crime can continue, for personal information

works like an “access card” that cannot be readily deactivated.

Identity Theft and the Invasion Conception. Thus far, the law has viewed

identity theft under the invasion conception—as a harm to individu-

als by criminals. Identity theft unquestionably harms individuals and

certainly involves criminals. Therefore, it is no surprise that identity

theft is viewed under the invasion conception and that the solutions

to identity theft emerge from this model. As I will argue later, this

model is deeply ﬂawed and as a result, its solutions are ineﬀective.

In , Congress passed the Identity Theft and Assumption Deter-

rence Act, which erected a comprehensive penal regime for identity

theft.

Subsequently, the vast majority of states have passed laws to

criminalize identity theft.

Thus, it is only recently that policymakers

have turned their attention to identity theft, and the overwhelming

approach is to classify identity theft as a species of crime and to focus

on the actions of these criminals.

There are several problems with viewing identity theft exclusively

in this manner. First, law enforcement agencies have thus far not de-

voted adequate resources toward investigating and prosecuting iden-

tity theft cases. In a U.S. General Accounting Oﬃce survey of  states,

oﬃcials admitted that they have insuﬃcient resources to respond to

identity theft because violent crimes and drug oﬀenses consume

most of the resources. Additionally, the survey reported, “[i]dentity

theft cases require highly trained investigators, require longer-than-

usual eﬀorts, and often end without an arrest.” Identity theft often oc-

curs across diﬀerent jurisdictions, and law enforcement oﬃcials

“sometimes tend to view identity theft as being ‘someone else’s prob-

lem.’” As a result, most identity thefts remain unsolved.

Research

ﬁrm Gartner, Inc. estimates that less than  in  instances of iden-

tity theft result in a conviction.

Second, victims experience great diﬃculty in obtaining redress for

identity theft. Victims are often unaware that their identities have

been stolen until long after the identity theft has begun. A report

based on victim surveys estimates that it takes victims over a year to

discover that they have been victimized.

According to FTC esti-

mates,  percent of identity theft victims don’t learn of the theft until

111

architecture and the protection of privacy

▲

two years later.

One tip-oﬀ that a person is a victim of identity theft

is an unusual item on a credit report. The identity thief often takes out

loans and uses lines of credit which the thief never pays back. These

delinquencies show up on the victim’s credit report, and destroy the

victim’s credit rating. Unfortunately, the Fair Credit Reporting Act

(FCRA),

which regulates credit reporting agencies, fails to provide

people with adequate resources to discover that they are being vic-

timized or repair the damage done by identity theft. Although the

FCRA permits individuals to contest the accuracy of information in

their credit histories

and enables individuals to sue to collect dam-

ages for violations of the Act,

these rights often are ineﬀectual. One

problem is that people often are unaware of the information their

credit reports contain. To obtain such information, people must re-

quest a copy of their credit report from each of the three major credit

reporting agencies—Experian, Equifax, and Trans Union. And if indi-

viduals want to ensure that their credit reports remain accurate, they

must request reports regularly.

Credit reporting agencies have a duty to investigate consumer dis-

putes with the accuracy of their reports, but this often is ineﬀective in

cases of identity theft. In a compelling article, legal scholar Lynn LoP-

ucki observes that the “victim is asked to prove a negative: namely,

that he or she is not the person who borrowed from the creditor. The

victim’s evidence is likely to be complex and circumstantial.” Credi-

tors do not have a suﬃcient incentive to investigate, for if the victim is

correct, creditors cannot recover on the debt. LoPucki also aptly ar-

gues that the “victim lacks a forum in which to proceed. The victim

has no right to a hearing on the accuracy of the information re-

quested.” Moreover, the “FTC seldom acts on the complaint of a sin-

gle customer.”

The FCRA does not allow people to sue for “defamation, invasion of

privacy, or negligence” when the credit reporting agency discloses

false information or a creditor reports false information to a credit re-

porting agency unless the information is “furnished with malice or

willful intent to injure such consumer.” Instead, the FCRA provides a

cause of action for negligently failing to comply with its provisions,

but a victim must bring an action within two years “from the date on

which the liability arises.”

In TRW, Inc. v. Andrews, the Supreme Court

112

architecture and the protection of privacy

▲

held that the two-year statute of limitations period begins to run

when a violation occurs, even if the plaintiﬀ remains unaware of it.

In December , Congress passed a law, called the Fair and Ac-

curate Credit Transactions Act (FACTA), that revised the FCRA.

The

FACTA makes several improvements to the FCRA. It overturns An-

drews and expands the statute of limitations to ﬁve years from the vi-

olation or two years following the discovery of the violation. A person

can ask a credit reporting agency to place a “fraud alert” in her ﬁle,

and the agency must contact all the other credit reporting agencies to

do the same. The Act also makes it easier for identity theft victims to

obtain records from companies where the thief opened accounts or

purchased goods. People can request a free credit report each year

from all of the national credit reporting agencies. The Act provides

consumers with the ability to opt-out of oﬀers of prescreened credit.

However, the Act is still moored in the invasion conception. The

law does not allow individuals enough involvement in the uses and

dissemination of their personal information to quickly discover that

they are victims of identity theft or to obtain redress after identity

theft occurs. The FACTA makes it slightly easier for victims to repair

the damage from identity theft, but this is akin to a better bandage.

Many of the Act’s protections are already being carried out voluntarily

by credit reporting agencies. Prior to the FACTA, victims of identity

theft could call one credit reporting agency, which would voluntarily

alert the others to the fraud. Most victims could already obtain a free

credit report so long as they believed in good faith that they had been

defrauded. Consumers who had never been victimized had to pay

only $ for their credit report. Thus, the FACTA takes some forward

steps, but it does not progress very far. FACTA’s reforms are remedial;

the Act does little to proactively prevent identity theft.

More disturbingly, the FACTA also gives credit reporting agencies

and the companies that use our personal information a great be-

neﬁt—states are barred from passing stricter laws. The states, not the

federal government, had been providing stronger and more eﬀective

protection. The Act thus comes at the price of removing valuable pro-

tections to millions of individuals and preventing the states from fur-

ther experimentation in combating the mounting threat of identity

theft.

113

architecture and the protection of privacy

▲

Viewing identity theft under the invasion conception—as a series

of isolated thefts from particular individuals—results in commenta-

tors often urging individuals to take a variety of steps to avoid being

victimized. Fred Cate argues that identity theft could be greatly cur-

tailed if people exercised more care over their data:

Despite all the bills introduced to combat the theft of identity, in-

dividual action may provide the best defense: keeping a close

watch on account activity; reporting suspicious or unfamiliar

transactions promptly; properly destroying commercial solicita-

tions; storing valuable documents securely; protecting account

names and passwords; and never disclosing personal informa-

tion to unknown callers.

A report by the FDIC suggests several tips for people to “minimize”

the risk of identity theft:

Pay attention to your billing cycles.

Guard your mail from theft.

Do not give out personal information.

Keep items with personal information in a safe place.

Give your SSN only when absolutely necessary.

Don’t carry your SSN card; leave it in a secure place.

Order a copy of your credit report from each of the three major

credit reporting agencies every year.

The general advice is that if people take a number of steps, identity

theft will be minimized. However, personal data is often collected un-

wittingly, without consent; SSNs are frequently used, and refusal to

give out one’s SSN results in considerable inconvenience; and many

people cannot even name the three major credit reporting agencies,

let alone request a copy of their credit reports. Even if people did take

all these steps, the risks of identity theft are still not signiﬁcantly min-

imized. According to an oﬃcial at the FTC, “[t]here is no way you can

fully immunize yourself from identity theft because the information

is out there.”

I contend that the prevailing approach to dealing with identity

theft—by relying on criminal penalties and by depending upon indi-

viduals to take great lengths to try to protect themselves—has the

114

architecture and the protection of privacy

▲

wrong focus. Of course, identity thieves should be prosecuted and

people should avoid being careless with their data. The law has signi-

ﬁcant room to improve in prosecuting identity theft. But these solu-

tions fail to address the foundations of the problem.

Identity Theft as Architecture. The underlying cause of identity theft is

an architecture that makes us vulnerable to such crimes and unable

to adequately repair the damage. This architecture is not created by

identity thieves; rather, it is exploited by them. It is an architecture of

vulnerability, one where personal information is not protected with

adequate security, where identity thieves have easy access to data and

the ability to use it in detrimental ways. We are increasingly living

with digital dossiers about our lives, and these dossiers are not con-

trolled by us but by various entities, such as private-sector companies

and the government. These dossiers play a profound role in our exis-

tence in modern society. The identity thief taps into these dossiers

and uses them, manipulates them, and pollutes them. The identity

thief’s ability to so easily access and use our personal data stems from

an architecture that does not provide adequate security to our per-

sonal information and that does not aﬀord us with a suﬃcient degree

of participation in its collection, dissemination, and use. Conse-

quently, it is diﬃcult for the victim to ﬁgure out what is going on and

how to remedy the situation.

The traditional legal view of identity theft fails to address this ar-

chitecture, for it focuses on identity theft as a series of discrete in-

stances of crime rather than as a larger problem about the way our

personal information is handled. Even the term “identity theft” views

it as an instance of crime—a “theft” rather than the product of inade-

quate security.

The architecture enabling identity theft emerges from the govern-

ment and the private sector. With regard to the government part of

the structure, the SSN and public record systems create a regime

where identity is readily stolen and the consequences are severe.

SSNs are a key piece of information for identity theft, for they can un-

lock a wealth of other information held by the government and the

private sector.

Created in  as part of the Social Security System,

SSNs were not designed to be used as a general identiﬁer. Indeed, for

115

architecture and the protection of privacy

▲

many years, the Social Security card stated that it was “not for

identification.”

However, over time, numerous federal agencies

began using the SSN for identiﬁcation, as did state and local govern-

ments, schools, banks, hospitals, and other private-sector entities.

In the early s, the growing uses of the SSN raised serious con-

cerns that the SSN would become a de facto universal identiﬁer.

the Privacy Act of , Congress partially responded to these con-

cerns by prohibiting government agencies from denying any right,

beneﬁt, or privilege merely because an individual refused to disclose

her SSN. However, the Privacy Act did not restrict the use of SSNs by

the private sector.

The use of the SSN continued to escalate after the Privacy Act. As

one commentator has observed, “governmental dissemination of

personal identifying numbers is still widespread, and limits on pri-

vate actors are also virtually nonexistent.”

Today, the SSN functions

in the United States as a de facto identiﬁer, and there is scant protec-

tion on its use. SSNs are often widely available. Schools frequently use

student SSNs as student identiﬁers, which makes student SSNs avail-

able to a large number of university personnel. States often place

SSNs on driver’s licenses, which exposes SSNs to anyone who checks

a driver’s license for identiﬁcation. Additionally, SSNs are requested

on a wide variety of applications and forms, such as employment ap-

plications, hospital admittance forms, college applications, video

store membership applications, and credit card applications.

SSNs are used as passwords to obtain access to a host of personal

records from banks, investment companies, schools, hospitals, doc-

tors, and so on.

The SSN is a powerful number, for with it a person

can open and close accounts, change addresses, obtain loans, access

personal information, make ﬁnancial transactions, and more. In

short, the SSN functions as a magic key that can unlock vast stores of

records as well as ﬁnancial accounts, making it the identity thief’s

best tool.

Viewed in terms of architecture, the government has created an

identiﬁcation number without aﬀording adequate precautions

against its misuse. In so doing, the government has exposed every cit-

izen to signiﬁcant vulnerability to identity theft and other crimes

such as fraud and stalking.

116

architecture and the protection of privacy

▲

Not only are the uses of SSNs inadequately controlled, but SSNs

are relatively easy for the identity thief to obtain. SSNs are harvested

by database ﬁrms from a number of public and non-public sources,

such as court records or credit reports. It is currently legal for private

ﬁrms to sell or disclose SSNs. SSNs and other personal information

that assists identity thieves can be obtained from public records or

the database companies that market personal data mined from pub-

lic records.

SSNs are in fact required by law to be publicly disclosed

in bankruptcy records.

Identity thieves thus can plunder public

records, which are increasingly being made readily accessible on the

Internet, for personal information to carry out their crimes. For ex-

ample, recently the clerk of courts for Hamilton County, Ohio placed

the county’s public records on the Internet. From a speeding ticket

placed on the website, an identity thief accessed a victim’s SSN, ad-

dress, birth date, signature, and other personal information and

opened up credit card accounts in the victim’s name.

Further, iden-

tity thieves can obtain SSNs along with a detailed dossier about their

victims simply by paying a small fee to various database companies.

The problem of identity theft also stems from the private sector’s

inadequate security measures in handling personal information.

Companies lack adequate ways of controlling access to records and

accounts in a person’s name, and numerous companies engage in the

common practice of using SSNs, mother’s maiden names, and ad-

dresses for access to account information.

Additionally, creditors

give out credit and establish new accounts if the applicant supplies a

name, SSN, and address.

The credit reporting system also employs inadequate precautions

to ensure against inaccuracies in credit reports and improper access

to the system. Credit reporting agencies don’t work for the individuals

they report on; rather, they are paid by creditors. Even though the

FCRA gives people certain rights with regard to credit reporting agen-

cies, there is still a signiﬁcant lack of accountability because credit re-

porting agencies have no incentive to compete for the business of

those on whom they report. According to Lynn LoPucki, the problem

emerges because “creditors and credit-reporting agencies often lack

both the means and the incentives to correctly identify the persons

who seek credit from them or on whom they report.”

LoPucki aptly

117

architecture and the protection of privacy

▲

shifts the focus to the companies that control personal data and cor-

rectly contends that identity theft stems from the private sector’s use

of SSNs for identiﬁcation.

Viewed in terms of architecture, identity theft is part of a larger

problem, which is best articulated by using the Kafka metaphor. The

problem is that we have so little participation in the use of our per-

sonal data combined with the fact that it ﬂows so insecurely and care-

lessly without suﬃcient control. The harm is not simply measured in

the overt instances of identity theft and abuse, but in the fact that we

are made more vulnerable to a series of errors, abuses, and dangers.

Indeed, with ever more frequency, we are hearing stories about se-

curity glitches and other instances of personal data being leaked and

abused. For example, in , identity thieves improperly used Ford

Motor Credit Company’s code to access the credit ﬁles of , of

Ford’s customers, which were maintained by Experian, a major credit

reporting agency.

Citibank employed a database marketing com-

pany to collect the email addresses of its credit card customers and

send them emails oﬀering them access to their ﬁnancial informa-

tion.

This was done without verifying whether the email addresses

actually belonged to the particular customers.

The problems of information handling are most vividly illustrated

by an incident involving Princeton University oﬃcials who improp-

erly accessed personal information in a Yale University database. Yale

established a website enabling undergraduate applicants to ﬁnd out

whether they had been accepted or denied admission.

The website

invited students to enter additional information, such as their inter-

ests and hobbies.

To access the website, the students were asked

their name, birth date, and SSN.

However, in April , a Princeton

admissions oﬃcial accessed certain applicants’ accounts on Yale’s

website by using their SSNs.

After discovering the unauthorized ac-

cess by Princeton, Yale reported the incident to the FBI.

Although

the shady actions of the Princeton oﬃcial grabbed the most atten-

tion, the problem was created by Yale’s inept security measures, ones

that resemble in many ways those used by companies that hold even

more sensitive personal data.

The identity thief, then, is only one of the culprits in identity theft.

The government and businesses bear a signiﬁcant amount of respon-

118

architecture and the protection of privacy

▲

sibility, yet this is cloaked in the conception of identity theft as a dis-

crete crime that the victim could have prevented had she exercised

more care over her personal data. Identity theft does not merely hap-

pen; rather, it is manufactured by a legally constructed architecture.

Further, the architecture contributes to the harm caused to victims

of identity theft. Identity theft plunges people into a bureaucratic

nightmare. The identity theft injury to victims is often caused by the

frustration and sense of helplessness in attempting to stop and repair

the damage caused by the identity thief. Victims experience profound

diﬃculty in dealing with credit reporting agencies,

and often ﬁnd re-

curring fraudulent entries on their credit reports even after contact-

ing the agencies.

Identity theft laws do not adequately regulate the

bureaucratic system that injures victims. The bureaucracies control-

ling personal information are often indiﬀerent to the welfare of the

individuals to whom the information pertains.

Forging a New Architecture

If we see the problem architecturally, we see an architecture of vul-

nerability, one with large holes, gaps, and weak spots. The harm is

caused by the architecture itself. Living in a dilapidated structure—a

building with ﬂimsy walls, no locks, peepholes, inadequate ﬁre pro-

tection, and no emergency exits—is harmful, even without a disaster

occurring. Modern society is built on expectations that we will be

kept secure, that our money will not be stolen, that our homes will

not be invaded, that we will be protected against violence. It is diﬃ-

cult to imagine how we could maintain a free society if we did not

have protection against rape, assault, murder, and theft. If these pro-

tections are inadequate, there is harm even without being victimized.

Eﬀective safety is thus partly a design question. According to legal

scholar Neal Katyal, physical architecture can be proactive in com-

bating crime, for it can prevent crime. For example, “cleanliness and

aesthetic appeal” can make people perceive that a place is safe and

orderly, and make miscreants less likely to disrupt it.

In a similar

manner, the architecture of information ﬂows can be redesigned to

prevent identity theft and ameliorate its eﬀects. Identity theft is the

product of an architecture that creates vulnerability and insecurity, so

119

architecture and the protection of privacy

▲

the most eﬀective way to combat identity theft is to reconstruct this

faulty architecture. But what should an appropriate architecture look

like?

Participation and Responsibility. The problem of identity theft can be ad-

dressed with an architecture built around participation and responsi-

bility, the key concepts of the Fair Information Practices. At the most

basic level, the Fair Information Practices place the burden of ad-

dressing the identity theft problem on the entities that cause it—

those using personal information. The eﬀectiveness of the Fair

Information Practices depends upon how they are applied to particu-

lar privacy problems and how they are enforced. In what follows, I will

discuss how the two general aims of the Fair Information Practices—

participation and responsibility—can be implemented to help grap-

ple with the identity theft problem.

First, the architecture should allow for people to have greater par-

ticipation in the collection and use of their personal information.

Currently, information can be readily disseminated and transferred

without a person’s knowledge or consent. Few requirements exist for

how secure information must be kept, and information can be used

for whatever purpose the entity possessing it desires.

I recommend an architecture that requires companies gathering

personal information about people to keep individuals informed

about their information. Presently, even with the FCRA, credit report-

ing agencies are not responsive enough to the people whose informa-

tion they collect and disseminate. The recently passed FACTA allows

people to access their credit reports on a yearly basis, but identity

theft can occur in the interim and can cause much damage even in a

few months. People should be allowed to more regularly access their

credit reports for free.

But LoPucki fears that increasing a person’s

ability to access information held by credit reporting agencies will

also increase the identity thief’s ability to gain access.

A more radical

change in the credit reporting system may be necessary to ﬁx this

diﬃculty. An opt-in regime to credit reporting would signiﬁcantly

curtail problems of improper access to credit records. Currently,

credit reporting agencies need not establish any relationship with the

people on whom they report. In an opt-in regime, credit reporting

120

architecture and the protection of privacy

▲

agencies would have to contact individuals and would be legally ac-

countable for improper access to credit records. Individuals could ac-

cess their credit records through passwords or account numbers

rather than by supplying SSNs or other personal data.

When there is an unusual change in the behavior of a record sub-

ject, such as when a person who regularly repays her loans suddenly

starts defaulting, credit reporting agencies should notify that person.

The architecture should empower people with an easy, quick, and

convenient way to challenge inaccuracies about their personal infor-

mation as well as fraudulent entries in their credit reports. Disputes

can be resolved with a special arbitration system that can function

quickly and inexpensively rather than resorting to expensive court

proceedings.

If these measures are taken, victims will be able to discover more

quickly the existence of identity theft since they will be better in-

formed about the data collected about them and how it is being used.

The architecture should also be premised on the notion that the

collection and use of personal information is an activity that carries

duties and responsibilities. The law should establish speciﬁc meas-

ures of control over entities maintaining systems of personal data. For

example, if a company is providing background check information

about a person, it should be held responsible for any inaccuracies or

deﬁciencies in the information.

To establish greater responsibility, the law would regulate private-

sector security practices. Minimum security practices must be estab-

lished for handling people’s personal information or accounts. Use of

a SSN, mother’s maiden name, and birth date as the means of gaining

access to accounts should be prohibited. Identity theft can be cur-

tailed by employing alternative means of identiﬁcation, such as pass-

words.

This solution does not come without diﬃculties, as passwords can

be easily forgotten or discovered. The use of multiple questions and

answers supplied by the customer at the time the account is created

can be eﬀective. Questions might include favorite songs, places a per-

son has visited, and so on, and these questions must vary from insti-

tution to institution. If varying methods of identiﬁcation are used, an

identity thief will no longer be able to use a few pieces of information

121

architecture and the protection of privacy

▲

to access everything, which will minimize the severity of the impact

of identity theft. The thief may be able to access one or two accounts,

but not all of them. Unfortunately, so much personal information is

already maintained by various database companies that a person’s

answers may exist in these databases. For example, a person might

use as a password the name of her college, spouse, pet, or child.

Therefore, unique and less common questions and answers will pro-

vide better security against identity theft.

The possibility that databases will eventually include the types of

information that people generally use for these questions demon-

strates the importance of thinking architecturally. The problem of

identity theft is part of a larger structure in which companies are not

eﬀectively regulated in the collection, use, and dissemination of per-

sonal information. If database companies are regulated to prohibit

the dissemination of certain types of information, then this data can

be better protected from falling into the hands of an identity thief.

Of course, this method of identiﬁcation is far from foolproof. But

the level of sophistication and diﬃculty required to carry out an iden-

tity theft would be increased. Additionally, identity theft can be more

readily halted. It is currently a diﬃcult and cumbersome process to

change one’s SSN.

100

And a person cannot change her height, birth

date, or mother’s maiden name. Passwords, however, can easily be

changed. Thus, once discovered, identity theft will be easier to stop

and will not continue long after the victim becomes aware of it.

These suggestions pertain to already established accounts. Much

identity theft, however, occurs through the identity thief opening up

new accounts in the victim’s name. Currently, it is far too easy to es-

tablish a new account through the mail and the Internet.

101

Pre-ap-

proved credit card applications, for example, enable the recipient to

easily establish an account and change addresses. Companies that

want to open a new account through the mail should verify an appli-

cant’s address, date of birth, and phone number with a credit report-

ing agency, and then send written conﬁrmation both to the address

listed on the application and to the address that the credit reporting

agency has. Further, the company should follow-up by calling the ap-

plicant’s telephone number listed with the credit reporting agency. In

the event of any discrepancies in the information held by the credit

122

architecture and the protection of privacy

▲

reporting agency and the individual, the individual should be noti-

ﬁed. Of course, this solution would only work well if people had

greater participation in the collection and use of their information by

credit reporting agencies. Many attempts at identity theft can be

halted if creditors take greater care scrutinizing applications. Al-

though the identity thief can still intercept the notiﬁcation,

102

it re-

quires additional steps to carry out the identity theft, ones that can

increase the chances of the thief getting caught.

The solutions just discussed are only recommendations of the

types of solutions that can be employed once we recognize that we

need to focus on architecture. Viewing identity theft under the inva-

sion conception has diverted attention from these architectural con-

cerns. If the architecture recognizes the responsibilities of companies

maintaining personal data, it will provide a strong incentive for com-

panies to devise creative solutions and better security.

Understanding certain privacy problems as architectural demon-

strates that protecting privacy involves more than protecting against

isolated infractions. It is about establishing a particular social struc-

ture, one that ensures individual participation in the collection and

use of personal information and responsibilities for entities that con-

trol that data. The problem of identity theft may never be completely

eradicated, but in a world with the appropriate architecture, its preva-

lence and negative eﬀects will be signiﬁcantly curtailed.

123

architecture and the protection of privacy

▲

public

records

010

1010

01010

101010

0101010

101010

01010

1010

010

The Problem of

Public Records

From the beginning of the twentieth century, we have witnessed a

vast proliferation in the number of government records kept about

individuals as well as a signiﬁcant increase in public access to these

records. These trends together have created a problematic state of

aﬀairs—a system where the government extracts personal informa-

tion from the populace and places it in the public domain, where it is

hoarded by private-sector corporations that assemble dossiers on al-

most every American citizen.

Records from Birth to Death

Today, federal, state, and local government entities maintain a smor-

gasbord of public records.

State public records cover one’s life from

birth to death. Birth records can contain one’s name, date of birth,

place of birth, full names and ages of one’s parents, and mother’s

maiden name.

In particular, mother’s maiden names are important

because many companies use them as passwords to access more

sensitive data. Shortly after birth, the federal government stamps an

127

▲

individual with a SSN, which will be used throughout her life to iden-

tify her and consolidate records about her. States also maintain other

records relating to one’s personal life, such as records about mar-

riages, divorces, and death. These are often referred to collectively as

“vital records.” Records of marriages, which are public in most states,

contain maiden names, the date and place of birth of both spouses,

as well as their residential addresses.

Beyond vital records, states keep records for almost every occasion

an individual comes into contact with the state bureaucracy. Accident

reports and traﬃc citation records are made publicly available by

many states. Voting records can reveal one’s political party aﬃliation,

date of birth, place of birth, email address, home address, telephone

number,

and sometimes SSN.

In many states, this information is

publicly available.

An individual’s profession and place of employment often generate

a number of records. Many professions require licenses, such as doc-

tors, lawyers, engineers, insurance agents, nurses, police, account-

ants, and teachers. If an individual is injured at work, worker’s

compensation records may disclose the date of birth, type of injury,

and SSN.

If a person is a public employee, many personal details are

released to the public by way of personnel records, including home

address, phone number, SSN, salary, sick leave, and sometimes even

email messages.

In Massachusetts, government oﬃcials are required

by law to maintain “street lists” containing the names, addresses,

dates of birth, veteran statuses, nationalities, and occupations of all

residents. These lists, which organize residents by the streets they live

on, are made available to the police, to all political committees and

candidates, and to businesses and other organizations.

One’s home and property are also a matter of public record. Prop-

erty tax assessment records contain a detailed description of the

home, including number of bedrooms and bathrooms, amenities

such as swimming pools, the size of the house, and the value. Other

property ownership records unveil lifestyle information such as

whether one owns a boat, and if so, its size and type.

Often, any contact with law enforcement oﬃcials will yield a

record. Arrest records can include a person’s name, occupation, phys-

ical description, date of birth, and the asserted factual circumstances

128

the problem of public records

▲

surrounding the arrest.

Police records also contain information

about victims of crime.

Court records can be very revealing. In almost all states, court

records are presumed to be public.

Although current practice and

existing physical constraints limit the extent to which personal infor-

mation in court documents can be accessed, new technologies are on

the verge of changing this reality.

In civil cases, court ﬁles may contain medical histories, mental

health data, tax returns, and ﬁnancial information.

For example, in

an ordinary civil lawsuit over an automobile accident, the plaintiﬀ

must submit medical information, including any pre-existing condi-

tions that might be responsible for her symptoms. This data could

even include psychological information. To establish damages, the

plaintiﬀ must also reveal details about her lifestyle, activities, and em-

ployment. If this information is contained in a document ﬁled with

the court or is mentioned in a hearing or at trial, it can potentially be-

come accessible to the public unless protected by a protective order.

In addition to plaintiﬀs, civil defendants must also yield personal in-

formation in many instances.

Witnesses and other third parties who are involved in cases can

have deeply personal details snared by discovery and later exposed in

court documents. If a person serves as a juror, her name, address,

spouse’s name, occupation, place of employment, and answers to

voir dire questions may become part of the court record.

Some

courts have held that the public may have access to questionnaires

given to jurors as part of voir dire.

Voir dire questions can involve

sensitive matters such as whether a juror was the victim of a crime,

the juror’s political and religious beliefs, any medical and psychologi-

cal conditions that might aﬀect the juror’s performance, and other

private details.

Beyond ordinary civil lawsuits, special civil proceedings, such as

appeals from the denial of Social Security beneﬁts, release much in-

formation into court records, including a person’s disability, work per-

formance, SSN, birth date, address, phone number, and medical

records.

In federal bankruptcy courts, any “paper ﬁled . . . and the

dockets of a bankruptcy court are public records and open to exami-

nation by an entity at reasonable times without charge.”

Information

129

the problem of public records

▲

involved in bankruptcy proceedings includes one’s SSN, account

numbers, employment data, sources of income, expenses, debts

owed, and other ﬁnancial information.

Additionally, in certain cir-

cumstances, employees of a company that declares bankruptcy can

have their personal information divulged in public bankruptcy

records.

In some states, family court proceedings are public. For example, a

divorce proceeding can unmask the intimacies of marital relation-

ships. As the New Hampshire Supreme Court held, “[a] private citizen

seeking a divorce in this State must unavoidably do so in a public fo-

rum, and consequently many private family and marital matters be-

come public.”

Parties in criminal cases have even less privacy. Beyond the per-

sonal details about a defendant released at trial or in the govern-

ment’s indictment or charging papers, conviction records are made

public.

Information about victims—their lifestyles, medical data,

and occupation—can also be found in court records. Pre-sentence re-

ports prepared by probation oﬃcers about convicted defendants fac-

ing sentence are used by judges in arriving at the appropriate

sentence. These reports contain a summary of the defendant’s prior

criminal conduct, social history, character, family environment, edu-

cation, employment and income, and medical and psychological in-

formation.

Although in many states and in federal court,

pre-sentence reports remain conﬁdential, in some states, such as Cal-

ifornia, the pre-sentence report becomes part of the court ﬁle after

sentencing.

Community notiﬁcation laws for sex oﬀenders, often referred to as

“Megan’s Laws,” require the maintenance of databases of information

about prior sex oﬀenders and disclosure of their identities and where

they live. All  states have enacted some version of Megan’s Law.

Sex oﬀender records often contain SSNs, photographs, addresses,

prior convictions, and places of employment.

A number of states

have placed their sex oﬀender records on the Internet.

Some localities are even publicizing records about individuals ar-

rested, but not yet convicted, of certain crimes. In  Kansas City

initiated “John TV,” broadcasting on a government-owned television

station the names, photographs, addresses, and ages of people who

130

the problem of public records

▲

had merely been arrested (not convicted) for soliciting prostitutes,

and other cities have initiated similar programs.

Additionally, a

growing number of states are furnishing online databases of all of

their current inmates and parolees.

The Impact of Technology

For a long time, public records have been accessible only in the vari-

ous localities in which they were kept. A person or entity desiring to

ﬁnd out about the value of an individual’s home would have to travel

to the town or county where the property was located and search

through the records at the local courthouse. Depending upon local

practice, the seeker of a record might be able to obtain a copy through

the mail. Court records, such as bankruptcy records, would typically

be obtained by visiting a courthouse or engaging in a lengthy corre-

spondence with the clerk’s oﬃce.

The seeker of a record could not

obtain records en masse; records could only be obtained for speciﬁc

individuals.

This reality is rapidly changing. As records are increasingly com-

puterized, entire record systems rather than individual records can be

easily searched, copied, and transferred. Private-sector organizations

sweep up millions of records from record systems throughout the

country and consolidate them into gigantic record systems. Many

websites now compile public records from across the country.

There

are more than  companies oﬀering public record information over

the Internet.

These companies have constructed gigantic databases

of public records that were once dispersed throughout diﬀerent agen-

cies, oﬃces, and courthouses—and with the click of a mouse, mil-

lions of records can be scoured for details.

The increasing digitization of documents and the use of electronic

ﬁling will soon result in much greater accessibility to court records

online. Currently, most courts post only court rulings and schedules

on their websites. Only a handful of courts now post complaints and

other legal documents.

However, states are beginning to require

documents to be ﬁled electronically and to convert existing records

into digital format. For example, in New Jersey, bankruptcy records

(including a debtor’s bankruptcy petition) are scanned into electronic

131

the problem of public records

▲

format and can be accessed through the Internet.

Some companies

are beginning to make digital images of records available over the In-

ternet.

The federal court system is currently developing a system

that makes full case ﬁles accessible via the Internet.

Beyond greater accessibility, technology may also lead to the reten-

tion of greater amounts of personal information in public records.

Under current practice, due to storage space constraints, clerks’

oﬃces often do not maintain copies of exhibits and other documents

related to trials. However, as court documents such as pleadings and

exhibits are ﬁled in digital format, they will become easier to store.

Further, under current practice, transcripts are typically produced

only when a case is appealed. New technology enables transcripts of

court proceedings to be made instantaneously without having to be

transcribed. The increased use of such technology could result in the

existence of more transcripts of trials, which can potentially include

personal information about many parties and witnesses.

In sum, the increasing digitization of documents enables more

documents to be retained by eliminating storage constraints, in-

creases the ability to access and copy documents, and permits the

transfer of documents en masse. Personal information in public

records, once protected by the practical diﬃculties of gaining access

to the records, is increasingly less obscure.

The Regulation of Public Records

As it currently stands, public records law is a complicated and diverse

hodge-podge of various statutes, court practices, and common law

rights that vary from state to state and leave much personal informa-

tion unprotected. A broad overview of the law that governs public

records reveals that it is disconnected, often outdated, and inade-

quate to meet the challenges of the new technologies of the Informa-

tion Age.

The Common Law, Court Records, and Protective Orders. At common law,

English courts rarely encountered cases involving an individual seek-

ing to gain access to government records.

Only in unusual circum-

stances could individuals inspect government records, such as when

132

the problem of public records

▲

people needed them for court proceedings.

Access to court records,

as opposed to other public records, was broader. When documents

were introduced into evidence, individuals were permitted access.

Early U.S. courts followed the English practice.

Only if a person

had a “special interest” in examining records would access be

granted.

Later on, the common law evolved to expand the “interest”

required for inspection to include redressing public wrongs and mon-

itoring government functions.

The law then broadened even further

to include all purposes that were not improper or harmful to others.

One of the most commonly mentioned improper purposes was “to

satisfy idle curiosity or for the purpose of creating a public scandal.”

In contrast to public records, the right to inspect court records was

generally broader and was shaped by the supervisory authority of the

courts.

The courts had a long tradition of permitting open access to

court records, and access was rarely limited based on the purposes

for which the records were sought.

In , in Nixon v. Warner Com-

munications, Inc., the Supreme Court noted that “[i]t is clear that the

courts of this country recognize a general right to inspect and copy

public records and documents, including judicial records and docu-

ments.”

The right is justiﬁed by “the citizen’s desire to keep a watch-

ful eye on the workings of public agencies, and in a newspaper

publisher’s intention to publish information concerning the opera-

tion of government.” The common law right of access isn’t absolute,

especially for court records, because “[e]very court has supervisory

power over its own records and ﬁles,” and can deny access when

records reveal embarrassing personal information or cause harm.

The decision over whether to permit access “is one best left to the

sound discretion of the trial court.”

In the federal court system, pursuant to Federal Rule of Civil Proce-

dure (c), judges have discretion “for good cause shown” to issue

protective orders to shield information from disclosure where it

might cause a party “annoyance, embarrassment, oppression, or un-

due burden or expense.”

Protective orders allow documents to be

used by parties to a case, but restrict public access. Most states have a

rule similar to Rule (c).

Since court records are presumed to be

publicly accessible, a party seeking a protective order must overcome

the presumption.

Courts balance a party’s interest in privacy against

133

the problem of public records

▲

the public interest in disclosure.

If a court decides to deny access, it

“must set forth substantial reasons.”

Courts also retain discretion to issue special orders to keep certain

proceedings and information conﬁdential. A court will sometimes,

under very limited circumstances, seal court proceedings such as tri-

als.

A court can allow a plaintiﬀ to proceed anonymously with the

use of a pseudonym.

Courts can also permit anonymous juries when

jurors might otherwise be placed in danger. These decisions, how-

ever, are within the discretion of the trial court, and courts diﬀer

greatly in the exercise of their discretion. For example, one court per-

mitted a woman who had been raped at a train station and was suing

Amtrak to keep her identity secret because of the potential embar-

rassment she would suﬀer if the details of her rape became known in

her community.

In contrast, another court held that a victim of sex-

ual assault could not sue her assailant for civil damages under a pseu-

donym because “[f]airness requires that she be prepared to stand

behind her charges publicly” and because she was “seeking to vindi-

cate primarily her own interests.”

In sum, under modern American common law, there is a limited

right to access public records so long as one’s purpose is not im-

proper. For court records, the common law right to access follows the

supervisory authority of the courts, and judges have signiﬁcant dis-

cretion in granting or denying access.

Freedom of Information Laws. State legislatures gradually replaced or

supplemented the common law right of access with open records

statutes, which generally mandated broad access.

These statutes are

called “freedom of information,” “open access,” “right to know,” or

“sunshine” laws. States were initially slow in enacting statutory public

access rights; by , only  states had open records statutes.

, Congress passed the Freedom of Information Act (FOIA), pro-

viding substantial public access to records of the federal government.

When he signed the FOIA into law, President Lyndon Johnson de-

clared that “democracy works best when the people have all the infor-

mation that the security of the Nation permits. No one should be able

to pull curtains of secrecy around decisions which can be revealed

without injury to the public interest.”

Under FOIA, “any person” (in-

134

the problem of public records

▲

cluding associations, organizations, and foreign citizens) may request

“records” maintained by an executive agency.

Requesters of records

don’t need to state a reason for requesting records.

FOIA does not

apply to records kept by Congress or the Judiciary.

Today, all  states have open records statutes, a majority of which

are modeled after the FOIA.

Like the federal FOIA, state FOIAs are

justiﬁed by a strong commitment to openness and transparency.

Following FOIA, many states eliminated the common law require-

ment that requesters establish an interest in obtaining the records.

Most state FOIAs contain a presumption in favor of disclosure.

Open access laws never mandate absolute disclosure. They con-

tain exemptions, typically (although not always) including an exemp-

tion to protect individual privacy. The federal FOIA contains nine

enumerated exemptions to disclosure, two of which pertain to pri-

vacy. One applies generally to records which “would constitute a

clearly unwarranted invasion of personal privacy”; the other applies

to law enforcement records that could “constitute an unwarranted in-

vasion of personal privacy.”

If possible, private information can be

deleted from records, and the redacted records disclosed to the re-

quester.

The federal FOIA doesn’t require that a person be given notice that

his or her personal information is encompassed within a FOIA re-

quest. Even if an individual ﬁnds out about the request, she has no

right under FOIA to prevent or second-guess an agency’s decision to

disclose the records. FOIA does not require that the government with-

hold information; it is up to the government agency to assert and to

litigate the individual’s privacy interest.

State FOIA privacy exemptions come in myriad shapes and sizes.

Many state FOIAs contain privacy exemptions similar to those found

in the federal FOIA, applying when disclosure would constitute a

“clearly unwarranted” invasion of privacy.

However, not all state

FOIAs have privacy exemptions. Pennsylvania’s Right to Know Act

does not contain a privacy exemption; it prohibits only access to

records “which would operate to the prejudice or impairment of a

person’s reputation or personal security.”

As one court stated, “the

phrase ‘personal security’ does not mean ‘personal privacy.’”

Ohio’s

Public Records Act does not contain any privacy exemption.

135

the problem of public records

▲

In applying FOIA privacy exemptions, many states follow the fed-

eral FOIA approach and balance interests of privacy against the inter-

ests of public access.

However, states have adopted widely diﬀering

approaches often stemming from vastly diﬀerent judicial concep-

tions of privacy.

Privacy Acts. The Privacy Act of  regulates the record systems of

federal agencies. The Act prohibits the disclosure of personal infor-

mation; requires records to be kept secure; and gives people the right

to review their records and to ask the agency to correct any errors.

People can sue if they are harmed by an agency’s failure to comply

with the Act. The Privacy Act has signiﬁcant limitations. It is limited

only to the public sector. It applies to federal, not state and local

agencies. Further, the Act has been eroded by about a dozen excep-

tions. For example, agencies can disclose information without the

consent of individuals to the Census Bureau, to law enforcement enti-

ties, to Congress, and to credit reporting agencies. When FOIA re-

quires that information be released, the Privacy Act does not apply.

Nor does the Privacy Act apply to court records.

The broadest exception is that information may be disclosed for

any “routine use” if disclosure is “compatible” with the purpose for

which the agency collected the information.

The “routine use” ex-

ception has repeatedly been criticized as being a gigantic loophole.

As privacy law expert Robert Gellman writes, “[t]his vague formula

has not created much of a substantive barrier to external disclosure of

personal information.”

Although the Privacy Act requires an individual’s permission be-

fore his or her records can be disclosed, redress for violations of the

Act is virtually impossible to obtain.

The Privacy Act provides indi-

viduals with a monetary remedy for disclosures of personal informa-

tion only if the disclosure was made “willfully and intentionally.”

This restriction on recovery of damages fails to redress the most com-

mon form of mistakes—those due to carelessness. This leaves little

incentive to bring suit against violators.

For example, in Andrews v.

Veterans Administration, the Veterans Administration released inade-

quately redacted personnel records of nurses, resulting in what the

136

the problem of public records

▲

court called a “substantial” violation of nurses’ privacy. However, the

agency could not be sued under the Privacy Act because it acted neg-

ligently, not willfully.

Moreover, less than a third of the states have

enacted a general privacy law akin to the Privacy Act.

Paul Schwartz

observes that most states lack “omnibus data protection laws” and

have “scattered laws [that] provide only limited protections for per-

sonal information in the public sector.”

Access and Use Restrictions. Confronted with increased information

trade, some states have attempted to restrict access to personal infor-

mation in public records as well as certain uses of personal informa-

tion obtained from public records. In the last decade, a number of

states have enacted access restrictions for some of their public

records, often excluding access for commercial uses, such as solicit-

ing business or marketing services or products. For example, Georgia

amended its public records law in , making it unlawful to access

law enforcement or motor vehicle accident records “for any commer-

cial solicitation of such individuals or relatives of such individuals.”

In , Louisiana restricted access to accident records for commer-

cial solicitation purposes.

Kentucky, in response to “a public

groundswell [that] developed against the release of accident reports

to attorneys and chiropractors,”

amended its public records law in

 to restrict access for these and other commercial uses.

In ,

Florida barred the access of driver information in traﬃc citations

from those seeking it for commercial solicitation purposes.

Col-

orado curtailed access to criminal justice records unless those seek-

ing access signed a statement that such records would not be used

“for the direct solicitation of business for pecuniary gain.”

California

restricted access to arrest records by providing that the records “shall

not be used directly or indirectly to sell a product or service . . . and

the requester shall execute a declaration to that eﬀect under penalty

of perjury.”

Almost half of the states prohibit the commercial use of

voter registration records.

The federal government also has certain access and use restric-

tions for its public records. Pursuant to the Federal Election Cam-

paign Act (FECA), reports of contributors to political committees are

137

the problem of public records

▲

“available for public inspection . . . except that any information

copied from such reports . . . may not be sold or used by any person

for the purpose of soliciting contributions or for commercial pur-

poses.”

In sum, although in certain contexts laws are beginning to limit ac-

cess to public records for some purposes, the vast majority of public

records remain virtually unrestricted in access.

Restrictions on State Information Practices. In a rare instance, the federal

government has directly regulated the states’ use of public records. In

, Congress passed the Driver’s Privacy Protection Act (DPPA) to

curtail states’ selling their motor vehicle records to marketers.

Reno v. Condon, the Supreme Court concluded that DPPA was a

proper exercise of Congress’s authority to regulate interstate com-

merce. Further, the Court concluded that DPPA “regulates the States

as the owners of databases” and does not require them to enact regu-

lation or to assist in enforcing federal statutes concerning private in-

dividuals.

Although DPPA is an important ﬁrst step in bringing state

public records systems under control, DPPA applies only to motor ve-

hicle records and does not forbid the dissemination of all the other

public records states maintain.

The Regulatory Regime of Public Records. As illustrated throughout this

chapter, states vary signiﬁcantly in what information they make pub-

licly available. Often such decisions are made by agencies and bu-

reaucrats or left to the discretion of the courts. Decisions as to the

scope of access—whether one must obtain a record by physically go-

ing to a local agency oﬃce, by engaging in correspondence by mail, or

by simply downloading it from the Internet—are often made by local

bureaucrats. Frequently, it is up to the individual to take signiﬁcant

steps to protect privacy, such as overcoming the presumption of ac-

cess to court records. In many instances, individuals are never even

given notice or an opportunity to assert a privacy interest when

records containing their personal information are disclosed.

Diﬀering protection of personal information with no minimum

ﬂoor of protection presents signiﬁcant problems in today’s age of in-

creasing mobility and information ﬂow. There is no federal law estab-

138

the problem of public records

▲

lishing a baseline for the regulation of public records. Thus, personal

information is regulated by a bewildering assortment of state statu-

tory protections, which vary widely from state to state.

This chaotic state of aﬀairs is troublesome in an Information Age

where information so ﬂuidly passes throughout the country and is

being made more widely available through the Internet. The privacy

protection that currently exists for public records is largely designed

for a world of paper records and has been slow to adapt to an age

where information can be downloaded from the Internet in an in-

stant.

139

the problem of public records

▲

Access and Aggregation

Rethinking Privacy

and Transparency

The Tension between Transparency and Privacy

A  episode of the television newsmagazine Dateline illustrates

one way that the tension between transparency (open access to pub-

lic records) and privacy can arise.

A man, imprisoned for murder, ob-

tained under a state FOIA the address of a former girlfriend. When she

learned that her ex-boyfriend obtained her address, the woman be-

came quite scared because her ex-boyfriend was prone to losing his

temper and held a grudge against her. She lived in fear, knowing that

someday he would be released and might come after her. The pris-

oner, however, claimed that he was the father of her child and needed

the address because he wanted to ﬁle a paternity suit. This story illus-

trates why it is important for people to be able to obtain certain infor-

mation about others, yet also demonstrates the dangers and threat to

privacy caused by the ready availability of information.

There are at least four general functions of transparency: () to shed

light on governmental activities and proceedings; () to ﬁnd out in-

formation about public oﬃcials and candidates for public oﬃce; ()

to facilitate certain social transactions, such as selling property or ini-

tiating lawsuits; and () to ﬁnd out information about other individu-

als for a variety of purposes.

140

▲

First, and perhaps most importantly, transparency provides the

public with knowledge about the government and an understanding

of how it functions. By promoting awareness of the workings of gov-

ernment, transparency serves a “watchdog” function. Open access to

government proceedings ensures that they are conducted fairly. Open

access exposes the government to public scrutiny and enables a

check on abuse and corruption. “Sunlight is said to be the best of dis-

infectants,” declared Justice Brandeis, “electric light the most eﬃcient

policeman.”

Making arrest records public, for example, protects

against secret arrests and government abuses.

Open access to public

court records “allows the citizenry to monitor the functioning of our

courts, thereby insuring quality, honesty, and respect for our legal sys-

tem.”

As James Madison observed: “A popular Government, without

popular information, or the means of acquiring it, is but a Prologue to

a Farce or a Tragedy; or, perhaps both. Knowledge will forever govern

ignorance: And a people who mean to be their own Governors, must

arm themselves with the power which knowledge gives.”

According

to Justice Oliver Wendell Holmes:

It is desirable that the trial of [civil] causes should take place un-

der the public eye not because the controversies of one citizen

with another are of public concern, but because it is of the high-

est moment that those who administer justice should always act

under the sense of public responsibility, and that every citizen

should be able to satisfy himself with his own eyes as to the

mode in which a public duty is performed.

Access to court records permits people to examine the information

considered by courts making decisions aﬀecting the public at large.

Issues raised in a product liability case could have signiﬁcance for

millions of others who use a product. Information about how certain

types of cases are resolved—such as domestic abuse cases, medical

malpractice cases, and others—is important for assessing the compe-

tency of the judicial system for resolving important social matters.

Scholars and the media need to look beyond a judicial decision or a

jury verdict to scrutinize the records and evidence in a case. The abil-

ity to identify jurors enables the media to question them about the

reasons for their verdict. Courts and commentators have pointed out

141

access and aggregation

▲

that the Watergate Scandal might never have been uncovered if the

original bail hearing had been closed to the press because reporters

Bob Woodward and Carl Bernstein would not have been suspicious

that expensive attorneys were representing the burglars.

The second function of transparency is to enable the scrutiny of

public oﬃcials or candidates for public oﬃce. Information about a

politician’s criminal history might be informative to many voters. In-

formation about a politician’s property may provide insight into the

politician’s wealth, a factor that might shape the politician’s values

and public decisions. Some voters may ﬁnd a politician’s divorce

records and marital history illustrative of the person’s character.

Other possibly informative information about a politician could in-

clude that she was sued many times or sued others many times; that

she once declared bankruptcy; that she never voted in any elections;

that she was formerly registered in another political party; that she

owns property in other states; and so on. Open access to public

records enables voters to ﬁnd out such information so they may make

more informed choices at the polls.

Third, transparency facilitates certain social transactions. Access to

public records is an essential function for the sale and transfer of

property, as it enables people to trace ownership and title in land.

Public record information is useful in locating witnesses for judicial

proceedings as well as locating heirs to estates. Further, access to

public records can allow individuals and entities to track down indi-

viduals they want to sue and to obtain the necessary information to

serve them with process.

The fourth function of transparency is to enable people to ﬁnd out

information about individuals for various other purposes. Public

records can help verify individual identity, investigate fraud, and lo-

cate lost friends and classmates. Public records enable law enforce-

ment oﬃcials to locate criminals and investigate crimes, and can

assist in tracking down deadbeat parents. Public records can permit

people to investigate babysitters or child care professionals. Employ-

ers can use public record information to screen potential employees,

such as examining the past driving records of prospective truck driv-

ers or taxicab drivers. Criminal history information might be relevant

when hiring a worker in a child care facility or a kindergarten teacher.

142

access and aggregation

▲

Transparency, however, can come into tension with privacy. Can

both of these important values be reconciled? Before turning to this

question, I must ﬁrst address how the privacy problem to which pub-

lic records contribute should be understood. We must rethink certain

longstanding notions about privacy before we can reach an appropri-

ate balance between transparency and privacy.

Conceptualizing Privacy and Public Records

Access: The Public Is Private. The secrecy paradigm, as discussed in

chapter , is deeply entrenched in information privacy law. In addi-

tion to focusing on whether information is completely secret or not,

the paradigm categorizes information as either public or private.

When information is private, it is hidden, and as long as it is kept se-

cret, it remains private. When it is public, it is in the public domain

available for any use. Information is seen in this black-and-white

manner; either it is wholly private or wholly public.

This paradigm is outmoded in the Information Age. Unless we live

as hermits, there is no way to exist in modern society without leaving

information traces wherever we go. Therefore, we must abandon the

secrecy paradigm. Privacy involves an expectation of a certain degree

of accessibility of information. Under this alternative view, privacy

entails control over and limitations on certain uses of information,

even if the information is not concealed. Privacy can be violated by

altering levels of accessibility, by taking obscure facts and making

them widely accessible. Our expectation of limits on the degree of ac-

cessibility emerges from the fact that information in public records

has remained relatively inaccessible until recently. Our personal in-

formation in public records remained private because it was a needle

in a haystack, and usually nobody would take the time to try to ﬁnd it.

This privacy is rapidly disappearing as access to information is in-

creasing.

In limited contexts, some courts are beginning to abandon the se-

crecy paradigm, although most courts still cling to it. In United States

Department of Justice v. Reporters Committee for Freedom of the Press,

the Supreme Court held that the release of FBI “rap sheets” was an in-

vasion of privacy within the privacy exemption of FOIA. The FBI rap

143

access and aggregation

▲

sheets contained the date of birth, physical description, and a history

of arrests, charges, and convictions on over  million people. The re-

porters argued that the rap sheet wasn’t private because it was merely

a collection of data that had previously been publicly disclosed. The

Court didn’t agree, noting that “there is a vast diﬀerence between the

public records that might be found after a diligent search of court-

house ﬁles, county archives, and local police stations throughout the

country and a computerized summary located in a single clearing-

house of information.”

In cases involving the privacy torts, a few courts have recognized a

privacy interest in information exposed to the public. In Melvin v.

Reid, a former prostitute who was once criminally prosecuted for

murder had left the prostitution business long ago and got married.

When the movie The Red Kimono, depicted her life story and used her

maiden name, she sued under the tort of public disclosure. The court

held that although she could not claim that the facts about her life

were private because they were in the public record, there was no

need for the movie to use her real name.

Likewise, in Briscoe v. Reader’s Digest Ass’n, an article in Reader’s Di-

gest magazine about hijacking disclosed that the plaintiﬀ had hi-

jacked a truck  years earlier. Briscoe had rehabilitated himself, and

his new friends, family, and young daughter weren’t aware of his

crime. The court held that although the facts of the crime could be

disclosed, Briscoe could sue for the use of his name, which had no rel-

evance to the article.

Generally, however, most courts still adhere to the secrecy para-

digm and do not recognize a privacy interest when information is ex-

posed to the public. As a result, most courts have rejected the Reid

and Briscoe approach.

In Forsher v. Bugliosi,

the court considered

Briscoe “anexception to the more general rule that ‘once a man has

become a public ﬁgure, or news, he remains a matter of legitimate re-

call to the public mind to the end of his days.’”

Likewise, the Re-

statement for the tort of public disclosure explains: “There is no

liability when the defendant merely gives further publicity to infor-

mation about the plaintiﬀ that is already public. Thus there is no lia-

bility for giving publicity to facts about the plaintiﬀ’s life which are

matters of public record.”

Similarly, for the tort of intrusion upon

144

access and aggregation

▲

seclusion, the Restatement provides that “there is no liability for the

examination of a public record concerning the plaintiﬀ.”

Further,

Briscoe seems foreclosed by the Supreme Court’s decision in Cox

Broadcasting Corp. v. Cohn, which held that when information is dis-

closed in documents open to the public, the press cannot be pun-

ished for publishing it.

In a number of cases, courts applying the constitutional right to in-

formation privacy have become mired in the secrecy paradigm.

Courts have refused to ﬁnd a constitutional right to information pri-

vacy for data exposed to the public. In Scheetz v. Morning Call, Inc., a

court held that a husband and wife had no constitutional right to in-

formation privacy in a police report disclosed to the press containing

the wife’s allegations of spousal abuse. Although her complaint to the

police did not result in charges, “[t]he police could have brought

charges without her concurrence, at which point all the information

would have wound up on the public record, where it would have been

non-conﬁdential.”

In Cline v. Rogers, the court held that police

records weren’t private “since arrest and conviction information are

matters of public record.”

In Walls v. City of Petersburg, public em-

ployees were questioned about the criminal histories of their family

members, their complete marital history, including marriages, di-

vorces, and children, and any outstanding debts or judgments against

them. According to the court, the information wasn’t private because

it was already available in public records.

Courts have also adhered to the secrecy paradigm in challenges to

Megan’s Laws, which mandate the public disclosure of information

about prior sex oﬀenders. In Russell v. Gregoire, convicted sex oﬀen-

ders challenged the disclosure of their picture, name, age, date of

birth, crimes, and neighborhoods in which they lived. The court held

that the information wasn’t private because it was “already fully avail-

able to the public.”

Likewise, in Paul P. v. Verniero, the court held

there was no privacy interest in the names and physical descriptions

of previously convicted sex oﬀenders.

In sum, although divided, most courts adhere to the secrecy para-

digm. Unless the secrecy paradigm is abandoned, people will lose any

ability to claim a privacy interest in the extensive personal informa-

tion in public records.

145

access and aggregation

▲

Aggregation: The Digital Biography. Another longstanding notion of pri-

vacy—the invasion conception, which I discussed in chapter —

doesn’t recognize an infringement of privacy unless there is a

palpable invasion. Information protected as private must be embar-

rassing or harmful to one’s reputation. The problem with the invasion

conception is that public record information often consists of fairly

innocuous details—such as one’s birth date, address, height, weight,

and so on.

Following the invasion conception, a number of courts have re-

jected claims that certain information falls within state FOIA privacy

exemptions because the information didn’t pose immediate harms to

reputation or security. One court reasoned that “[n]ames and ad-

dresses are not ordinarily personal, intimate, or embarrassing pieces

of information.”

Another court held that police payroll records con-

taining each employee’s name, gender, date of birth, salary, and other

data could be disclosed because the records didn’t harm their reputa-

tions.

Information about teacher salaries, according to one court,

didn’t fall within the privacy exemption because “[t]he salaries of

public employees and schoolteachers are not ‘intimate details . . . the

disclosure of which might harm the individual.’”

If the release of certain information in public records doesn’t make

one blush or reveal one’s deepest secrets, then what is the harm? The

harm stems from the aggregation eﬀect discussed in chapter .

Viewed in isolation, each piece of our day-to-day information is not

all that telling; viewed in combination, it begins to paint a portrait

about our personalities. Moreover, these digital biographies greatly

increase our vulnerability to a variety of dangers. As public record in-

formation becomes more readily available, criminals can use it to

gain access to a person’s ﬁnancial accounts. For example, one indus-

trious criminal gained access to the ﬁnancial accounts of a number of

individuals on Forbes magazine’s list of the  richest people in

America such as Oprah Winfrey and George Lucas.

Identity thieves

frequently obtain personal information necessary for their criminal

activity through information brokers, who sell reports about individ-

uals based on public record data combined with other information.

As discussed in chapter , the SSN is the most useful tool of the iden-

tity thief, and SSNs are often available in various public records.

146

access and aggregation

▲

Public record information also can expose people to violence. In

, a fan obsessed with actress Rebecca Shaeﬀer located her home

address with the help of a private investigator who obtained it from

California motor vehicles records. The fan murdered her outside her

home. This killing spurred Congress to pass the Driver’s Privacy Pro-

tection Act (DPPA), which restricts the states’ ability to release motor

vehicle records.

In another example, an Internet site known as the

“Nuremberg Files” posted information about doctors working in

abortion clinics, including names, photos, SSNs, home addresses, de-

scriptions of their cars, and information about their families.

Doc-

tors who were killed had a black line drawn through their names.

Names of wounded doctors were shaded in gray. The doctors sued. At

trial, they testiﬁed as to how their lives became riddled with fear, how

some wore bulletproof vests and wigs in public. They won the suit

and were able to block the use of their personal information on the

website.

This case demonstrates the dangers from increased access

to personal information, even relatively non-intimate information

such as one’s address.

At a more abstract level, the existence of digital dossiers alters the

nature of the society we live in. In

, in his highly inﬂuential book,

The A

ssault on Privacy,

law pr

ofessor Arthur Miller warned of the

“possibility of constructing a sophisticated data center capable of

generating a comprehensive womb-to-tomb dossier on every indi-

vidual and transmitting it to a wide range of data users over a national

network.”

On a number of occasions, the federal government has

ﬂirted with the idea of creating a national database of personal infor-

mation. The Johnson administration contemplated creating a Na-

tional Data Center that would combine information collected by

various federal agencies into one large computer database, but the

plan was scrapped after a public outcry arose.

Again, in the early

s

, an o

ﬃcial in the G

ener

al S

ervices Administration proposed

that all of the federal government’s computer systems be connected

in a network called FEDNET. Responding to a public outcry, Vice

President Gerald Ford stopped the plan.

Although these

oposals

hav

been halted due to public outcries,

we have been inching toward a system of de facto national identi

ﬁca-

tion for some

time and are precariously close to having one.

The

147

ccess and aggregation

Immigration Reform and Control Act of  requires new employees

to supply identiﬁcation and proof of U.S. citizenship before obtaining

a new job.

In arecent eﬀort to track down parents who fail to pay

child support, the federal government has created a vast database

consisting of information about all people who obtain a new job any-

where in the nation. The database contains their SSNs, addresses,

and wages.

The ready availability of one’s SSN and the ability to

combine it with a host of other information about individuals will

make increasingly more possible a reality where typing an individ-

ual’s name into a searchable database will pull up a “womb-to-tomb”

dossier.

Such a reality can pose signiﬁcant dangers. “Identity systems and

documents,” observes political scientist Richard Sobel, “have a long

history of uses and abuses for social control and discrimination.”

Slaves were required to carry identifying papers to travel; identiﬁca-

tion cards were used by the Nazis in locating Jews; and the slaughter

of Tutsis in Rwanda was aided by a system of identiﬁers.

In addition

to facilitating the monitoring and control of individuals, such a

dossier may make a person a “prisoner of his recorded past.”

Records of personal information can easily be used by government

leaders and oﬃcials for improper monitoring of individuals. Data can

be exploited for whatever task is at hand—a tool available to anyone

in power in government to use in furtherance of the current passion

or whim of the day. For example, in , the Census Bureau used its

data from the  census to assist in the eﬀort to intern Japanese

Americans during World War II.

Currently, we do not know the full

consequences of living in a dossier society, but we are rapidly moving

toward becoming such a society without suﬃcient foresight and

preparation.

The problems and dangers just illustrated are not merely the prod-

uct of the actions of the government. Rather, these troubles are

caused by the way that both public- and private-sector entities are

using personal information. The issue concerns more than isolated

threats and harms, but is fundamentally about the structure of our

society. Not only are public records altering the power that the gov-

ernment can exercise over people’s lives, but they are also contribut-

ing to the growing power of businesses. As I discussed earlier in this

148

access and aggregation

▲

book, although people may be aware that dossiers are being assem-

bled about them, they have no idea what information the dossiers

contain or how the dossiers are being used. This reality leads to un-

ease, vulnerability, and powerlessness—a deepening sense that one is

at the mercy of others, or, perhaps even more alarming, at the mercy

of a bureaucratic process that is arbitrary, irresponsible, opaque, and

indiﬀerent to people’s dignity and welfare.

The problem with information collection and use today is not

merely that individuals are no longer able to exercise control over

their information; it is that their information is subjected to a bureau-

cratic process that is itself out of control. Without this process being

subject to regulation and control and without individuals having

rights to exercise some dominion over their information, individuals

will be routinely subjected to the ills of bureaucracy.

Public records contribute to this privacy problem because they are

often a principal source of information for businesses in the con-

struction of their databases. Marketers stock their databases with

public record information, and the uses to which these databases are

put are manifold and potentially limitless. The personal information

in public records is often supplied involuntarily and typically for a

purpose linked to the reason why particular records are kept. The

problem is that, often without the individual’s knowledge or consent,

the information is then used for a host of diﬀerent purposes by both

the government and businesses.

Therefore, the privacy problem caused by public records concerns

the structure of information ﬂow—the way that information circu-

lates throughout our society. The problem is not necessarily the dis-

closure of secrets or the injury of reputations, but is one created by

increased access and aggregation of data. Privacy is an issue that con-

cerns what type of society we want to construct for the future. Do we

want to live in a Kafkaesque world where dossiers about individuals

circulate in an elaborate underworld of public- and private-sector

bureaucracies without the individual having notice, knowledge, or

the ability to monitor or control the ways the information is used?

149

access and aggregation

▲

Transparency and Privacy: Reconciling the Tension

How can the tension between transparency and privacy be recon-

ciled? Must access to public records be sacriﬁced at the altar of pri-

vacy? Or must privacy evaporate in order for government to be

disinfected by sunlight?

Both transparency and privacy can be balanced through limita-

tions on the access and use of personal information in public records.

Of course, we must rethink what information belongs in public

records. But we must also regulate the uses of our digital dossiers. The

government is not doing enough to protect against the uses of the in-

formation that it routinely pumps into the public domain. If we aban-

don the notion that privacy is an exclusive status, and recognize that

information in public records can still remain private even if there is

limited access to it, then we can ﬁnd a workable compromise for the

tension between transparency and privacy. We can make information

accessible for certain purposes only. When government discloses in-

formation, it can limit how it discloses that information by preventing

it from being amassed by companies for commercial purposes, from

being sold to others, or from being combined with other information

and sold back to the government.

Much of the personal information in public records is not neces-

sary to shed light on the way government carries out its functions.

Rather, this information reveals more about the people who are the

subjects of the government’s regulatory machinery. Although the fed-

eral FOIA has served to shed light on government activities and has

supplied critical information for hundreds of books and articles, it

has also been used as a tool for commercial interests. The vast major-

ity of FOIA requests are made by businesses for commercial pur-

poses.

According to Judge Patricia Wald, FOIA turns agencies into

“information brokers” rather than “a window for public assessment of

how government works.”

When weighing interests under the privacy

exceptions to the federal FOIA, although courts can’t consider the

identity and purpose of the requester, they can take into account the

relationship of the requested document to the purposes of FOIA.

Unlike the federal FOIA, many states routinely permit access by infor-

150

access and aggregation

▲

mation brokers without looking to the purposes of their open access

laws or the public interest.

State FOIAs generally do not permit any discrimination among re-

questers. In a number of cases, oﬃcials wanting to restrict access to

people requesting records for commercial use had no statutory au-

thority to do so. In Dunhill v. Director, District of Columbia Depart-

ment of Transportation, a marketer of personal information about

individuals sought a listing on computer tape of the names, ad-

dresses, birth dates, gender, and expiration date of drivers’ permits of

all people holding valid District of Columbia drivers’ permits. The

court held that the government had to release the information be-

cause the statute didn’t authorize the government to look to the mo-

tives of the request.

In In re Crawford, a preparer of bankruptcy

petitions for debtors challenged the requirement that he divulge his

SSN on the petition, which would then be made public. The court rec-

ognized that although disclosure of his SSN exposed him to potential

fraud and identity theft, the interest in public access “is of special im-

portance in the bankruptcy arena, as unrestricted access to judicial

records fosters conﬁdence among creditors regarding the fairness of

the bankruptcy system.”

Thus, the court formalistically invoked the

principle of transparency, relying on the vague argument that total

transparency fosters “conﬁdence.”

The danger with any principle is that it can drift to diﬀerent uses

over time. Jack Balkin identiﬁes this problem as “ideological drift.”

“Ideological drift in law means that legal ideas and symbols will

change their political valence as they are used over and over again in

new contexts.”

Laws fostering transparency are justiﬁed as shedding

light into the dark labyrinths of government bureaucracy to expose its

inner workings to public scrutiny, and preventing the harrowing situ-

ation in Kafka’s The Trial—a bureaucracy that worked in clandestine

and mysterious ways, completely unaccountable and unchecked.

These are certainly laudable goals, for they are essential to democ-

racy and to the people’s ability to keep government under control.

However, freedom of information laws are increasingly becoming a

tool for powerful corporations to collect information about individu-

als to further their own commercial interests, not to shed light on the

151

access and aggregation

▲

government. A window to look in on the government is transforming

into a window for the government and allied corporations to peer in

on individuals. The data collected about individuals is then subject to

a bureaucratic process that is often careless, uncontrolled, and clan-

destine. Because private-sector bureaucracies lack the transparency

of government bureaucracies, there is a greater potential for personal

information to be abused. Paradoxically, a right of access designed to

empower individuals and protect them from the ills of bureaucracy

can lead to exactly the opposite result.

There are certainly instances where information about individuals

can illuminate government functioning. Examination of accident re-

ports may reveal widespread problems with particular vehicles.

Scrutiny of police records may indicate problems in police investiga-

tion and enforcement. Information about the salaries of public oﬃ-

cials and employees allows the public to assess whether they are

being over- or under-compensated. Disciplinary information about

public employees allows taxpayers to scrutinize the performance of

those who are earning their tax dollars. However, many of these pur-

poses can be achieved through evaluating aggregate statistical data or

by examining records with redacted personal identifying information.

The solution is not to eliminate all access to public records, but to

redact personal information where possible and to regulate speciﬁc

uses of information. Real property information must be made avail-

able for certain purposes, but it should not be available for all pur-

poses. A person may need to obtain the address of a celebrity to serve

process in a lawsuit; however, disclosing the address to fans or on the

Internet is diﬀerent.

Use restriction laws, such as those discussed in chapter , are a

step in the right direction. These laws attempt to navigate the tension

between transparency and privacy by permitting the use of public

record information for certain purposes but not all purposes. One of

the longstanding Fair Information Practices is purpose speciﬁca-

tion—that personal information obtained for one purpose cannot be

used for another purpose without an individual’s consent.

Often the

purposes for the government collection of personal information vary

widely from the purposes for which the data is used after it is dis-

closed in public records. Governments collecting personal informa-

152

access and aggregation

▲

tion should limit such uncontrolled drift in use. Access should be

granted for uses furthering traditional functions of transparency such

as the watchdog function; access should be denied for commercial

solicitation uses because such uses do not adequately serve the func-

tions of transparency. Rather, these uses make public records a cheap

marketing tool, resulting in the further spread of personal informa-

tion, which is often resold among marketers.

Use restriction laws must go beyond basic restrictions on access

for commercial solicitation. The use of public records by information

brokers or other entities that aggregate personal information and sell

it to others is deeply problematic for the reasons discussed earlier in

this chapter. Although information brokers have brought a new level

of accessibility to public records, they have also contributed greatly to

the creation of digital dossiers. This type of aggregated public record

information is often not used for the purposes of checking govern-

mental abuse or monitoring governmental activities. Rather, it is used

to investigate individuals. This investigation is at the behest of other

individuals, private detectives, employers, and law enforcement oﬃ-

cials. Information brokers such as ChoicePoint collect public record

information and supplement it with a host of other personal informa-

tion, creating a convenient investigation tool for government entities.

The use of information brokers by the government to investigate citi-

zens runs directly counter to the spirit of freedom of information

laws, which were designed to empower individuals to monitor their

government, not vice versa.

Certain information should be restricted from public records com-

pletely. The proposal by the Administrative Oﬃce of the U.S. Court

System to separate both paper and electronic documents into a pub-

lic and private ﬁle for civil cases and to restrict access to certain docu-

ments in criminal proceedings such as pre-sentence reports is a step

in the right direction.

One example of information that should be ex-

cluded from public records is a person’s SSN.

SSNs serve as a gate-

way to highly sensitive information such as ﬁnancial accounts, school

records, and a host of other data. As a routine practice, SSNs should

be redacted from every document before being disclosed publicly.

Jurors, parties to litigation, and witnesses should all be informed of

the extent to which their personal information could become a public

153

access and aggregation

▲

record and must be given an opportunity to voice their privacy con-

cerns and have information redacted.

Of course, provisions in the law can be made for people who want

to consent to the disclosure of their personal information. If the re-

quester desires personal information about a speciﬁc individual in a

speciﬁc case, the agency or court can contact the individual, inform

her of the purpose of the request, and ask if she consents to disclo-

sure. People may want to consent if the data is being used by a re-

searcher, but may not if the information is requested for marketing

purposes.

The federal Privacy Act must be amended to provide more mean-

ingful protection. Its restrictions on the use of SSNs must be strength-

ened to regulate and restrict the use of SSNs by the private sector.

Thus, the Privacy Act should prohibit the use of SSNs as identiﬁers by

businesses, schools, and hospitals. Further, the Privacy Act should

contain meaningful remedies for violations. People should be permit-

ted to sue for negligent infringements of the Act—not just willful

ones. Rarely do government agencies willfully disclose personal infor-

mation in violation of the Privacy Act; most disclosures occur because

of carelessness and inadvertence. By expanding the Act in this way,

agencies will have a strong incentive to treat their record systems with

more care and to provide greater security for the personal informa-

tion they maintain. Government agency information-handling prac-

tices should be routinely audited by a governmental oversight agency.

Moreover, the “routine use” exception must be signiﬁcantly tight-

ened.

Finally, more laws like the Driver’s Privacy Protection Act are nec-

essary to ensure that states maintain adequate privacy protection in

their public records law. A federal baseline should not preempt states

from adopting stricter protections of privacy, but it must provide a

meaningful ﬂoor of protection. Although each state should adopt its

own statute akin to the federal Privacy Act, one option would be to ex-

tend the federal Privacy Act to the states.

We may never be able to achieve complete secrecy of information

in many situations and, in some situations, complete secrecy would

be undesirable. But we can limit accessibility and use.

154

access and aggregation

▲

Public Records and the First Amendment

Do the access and use restrictions I propose pass muster under the

First Amendment? Understood broadly, the First Amendment pro-

tects openness in information ﬂow. First, the Court has held that the

First Amendment provides certain rights of access to at least some

government proceedings. Restrictions on the information available in

public records might infringe upon this right. Second, freedom of

speech prevents the government from restricting the disclosure and

dissemination of information. A close analysis of the Court’s deci-

sions, however, reveals that access and use restrictions are constitu-

tional.

The Right of Access. The Supreme Court has held that the First Amend-

ment mandates that certain government proceedings be open to the

public. In Richmond Newspapers, Inc. v. Virginia, a plurality of the

Court concluded that the public had a First Amendment right of ac-

cess to criminal trials.

Two years later, in Globe Newspaper Co. v. Su-

perior Court, the Court struck down a law closing criminal trials when

juvenile sexual assault victims testiﬁed. According to the Court, a

“major purpose” of the First Amendment is “to protect the free dis-

cussion of governmental aﬀairs.” The Court articulated a two-

pronged test to determine whether the right to access applies, ﬁrst

looking to whether the proceeding “historically has been open to the

press and general public” and then examining whether access “plays

a particularly signiﬁcant role in the functioning of the judicial process

and the government as a whole.”

Shortly after Globe, the Court ex-

tended the right to access beyond the immediate criminal trial to jury

selection and to pretrial proceedings.

Lower courts have proclaimed

that the right of access applies to hearings for pretrial suppression,

due process, entrapment, and bail.

Although the Court has never squarely addressed whether the right

of access applies beyond the criminal arena, several lower courts have

extended it to civil cases. For example, in Publicker Industries, Inc. v.

Cohen, the court reasoned that “the civil trial, like the criminal trial,

plays a particularly signiﬁcant role in the functioning of the judicial

155

access and aggregation

▲

process and the government as a whole.”

Several courts have even

concluded that the right to access “extends to at least some categories

of court documents and records,” but not all courts agree.

Although

courts have rarely applied the right of access beyond court records,

since the rationale for the right is to provide knowledge about the

workings of the government, the right might logically extend to other

public records. Even under such an expansive view, however, the right

of access shouldn’t prohibit many access and use restrictions. When

public records illuminate government functioning, access to them is

generally consistent with the rationale for the right of access. How-

ever, the grand purposes behind the right are not present in the con-

text of much information gathering from public records today. Public

records are becoming a tool for powerful companies to use in further-

ance of commercial gain. These uses do not shed light on the govern-

ment.

In fact, the Constitution does not simply require open informa-

tion ﬂow;italso establishes certain responsibilities for the way that

the government uses the information it collects. The Court has held

that there are circumstances where the government cannot force in-

dividuals to disclose personal information absent a compelling gov-

ernment interest. In NAACP v. Alabama, the Court struck down a

statute requiring the NAACP to disclose a list of its members because

this could expose them to potential economic reprisal and physical

violence, thus chilling their freedom of association.

Similarly, in

Greidinger v. Davis, the Fourth Circuit held that Virginia’s voter regis-

tration system was unconstitutional because it forced people to pub-

licly disclose their SSNs in order to vote, thus deterring people from

voting by exposing them to potential harms such as identity theft and

fraud.

These cases establish that government disclosure of personal

information it has collected can be unconstitutional when it inter-

feres with the exercise of fundamental rights.

Further, under the constitutional right to privacy, the Court has

held that government has a duty to protect privacy when it collects

personal data. In Whalen v. Roe, which I discussed in chapter , the

Court held that the right to privacy encompassed the protection of

personal information:

156

access and aggregation

▲

We are not unaware of the threat to privacy implicit in the accu-

mulation of vast amounts of personal information in computer-

ized data banks or other massive government ﬁles. . . . The right

to collect and use such data for public purposes is typically ac-

companied by a concomitant statutory or regulatory duty to

avoid unwarranted disclosures. . . . [I]n some circumstances that

duty arguably has its roots in the Constitution.

Whalen recognized that when the government collects personal in-

formation, it has a responsibility to keep it secure and conﬁdential.

Since its creation in Whalen, the constitutional right to informa-

tion privacy has begun to evolve in the courts, but it is still in the early

stages of growth.

The full extent of the government’s responsibilities

in handling personal data awaits further development. Based on the

cases decided thus far, the Constitution requires public access when

information will shed light on the functioning of the government, and

it requires conﬁdentiality when information pertains to the personal

lives of individuals.

Freedom of Speech. The First Amendment more directly fosters infor-

mation ﬂow about government activities by forbidding restrictions on

freedom of speech. Understanding how use and access restrictions

on public record information interact with the First Amendment re-

quires a diﬃcult navigation through a number of cases. In one series

of cases, the Court has struck down statutes prohibiting the disclo-

sure of information gleaned from public records. In Cox Broadcasting

Corp. v. Cohn, the Court held that a state could not impose civil liabil-

ity based upon publication of a rape victim’s name obtained from a

court record: “Once true information is disclosed in public court doc-

uments open to public inspection, the press cannot be sanctioned for

publishing it.” Punishing the press for publishing public record infor-

mation would “invite timidity and self-censorship and very likely lead

to the suppression of many items that would otherwise be published

and that should be made available to the public.”

In Smith v. Daily

Mail, the Court struck down a statute prohibiting the publication of

the names of juvenile oﬀenders: “[I]f a newspaper lawfully obtains

157

access and aggregation

▲

truthful information about a matter of public signiﬁcance then state

oﬃcials may not constitutionally punish publication of the informa-

tion, absent a need to further a state interest of the highest order.”

This line of cases culminated in Florida Star v. B.J.F. in which a

newspaper published the name of a rape victim, which it obtained

from a publicly released police report. The report was in a room with

signs stating that rape victims’ names weren’t part of the public

record and weren’t to be published. The reporter even admitted that

she knew she wasn’t allowed to report on the information. When the

story ran, many of the victim’s friends learned about her rape, and a

man made threatening calls to her home. As a result, she had to

change her phone number and residence, seek police protection, and

obtain mental health counseling. Based upon a Florida law prohibit-

ing the disclosure of rape victims’ names, a jury found the paper li-

able. The Supreme Court, however, held that the verdict ran afoul of

the newspaper’s First Amendment rights.

Taken together, these

cases support the premise that once the government makes informa-

tion public, the government cannot subsequently sanction its further

disclosure.

However, in Los Angeles Police Department v. United Reporting

Publishing Co., the Court upheld a law restricting access for public ar-

restee information. Requesters of the information had to declare un-

der penalty of perjury that the address information would not be used

“directly or indirectly to sell a product or service.” Rejecting a chal-

lenge that the law infringed upon commercial speech, the Court rea-

soned that the statute was not “prohibiting a speaker from conveying

information that the speaker already possesses” but was merely “a

governmental denial of access to information in its possession.” As

long as the government doesn’t have a duty to provide access to infor-

mation, it can selectively determine who can obtain it.

The Court’s jurisprudence thus creates a distinction between pre-

access conditions on obtaining information and post-access restric-

tions on the use or disclosure of the information. If the government is

not obligated to provide access to certain information by the First

Amendment, it can amend its public access laws to establish pre-ac-

cess conditions, restricting access for certain kinds of uses. Govern-

ments can make a public record available on the condition that

158

access and aggregation

▲

certain information is not disclosed or used in a certain manner.

However, once the information is made available, governments can-

not establish post-access restrictions on its disclosure or use.

The Court’s distinction between pre-access and post-access re-

strictions seems rather tenuous. States can easily redraft their statutes

to get around Florida Star. For example, Florida could rewrite its law

to make rape victims’ names available on the condition that the press

promise the names not be disclosed. Conditional access and use re-

strictions thus appear to be an end-run around Florida Star. Can the

Court’s distinction between pre- and post-access restrictions be de-

fended?

I believe it can. First, in Florida Star, the Court was concerned

about the government’s failure “to police itself in disseminating infor-

mation.” The mistake was made by the police department in failing to

redact the name, and thus it was unfair “to sanction persons other

than the source of its release.”

In contrast, with pre-access restric-

tions, the government is taking the appropriate care to protect the in-

formation itself.

Second, in both Cox and Florida Star, the Court was concerned

about the chilling eﬀects to speech from the uncertainty over whether

certain public record information could be disclosed. Pre-access re-

strictions alleviate these concerns. Since the recipient of the informa-

tion has to expressly agree to any restrictions on using the

information beforehand, she will be on clear notice as to her obliga-

tions and responsibilities in handling the data.

Third, and most importantly, the distinction is a good practical

compromise. Without a distinction between post- and pre-access

conditions, the government would be forced into an all-or-nothing

tradeoﬀ between transparency and privacy. The government could

make records public, allowing all uses of the personal information, or

the government could simply not make records available at all. By

making access conditional on accepting certain responsibilities when

using data, the public can have access to a wide range of records

while privacy remains protected at the same time.

Has the Court too quickly dispatched with the free speech implica-

tions of conditional or limited access regulation? For example, some

argue that restrictions on commercial access are unconstitutional

159

access and aggregation

▲

content-based restrictions on free speech because they single out

speciﬁc messages and viewpoints—namely, commercial ones. Dis-

senting in United Reporting Publishing Corp., Justice Stevens argued

that the California access and use restriction improperly singled out

“a narrow category of persons solely because they intend to use the

information for a [commercial] purpose.”

However, commercial ac-

cess restrictions are not being applied because of disagreement with

the message that commercial users wish to send. Nor do they favor a

particular speaker or speciﬁc ideas. Although particular categories of

use (i.e., commercial) are being singled out, avoiding viewpoint dis-

crimination does not entail avoiding all attempts to categorize or

limit uses of information. Indeed, the First Amendment constitu-

tional regime depends upon categorizing speech. The Supreme Court

protects certain categories of speech much less stringently than other

forms of speech. Obscene speech, words that incite violence, and

defamatory speech about private ﬁgures all receive minimal protec-

tion.

Commercial speech is also singled out, safeguarded with only

an intermediate level of scrutiny.

Although there is no bright line

that distinguishes when certain categories map onto particular view-

points to such a degree as to constitute discrimination based on view-

point, the category of commercial speech is broad enough to

encompass a multitude of viewpoints and is a category that forms

part of the architecture of the current constitutional regime.

Therefore, governments should be able to restrict access for cer-

tain purposes or condition access on an enforceable promise not to

engage in certain uses of information. Of course, it would be im-

proper for the government to single out particular viewpoints. Thus,

for example, governments should not restrict access to public records

to those who wish to use the information to advocate for certain

causes rather than others. Nor could the government restrict access

based on the particular beliefs or ideas of the person or entities seek-

ing access to the information. In short, the government can’t single

out certain uses because it dislikes the ideas or views of a particular

speaker. A limitation on commercial use is broad enough to encom-

pass a diverse enough range of viewpoints, and the government is

merely limiting uses of information rather than the expression of par-

ticular ideas.

160

access and aggregation

▲

Public Records in the Information Age. Public records are increasingly

posing a serious threat to privacy in the Information Age. To under-

stand this threat, our conceptions of privacy must be adapted to to-

day’s technological realities. We must abandon the secrecy paradigm

and recognize that what is public can be private—not in the sense

that it is secret, but in the limitation of the uses and disclosures of the

information. Privacy is about degrees of accessibility. The threat to

privacy is not in isolated pieces of information, but in increased ac-

cess and aggregation, the construction of digital dossiers and the uses

to which they are put. States must begin to rethink their public record

regimes, and the federal government should step in to serve as the

most eﬃcient mechanism to achieve this goal. It is time for the public

records laws of this country to mature to meet the problems of the In-

formation Age.

161

access and aggregation

▲

government

access

010

1010

01010

101010

0101010

101010

01010

1010

010

Government

Information Gathering

Thus far, I have discussed how personal information is being more

readily collected, stored, transferred, and combined with other infor-

mation. Part I of this book discussed the problems of information

ﬂow among various businesses, and part II focused on information

ﬂows from the government to the private sector. But there is another

problematic type of information ﬂow that is rapidly escalating—data

transfers from the private sector to the government. The vast digital

dossiers being constructed by businesses are becoming an increas-

ingly desirable resource for law enforcement oﬃcials. And this threat-

ens to transform the relationship between government and citizen in

some very troubling ways.

Third Party Records and the Government

Earlier in this book, I described the extensive amount of informa-

tion that companies are stockpiling about us. To live in the modern

world, we must enter into numerous relationships with other people

and businesses: doctors, lawyers, businesses, merchants, magazines,

165

▲

newspapers, banks, credit card companies, employers, landlords,

ISPs, insurance companies, phone companies, and cable companies.

The list goes on and on. Our relationships with all of these entities

generate records containing personal information necessary to estab-

lish an account and record our transactions and preferences. We are

becoming a society of records, and these records are not held by us,

but by third parties.

These record systems are becoming increasingly useful to law en-

forcement oﬃcials. Personal information can help the government

detect fraud, espionage, fugitives, drug distribution rings, and terror-

ist cells. Information about a person’s ﬁnancial transactions, pur-

chases, and religious and political beliefs can assist the investigation

of suspected criminals and can be used to proﬁle people for more

thorough searches at airports.

The government, therefore, has a strong desire to obtain personal

information found in records maintained by third parties. For in-

stance, from pen registers and trap and trace devices, the government

can obtain a list of all the phone numbers dialed to or from a particu-

lar location, potentially revealing the people with whom a person as-

sociates. From bank records, which contain one’s account activity and

check writing, the government can discover the various companies

and professionals that a person does business with (ISP, telephone

company, credit card company, magazine companies, doctors, attor-

neys, and so on). Credit card company records can reveal where one

eats and shops. The government can obtain one’s travel destinations

and activities from travel agent records. From hotel records, it can

discover the numbers a person dialed and the pay-per-view movies a

person watched.

The government can obtain one’s thumbprint from

car rental companies that collect them to investigate fraud.

From

video stores, the government can access an inventory of the videos

that a person has rented.

The government can also glean a wealth of information from the

extensive records employers maintain about their employees.

Em-

ployers frequently monitor their employees.

Some use software to

track how employees surf the Internet.

Employers often record infor-

mation about an employee’s email use, including back-up copies of

the contents of email. A number of employers also conduct drug test-

166

government information gathering

▲

ing, and many require prospective employees to answer question-

naires asking about drug use, ﬁnances, psychological treatment, mar-

ital history, and sexuality.

Some even require prospective hires to

take a psychological screening test.

Landlords are another fertile source of personal information.

Landlord records often contain ﬁnancial, employment, and pet infor-

mation, in addition to any tenant complaints. Many landlords also

maintain log books at the front desk where visitors sign in. Some

apartment buildings use biometric identiﬁcation devices, such as

hand scanners, to control access to common areas such as gyms.

Increasingly, companies and entities that we have never estab-

lished any contact with nevertheless have dossiers about us. Credit

reporting agencies maintain information relating to ﬁnancial trans-

actions, debts, creditors, and checking accounts. The government can

also ﬁnd out details about people’s race, income, opinions, political

beliefs, health, lifestyle, and purchasing habits from the database

companies that keep extensive personal information on millions of

Americans.

Beyond the records described here, the Internet has the potential

to become one of the government’s greatest information gathering

tools. There are two signiﬁcant aspects of the Internet that make it

such a revolutionary data collection device. First, it gives many indi-

viduals a false sense of privacy. The secrecy and anonymity of the In-

ternet is often a mirage. Rarely are people truly anonymous because

ISPs keep records of a subscriber’s screen name and pseudonyms. ISP

account information includes the subscriber’s name, address, phone

numbers, passwords, information about web surﬁng sessions and

durations, and ﬁnancial information.

By learning a person’s screen

name, the government can identify who posted messages in news-

groups or conversed in chatrooms.

At the government’s request, an ISP can keep logs of the email ad-

dresses with which a person corresponds. Further, if a person stores

email that is sent and received with the ISP, the government can ob-

tain the contents of those emails.

Second, the Internet is unprecedented in the degree of information

that can be gathered and stored. It is one of the most powerful gener-

ators of records in human history. As discussed in chapter , websites

167

government information gathering

▲

often accumulate a great deal of information about their users, from

transactional data to information collected through cookies. The gov-

ernment can glean a substantial amount of information about visi-

tors to a particular website. From Internet retailers, the government

can learn about the books, videos, music, and electronics that one

purchases. Some Internet retailers, such as Amazon.com, record all

the purchases a person has made throughout many years. Based on

this information, the government can discover a consumer’s interests,

political views, religious beliefs, and lifestyle.

The government may also obtain information from websites that

operate personalized home pages. Home pages enable users to keep

track of the stocks they own, favorite television channels, airfares for

favorite destinations, and news of interest. Other websites, such as

Microsoft Network’s calendar service, allow users to maintain their

daily schedule and appointments. Further, as discussed in chapter ,

there are database companies that amass extensive proﬁles of peo-

ple’s websurﬁng habits.

While life in the Information Age has brought us a dizzying amount

of information, it has also placed a profound amount of information

about our lives in the hands of numerous entities. As discussed ear-

lier, these digital dossiers are increasingly becoming digital biogra-

phies, a horde of aggregated bits of information combined to reveal a

portrait of who we are based upon what we buy, the organizations we

belong to, how we navigate the Internet, and which shows and videos

we watch. This information is not held by trusted friends or family

members, but by large bureaucracies that we do not know very well or

sometimes do not even know at all.

Government–Private-Sector Information Flows

In late , the news media reported that the Department of De-

fense was planning a project known as Total Information Awareness

(TIA). The project was to be run by John Poindexter, who had been

convicted in  for his activities during the Iran-contra scandal. TIA

envisioned the creation of a gigantic government database of per-

sonal information, including data culled from private-sector entities

concerning ﬁnances, education, travel, health, and so on. This infor-

168

government information gathering

▲

mation would then be analyzed under various models to detect pat-

terns and proﬁles for terrorist activities.

The website for the project

contained the symbol of a pyramid with beams of light emanating

from an eye at the top. Next to the pyramid was a globe, illuminated

by the light. Underneath the image were the words scientia est poten-

tia—“knowledge is power.”

When TIA broke as a major news story, civil liberties groups and

many commentators and politicians voiced stinging criticism. In a

New York Times editorial, William Saﬁre wrote that Poindexter “is de-

termined to break down the wall between commercial snooping and

secret government intrusion. . . . And he has been given a $ mil-

lion budget to create computer dossiers on  million Americans.”

After these outcries, the pyramid and eye logo was quickly removed

from the Department of Defense website. The Senate amended its

spending bill in January  to temporarily suspend funding for TIA

until the details of the program were explained to Congress.

In May

, the Department of Defense issued its report to Congress, re-

naming the program “Terrorism Information Awareness” and declar-

ing (without specifying how) that it would protect privacy. Later on, in

July, the Senate voted unanimously to stop funding for TIA. The pro-

gram had been killed.

But TIA is only one part of the story of government access to per-

sonal information and its creation of dossiers on American citizens.

In fact, for quite some time, the government has been increasingly

contracting with businesses to acquire databases of personal infor-

mation. Database ﬁrms are willing to supply the information and the

government is willing to pay for it. Currently, government agencies

such as the FBI and IRS are purchasing databases of personal infor-

mation from private-sector companies.

A private company called

ChoicePoint, Inc. has amassed a database of  billion records and

has contracts with at least  federal agencies to share the data with

them. In , the Justice Department signed an $ million contract

with ChoicePoint, and the IRS reached a deal with the company for

between $ and $ million. ChoicePoint collects information from

public records from around the country and then combines it with

information from private detectives, the media, and credit reporting

ﬁrms. This data is indexed by people’s SSNs. The Center for Medicare

169

government information gathering

▲

and Medicaid Services uses ChoicePoint’s data to help it identify

fraudulent Medicare claims by checking health care provider ad-

dresses against ChoicePoint’s list of “high-risk and fraudulent busi-

ness addresses.” ChoicePoint’s information is not only used by

government agencies but also by private-sector employers to screen

new hires or investigate existing employees.

ChoicePoint’s information is a mixture of fact and ﬁction. There are

a number of errors in the records, such as when a ChoicePoint report

falsely indicated that a woman was a convicted drug dealer and

shoplifter, resulting in her being ﬁred from her job.

ChoicePoint also

had a hand in the  presidential election problems in Florida.

ChoicePoint supplied Florida oﬃcials with a list of , “ex-felons”

to eliminate from their voter lists.

However, many of the , were

not guilty of felonies, only misdemeanors, and were legally eligible to

vote. Although the error was discovered prior to the election and oﬃ-

cials tried to place the individuals back on the voter rolls, the error

may have led to some eligible voters being turned away at the polls.

Additionally, many states have joined together to create a database

system called Multi-State Anti-Terrorism Information Exchange, or

MATRIX for short. Run by SeisInt, Inc., a private-sector company in

Florida, MATRIX contains personal information gathered from public

records and from businesses. In its vast ﬁelds of data, MATRIX in-

cludes people’s criminal histories, photographs, property ownership,

SSNs, addresses, bankruptcies, family members, and credit informa-

tion. The federal government has provided $ million to help support

the program.

A second form of information ﬂow from the private sector to the

government emerges when the government requests private-sector

records for particular investigations or compels their disclosure by

subpoena or court order. Voluntary disclosure of customer informa-

tion is within the third party company’s discretion. Further, whether a

person is notiﬁed of the request and given the opportunity to chal-

lenge it in court is also within the company’s discretion.

The September ,  terrorist attacks changed the climate for

private sector-to-government information ﬂows. Law enforcement

oﬃcials have a greater desire to obtain information that could be

helpful in identifying terrorists or their supporters, including infor-

170

government information gathering

▲

mation about what people read, the people with whom they associ-

ate, their religion, and their lifestyle. Following the September  at-

tack, the FBI simply requested records from businesses without a

subpoena, warrant, or court order.

Recently, Attorney General John

Ashcroft has revised longstanding guidelines for FBI surveillance

practices. Under the previous version, the FBI could monitor public

events and mine the Internet for information only when “facts or cir-

cumstances reasonably indicate that a federal crime has been, is be-

ing, or will be committed.”

Under the revised version, the FBI can

engage in these types of information gathering without any require-

ment that it be part of a legitimate investigation or related in any

manner to criminal wrongdoing. The FBI can now collect “publicly

available information, whether obtained directly or through services

or resources (whether nonproﬁt or commercial) that compile or ana-

lyze such information; and information voluntarily provided by pri-

vate entities.”

Further, the FBI can “carry out general topical

research, including conducting online searches and accessing online

sites and forums.”

In conjunction with the government’s greater desire for personal

information, the private sector has become more willing to supply it.

Background check companies, for instance, experienced a large

boost in business after September .

Several large ﬁnancial compa-

nies developed agreements to provide information to federal law en-

forcement agencies.

Indeed, in times of crisis or when serious

crimes are at issue, the incentives to disclose information to the gov-

ernment are quite signiﬁcant. Shortly after September ,around 

universities admitted to giving the FBI access to their records on for-

eign students—often without a subpoena or court order.

In violation

of its privacy policy, JetBlue Airlines shared the personal data of  mil-

lion customers with Torch Concepts, an Alabama company contract-

ing with the Defense Department to proﬁle passengers for security

risks. Torch combined the JetBlue data with SSNs, employment infor-

mation, and other details obtained from Acxiom, Inc., a database

marketing company.

In a similar incident, Northwest Airlines se-

cretly turned over to NASA its customer data—including addresses,

phone numbers, and credit card information—for use in a govern-

ment data mining project.

InaDecember  survey of nearly 

171

government information gathering

▲

chief security oﬃcers, almost  percent said that they would supply

information to the government without a court order, with  percent

doing so in cases involving national security.

When businesses refuse to cooperate, the government can compel

production of the information by issuing a subpoena or obtaining a

court order. These devices are very diﬀerent from warrants because

they oﬀer little protection to the individual being investigated. Notiﬁ-

cation of the target of the investigation is often within the discretion

of the third party. Further, it is up to the third party to challenge the

subpoena. So, rather than spend the money and resources to chal-

lenge the subpoena, companies can simply turn it over or permit the

government to search their records. Since September , AOL and

Earthlink, two of the largest ISPs, have readily cooperated with the in-

vestigation of the terrorist attacks.

Often, ISPs have their own tech-

nology to turn over communications and information about targets

of investigations. If they lack the technology, law enforcement oﬃ-

cials can install devices such as “Carnivore” to locate the informa-

tion.

Carnivore, now renamed to the more innocuous “DCS,” is

a computer program installed by the FBI at an ISP.

It can monitor all

ISP email traﬃc and search for certain keywords in the content or

headers of the email messages.

These developments are troubling because private-sector compa-

nies often have weak policies governing when information may be

disclosed to the government. The privacy policy for the MSN network,

an aﬃliation of several Microsoft, Inc. websites such as Hotmail (an

email service), Health, Money, Newsletters, eShop, and Calendar,

states:

MSN Web sites will disclose your personal information, without

notice, only if required to do so by law or in the good faith belief

that such action is necessary to: (a) conform to the edicts of the

law or comply with legal process served on Microsoft or the site.

Though somewhat unclear, this privacy policy appears to require a

subpoena or court order for the government to obtain personal data.

Amazon.com’s privacy policy reads: “We release account and other

personal information when we believe release is appropriate to com-

ply with law . . . or protect the rights, property, or safety of

172

government information gathering

▲

Amazon.com, our users, or others.”

It is unclear from this policy the

extent to which Amazon.com, in its discretion, can provide informa-

tion to law enforcement oﬃcials.

EBay, a popular online auction website, has a policy stating that

[it] cooperates with law enforcement inquiries, as well as other

third parties to enforce laws, such as: intellectual property rights,

fraud and other rights. We can (and you authorize us to) disclose

any information about you to law enforcement or other govern-

ment oﬃcials as we, in our sole discretion, believe necessary or

appropriate, in connection with an investigation of fraud, intel-

lectual property infringements, or other activity that is illegal or

may expose us or you to legal liability.

This policy gives eBay almost complete discretion to provide the gov-

ernment with whatever information it deems appropriate.

Truste.com, a nonproﬁt organization providing a “trustmark” for

participating websites that agree to abide by certain privacy princi-

ples, has drafted a model privacy statement that reads: “We will not

sell, share, or rent [personal] information to others in ways diﬀerent

from what is disclosed in this statement.”

The statement then says

that information may be shared with “an outside shipping company

to ship orders, and a credit card processing company to bill users for

goods and services.” Personal data is also shared with third parties

when the user signs up for services that are provided by those third

parties. This policy, however, does not contain any provision about

supplying information to the government. Further, the policy does

not inform people that under existing law, information must be dis-

closed to the government pursuant to a subpoena or court order.

The government is also increasing information ﬂow from the pri-

vate sector by encouraging it to develop new information gathering

technologies. Private-sector ﬁrms stand to proﬁtfrom developing

such technologies. Since September , companies have expressed

an eagerness to develop national identiﬁcation systems and face-

recognition technology.

In addition, the federal government has

announced a “wish list” for new surveillance and investigation tech-

nologies.

Companies that invent such technologies can obtain lu-

crative government contracts.

173

government information gathering

▲

The government has also funded private-sector information gath-

ering initiatives. For instance, a company that began assembling a

national database of photographs and personal information as a tool

to guard against consumer fraud has received $. million from the

Secret Service to aid in the development of the database.

In certain circumstances, where institutions do not willingly coop-

erate with the government, the law requires their participation. For

example, the Bank Secrecy Act of  forces banks to maintain

records of ﬁnancial transactions to facilitate law enforcement

needs—in particular, investigations and prosecutions of criminal,

tax, or regulatory matters.

All federally insured banks must keep

records of each customer’s ﬁnancial transactions and must report to

the government every ﬁnancial transaction in excess of $,.

The

Personal Responsibility and Work Opportunity Reconciliation Act of

 requires employers to report personal information from all new

employees including SSNs, addresses, and wages.

The Communica-

tions Assistance for Law Enforcement Act of  requires telecom-

munications service providers to develop technology to assist

government surveillance of individuals.

Passed in , the USA-PA-

TRIOT Act authorizes the FBI to obtain a court order to inspect or

seize “books, records, papers, documents, or other items” for use in

an investigation for terrorism or intelligence activities.

This provi-

sion contains a gag order, prohibiting anybody from disclosing that

the FBI has sought or obtained anything.

All of this suggests that businesses and government have become

allies. When their interests diverge, the law forces cooperation. The

government can increasingly amass gigantic dossiers on millions of

individuals, conduct sweeping investigations, and search for vast

quantities of information from a wide range of sources, without any

probable cause or particularized suspicion. Information is easier to

obtain, and it is becoming more centralized. The government is in-

creasingly gaining access to the information in our digital dossiers. As

Justice Douglas noted in his dissent when the Court upheld the con-

stitutionality of the Bank Secrecy Act:

These [bank records] are all tied to one’s SSN; and now that we

have the data banks, these other items will enrich that store-

174

government information gathering

▲

house and make it possible for a bureaucrat—by pushing one

button—to get in an instant the names of the  million Ameri-

cans who are subversives or potential and likely candidates.

Thus, we are increasingly seeing collusion, partly voluntary, partly

coerced, between the private sector and the government. While pub-

lic attention has focused on the Total Information Awareness project,

the very same goals and techniques of the program continue to be

carried out less systematically by various government agencies and

law enforcement oﬃcials. We are already closer to Total Information

Awareness than we might think.

The Orwellian Dangers

Although there are certainly many legitimate needs for law enforce-

ment oﬃcials to obtain personal data, there are also many dangers to

unfettered government access to information. There are at least two

general types of harms, some best captured by the Orwell metaphor

and others that are more ﬁttingly described with the Kafka metaphor.

I turn ﬁrst to the Orwellian dangers.

Creeping toward Totalitarianism. Historically, totalitarian governments

have developed elaborate systems for collecting data about people’s

private lives.

Although the possibility of the rise of a totalitarian state

is remote, if our society takes on certain totalitarian features, it could

signiﬁcantly increase the extent to which the government can exer-

cise social control. Justice Brandeis was prescient when he observed

that people “are naturally alert to repel invasion of their liberty by

evil-minded rulers. The greatest dangers to liberty lurk in the insidi-

ous encroachment by men of zeal, well-meaning but without under-

standing.”

Democracy and Self-Determination. Even if government entities are not

attempting to engage in social control, their activities can have col-

lateral eﬀects that harm democracy and self-determination. Paul

Schwartz illustrates this with his theory of “constitutive privacy.” Ac-

cording to Schwartz, privacy is essential to both individuals and

175

government information gathering

▲

communities: “[C]onstitutive privacy seeks to create boundaries

about personal information to help the individual and deﬁne terms of

life within the community.” As a form of regulation of information

ﬂow, privacy shapes “the extent to which certain actions or expres-

sions of identity are encouraged or discouraged.” Schwartz contends

that extensive government oversight over an individual’s activities

can “corrupt individual decision making about the elements of one’s

identity.”

Likewise, Julie Cohen argues that a “realm of autonomous,

unmonitored choice . . . promotes a vital diversity of speech and be-

havior.” The lack of privacy “threatens not only to chill the expression

of eccentric individuality, but also, gradually, to dampen the force of

our aspirations to it.”

Freedom of Association. Government information collection interferes

with an individual’s freedom of association. The Court has held that

there is a “vital relationship between freedom to associate and pri-

vacy in one’s associations.”

In a series of cases, the Court has re-

stricted the government’s ability to compel disclosure of membership

in an organization.

In Baird v. State Bar,

for example, the Court has

declared: “[W]hen a State attempts to make inquiries about a person’s

beliefs or associations, its power is limited by the First Amendment.

Broad and sweeping state inquiries into these protected areas . . . dis-

courage citizens from exercising rights protected by the Constitu-

tion.”

The government’s extensive ability to glean information about

one’s associations from third party records without any Fourth

Amendment limitations threatens the interests articulated in these

cases.

Anonymity. Extensive government information gathering from third

party records also implicates the right to speak anonymously. In Tal-

ley v. California, the Court struck down a law prohibiting the distribu-

tion of anonymous handbills as a violation of the First Amendment.

The Court held that “[p]ersecuted groups and sects from time to time

throughout history have been able to criticize oppressive practices

and laws either anonymously or not at all.” Further, the Court rea-

soned, “identiﬁcation and fear of reprisal might deter perfectly

peaceful discussions of public matters of importance.”

The Court

176

government information gathering

▲

has reiterated its view of the importance of protecting anonymous

speech in subsequent cases.

From third parties, especially ISPs, the

government can readily obtain an anonymous or pseudonymous

speaker’s identity. Only computer-savvy users can speak with more

secure anonymity. Although private parties attempting to identify an

anonymous speaker through subpoenas have been required to satisfy

heightened standards,

no such heightened standards have yet been

applied when the government seeks to obtain the information.

Further, beyond typical anonymity is the ability to receive informa-

tion anonymously. As Julie Cohen persuasively contends: “The free-

dom to read anonymously is just as much a part of our tradition, and

the choice of reading materials just as expressive of identity, as the

decision to use or withhold one’s name.”

The lack of suﬃcient con-

trols on the government’s obtaining the extensive records about how

individuals surf the web, the books and magazines they read, and the

videos or television channels they listen to can implicate this interest.

Additionally, the increasing information ﬂow between the private

sector and the government not only impacts the privacy of the target

of an investigation, but can also aﬀect the privacy of other individu-

als. The names, addresses, phone numbers, and a variety of data

about a number of individuals can be ensnared in records pertaining

to the target.

These types of harms can inhibit individuals from associating with

particular people and groups and from expressing their views, espe-

cially unpopular ones. This kind of inhibition is a central goal of Or-

well’s Big Brother. Although it certainly does not approach the same

degree of oppressiveness as Big Brother, it reduces the robustness of

dissent and weakens the vitality of our communication.

The Kafkaesque Dangers

The second general type of danger promoted by government infor-

mation gathering consists of the harms routinely arising in bureau-

cratic settings: decisions without adequate accountability, dangerous

pockets of unfettered discretion, and choices based on short-term

goals without consideration of the long-term consequences or the

larger social eﬀects. These bureaucratic harms have similarities to

177

government information gathering

▲

those I discussed earlier when discussing the Kafka metaphor, al-

though these harms take on some new dimensions with government

law enforcement bureaucracy. As in Kafka’s The Trial, dossiers circu-

late throughout a large government bureaucracy, and individuals are

not informed how their information is used and how decisions are

made based on their data. The existence of dossiers of personal infor-

mation in government bureaucracies can lead to dangers such as

hasty judgment in times of crisis, the disparate impact of law enforce-

ment on particular minorities, cover-ups, petty retaliation for criti-

cism, blackmail, framing, sweeping and disruptive investigations,

racial or religious proﬁling, and so on.

The most frequent problem is not that law enforcement agencies

will be led by corrupt and abusive leaders, although this arguably

happened for nearly  years when J. Edgar Hoover directed the FBI.

The problem is the risk that judgment will not be exercised in a care-

ful and thoughtful manner. In other words, it stems from certain

forms of government information collection shifting power toward a

bureaucratic machinery that is poorly regulated and susceptible to

abuse. This shift has profound social eﬀects because it alters the bal-

ance of power between the government and the people, exposing in-

dividuals to a series of harms, increasing their vulnerability and

decreasing the degree of power they exercise over their lives.

When the Fourth Amendment was ratiﬁed, organized police forces

did not exist.

Colonial policing was the “business of amateurs.”

Sheriﬀs did not have a professional staﬀ; they relied heavily on ordi-

nary citizens to serve as constables or watchmen, whose primary

duties consisted of patrolling rather than investigating.

The govern-

ment typically became involved in criminal investigations only after

an arrest was made or a suspect was identiﬁed, and in ordinary crimi-

nal cases, police rarely conducted searches prior to arrest.

Organized police forces developed during the nineteenth century,

and by the middle of the twentieth century, policing reached an un-

precedented level of organization and coordination.

At the center of

the rise of modern law enforcement was the development of the FBI.

When the FBI was being formed in , there was signiﬁcant opposi-

tion in Congress to a permanent federal police force.

Members of

Congress expressed trepidation over the possibility that such an in-

178

government information gathering

▲

vestigatory agency could ascertain “matters of scandal and gossip”

that could wind up being used for political purposes.

These con-

cerns related to the potential dangers of the agency’s information

gathering capabilities, and as will be discussed later, the fears eventu-

ally became realities.

Today, we live in an endless matrix of law and regulation, adminis-

tered by a multitude of vast government bureaucracies. Like most

everything else in modern society, law enforcement has become bu-

reaucratized. There are large police departments armed with sophis-

ticated technology that coordinate with each other. There are massive

agencies devoted entirely to investigation and intelligence gathering.

One of the distinctive facets of law enforcement bureaucracy in the

United States is that low-ranking oﬃcials exercise a profound degree

of discretion, and most of their discretionary decisions are undocu-

mented.

Many factors make it diﬃcult for law enforcement oﬃcials to strike

a delicate balance between order and liberty. Among them, there are

tremendous pressures on law enforcement agencies to capture crimi-

nals, solve notorious crimes, keep crime under control, and prevent

acts of violence and terrorism. This highly stressful environment can

lead to short cuts, bad exercises of discretion, or obliviousness and in-

sensitivity to people’s freedom. One of the most crucial aspects of

keeping government power under control is a healthy scrutiny. Most

law enforcement oﬃcials, however, are unlikely to view themselves

with distrust and skepticism. Police and prosecutors are too en-

veloped in the tremendous responsibilities and pressures of their jobs

to remain completely unbiased.

In short, one need not fear the rise of a totalitarian state or the in-

hibition of democratic activities to desire strong controls on the

power of the government in collecting personal information. The

Kafka metaphor more aptly captures what is harmful about these

types of bureaucratic realities. The harm is that our personal data is

stored within a bureaucratic system, where we are vulnerable to

abuses, careless errors, and thoughtless decisions.

Leaks, Lapses, and Vulnerability. As more private-sector data becomes

available to the government, there could be a de facto national

179

government information gathering

▲

database, or a large database of “suspicious” individuals.

Federal

governmental entities have engaged in extensive data gathering cam-

paigns on various political groups throughout the twentieth century.

From  through , for example, the FBI and CIA conducted a se-

cret domestic intelligence operation, reading the mail of thousands of

citizens. The FBI’s investigations extended to members of the

women’s liberation movement and prominent critics of the Vietnam

War, and the FBI obtained information about personal and sexual re-

lationships that could be used to discredit them. During the Mc-

Carthy era and again in the s, the FBI sought information from

libraries about the reading habits of certain individuals. Between 

and , the U.S. Army conducted wide-ranging surveillance, amass-

ing extensive personal information about a broad group of individu-

als. The impetus for the Army’s surveillance was a series of riots that

followed Dr. Martin Luther King, Jr.’s assassination. The information

collected involved data about ﬁnances, sexual activity, and health. In

, Congress signiﬁcantly curtailed the Army’s program, and the

records of personal information were eventually destroyed.

The danger of these information warehousing eﬀorts is not only

that it chills speech or threatens lawful protest, but also that it makes

people more vulnerable by exposing them to potential future dangers

such as leaks, security lapses, and improper arrests. For example, dur-

ing the late s and early s, the Philadelphia Police Department

(PPD) compiled about , ﬁles on various dissident individuals

and groups. During a national television broadcast, PPD oﬃcials dis-

closed the names of some of the people on whom ﬁles were kept.

Automated Investigations and Profiling. Government agencies are using

personal information in databases to conduct automated investiga-

tions. In , in order to detect fraud, the federal government began

matching its computer employee records with those of people receiv-

ing federal beneﬁts.

With the use of computers to match records of

diﬀerent government entities, the government investigated millions

of people. Some matching programs used data obtained from mer-

chants and marketers to discover tax, welfare, and food stamp fraud

as well as to identify drug couriers.

This sharing of records between

diﬀerent government agencies, ordinarily a violation of the Privacy

180

government information gathering

▲

Act, was justiﬁed under the “routine use” exception.

Computer

matching raised signiﬁcant concerns, and in , Congress ﬁnally

passed a law regulating this practice.

The law has been strongly criti-

cized as providing scant substantive guidance and having little practi-

cal eﬀect.

This type of automated investigation is troubling because it alters

the way that government investigations typically take place. Usually,

the government has some form of particularized suspicion, a factual

basis to believe that a particular person may be engaged in illegal

conduct. Particularized suspicion keeps the government’s profound

investigative powers in check, preventing widespread surveillance

and snooping into the lives and aﬀairs of all citizens. Computer

matches, Priscilla Regan contends, investigate everyone, and most

people who are investigated are innocent.

With the new information supplied by the private sector, there is

an increased potential for more automated investigations, such as

searches for all people who purchase books about particular topics

or those who visit certain websites, or perhaps even people whose

personal interests ﬁtaproﬁle for those likely to engage in certain

forms of criminal activity. Proﬁles work similarly to the way that

Amazon.com predicts which products customers will want to buy.

They use particular characteristics and patterns of activity to predict

how people will behave in the future. Of course, proﬁles can be mis-

taken, but they are often accurate enough to tempt people to rely on

them. But there are even deeper problems with proﬁles beyond inac-

curacies. Proﬁles can be based on stereotypes, race, or religion. A

proﬁle is only as good as its designer. Proﬁles are often kept secret,

enabling prejudices and faulty assumptions to exist unchecked by

the public. As Oscar Gandy observes, the use of proﬁling to form pre-

dictive models of human behavior incorrectly assumes that “the

identity of the individual can be reduced, captured, or represented by

measurable characteristics.” Proﬁling is an “inherently conservative”

technology because it “tends to reproduce and reinforce assessments

and decisions made in the past.”

Spiros Simitis explains that a

proﬁled individual is “necessarily labeled and henceforth seen as a

member of a group, the peculiar features of which are assumed to

constitute her personal characteristics. Whoever appears in the lists

181

government information gathering

▲

as a ‘tax-evader,’ ‘assistance-chiseler,’ or ‘porno-ﬁlm viewer’ must be

constantly aware of being addressed as such.”

Proﬁling or automated investigations based on information gath-

ered through digital dossiers can result in targets being inappropri-

ately singled out for more airport searches, police investigations, or

even arrest or detention. Indeed, the federal government recently an-

nounced the creation of CAPPS II, the Computer Assisted Passenger

Prescreening System, which employs computer databases to proﬁle

individuals to determine their threat level when ﬂying. Based on their

proﬁles, airline passengers are classiﬁed as green, yellow, or red. Pas-

sengers labeled green are subject to a normal security check; those in

the yellow category receive additional searching; and those branded

as red are not permitted to ﬂy.

The government has not released de-

tails about what information is gathered, how people are proﬁled,

whether race or nationality is a factor, or what ability, if any, people

will have to challenge their classiﬁcation.

People ensnared in the system face considerable hassle and delay.

For example, in , a -year-old member of the U.S. national row-

ing team was stopped at the gate when ﬂying from Newark to Seattle.

Although born in the United States, the young rower had a Muslim

last name, which was probably a factor that led him to be placed on

the no-ﬂy list. When oﬃcials investigated, they cleared him, but it was

too late—his ﬂight had already left. This wasn’t an isolated incident; it

happened to him a few months earlier as well.

With no way to clear

his name, he remains at risk of being detained, hassled, and delayed

every time he goes to an airport.

Overreacting in Times of Crisis. The government can use dossiers of

personal information in mass roundups of distrusted or suspicious

individuals whenever the political climate is ripe. As legal scholar

Pamela Samuelson observed: “One factor that enabled the Nazis to

eﬃciently round up, transport, and seize assets of Jews (and others

they viewed as ‘undesirables’) was the extensive repositories of per-

sonal data available not only from the public sector but also from pri-

vate sector sources.”

In the United States, information archives

greatly assisted the roundups of disfavored groups, including Japan-

ese Americans during World War II. Following the bombing of Pearl

182

government information gathering

▲

Harbor on December , , the FBI detained thousands of Japanese

American community leaders in internment camps. These initial

roundups were facilitated by an index of potentially subversive peo-

ple of Japanese descent compiled by the Justice Department begin-

ning in the late s. In , in the name of national security, about

, people of Japanese descent living on the West Coast were im-

prisoned in internment camps. The Census Bureau prepared special

tabulations of Japanese Americans, which assisted in the relocation.

The acquisition of personal data also facilitated the Palmer Raids

(or “Red Scare”) of –. A bomb blew up at the doorstep of At-

torney General A. Mitchell Palmer’s home.

Shortly thereafter, bombs

went oﬀ in eight other cities. Letter bombs were mailed to many

elites, but most were halted at the post oﬃce due to inadequate

postage.

In a climate rife with fear of “Reds,” anarchists, and labor

unrest, Congress tasked the Bureau of Investigation (the organization

that became the FBI in ) with addressing these terrorist threats.

Under the direction of a young J. Edgar Hoover, the Bureau of Investi-

gation developed an extensive index of hundreds of thousands of rad-

icals.

This data was used to conduct a massive series of raids, in

which over , individuals suspected of being Communists were

rounded up, many without warrants.

The raids resulted in a number

of deportations, many based solely on membership in certain organi-

zations.

When prominent ﬁgures in the legal community such as

Roscoe Pound, Felix Frankfurter, and Zechariah Chafee, Jr., criticized

the raids, Hoover began assembling a dossier on each of them.

Additionally, personal information gathered by the FBI enabled the

extensive hunt for Communists during the late s and s—a pe-

riod of history that has since been criticized as a severe over-reaction,

resulting in the mistreatment of numerous individuals, and impeding

the reform agenda begun in the New Deal.

According to historian

Ellen Schrecker, federal agencies’ “bureaucratic interests, including

the desire to present themselves as protecting the community against

the threat of internal subversion, inspired them to exaggerate the

danger of radicalism.”

Senator Joseph R. McCarthy, the ﬁgure who

epitomized the anti-Communism of the s, received substantial

assistance from Hoover, who secretly released information about sus-

pected Communists to McCarthy.

Further, the FBI supplied a steady

183

government information gathering

▲

stream of names of individuals to be called before the House Un-

American Activities Committee (HUAC).

As historian Richard Pow-

ers observes, “information derived from the [FBI’s] ﬁles was clearly

the lifeblood of the Washington anti-communist establishment.”

The FBI also leaked information about suspected individuals to em-

ployers and the press.

Public accusations of being a Communist car-

ried an immense stigma and often resulted in a severe public

backlash.

Individuals exposed as Communists faced retaliation in

the private sector. Numerous journalists, professors, and entertainers

were ﬁred from their jobs and blacklisted from future employment.

In short, government entities have demonstrated substantial abili-

ties to gather and store personal information. Combined with the ex-

tensive data available about individuals in third party records, this

creates a recipe for similar or greater government abuses in the fu-

ture.

Changing Purposes and Uses. Information obtained by the government

for one purpose can readily be used for another. For example, sup-

pose the government is investigating whether a prominent critic of

the war against terrorism has in any way assisted terrorists or is en-

gaged in terrorism. In tracking an individual’s activities, the govern-

ment does not discover any criminal activity with regard to terrorism,

but discovers that a popular website for downloading music ﬁles has

been visited and that copyright laws have been violated. Such infor-

mation may ultimately be used to prosecute copyright violations as a

pretext for the government’s distaste for the individual’s political

views and beliefs. Further, dossiers maintained by law enforcement

organizations can be selectively leaked to attack critics.

Indeed, it is not far-fetched for government oﬃcials to amass data

for use in silencing or attacking enemies, critics, undesirables, or rad-

icals. For example, J. Edgar Hoover accumulated an extensive collec-

tion of ﬁles with detailed information about the private lives of

numerous prominent individuals, including presidents, members of

Congress, Supreme Court justices, celebrities, civil rights leaders, and

attorney generals.

Hoover’s data often included sexual activities.

Hoover used this information to blackmail people or to destroy their

reputations by leaking it. Often, however, he did not even have to

184

government information gathering

▲

make any explicit threats. Politicians—and even presidents—feared

that Hoover had damaging information about them and would avoid

criticizing Hoover or attempting to remove him as FBI director. In-

deed, on one of the tapes President Nixon recorded in the Oval Oﬃce,

he declared that he could not ﬁre Hoover because Hoover knew too

much information about him.

We live in a world of mixed and changing motives. Data that is ob-

tained for one purpose can be used for an entirely diﬀerent purpose

as motives change. For example, for several years, the FBI extensively

wiretapped Martin Luther King, Jr.

They wiretapped his home, his

oﬃce, and the hotel rooms that he stayed at when traveling.

100

Based

on the wiretaps, the FBI learned of his extensive partying, extramari-

tal aﬀairs, and other sexual activities. A high-level FBI oﬃcial even

anonymously sent him a tape with highlights of the FBI’s recordings,

along with a letter that stated:

King, there is only one thing left for you to do. You know what it

is. You have just  days in which to do (this exact number has

been selected for a speciﬁc reason, it has deﬁnite practical signi-

ﬁcant [sic]). You are done. There is but one way out for you. You

better take it before your ﬁlthy, abnormal fraudulent self is bared

to the nation.

101

Hoover’s motive is disputed. One theory is that King was wire-

tapped because he was friendly with a person who had previously

been a member of the Communist Party.

102

Another theory is that

Hoover despised King personally. Hoover’s longstanding hatred of

King is evidenced by his nasty public statements about King, such as

calling King “the most notorious liar” in the nation.

103

This was proba-

bly due, in part, to King’s criticism of the FBI for inadequately ad-

dressing the violence against blacks in the South, Hoover’s

overreaction to any criticism of the FBI, and the FBI’s practice of con-

sistently targeting its critics.

104

As David Garrow hypothesizes, the

original reason that the FBI began collecting information about King

was due to fears of Communist ties; however, this motivation

changed once these fears proved unfounded and several powerful in-

dividuals at the FBI expressed distaste for King’s sexual activities and

moral behavior.

105

185

government information gathering

▲

Protecting Privacy with Architecture

The dangers discussed previously illustrate why privacy is integral to

freedom in the modern state. As I discussed in chapter , we should

move away from the invasion conception and seek to protect privacy

through architectural solutions that regulate power in our various re-

lationships. Protecting privacy through architecture diﬀers from pro-

tecting it as an individual right. Viewing privacy as an individual right

against government information gathering conceives of the harm to

privacy as emanating from the invasion into the lives of particular

people. But many of the people asserting a right to privacy against

government information gathering are criminals or terrorists, people

we do not have a strong desire to protect. In modern Fourth Amend-

ment law, privacy protection is often initiated at the behest of speciﬁc

individuals, typically those accused of crimes. Often these individu-

als’ rights conﬂict with the need for eﬀective law enforcement and the

protection of society. Why should one individual’s preference for pri-

vacy trump the social goals of security and safety? This question is

diﬃcult to answer if privacy is understood as a right possessed by

particular people.

In contrast, architecture protects privacy diﬀerently and is based

on a diﬀerent conception of privacy. Privacy is not merely a right pos-

sessed by individuals, but is a form of freedom built into the social

structure. It is thus an issue about the common good as much as it is

about individual rights. It is an issue about social architecture, about

the relationships that form the structure of our society.

One might dismiss the abuses of government information gather-

ing as caused by a few rogue oﬃcials. But according to David Garrow,

the FBI that targeted Martin Luther King, Jr. was not a “deviant insti-

tution in American society, but actually a most representative and

faithful one.”

106

In other words, the FBI reﬂected the mindset of many

Americans, embodying all the ﬂaws of that mindset. We like to blame

individuals, and certainly the particular abusers are worthy of admo-

nition, but we cannot overlook the fact that the causes of abuse often

run deeper than the corrupt oﬃcial. Abuse is made possible by a bu-

reaucratic machinery that is readily susceptible to manipulation.

Thus, the problem lies in institutional structures and architectures of

186

government information gathering

▲

power. In the latter half of the twentieth century, and continuing to

the present, one of the aspects of this architecture has been the lack

of control over government information gathering.

What is the most eﬀective architecture to structure the way that the

government can access personal information held by third parties? In

the next chapter, I discuss two architectures, that of the Fourth

Amendment, which the Court has concluded doesn’t apply to data

held by third parties, and that of the statutory regime which has

arisen in its place.

187

government information gathering

▲

The Fourth Amendment,

Records, and Privacy

The Architecture of the Fourth Amendment

The Purposes and Structure of the Fourth Amendment. For better or for

worse, we currently regulate law enforcement in the United States

with a constitutional regime, comprised primarily by the Fourth,

Fifth, and Sixth Amendments. A signiﬁcant part of this regime applies

to government information gathering. The Fifth Amendment aﬀords

individuals a privilege against being compelled to testify about in-

criminating information. The Fourth Amendment regulates the gov-

ernment’s power to obtain information through searches and

seizures. Speciﬁcally, the Amendment provides:

The right of the people to be secure in their persons, houses, pa-

pers, and eﬀects, against unreasonable searches and seizures,

shall not be violated, and no warrants shall issue, but upon prob-

able cause, supported by oath or aﬃrmation, and particularly

describing the place to be searched, and the persons or things to

be seized.

Although the Fourth Amendment applies to government activity in

both the civil and criminal contexts,

it is limited to activities that

constitute “searches” and “seizures.” Certain activities, such as seeing

things exposed openly to public view, are not searches.

The Fourth

188

▲

Amendment only governs searches where an individual has “a rea-

sonable expectation of privacy.”

If the Fourth Amendment applies, a search or seizure must be “rea-

sonable.” Although technically the two clauses of the Fourth Amend-

ment are separate, the Court has interpreted the requirement that a

search or seizure be reasonable as related to the warrant requirement.

To obtain a warrant, the police must demonstrate to a neutral judge

or magistrate that they have “probable cause,” which means they

must provide “reasonably trustworthy information” that the search

will reveal evidence of a crime.

Generally, searches and seizures with-

out a warrant are per se unreasonable—which means that they are

deemed invalid.

This has become known as the “per se warrant

rule.”

The Court has made numerous exceptions to the per se warrant

rule.

For example, the Court held in Terry v. Ohio that the police

could stop and frisk an individual without a warrant or probable

cause.

Further, the Court has held that “special needs” in schools and

workplaces make the warrant and probable cause requirements im-

practicable.

In the words of legal scholars Silas Wasserstrom and

Louis Michael Seidman, the per se warrant rule “is so riddled with ex-

ceptions, complexities, and contradictions that it has become a trap

for the unwary.”

The Fourth Amendment is enforced primarily through the exclu-

sionary rule. Evidence obtained in violation of the Amendment must

be excluded from trial.

Without the exclusionary rule, Justice

Holmes observed, the Fourth Amendment would be a mere “form of

words.”

According to law professor Arnold Loewy: “The exclusionary

rule protects innocent people by eliminating the incentive to search

and seize unreasonably.”

The exclusionary rule, however, has long

been a sore spot in Fourth Amendment jurisprudence, engendering

extensive debate over its desirability and eﬃcacy.

Fourth Amendment Scope: Privacy. As applied by the Court, the Fourth

Amendment has focused on protecting against invasions of privacy,

although some commentators contend this focus is misguided. Ac-

cording to legal scholar William Stuntz, criminal procedure is “ﬁrmly

anchored in a privacy value that had already proved inconsistent with

189

the fourth amendment, records, and privacy

▲

the modern state.”

For Stuntz, privacy vis-à-vis the government is

impracticable given the rise of the administrative state, with its exten-

sive health and welfare regulation. Stuntz asserts that robust Fourth

Amendment protection of privacy will prevent the government from

regulating industry, uncovering white-collar crime, and inspecting in-

dustrial facilities. The government must collect information to en-

force certain regulations, such as securities laws and worker safety

protections.

“By focusing on privacy,” Stuntz argues, “Fourth

Amendment law has largely abandoned the due process cases’ con-

cern with coercion and violence.”

“The problem,” argues Stuntz, “is

not information gathering but [police] violence.”

Legal scholar Scott Sundby oﬀers a diﬀerent critique of the Fourth

Amendment’s focus on privacy. Although designed to expand Fourth

Amendment protection, privacy has “turned out to contain the seeds

for the later contraction of Fourth Amendment rights.”

“The Fourth

Amendment as a privacy-focused doctrine has not fared well with the

changing times of an increasingly nonprivate world and a judicial re-

luctance to expand individual rights.”

However, Sundby assumes that “privacy” means what the Court

says it means. Many current problems in Fourth Amendment ju-

risprudence stem from the Court’s failure to conceptualize privacy

adequately, both in method and substance. Methodologically, the

Court has attempted to adhere to a uniﬁed conception of privacy.

Conceptualizing privacy by attempting to isolate its essence or com-

mon denominator has inhibited the Court from conceptualizing pri-

vacy in a way that can adapt to changing technology and social

practices.

Substantively, the Court originally conceptualized privacy

in physical terms as protecting tangible property or preventing tres-

passes. The Court then shifted to viewing privacy with the secrecy

paradigm. In each of these conceptual paradigms, the Court has

rigidly adhered to a single narrow conception and has lost sight of the

Fourth Amendment’s larger purposes.

In contrast, I contend that the Fourth Amendment provides for an

architecture, a structure of protection that safeguards a range of diﬀ-

erent social practices of which privacy forms an integral dimension.

Those like Stuntz and Sundby who contend that the Fourth Amend-

ment should not concern itself with privacy fail to see the importance

190

the fourth amendment, records, and privacy

▲

of privacy in the relationship between the government and the Peo-

ple. The private life is a critical point for the exercise of power. Privacy

shields aspects of our lives and social practices where people feel vul-

nerable, uneasy, and fragile, where social norms and judgment are

particularly oppressive and abrasive. It is also implicated when infor-

mation relates to our basic needs and desires: ﬁnances, employment,

entertainment, political activity, sexuality, and family. Indeed, the

great distopian novels of the twentieth century—George Orwell’s

1984, Aldous Huxley’s Brave New World, and Franz Kafka’s The Trial—

all illustrate how government exercises of power over the private life

stiﬂe freedom and well-being.

Although Stuntz contends that the Fourth Amendment must for-

sake privacy because of the rise of the administrative state, this is the

very reason why protecting privacy is imperative. The administrative

state threatens to equip the government with excessive power that

could destroy the Framers’ careful design to ensure that the power of

the People remains the strongest.

In particular, the extensive power

of modern bureaucracies over individuals depends in signiﬁcant part

on the collection and use of personal information. While Stuntz is

correct that the Fourth Amendment should not be cabined exclu-

sively to protecting privacy and should address other values such as

coercion and violence, he errs in treating privacy and police coercion

as mutually exclusive.

Robust Fourth Amendment protection need not be inconsistent

with the administrative state, as a signiﬁcant amount of modern ad-

ministrative regulation concerns business and commercial activities

which lack Fourth Amendment rights equivalent to those guaranteed

to individuals.

Stuntz retorts that for individuals to have a meaning-

ful protection of privacy, they must be provided with privacy within

institutions, which “is almost the same as giving the institution itself a

protectible privacy interest.”

Beyond this, Stuntz contends, “a great

deal of government information gathering targets individuals,” such

as the information that is gathered in tax forms.

However, one need

not adopt an all-or-nothing approach to Fourth Amendment privacy.

The Fourth Amendment does not categorically prohibit the govern-

ment from compelling certain disclosures by individuals or institu-

tions. If it did, then the tax system and much corporate regulation

191

the fourth amendment, records, and privacy

▲

would be nearly impossible to administer. But the fact that the gov-

ernment can compel certain disclosures does not mean that it can

compel people to disclose the details of their sexual lives or require

them to send in their diaries along with their tax forms. The govern-

ment’s power to inspect factories for safety violations does not mean

that the government should be able to search every employee’s oﬃce,

locker, or bag. Therefore, although misconceptualizing privacy, the

Court has correctly made it a focal point of the Fourth Amendment.

Fourth Amendment Structure: Warrants. Before eroding it with dozens of

exceptions, the Court made the Fourth Amendment’s warrant re-

quirement one of the central mechanisms to ensure that the govern-

ment was responsibly exercising its powers of information collection.

Some critics, however, view warrants as relatively unimportant in the

Fourth Amendment scheme. According to constitutional law expert

Akhil Amar, the Fourth Amendment “does not require, presuppose, or

even prefer warrants—it limits them. Unless warrants meet certain

strict standards, they are per se unreasonable.”

Amar contends that

the colonial revolutionaries viewed warrants with disdain because

judges were highly inﬂuenced by the Crown and warrants immunized

government oﬃcials from civil liability after conducting a search.

Therefore, according to Amar, “[t]he core of the Fourth Amendment,

as we have seen, is neither a warrant nor probable cause, but reason-

ableness.”

Amar is too dismissive of warrants. Merely looking to colonial

precedents is insuﬃcient, because the Fourth Amendment did not

follow colonial precedents (since general searches were rampant) but

rejected them.

My aim, however, is not to quarrel about original in-

tent. Even if Amar is right about the Framers’ intent, warrants are an

important device in our times since, as Scott Sundby observes, “the

Founders could not have foreseen the technological and regulatory

reach of government intrusions that exists today.”

The warrant requirement embodies two important insights of the

Framers that particularly hold true today. First, the warrant require-

ment aims to prevent searches from turning into “ﬁshing expedi-

tions.”

Accordingly, the warrant clause circumscribes searches and

192

the fourth amendment, records, and privacy

▲

seizures. As the Fourth Amendment states, a warrant must describe

with “particular[ity] . . . the place to be searched and the persons or

things to be seized.”

The Framers included the warrant clause because of their experi-

ence with writs of assistance and general warrants.

A writ of assis-

tance was a document that allowed British customs oﬃcials to force

local oﬃcials and even private citizens to search and seize prohibited

goods.

Writs of assistance didn’t need to specify a particular person

or place to be targeted; anyone could be searched under their author-

ity; and they resulted in “sweeping searches and seizures without any

evidentiary basis.”

Like writs of assistance, general warrants had a

very broad scope, and they did not need to mention speciﬁc individu-

als to target or speciﬁc locations to be searched. They “resulted in

‘ransacking’ and seizure of the personal papers of political dissenters,

authors, and printers of seditious libel.”

As Patrick Henry declared:

“They may, unless the general government be restrained by a bill of

rights, or some similar restrictions, go into your cellars and rooms,

and search, ransack, and measure, everything you eat, drink, and

wear. They ought to be restrained within proper bounds.”

Second, warrants reﬂect James Madison’s vision of the appropriate

architecture for a society in which the power of the People remains

paramount. Writing about separation of powers in Federalist No. 51,

Madison observed:

But what is government itself but the greatest of all reﬂections on

human nature? If men were angels, no government would be

necessary. If angels were to govern men, neither external nor in-

ternal controuls on government would be necessary. In framing

a government which is to be administered by men over men, the

great diﬃculty lies in this: You must ﬁrst enable the government

to controul the governed; and in the next place, oblige it to con-

troul itself. A dependence on the people is no doubt the primary

controul on the government; but experience has taught mankind

the necessity of auxiliary precautions.

The profound insight of Madison and the Framers was that by sep-

arating government powers between diﬀerent entities and pitting

193

the fourth amendment, records, and privacy

▲

them against each other, government could be controlled. As legal

scholar Raymond Ku aptly observes, the Framers adopted the Fourth

Amendment based on concerns about limiting executive power.

Madison was acutely aware that the “parchment barriers” of the Con-

stitution would fail to check government encroachments of power,

and he explained how both the legislative and executive branches

could overstep their bounds.

He arrived at an architectural solution:

Power should be diﬀused among diﬀerent departments of govern-

ment, each aﬀorded “the necessary constitutional means, and per-

sonal motives, to resist encroachments of the others.” Government

will be kept in check only if its parts consist of “opposite and rival in-

terests.”

As historian Gordon Wood describes the Madisonian vision:

It was an imposing conception—a kinetic theory of politics—

such a crumbling of political and social interests, such an atom-

ization of authority, such a parceling of power, not only in the

governmental institutions but in the extended sphere of the soci-

ety itself, creating such a multiplicity and a scattering of designs

and passions, so many checks, that no combination of parts

could hold, no group of evil interests could long cohere. Yet out

of the clashing and checking of this diversity, Madison believed

the public good, the true perfection of the whole, would some-

how arise.

The warrant requirement reﬂects Madison’s philosophy of govern-

ment power by inserting the judicial branch in the middle of the exec-

utive branch’s investigation process.

Although warrants have been

criticized as ineﬀective because judges and magistrates often defer to

the police and prosecutor’s determination, criminal procedure expert

Christopher Slobogin aptly contends that warrants raise the “stan-

dard of care” of law enforcement oﬃcials by forcing them to “docu-

ment their requests for authorization.”

According to Stuntz,

warrants make searching more expensive, because they require law

enforcement oﬃcials to “draft aﬃdavits and wait around court-

houses.”

Because oﬃcers must devote time to obtaining a warrant,

they are unlikely to use them unless they think it is likely that they will

ﬁnd what they are looking for.

As Justice Douglas has explained for

the Court:

194

the fourth amendment, records, and privacy

▲

[T]he Fourth Amendment has interposed a magistrate between

the citizen and the police. This was done neither to shield crimi-

nals nor to make the home a safe haven for illegal activities. It

was done so that an objective mind might weigh the need to in-

vade that privacy in order to enforce the law. The right of privacy

was deemed too precious to entrust to the discretion of those

whose job is the detection of crime and the arrest of criminals.

Power is a heady thing; and history shows that the police acting

on their own cannot be trusted. And so the Constitution requires

a magistrate to pass on the desires of the police before they vio-

late the privacy of the home.

Further, the requirement of prior approval prevents government

oﬃcials from “dreaming up post hoc rationalizations”

and judges

from experiencing hindsight bias when evaluating the propriety of a

search after it has taken place.

My purpose is not to defend the existing structure of the Fourth

Amendment as perfect. For the purposes of this discussion, it is suﬃ-

cient to agree () that the Fourth Amendment regime serves an impor-

tant function by establishing an architecture that aims to protect

privacy in addition to other values, and () that one of the central fea-

tures of this architecture requires neutral and external oversight of

the executive branch’s power to gather and use personal information.

Even if its eﬃcacy is limited, the structure of the Fourth Amend-

ment is better than a void. Few commentators have suggested that

the Fourth Amendment be repealed or that its larger purposes in con-

trolling government power are inimical to a well-functioning society.

Outside the realm of the Fourth Amendment is a great wilderness, a

jungle of government discretion and uncontrolled power. Thus, the

issue of the applicability of the Fourth Amendment is an important

one, and to that issue I now turn.

The Shifting Paradigms of Fourth Amendment Privacy

Some notion of privacy has always been the trigger for Fourth

Amendment protection, at least since the late nineteenth century. In

, in Boyd v. United States,

an early case delineating the meaning

195

the fourth amendment, records, and privacy

▲

of the Fourth and Fifth Amendments, the government attempted to

subpoena a person’s private papers for use in a civil forfeiture pro-

ceeding. The Court held that the subpoena violated the Fourth and

Fifth Amendments, since it invaded the individual’s “indefeasible

right of personal security, personal liberty and private property.”

Commentators have characterized Boyd as protecting property

and as consistent with the exaltation of property and contract during

the Lochner era.

The Lochner era was a period of Supreme Court ju-

risprudence lasting from about  through . The case that epit-

omized this era was Lochner v. New York, where the Court struck

down a law restricting the number of hours that bakery employees

could work to  a week. The Court concluded that the law infringed

upon the constitutional guarantee of liberty of contract.

When the

Court also nulliﬁed many other progressive laws and New Deal

statutes for similar reasons, it was denounced for adhering too strictly

to an ideology of laissez faire and unbridled commercial activity.

Although Boyd certainly furthers the ideology of the Lochner Court,

it should not merely be dismissed as the product of Lochner-like ac-

tivism. Boyd follows a conception of privacy that the Court consis-

tently adhered to in the late nineteenth century and the ﬁrst half of

the twentieth century. Under this conception, the Court viewed inva-

sions of privacy as a type of physical incursion. For example, nine

years prior to Boyd, in , the Court held in Ex Parte Jackson that the

Fourth Amendment applied to the opening of letters sent through the

postal system: “The constitutional guaranty of the right of the people

to be secure in their papers against unreasonable searches and

seizures extends to their papers, thus closed against inspection,

wherever they may be.”

Additionally, privacy also concerned physi-

cal bodily intrusions. In Union Paciﬁc Railway Company v. Botsford,

an  case concerning privacy but not directly involving the Fourth

Amendment, the Court held that a court could not compel a female

plaintiﬀ in a civil action to submit to a surgical examination:

The inviolability of the person is as much invaded by a compul-

sory stripping and exposure as by a blow. To compel any one,

and especially a woman, to lay bare the body, or to submit it to

196

the fourth amendment, records, and privacy

▲

the touch of a stranger, without lawful authority, is an indignity,

an assault, and a trespass.

Consistent with Boyd and Ex Parte Jackson, the Court readily rec-

ognized the injury caused by physical intrusions such as trespass-

ing into homes, rummaging through one’s things, seizing one’s

papers, opening and examining one’s letters, or physically touching

one’s body. Indeed, in , when Warren and Brandeis authored

their famous article The Right to Privacy, they observed that the law,

which had long recognized physical and tangible injuries, was just

beginning to recognize incorporeal ones.

Warren and Brandeis ar-

gued that privacy was more than simply a physical intrusion, a view

increasingly recognized in the common law of torts in the early

twentieth century. However, in its Fourth Amendment jurispru-

dence, the Court held fast to its physical intrusion conception of

privacy.

The Court’s view that Fourth Amendment privacy constituted pro-

tection from physical intrusions came to a head in  in Olmstead v.

United States.

There, the Court held that the tapping of a person’s

home telephone outside a person’s house did not run afoul of the

Fourth Amendment because it did not involve a trespass inside a per-

son’s home: “The Amendment does not forbid what was done here.

There was no searching. There was no seizure. The evidence was se-

cured by the use of the sense of hearing and that only. There was no

entry of the houses or oﬃces of the defendants.”

Olmstead relied

upon the Court’s physical intrusion conception of privacy. Since there

was no trespassing, opening, or rummaging, there was no invasion of

Fourth Amendment privacy.

Justice Louis Brandeis vigorously dissented, chastising the Court

for failing to adapt the Constitution to new problems. He observed:

“When the Fourth and Fifth Amendments were adopted, the form

that evil had theretofore taken had been necessarily simple.”

The

government “could secure possession of [a person’s] papers and other

articles incident to his private life—a seizure eﬀected, if need be, by

breaking and entry.”

But technological developments, Brandeis ar-

gued, have created new threats to privacy:

197

the fourth amendment, records, and privacy

▲

[T]ime works changes, brings into existence new conditions and

purposes. Subtler and more far-reaching means of invading pri-

vacy have become available to the government. Discovery and

invention have made it possible for the government, by means

far more eﬀective than stretching upon the rack, to obtain dis-

closure in court of what is whispered in the closet.

The Court, however, continued to follow the Olmstead conception

of privacy in subsequent cases. In Goldman v. United States, for exam-

ple, the police placed a device called a “detectaphone” on the wall

next to a person’s oﬃce, enabling them to eavesdrop on the conversa-

tions inside the oﬃce. The Court concluded that since there had been

no physical trespass into the oﬃce, the Fourth Amendment had not

been violated.

In , nearly  years after Olmstead, the Court in Katz v. United

States ﬁnally abandoned the physical intrusion conception of privacy

and adopted the Fourth Amendment approach employed today. Katz

involved the electronic eavesdropping of a telephone conversation

made by a person in a phone booth. Explicitly overruling Olmstead

and Goldman, the Court declared: “What a person knowingly exposes

to the public, even in his own home or oﬃce, is not a subject of

Fourth Amendment protection. But what he seeks to preserve as pri-

vate, even in an area accessible to the public, may be constitutionally

protected.”

The Court’s approach to determining the applicability of the

Fourth Amendment emerged from Justice Harlan’s concurrence in

Katz. The “reasonable expectation of privacy test” looks to whether ()

a person exhibits an “actual or subjective expectation of privacy” and

() “the expectation [is] one that society is prepared to recognize as

‘reasonable.’”

Brandeis’s dissent in Olmstead only partially won the day in Katz.

Instead of adopting a conception of privacy that was adaptable to

new technology, as the reasonable expectation of privacy test initially

promised to be, the Court rigidiﬁed its approach with a particular

conception of privacy—the secrecy paradigm. The Court based this

new conception on the language in Katz that privacy turned on what

a person exposed to the public. In this way, privacy was conceptual-

198

the fourth amendment, records, and privacy

▲

ized as a form of secrecy, and people couldn’t have a reasonable ex-

pectation of privacy in information that was not kept secret.

The full implications of this new conception of privacy are dis-

cussed in the next section. Before turning to this issue, it is important

to observe the eﬀects of the Court’s failure to reconceptualize privacy

in Olmstead. As a result of the nearly  years between Olmstead and

Katz, there was little control over the burgeoning use of electronic

surveillance, one of the most powerful technological law enforce-

ment tools developed during the twentieth century. The Fourth

Amendment stood by silently as this new technology proliferated.

At the time of Olmstead, many viewed wiretapping with great un-

ease. Justice Holmes called it a “dirty business.”

Even J. Edgar

Hoover, who later became one of the greatest abusers of wiretapping,

testiﬁed in  that wiretapping was “unethical” and that he would

ﬁre any FBI employee who engaged in it.

In , just six years after Olmstead, Congress enacted § of the

Federal Communications Act, making wiretapping a federal crime.

However, § was practically impotent. It did not apply to wiretap-

ping by state police or private parties. Nor did it apply to bugging.

Further, it only precluded the disclosure of tapped communications

in court proceedings.

Thus, the FBI could wiretap so long as it didn’t

try to use any of the results in court.

Gradually, presidents gave the FBI increasing authority to wire-

tap.

In World War II, the FBI gained authorization to engage in wire-

tapping to investigate national security threats. Later, the

authorization expanded to encompass domestic security. The fear of

communism during the s allowed the FBI to intensify its use of

electronic surveillance.

Widespread abuses began to occur. Hoover’s misconduct was

egregious. He wiretapped critics of the FBI, enemies of his political

allies, and practically anybody whose political views he disliked. As

discussed earlier, he engaged in massive electronic surveillance of

Martin Luther King, Jr. Presidents also misused the FBI’s wiretap-

ping power for their own political purposes. President Nixon or-

dered extensive wiretapping, including surveillance of his own

speechwriter, William Saﬁre.

Presidents Kennedy and Johnson also

ordered electronic surveillances inappropriately.

With regard to

199

the fourth amendment, records, and privacy

▲

pre-Katz wiretapping by the states, an inﬂuential study led by Samuel

Dash concluded that  percent of state wiretapping lacked court au-

thorization and that state regulation of wiretapping had been largely

ineﬀective against abuses.

Thus, for  years, the government’s power to engage in electronic

surveillance fell outside of the reach of the Fourth Amendment, and

the legislation that ﬁlled the void was ineﬀective. Today, history is

in the process of repeating itself. The Court has made a mistake

similar to Olmstead, and it is one with severe and far-reaching im-

plications.

The New Olmstead

Although we have moved from the Olmstead physical intrusion con-

ception of privacy to a new regime based upon expectations of pri-

vacy, there is a new Olmstead, one that is just as shortsighted and

rigid in approach. The Court’s new conception of privacy is the se-

crecy paradigm. If any information is exposed to the public or if law

enforcement oﬃcials can view something from any public vantage

point, then the Court has refused to recognize a reasonable expecta-

tion of privacy.

For example, in Florida v. Riley, the Court held that a person did

not have a reasonable expectation of privacy in his enclosed green-

house because a few roof panels were missing and the police were

able to ﬂy over it with a helicopter.

In California v. Greenwood, the

police searched plastic garbage bags that the defendant had left on

the curb to be collected by the trash collector. The Court held that

there was no reasonable expectation of privacy in the trash because

“[i]t is common knowledge that plastic bags left on or at the side of a

public street are readily accessible to animals, children, scavengers,

snoops, and other members of the public.”

Trash is left at the curb

“for the express purpose of conveying it to a third party, the trash col-

lector, who might himself have sorted through [the] trash or permit-

ted others, such as the police, to do so.”

Consistent with this conception of privacy, the Court held that

there is no reasonable expectation in privacy for information known

or exposed to third parties. In United States v. Miller, federal agents

200

the fourth amendment, records, and privacy

▲

presented subpoenas to two banks to produce the defendant’s ﬁnan-

cial records. The defendant argued that the Fourth Amendment re-

quired a warrant, not a subpoena, but the Court concluded that the

Amendment didn’t apply. There is no reasonable expectation of pri-

vacy in the records, the Court reasoned, because the information is

“revealed to a third party.”

Thus, “checks are not conﬁdential com-

munications but negotiable instruments to be used in commercial

transactions. All of the documents obtained, including ﬁnancial

statements and deposit slips, contain only information voluntarily

conveyed to the banks and exposed to their employees in the ordi-

nary course of business.”

The Court used similar reasoning in Smith v. Maryland. Without a

warrant, the police asked a telephone company to use a pen register,

which is a device installed at the phone company to record the num-

bers dialed from the defendant’s home. The Court concluded that

since people “know that they must convey numerical information to

the phone company,” they cannot “harbor any general expectation

that the numbers they dial will remain secret.”

Miller and Smith establish a general rule that if information is in

the hands of third parties, then an individual lacks a reasonable ex-

pectation of privacy in that information, which means that the Fourth

Amendment does not apply.

Individuals thus probably do not have a

reasonable expectation of privacy in communications and records

maintained by ISPs or computer network administrators.

The third

party record doctrine stems from the secrecy paradigm. If informa-

tion is not completely secret, if it is exposed to others, then it loses its

status as private. Smith and Miller have been extensively criticized

throughout the past several decades. However, it is only recently that

we are beginning to see the profound implications of the third party

doctrine. Smith and Miller are the new Olmstead and Goldman. Gath-

ering information from third party records is an emerging law en-

forcement practice with as many potential dangers as the

wiretapping in Olmstead. “The progress of science in furnishing the

government with means of espionage is not likely to stop with wire-

tapping,” Justice Brandeis observed in his Olmstead dissent. “Ways

may some day be developed by which the government, without re-

moving papers from secret drawers, can reproduce them in court,

201

the fourth amendment, records, and privacy

▲

and by which it will be enabled to expose to a jury the most intimate

occurrences of the home.”

That day is here. The government’s harvesting of information from

the extensive dossiers being assembled with modern computer tech-

nology poses one of the most signiﬁcant threats to privacy of our

times.

The Emerging Statutory Regime and Its Limits

Throughout the twentieth century, when the Supreme Court held that

the Fourth Amendment was inapplicable to new practices or technol-

ogy, Congress often responded by passing statutes that aﬀorded some

level of protection. Through a series of statutes, Congress has estab-

lished a regime regulating government access to third party records.

This regime erects a particular architecture signiﬁcantly diﬀerent

from that of the Fourth Amendment. Unfortunately, this regime is

woefully inadequate.

Procedural Requirements to Obtain Information. The most signiﬁcant

deﬁciency is that a majority of the statutes permit government access

to third party records with only a court order or subpoena—a signiﬁ-

cant departure from the Fourth Amendment, which generally re-

quires warrants supported by probable cause to be issued by a

neutral and detached judge. Unlike warrants, subpoenas do not re-

quire probable cause and can be issued without judicial approval.

Prosecutors, not neutral judicial oﬃcers, can issue subpoenas.

Ac-

cording to Stuntz: “[W]hile searches typically require probable cause

or reasonable suspicion and sometimes require a warrant, subpoenas

require nothing, save that the subpoena not be unreasonably burden-

some to its target. Few burdens are deemed unreasonable.”

Accord-

ing to legal scholar Ronald Degnan, subpoenas are not issued “with

great circumspection” and are often “handed out blank in batches

and ﬁlled in by lawyers.”

As Stuntz contends, federal subpoena

power is “akin to a blank check.”

Prosecutors can also use grand jury subpoenas to obtain third

party records.

Grand jury subpoenas are “presumed to be reason-

able” and may only be quashed if “there is no reasonable possibility

202

the fourth amendment, records, and privacy

▲

that the category of materials the Government seeks will produce in-

formation relevant to the general subject of the grand jury investiga-

tion.”

As Stuntz observes, grand jury subpoenas “are much less

heavily regulated” than search warrants:

As long as the material asked for is relevant to the grand jury’s in-

vestigation and as long as compliance with the subpoena is not

too burdensome, the subpoena is enforced. No showing of prob-

able cause or reasonable suspicion is necessary, and courts

measure relevance and burden with a heavy thumb on the gov-

ernment’s side of the scales.

Therefore, courts “quash or modify” subpoenas only “if compli-

ance would be unreasonable or oppressive.”

Further, “judges decide

these motions by applying vague legal standards case by case.”

Court orders under most of the statutes are not much more con-

strained than subpoenas. They typically require mere “relevance” to

an ongoing criminal investigation, a standard signiﬁcantly lower and

looser than probable cause.

The problem with subpoenas and court orders is that they supply

the judiciary with greatly attenuated oversight powers. The role of the

judge in issuing or reviewing subpoenas is merely to determine

whether producing records is overly burdensome. With this focus,

ﬁnancial hardship in producing information would give courts more

pause when reviewing subpoenas than would threats to privacy. The

role of the judiciary in court orders is also quite restricted. Instead of

requiring probable cause, court orders require the government to

demonstrate that records are “relevant” to a criminal investigation, a

much weaker standard. In short, judicial involvement with subpoe-

nas and court orders amounts to little more than a rubber stamp of

judicial legitimacy.

Wiretapping and Bugging. When the Court held in Olmstead that the

Fourth Amendment did not apply to wiretapping, Congress re-

sponded six years later by enacting § of the Federal Communica-

tions Act of . As discussed earlier, § was far too narrow and

limited. In , a year after the Court in Katz declared that the Fourth

Amendment applied to wiretapping, Congress enacted Title III of the

203

the fourth amendment, records, and privacy

▲

Omnibus Crime Control and Safe Streets Act,

which greatly strength-

ened the law of wiretapping, extending its reach to state oﬃcials and

private parties. In , Congress amended Title III with the Elec-

tronic Communications Privacy Act (ECPA). The ECPA restructured

Title III into three parts, known as the “Wiretap Act,” which governs

the interception of communications; the “Stored Communications

Act,” which covers access to stored communications and records; and

the “Pen Register Act,” which regulates pen registers and trap and

trace devices.

The Wiretap Act covers wiretapping and bugging. It applies when a

communication is intercepted during transmission. The Act has strict

requirements for obtaining a court order to engage in electronic sur-

veillance.

In certain respects, the Wiretap Act’s requirements are

stricter than those for a Fourth Amendment search warrant.

100

It also

requires that the surveillance “minimize the interception of commu-

nications” not related to the investigation. The Act is enforced with an

exclusionary rule.

101

However, the interception of electronic communications not in-

volving the human voice (such as email) is not protected with an ex-

clusionary rule. Although the Wiretap Act has substantial protections,

it covers ground already protected by the Fourth Amendment. In ar-

eas not protected by the Fourth Amendment, the architecture of the

statutory regime is much weaker and more porous.

Stored Communications. Communications service providers frequently

store their customers’ communications. ISPs temporarily store email

until it is downloaded by the recipient. Many ISPs enable users to

keep copies of previously read email on the ISP’s server, as well as

copies of their sent emails. Since a third party maintains the informa-

tion, the Fourth Amendment may not apply.

102

The Stored Communications Act provides some protection, but

unfortunately it is quite confusing and its protection is limited. Elec-

tronic storage is deﬁned as “any temporary, intermediate storage of a

wire or electronic communication incidental to the electronic trans-

mission thereof,” and “any storage of such communication by an

electronic communication service for purposes of backup protec-

tion.”

103

This deﬁnition clearly covers email that is waiting on the ISP’s

204

the fourth amendment, records, and privacy

▲

server to be downloaded. But what about previously read email that

remains on the ISP’s server? According to the Department of Justice’s

(DOJ) interpretation of the Act, the email is no longer in temporary

storage, and is therefore “simply a remotely stored ﬁle.”

104

The Act per-

mits law enforcement oﬃcials to access it merely by issuing a sub-

poena to the ISP.

105

And in contrast to the Wiretap Act, the Stored

Communications Act does not have an exclusionary rule.

Communications Service Records. The Stored Communications Act also

regulates government access to a customer’s communications service

records, which consist of the customer’s name, address, phone num-

bers, payment information, and services used.

106

One of the most im-

portant pieces of information in ISP records is the customer’s

identity. An ISP may have information linking a customer’s screen

name to her real name. Thus, an ISP often holds the key to one’s abil-

ity to communicate anonymously on the Internet. The government

often wants to obtain this information to identify a particular

speaker. To access customer records, the government must obtain a

court order, which requires “speciﬁc and articulable facts showing

that there are reasonable grounds to believe that . . . the records or

other information sought, are relevant and material to an ongoing

criminal investigation.”

107

Further, since the Act lacks an exclusionary

rule, information obtained in violation of the law can still be intro-

duced in court.

108

Pen Registers, Email Headers, and Websurfing. The Pen Register Act at-

tempts to ﬁll the void left by Smith v. Maryland by requiring a court

order to use a pen register or trap and trace device.

109

Whereas a pen

trap and trace device creates a list of the telephone numbers of in-

coming calls. The USA-PATRIOT Act, passed in  shortly after the

September th attacks, expanded the scope of the Pen Register Act.

The deﬁnition of a pen register now extends beyond phone num-

bers to also encompass addressing information on emails and IP

addresses. An IP address is the unique address assigned to a particu-

lar computer connected to the Internet. All computers connected to

the Internet have one. Consequently, a list of IP addresses accessed

205

the fourth amendment, records, and privacy

▲

reveals the various websites that a person has visited. Because web-

sites are often distinctively tailored to particular topics and interests,

a comprehensive list of them can reveal a lot about a person’s life. The

court order to obtain this information, however, only requires the

government to demonstrate that “the information likely to be ob-

tained . . . is relevant to an ongoing criminal investigation.”

110

Courts

cannot look beyond the certiﬁcation nor inquire into the truthfulness

of the facts in the application. Once the government oﬃcial makes

the proper certiﬁcation, the court must issue the order.

111

As one court

has observed, the “judicial role in approving use of trap and trace de-

vices is ministerial in nature.”

112

Finally, there is no exclusionary rule

for Pen Register Act violations.

Financial Records. Two years after United States v. Miller, Congress

ﬁlled the void with the Right to Financial Privacy Act (RFPA) of ,

which requires the government to obtain a warrant or subpoena to

access records from banks or other ﬁnancial institutions.

113

However,

the subpoena merely requires a “reason to believe that the records

sought are relevant to a legitimate law enforcement inquiry.”

114

When

subpoena authority is not available to the government, the govern-

ment need only submit a formal written request for the informa-

tion.

115

In addition to banks, credit reporting agencies have detailed

records for nearly every adult American consumer. Under the Fair

Credit Reporting Act (FCRA) of , a consumer reporting agency

“may furnish identifying information respecting any consumer, lim-

ited to his name, address, former addresses, places of employment, or

former places of employment, to a governmental agency.”

116

Thus, the

government can simply request this information without any court

involvement. And the government can obtain more information with

a court order or grand jury subpoena.

117

Since the FCRA focuses on

credit reporting agencies, it doesn’t prohibit the recipients of credit

reports from disclosing them to the government.

Although the RFPA and FCRA protect ﬁnancial information main-

tained by banks and credit reporting agencies, the government can

obtain ﬁnancial information from employers, landlords, merchants,

creditors, and database companies, among others. Therefore, ﬁnan-

206

the fourth amendment, records, and privacy

▲

cial records are protected based only on which entities possess them.

Thus, the statutory regime merely provides partial protection of

ﬁnancial data.

Electronic Media Entertainment Records. The statutory regime protects

records pertaining to certain forms of electronic media entertain-

ment. Under the Cable Communications Policy Act (Cable Act) of

,

118

a government oﬃcial must obtain a court order in order to ob-

tain cable records. The government must oﬀer “clear and convincing

evidence that the subject of the information is reasonably suspected

of engaging in criminal activity and that the information sought

would be material evidence in the case.”

119

People can “appear and

contest” the court order.

120

This standard is more stringent than the

Fourth Amendment’s probable cause and warrant requirements.

However, there is no exclusionary rule under the Cable Act.

In addition to cable records, the statutory regime also protects

videotape rental records. The Video Privacy Protection Act (VPPA) of

 states that a videotape service provider may disclose customer

records to law enforcement oﬃcials “pursuant to a warrant . . . , an

equivalent State warrant, a grand jury subpoena, or a court order.”

121

Unlike the Cable Act, the level of protection under the VPPA is much

less stringent.

Although the statutory regime protects the records of certain forms

of electronic media entertainment, it fails to protect the records of

many others. For example, records from music stores, electronics

merchants, and Internet media entities are aﬀorded no protection.

Medical Records. Our medical records are maintained by third parties.

Could the third party doctrine extend to medical records? On the one

hand, given the considerable privacy protection endowed upon the

patient-physician relationship, the third party doctrine may stop at

the hospital door.

122

On the other hand, the doctrine applies to

records of ﬁnancial institutions, which also have a tradition of main-

taining the conﬁdentiality of their customers’ information.

123

Unless

the patient-physician relationship is distinguished from banks, the

third party doctrine logically could apply to medical records. How-

ever, the Supreme Court has yet to push the doctrine this far.

207

the fourth amendment, records, and privacy

▲

The federal health privacy rules under the Health Insurance Porta-

bility and Accountability Act (HIPAA) of  apparently view medical

records as falling under the third party doctrine. The rules permit law

enforcement oﬃcials to access medical records with a mere sub-

poena.

124

Health information may also be disclosed “in response to a

law enforcement oﬃcial’s request for such information for the pur-

pose of identifying or locating a suspect, fugitive, material witness, or

missing person.”

125

Moreover, not all health records are covered by HIPAA. Only

records maintained by health plans, health care clearinghouses, and

health care providers are covered.

126

Although doctors, hospitals,

pharmacists, health insurers, and HMOs are covered, not all third

parties possessing our medical information fall under HIPAA. For ex-

ample, the sale of nonprescription drugs and the rendering of med-

ical advice by many Internet health websites are not covered by

HIPAA.

127

Therefore, while certain health records are protected, others

are not.

Holes in the Regime. Federal statutes provide some coverage of the

void left by the inapplicability of the Fourth Amendment to records

held by third parties. Although the statutes apply to communication

records, ﬁnancial records, entertainment records, and health records,

these are only protected when in the hands of particular third parties.

Thus, the statutory regime does not protect records based on the type

of information contained in the records, but protects them based on

the particular types of third parties that possess them.

Additionally, there are gaping holes in the statutory regime of pro-

tection, with classes of records not protected at all. Such records in-

clude those of merchants, both online and oﬄine. Records held by

bookstores, department stores, restaurants, clubs, gyms, employers,

and other companies are not protected. Additionally, all the personal

information amassed in proﬁles by database companies is not cov-

ered. Records maintained by Internet retailers and websites are often

not considered “communications” under the ECPA; the government

can access these records and the ECPA doesn’t apply. Thus, the statu-

tory regime is limited in its scope and has glaring omissions and gaps.

Further, the statutes are often complicated and confusing, and their

208

the fourth amendment, records, and privacy

▲

protection turns on technical distinctions that can leave wide ﬁelds of

information virtually unprotected.

Therefore, the current statutory regime is inadequate. As warrants

supported by probable cause are replaced by subpoenas and court

orders supported by “articulable facts” that are “relevant” to an inves-

tigation, the role of the judge in the process is diminished to nothing

more than a decorative seal of approval. And since there are numer-

ous holes in the regime, there are many circumstances when neither

court orders nor subpoenas are required. The government can simply

ask for the information. An individual’s privacy is protected only by

the vague and toothless privacy policies of the companies holding

their information.

209

the fourth amendment, records, and privacy

▲

Reconstructing

the Architecture

Today, much of our personal information is ﬁnding its way into the

hands of third parties. Moreover, given the Court’s current conception

of privacy under the Fourth Amendment, the architecture that regu-

lates many of the government’s information gathering practices is in-

creasingly that of a confusing and gap-riddled statutory regime.

One solution to ﬁll the void is for the Court to reverse Smith v.

Maryland and United States v. Miller. Although Fourth Amendment

architecture is signiﬁcantly more protective than that of the statutory

regime, the problem of how to regulate government access to third

party records is not adequately addressed by Fourth Amendment ar-

chitecture alone. As discussed earlier, the principal remedy for Fourth

Amendment violations is the exclusionary rule, which prevents the

government from introducing improperly obtained data during a

criminal prosecution. However, many information acquisition abuses

often occur in the absence of prosecutions. Therefore, the exclusion-

ary rule alone is not suﬃciently protective.

A better architecture to regulate government information gather-

ing from third parties should be constructed. In particular, such an

210

▲

architecture should prevent the types of problems associated with

government information gathering discussed earlier in chapter . An

architecture should strive for three goals: minimization, particular-

ization, and control.

First, government information gathering should be minimized.

Sweeping investigations and vast stores of personal data in the hands

of government entities present signiﬁcant opportunities for the prob-

lematic uses discussed earlier.

Second, eﬀorts at amassing data should be particularized to

speciﬁc individuals suspected of criminal involvement. Particulariza-

tion requires law enforcement oﬃcials to exercise care in selecting

the individuals who should be investigated, and it prevents dragnet

investigations that primarily involve innocent people. One of the

most important aspects of keeping the government under control is

to prevent its investigatory powers from being turned loose on the

population at large.

Third, government information gathering and use must be con-

trolled. There must be some meaningful form of supervision over the

government’s information gathering activity to ensure that it remains

minimized and particularized. The government’s use of information

must be controlled to prevent abuses and security lapses.

The aims of the architecture, however, are not the most diﬃcult is-

sue. Substantively, the architecture needs a scope. Which information

gathering activities should be regulated? Procedurally, the architec-

ture needs a mechanism for carrying out its aims. What type of struc-

tural controls should an architecture adopt?

Scope: System of Records

An architecture begins with substance. It must provide guidance

about which information gathering activities it governs. What is the

appropriate scope of an architecture that regulates government infor-

mation gathering? In particular, should the architecture cover all in-

stances where the government gathers personal data from third

parties? Restricting all information collection from third parties

would prevent law enforcement oﬃcials from eliciting initial infor-

mation essential to develop suﬃcient evidence to establish probable

211

reconstructing the architecture

▲

cause. In the early stages of an investigation, the police frequently talk

to victims, witnesses, friends, and neighbors. The police often ﬁnd

out about a crime when people voluntarily report suspicious activity.

These examples all involve third parties who possess information

about the person being investigated. If the architecture encompasses

all third parties, then it might unduly constrain police investigations.

Consequently, a line must be drawn to distinguish the instances

where third parties can voluntarily supply information to the govern-

ment and where the government will be prohibited from accessing

information. Although we may want to prevent Amazon.com from di-

vulging to the government the log of books a person bought, we may

not want to prohibit a person’s neighbor or a stranger from telling the

police which books she happened to observe the person reading.

Where should we draw the line? One way is to focus on the type of

data involved, distinguishing between “private” and “nonprivate” in-

formation. The architecture would protect all personal information

that is private. But how is privacy to be deﬁned?

Following the se-

crecy paradigm, the Court has deﬁned privacy as total secrecy. But

this deﬁnition obviously doesn’t work since it would exclude informa-

tion held by third parties.

Another way to deﬁne private information is to focus on “intimate”

information. A number of commentators, such as philosophers Julie

Inness and Tom Gerety, have contended that intimacy is the essential

characteristic of privacy.

But what constitutes “intimate” informa-

tion? Without an adequate deﬁnition, “intimate” becomes nothing

more than a synonym for “private.” Some commentators, such as In-

ness, deﬁne “intimacy” as involving loving and caring relationships.

However, much private information, such as ﬁnancial and health

data, doesn’t pertain to these types of relationships.

The more fundamental problem with focusing on whether infor-

mation is private is that privacy is contextual and historically contin-

gent. Easy distinctions such as intimate versus nonintimate and

secret versus nonsecret fail to account for the complex nature of what

is considered private. Privacy is a dimension of social practices, activ-

ities, customs, and norms that are shaped by history and culture. The

matters that are considered private and public have changed

throughout history. Privacy is not an inherent property of particular

212

reconstructing the architecture

▲

forms of information, since even the most sensitive and revealing in-

formation is not private under all circumstances. Even if ordinarily a

person’s sex life or medical history is private, it wouldn’t be private if

that person were a public ﬁgure who routinely discussed these mat-

ters openly in public. Certainly, public disclosure does not eliminate

the privacy of information; indeed, even information that is exposed

to others may retain its private character. Nevertheless, privacy de-

pends upon degrees of accessibility of information, and under cer-

tain circumstances, even highly sensitive information may not be

private.

Additionally, focusing on the type of information does not solve

the problem of distinguishing between the neighbor’s telling the po-

lice what books he sees a person reading and Amazon.com’s provid-

ing the police with a complete inventory of the books the person has

purchased. By attempting to draw a line based upon the type of infor-

mation, these two instances would be treated similarly. Another ex-

ample more radically illustrates the problem. Many would deem

information about a person’s genitals to be private information.

Should the police be required to obtain a warrant before talking to a

victim of a sexual assault about an assailant’s genitals? This would be

absurd. On the other hand, many would express serious objections if

the police, without probable cause, could simply compel information

from the person’s doctor.

Another way a line could be drawn is based upon people’s expecta-

tions. Such an approach would draw from the Court’s notion of “rea-

sonable expectations of privacy.” The problem with this approach,

however, is that an empirical evaluation of expectations alone could

gradually lead to the diminishment of privacy as more and more peo-

ple come to expect that the records held by third parties can be read-

ily obtained by the government.

If a line cannot be drawn based upon the type of information in-

volved or people’s expectations of privacy, then how should the line

be drawn? The answer must focus on relationships. Privacy is not in-

dependent of the relationships in which it is a part. Individuals read-

ily share information in certain private relationships, such as the

family. In particular relationships people undertake certain risks, in-

cluding the risk of betrayal by one with whom conﬁdences are shared.

213

reconstructing the architecture

▲

The fact that there are expectations and risks, however, does not

mean that they must be the exclusive focus of our inquiry.

The issue is not the conceivable risk of betrayal, but rather which

risks people ought to assume and which risks people should be in-

sured against. This determination has a normative dimension. When

a patient discloses an ailment to a doctor, arguably the patient as-

sumes the risk that the doctor will disclose the information to the

public. However, there are several protections against this risk. Pa-

tient-physician conﬁdentiality is protected by ethical rules, which if

violated could result in the loss of the doctor’s license to practice

medicine.

Conﬁdentiality is also protected with an evidentiary privi-

lege.

Courts have created tort law causes of action against physicians

who disclose personal information.

Finally, states have passed laws

that protect against the disclosure of medical information.

Thus, in

numerous ways, the law structures the patient-physician relationship

to protect against the risk of disclosure. Similarly, the law of evidence

has recognized the importance of protecting the privacy of commu-

nications between attorney and client, priest and penitent, husband

and wife, and psychotherapist and patient.

Our expectations in these

relationships are the product of both existing norms and the norm-

shaping power of the law. As Christopher Slobogin notes, “in a real

sense, we only assume those risks of unregulated government intru-

sion that the courts tell us we have to assume.”

Therefore, the scope of the architecture should be shaped by con-

siderations regarding social relationships. The architecture’s scope

should encompass all instances when third parties share personal in-

formation contained within a “system of records.” This term is taken

from the Privacy Act, which deﬁnes a “system of records” as “a group

of any records . . . from which information is retrieved by the name of

the individual or by some identifying number, symbol, or other iden-

tifying particular assigned to the individual.”

A “system of records” is

used to distinguish between collecting information by speaking with

speciﬁc individuals versus obtaining it through the vast stores of

records held by companies.

Focusing on systems of records targets at least two sets of relation-

ships that must be regulated: our relationships with the government

214

reconstructing the architecture

▲

and our relationships with the companies, employers, and other enti-

ties that possess personal information.

In relationships with the government, the focus should be on what

society wants the government to be able to know rather than whether

certain matters are public or private based on the extent of their ex-

posure to others. The Court’s conception of privacy assumes that the

government stands in the same shoes as everybody else, which is

clearly not the case. If we allow a loved one to read our diary, do we

also want the government to be able to read it? As Anthony Amster-

dam has observed: “For the tenement dweller, the diﬀerence between

observation by neighbors and visitors who ordinarily use the com-

mon hallways and observation by policemen who come into hallways

to ‘check up’ or ‘look around’ is the diﬀerence between all the privacy

that his condition allows and none.”

Indeed, the existence of Fourth Amendment protection indicates

that the government stands in a diﬀerent position than ordinary citi-

zens or private-sector organizations. The possibility of aggregation

and the rise of digital dossiers argue in favor of regulating the govern-

ment’s access to information.

The focus should be on the goals of the architecture rather than on

technical distinctions over whether information is intimate enough

or secret enough. These questions should not derail attention from

the important issue of whether government information gathering

activities present suﬃcient actual and potential dangers to warrant

protection. The problems discussed earlier regarding information

ﬂows from the private sector to the government stem from the exten-

siveness of the personal information that businesses are reaping to-

day. Focusing on “systems of records” targets the type of information

ﬂow that raises concern. Because the problem of modern govern-

ment information gathering is caused by the increasing dossiers

maintained in private-sector record systems, the architecture targets

those third parties that store data in record systems.

Our relationships with the entities that maintain record systems

about us diﬀer from other social relationships. Though it is possible

for the government to obtain personal data by interviewing friends

and others, the information in records is more permanent in nature

215

reconstructing the architecture

▲

and is readily aggregated. Record systems are particularly dangerous

because of how easily data can be gathered, combined, stored, and

analyzed.

Further, entities that maintain systems of records collect data in a

power dynamic where information disclosure is often not consen-

sual. A person can take considerable steps to prevent a stranger from

collecting data without consent. For example, a person who is

overzealous in gathering information can be subject to laws prohibit-

ing stalking or harassment.

Relationships to employers and landlords, however, are diﬀerent

than those with our friends, neighbors, and even strangers. Currently,

employers and landlords have a substantial amount of power to ex-

tort personal information. They often stand in an unequal position to

that of the individual employees or tenants. The nature of the rela-

tionship with employers and landlords provides them with a signiﬁ-

cantly greater amount of power and control. If people aren’t willing to

supply the information, then they may not be hired or approved as a

tenant.

Relationships with merchants and communications providers

might not be as directly coercive as those with the entities that govern

our livelihoods and dwellings. Because these relationships are more

impersonal, should it be left up to the market to decide this issue?

Some might argue that if consumers demanded that companies pro-

tect their information from the government, then the market would

reﬂect these demands.

Thus far, however, the market has not been responsive to this issue.

As discussed earlier, privacy policies are often vague about informa-

tion ﬂows to the government. Individuals are usually unaware of the

extent to which information about them is collected. People have

diﬃculty bargaining over privacy, and the market fails to aﬀord suﬃ-

cient incentives to rectify this problem.

Further, many companies

have never established a relationship with the people whose data

they have collected—and thus, there isn’t even the opportunity to

bargain.

Even if people are informed, they have little choice but to hand

over information to third parties. Life in the Information Age depends

upon sharing information with a host of third party companies. The

216

reconstructing the architecture

▲

Supreme Court in Smith and Miller has suggested that if people want

to protect privacy, they should not share their information with third

parties. However, refraining from doing so may result in people living

as Information Age hermits, without credit cards, banks, Internet

service, phones, and television. The market does not seem to oﬀer a

wide array of choices for people about the amount of privacy they

would like to protect. As discussed in chapter , there is little hope

that the market alone will achieve the appropriate level of protection.

Therefore, the scope of the architecture must be deﬁned broadly to

encompass any third party that maintains a “system of records.” This

deﬁnition of scope is not perfect, and there may be hard cases that

call for exceptions. However, this rule would provide clear guidance

to law enforcement oﬃcials when gathering information from third

parties. Clarity is a virtue. Unlike the existing statutory architecture,

which is complicated and often full of notable gaps, this architecture

has clear and simple boundaries.

Structure: Mechanisms of Oversight

Many diﬀerent procedural mechanisms are available to control gov-

ernment information gathering, and they fall on a spectrum from no

control to complete restriction. In the middle of the spectrum are

mechanisms of oversight—where the government can access infor-

mation only if it can make certain showings before a neutral and ex-

ternal party. This middle course will work the best.

No Control. On the “no control” end of the spectrum, businesses may

voluntarily disclose personal information to the government. If it so

desired, Amazon.com could connect its computers to the FBI’s. If a

private-sector entity does not volunteer information, then the gov-

ernment can compel its production with a mere subpoena. The entity

need not contest the subpoena or provide notice to the person to

whom the information pertains. Whether the entity does so would be

left up to market forces—to contracts between the entity and the con-

sumer or privacy policies. The problem with “no control” is that it

does nothing to solve the problems caused by government informa-

tion gathering.

217

reconstructing the architecture

▲

Mechanisms of Restriction. On the other end of the spectrum are archi-

tectural mechanisms of restriction—prohibitions on government col-

lection and use of information. These mechanisms are embodied in

the architecture of the Fifth Amendment.

The Fifth Amendment pro-

vides that “[n]o person ...shall be compelled in any criminal case to be

a witness against himself.”

The Fifth Amendment’s privilege against

self-incrimination prevents the government from compelling individ-

uals to testify against themselves, and completely bars use of the infor-

mation obtained in violation of the right at trial. In contrast, under

current Fourth Amendment architecture, evidence is admissible at

trial so long as the government obtains it with a valid search warrant.

At one point in its history, the Fourth Amendment used to rely

heavily on mechanisms of restriction. Early cases, such as Boyd v.

United States,

and Gouled v. United States,

held that the govern-

ment could seize a person’s private papers only if they were instru-

mentalities of a crime—in other words, only if they were actually used

to commit the crime. If they were merely evidence of a crime, how-

ever, the government couldn’t obtain them—even with a warrant.

This rule became known as the “mere evidence” rule. The Court later

overturned it.

Perhaps the mere evidence rule should be resurrected and applied

to third party records. This would eﬀectively bar the government from

obtaining the records. The problem with this solution is that it would

cripple modern criminal investigation. As William Stuntz observes:

“Government regulation require[s] lots of information, and Boyd

came dangerously close to giving regulated actors a blanket entitle-

ment to nondisclosure. It is hard to see how modern health, safety,

environmental, or economic regulation would be possible in such a

regime.”

Because Boyd rested in part on the Fifth Amendment, it

completely prevented the government from obtaining and using the

papers against the defendant no matter what procedure the govern-

ment had used to obtain them. This approach is far too restrictive

when it comes to most personal information maintained in third

party records.

Mechanisms of Oversight. In the middle of the spectrum are mecha-

nisms of oversight. An architecture containing this type of mecha-

218

reconstructing the architecture

▲

nism is preferable to regulate government access of records held by

third parties maintaining “systems of records.” Mechanisms of over-

sight allow the government to gather information, but the govern-

ment must ﬁrst justify its need to do so by presenting facts and

evidence before a neutral detached judge or magistrate. Oversight is

embodied in the Fourth Amendment’s per se warrant rule. The war-

rant requirement achieves the aims of minimization, particulariza-

tion, and control. Collection is minimized by the requirement that

the government justify that its information gathering is legitimate

and necessary. The warrant ensures particularization with its require-

ment that there be probable cause that a particular person be en-

gaged in criminal activity or that particular place contains evidence

of a crime. Finally, the warrant achieves control (at least over the col-

lection eﬀorts) by having a neutral and detached party authorize the

collection.

In many cases, warrants are the best regulatory device for govern-

ment information gathering. Often, at the point during an investiga-

tion when certain information from third parties becomes important

to obtain, there is already enough evidence to support a warrant. In

both Smith and Miller there was probably suﬃcient evidence for the

police to secure warrants. Therefore, the requirement of a warrant

prevents cases of illegitimate abuses—such as large-scale informa-

tion sweeps and investigations without particularized suspicion—

without unduly interfering with legitimate law enforcement

activities. Further, third party records have few of the dangers that

make warrants ineﬃcient. For example, because third parties main-

tain the records, there are fewer opportunities for a suspect to hide or

destroy documents during the time law enforcement oﬃcials obtain

a warrant.

However, as discussed previously, merely applying the Fourth

Amendment to government access to third party records proves inad-

equate. The exclusionary rule only provides a remedy at trial, and

many of the abuses associated with government information gather-

ing extend far beyond criminal trials. Therefore, I recommend a fu-

sion between warrants and subpoenas.

Despite being far more permissive for government information col-

lection purposes, subpoenas have certain protections not available

219

reconstructing the architecture

▲

with search warrants. Unlike warrants, they can be challenged prior

to the seizure of the documents. The subpoenaed party can refuse to

comply and make a motion to quash before a judge. Further, subpoe-

nas permit the target to produce the documents rather than have

government agents rummage through a person’s home or belong-

ings.

The advantages of subpoenas over search warrants are best il-

lustrated in Zurcher v. The Stanford Daily,

where the police searched

a newspaper’s oﬃces for evidence relating to a criminal suspect. The

newspaper was not involved in the alleged crime; it merely possessed

evidence. The Court upheld the search because the police obtained a

valid warrant. Dissenting justices contended that there were First

Amendment concerns with searches of newspaper oﬃces because

they would disrupt journalistic activities and result in “the possibility

of disclosure of information received from conﬁdential sources, or of

the identity of the sources themselves.”

Congress responded to

Zurcher by passing the Privacy Protection Act of , which restricts

the use of search warrants for oﬃces of newspapers and other media

entities for evidence of crimes of other parties.

In eﬀect, the Act re-

quires the use of subpoenas in addition to warrants to obtain such ev-

idence.

The beneﬁts of subpoenas, however, often do not apply when they

are issued on the third parties to produce an individual’s records. The

third party does not need to notify the individual or may not have any

incentive to challenge the subpoena in court. Further, as discussed

earlier, subpoenas have many weaknesses compared to warrants,

such as a lack of requiring particularized suspicion and little protec-

tion by way of oversight by the judiciary.

Therefore, the Fourth Amendment architecture should be resur-

rected statutorily, by creating a requirement that the government ob-

tain a special court order—a fusion between a warrant and a

subpoena. From warrants, the standard of probable cause should be

used. This threshold would require government oﬃcials to go before

a judge with speciﬁc facts and evidence that a particular person is in-

volved in criminal activity. For example, a probable cause standard

would prevent government oﬃcials from scouring through databases

to locate all people who bought books about bomb making or drug

manufacturing. Such a search is akin to the types of general searches

220

reconstructing the architecture

▲

that the Framers wanted to forbid. From subpoenas, advance notice

should be provided to the person whose records are involved, and

that person should be able to challenge the order in court. This statu-

tory regime would incorporate the exclusionary rule, a minimum

statutory damages provision, and a framework for disciplining

oﬀending law enforcement oﬃcials.

Moreover, third parties maintaining personal information in a

“system of records” should be restricted from voluntarily disclosing

an individual’s personal information to the government except under

special circumstances. Exceptions might include allowing disclosure

to prevent an imminent threat of harm to another. Another exception

would allow the individual to whom the records pertain to authorize

the government to obtain them from the third party. For example, if a

victim of computer hacking wanted to permit the government to ac-

cess the victim’s own ISP records, the victim could authorize the gov-

ernment to do so.

Regulating Post-Collection Use of Data

Another problem that must be addressed is the way personal infor-

mation is used once it has been collected. As Stuntz astutely observes:

“Fourth Amendment law regulates the government’s eﬀorts to un-

cover information, but it says nothing about what the government

may do with the information it uncovers. Yet as the Clinton investiga-

tion shows, often the greater privacy intrusion is not the initial disclo-

sure but the leaks that follow.”

Legal scholar Carol Steiker notes:

“Unlike other countries in North America and Western Europe, the

United States [has] never developed a national plan to organize a ‘sys-

tem’ of policing or to provide for centralized control over police au-

thority.”

Once information is collected, the Fourth Amendment’s

architecture of oversight no longer applies. This is problematic, as

many of the abuses of information by the government occur after the

information has been collected.

The Privacy Act of  provides some limited regulation of records

maintained by law enforcement entities. But as discussed earlier in

chapter , the Act contains many exceptions and loopholes that

have limited its eﬀectiveness. Government entities often can share

221

reconstructing the architecture

▲

information widely with each other.

Additionally, the Act applies

only to the federal government.

The Privacy Act is an important ﬁrst step in reining in the vast

stores of data that government entities collect. There remains, how-

ever, much room for the Privacy Act to be improved and strength-

ened. One possible safeguard is to mandate the destruction of data

after a certain period of time or, mandate the transfer of data to the

judicial branch after a certain period of time for access only under

special circumstances. Another way is to adopt a meaningful purpose

speciﬁcation restriction. This means that, with certain reasonable ex-

ceptions, information collected from third party records may only be

used for the particular purpose for which it is collected.

Developing an Architecture

The government’s increasing access to our digital dossiers is one of

the most signiﬁcant threats to privacy of our times, and it is inade-

quately regulated. The Court’s Fourth Amendment jurisprudence has

been mired in the diﬃculties of conceptualizing privacy, thus pre-

venting the application of the Fourth Amendment. A statutory regime

has arisen to ﬁll the void, but it is severely ﬂawed. A new architecture

must be constructed, one that eﬀectively regulates the government’s

collection and use of third party records. The process toward develop-

ing an appropriate architecture should begin by regulating both the

government’s acquisition of personal data and its downstream uses of

it. As for acquiring personal information stored in a system of records,

the government should be required to obtain a special court order

that combines the beneﬁts of subpoenas and warrants. As for down-

stream uses, speciﬁc limits must be established for how long the gov-

ernment can keep personal information and for what the government

can do with it. The task of developing an architecture is not easy in a

rapidly changing society that is adjusting to the new dimensions of

the Information Age. This proposed solution is thus a beginning of

the process.

222

reconstructing the architecture

▲

Conclusion

The problems arising from the emergence of digital dossiers are pro-

foundly important. They aﬀect the power of individuals, institutions,

and the government; and they pervade numerous relationships that

form the framework of modern society. The way we respond to these

problems will signiﬁcantly shape the type of society we are construct-

ing. Digital dossiers will aﬀect our freedom and power; they will

deﬁne the very texture and tenor of our lives.

Ideally, technology empowers us, gives us greater control over our

lives, and makes us more secure. But digital technologies of data

gathering and use are having the opposite eﬀect. Increasingly, com-

panies and the government are using computers to make important

decisions about us based on our dossiers, and we are frequently not

able to participate in the process.

As discussed throughout this book, the law of information privacy

has not yet eﬀectively grappled with these problems. Certainly, infor-

mation privacy law has had positive eﬀects. It would be far too simple

to conclude that the law has failed. But the law has not been suﬃ-

ciently successful, and the problems have grown much more trou-

bling during the law’s watch.

223

▲

One response to these developments is a cynical one. Some com-

mentators argue that things have already progressed too far for law

to grapple with the problems of digital dossiers. Scott McNealy, CEO

of Sun Microsystems, famously quips: “You already have zero pri-

vacy. Get over it.”

Amitai Etzioni observes that “as long as Americans

wish to enjoy the convenience of using credit cards and checks (as

opposed to paying cash) and of ordering merchandise over the phone

and the Internet (rather than shopping in person), they will leave

data trails that are diﬃcult to erase or conceal.”

“Toberealistic,”

Etzioni states, “the probability of returning the genie to the bottle

is nil.”

Too often, discussions of privacy parade a horde of horribles, rais-

ing fears of new technologies developing too fast for the law to han-

dle. We are left with a sense of hopelessness—technology will

continue to erode privacy and there is little we can do to stop it. To the

contrary, I believe that there is much cause for optimism. We are still

in the early days of the Information Age, and we still have the ability

to shape the networks of information ﬂow.

In fact, technology isn’t the primary culprit—many of the privacy

problems I discussed are caused in large part because of the law. The

law plays a profound role not just in solving the problems of digital

dossiers, but in manufacturing them as well. The law is not merely re-

active to new technologies that threaten privacy, but is also a shaping

force behind these technologies as well as the amount of privacy we

experience today. We often see privacy as naturally occurring and

threatened by rapidly developing technology. Law must intervene to

protect privacy. However, law creates and constructs the world we live

in. This is particularly true with privacy. To a signiﬁcant degree, pri-

vacy is legally constructed. Law already shapes our ability to hide in-

formation and it shapes information accessibility. Law makes certain

information publicly available; it keeps places (such as the home) pri-

vate by enforcing trespass and property laws. Law also shapes our ex-

pectations of privacy in many contexts.

The law also inﬂuences much of the loss of privacy. Many privacy

problems are the product of legal decisions that have been made over

the past century as we have shaped our modern information econ-

omy. Once we understand the full extent of the legal construction of

224

conclusion

▲

privacy, we will realize that privacy is not passively slipping away but

is being actively eliminated by the way we are constructing the infor-

mation economy through the law.

In the nineteenth century, Americans faced many signiﬁcant pri-

vacy problems. For example, since colonial times, the privacy of the

mail was a vexing problem. Sealing letters was diﬃcult.

Benjamin

Franklin, who was in charge of the colonial mails, required his em-

ployees to swear an oath not to open mail.

Nevertheless, signiﬁcant

concerns persisted about postal clerks reading people’s letters.

Thomas Jeﬀerson, Alexander Hamilton, and George Washington fre-

quently complained about the lack of privacy in their letters, and they

would sometimes write in code.

As Thomas Jeﬀerson wrote: “[T]he

inﬁdelities of the post oﬃce and the circumstances of the times are

against my writing fully and freely.”

These problems persisted in the nineteenth century. As Ralph

Waldo Emerson declared, it was unlikely that “a bit of paper, contain-

ing our most secret thoughts, and protected only by a seal, should

travel safely from one end of the world to the other, without anyone

whose hands it had passed through having meddled with it.”

The law

responded to these problems. Congress passed several strict laws

protecting the privacy of the mail.

And in , in Ex Parte Jackson,

the Supreme Court held that the Fourth Amendment prohibited gov-

ernment oﬃcials from opening letters without a warrant.

In the nineteenth century, one might have simply concluded that

people shouldn’t expect privacy in their letters, and that they should

“get over it.” But privacy isn’t just found but constructed. It is the

product of a vision for a future society. By erecting a legal structure to

protect the privacy of letters, our society shaped the practices of let-

ter-writing and using the postal system. It occurred because of the

desire to make privacy an integral part of these practices rather than

to preserve the status quo.

Similar examples abound in the nineteenth and early twentieth

centuries. When the increasing amount of information collected by

the U.S. census sparked a public outcry, Congress took action by

passing powerful laws to safeguard the conﬁdentiality of census in-

formation.

After Warren and Brandeis’s  article, The Right to Pri-

vacy,

raised concern over new technologies in photography and an

225

conclusion

▲

increasingly sensationalistic press, courts and legislatures responded

by creating many new privacy laws.

Today, we face new technological challenges. Many of the prob-

lems we currently encounter are created by the profound growth in

the creation and use of digital dossiers. Part of the diﬃculty we are

experiencing in dealing with these problems is that they are not as

easy to capture in a soundbite, and they often do not quickly materi-

alize as concrete injuries. When a scandalous secret is disclosed or a

hidden video camera is installed in one’s bedroom, we can easily rec-

ognize and describe the privacy harms. The troubles caused by digi-

tal dossiers are of a diﬀerent sort. These harms are complex and

abstract, which is why I invoked the metaphor of Kafka’s The Trial,

since Kafka was so adept at depicting these types of harms. Today,

like the all-encompassing Court system that assembled a dossier

about Joseph K., large organizations we know little about are produc-

ing digital dossiers about us. The dossiers capture a kind of digital

person—a personality translated into digitized form, composed of

records, data fragments, and bits of information. Our digital dossiers

remain woefully insecure, at risk of being polluted by identity thieves

or riddled with careless errors. And all the while, we are like Joseph

K.—powerless, uncertain, and uneasy—constantly kept on the out-

side while important decisions about us are being made based on

our dossiers.

I have argued that we need to rethink traditional notions of pri-

vacy in order to solve these problems. Protecting privacy in the Infor-

mation Age is a question of social design. It is about designing an

architecture for the information networks that are increasingly con-

stitutive of modern society. The law must restructure our relation-

ships with the entities collecting and using our personal information.

These relationships are not naturally occurring—it is the law that has

deﬁned our relationships to various businesses and institutions, and

it is thus the law that is at least partly responsible for our powerless-

ness and vulnerability. Changing our relationships with bureaucra-

cies can’t be achieved through isolated lawsuits. We need a regulatory

system, akin to the ones we have in place regulating our food, envi-

ronment, and ﬁnancial institutions.

226

conclusion

▲

The law actively contributes to the creation of our dossiers by com-

pelling people to give up personal data, placing it in public records,

and then allowing it to be amassed by database companies. The solu-

tion is for the law to place greater controls on its public records by

limiting the degree to which personal information in these records

can be accessed and used.

The increasing government access and use of our digital dossiers is

also the product of legal decisions made during the past century. The

Supreme Court has interpreted the Fourth Amendment in a short-

sighted way, and the use of dossiers threatens a profound end-run

around Fourth Amendment protections. The law that ﬁlls the void

fails to adequately control the government’s tapping into our digital

dossiers. The solution is to create a legal structure for keeping govern-

ment access to our digital dossiers in check. The government should

be required to obtain a special court order when it wants to access

personal data that is maintained in a business’s record systems.

All of these solutions are not absolutist ones. I am not advocating

that businesses be forbidden from collecting personal data or that

public records be made inaccessible or that the government be pro-

hibited from obtaining personal information. These absolutist solu-

tions are not practical in an information society. In this respect, those

that say the genie can’t be stuﬀed back into the bottle are correct. We

will not suddenly turn into Luddites and throw away our credit cards,

stop surﬁng the Internet, and return to using paper records. We are in

an Information Age, and there is no turning back. But this does not

mean that privacy is destined for extinction. We can have the beneﬁts

of an information-driven world without sacriﬁcing privacy. The solu-

tions I propose do not stop the ﬂow of data. Companies can still

gather information; public records can be made widely available; and

the government can obtain personal information. But when compa-

nies collect our data, the law should impose weighty responsibilities

and should allow people to have greater participation in how the data

is used. When public records are made available, the law should do so

along with demanding restrictions on access and use. When the gov-

ernment wants to obtain personal data, the law should mandate that

it demonstrate before a neutral judicial oﬃcial that it has a factual

227

conclusion

▲

basis that the search will reveal evidence of a particular person’s crim-

inal activity.

The law can protect privacy. This does not require that the law be-

come involved in areas in which it currently has been absent—the law

is already involved. The choices we make in shaping the law are of

critical importance. The law is currently making choices, and it is at-

tempting to balance privacy against countervailing interests such as

eﬃciency, transparency, free speech, and safety. As I have demon-

strated throughout this book, however, our understandings of privacy

must be signiﬁcantly rethought. Once privacy is reconceptualized, we

can ﬁnd ways to accommodate both privacy and its opposing inter-

ests. With an understanding of privacy appropriate for the problems

we now face, the law will be better able to build privacy into our bur-

geoning information society.

228

conclusion

▲

Notes

Notes to Chapter 1

1. See generally Joel R. Reidenberg, “Resolving Conﬂicting International Data Pri-

vacy Rules in Cyberspace,”  Stan. L. Rev.  ().

2. Marcia Stepanek, “How the Data-Miners Want to Inﬂuence Your Vote,” Busi-

ness Week Online, Oct. , , at http://www.businessweek.com/bwdaily/dnﬂ-

ash/oct/nf_.htm.

3. http://www.acxiom.com.

4. John Dewey, Logic: The Theory of Inquiry (), in  Later Works ,  (Jo Ann

Boydston ed., )

Notes to Chapter 2

1. For example, in the eleventh century, William the Conqueror collected infor-

mation about his subjects for taxation in the Doomsday Book. See Priscilla M. Re-

gan, Legislating Privacy: Technology, Social Values, and Public Policy  ().

2. Robert Ellis Smith, Ben Franklin’s Web Site: Privacy and Curiosity from Ply-

mouth Rock to the Internet  (). Record-keeping by state and local govern-

ments became increasingly prevalent during the nineteenth century. Note, “The

Right to Privacy in Nineteenth Century America,”  Harv. L. Rev. , –

().

3. See Regan, Legislating Privacy, .

4. Id., .

5. See id., .

6. Martin Campbell-Kelly & William Aspray, Computer: A History of the Informa-

tion Machine  ().

7. Simson Garﬁnkel, Database Nation: The Death of Privacy in the 21st Century

– ().

8. Campbell-Kelly & Aspray, Computer, .

229

▲

9. Id., –; Garﬁnkel, Database Nation, .

10. See Campbell-Kelly & Aspray, Computer, .

11. Garﬁnkel, Database Nation, .

12. Arthur R. Miller, The Assault on Privacy  ().

13. Philippa Strum, Privacy: The Debate in the United States since 1945, at 

().

14. Id., ; Charles J. Sykes, The End of Privacy  (). For a listing of the in-

creasing authorized uses of SSNs, see Garﬁnkel, Database Nation, –.

15. See, e.g., Vance Packard, The Naked Society (); Alan Westin, Privacy and

Freedom (); Arthur Miller, The Attack on Privacy (); Kenneth L. Karst, “‘The

Files’: Legal Controls over the Accuracy and Accessibility of Stored Personal Data,”

 L. & Contemp. Probs.  (); Symposium, “Computers, Data Banks, and In-

dividual Privacy,”  Minn. L. Rev. – ().

16. See Regan, Legislating Privacy, .

17. U.S. Department of Health, Education, and Welfare, Records, Computers, and

the Rights of Citizens: Report of the Secretary’s Advisory Comm. on Automated

Personal Data Systems  ().

18. See Beth Givens, The Privacy Rights Handbook  ().

19. See Personal Responsibility and Work Opportunity Reconciliation Act of ,

Pub. L. No. -,  Stat.  ().

20. Roland Marchand, “Customer Research as Public Relations: General Motors

in the s,” in Getting and Spending: European and American Consumer Soci-

eties in the Twentieth Century ,  (Susan Strasser, Charles McGovern, &

Matthias Judt eds., ).

21. Id., –.

22. Arthur M. Hughes, The Complete Database Marketer  (d ed. ).

23. Id., .

24. See id., –, –.

25. See id., .

26. Cliﬀ Allen, Deborah Kania, & Beth Yaeckel, Internet World Guide to One-to-

One Web Marketing  ().

27. Erik Larson, The Naked Consumer: How Our Private Lives Become Public Com-

modities  (). The connection between the Census Bureau and marketers re-

mains a very close one. Presidents have frequently appointed former marketers to

serve as the head of the Census Bureau. Since the s, the Census Bureau has been

runbyaformer director of marketing at General Motors, an executive at a political

polling ﬁrm,aresearch manager for Sears, and a past president of the American

Marketing Association. Id., .Companies have made special deals with the Census

Bureau to ask certain questions and to perform tabulations of census data in ways

that will be useful to marketers. Indeed, the Census Bureau has been accused of be-

ing too inﬂuenced by the needs and wants of corporate America. Id., –.

28. See Allen, Kania, & Yaeckel, One-to-One, ; Hughes, Database Marketer, .

29. Hughes, Database Marketer, –.

30. See id., .

31. Id., .

32. Michael McCarthy, “Direct Marketing Gets Cannes Do Spirit; ‘It’s About Time’

Advertising Sector Recognized, Says a Founding Father,” USA Today, June , ,

at B. See generally William J. Fenrich, Note, “Common Law Protection of Individ-

230

notes to chapter 2

▲

uals’ Rights in Personal Information,”  Fordham L. Rev. ,  (); Ian Ayres

& Matthew Funk, “Marketing Privacy,”  Yale J. on Reg.  ().

33. Susan Headden, “The Junk Mail Deluge,” U.S. News & World Rep., Dec. , ,

at . Junk mail sent to each home averages about  pounds per year. Id. See also

Givens, Privacy Rights, .

34. Headden, “Junk Mail.”

35. Wendy Melillo, “Can You Hear Me Now? With the Help of the FTC, Consumers

Prepare to Hit Back at Telemarketers,” Adweek, Apr. , , at .

36. Board of Governors of the Federal Reserve System, Report to the Congress

Concerning the Availability of Consumer Identifying Information and Financial

Fraud  (Mar. ).

37. See Hughes, Database Marketer,  ( cents to  dollar per name); Headden,

Junk Mail (– cents per name).

38. Susan E. Gindin, “Lost and Found in Cyberspace: Informational Privacy in the

Age of the Internet,”  San Diego L. Rev. ,  (). For more background

about the companies that mine for personal data and the processes they use to do

it, see Tal Z. Zarsky, “‘Mine Your Own Business!’: Making the Case for the Implica-

tions of the Data Mining of Personal Information in the Forum of Public Opinion,”

 Yale J. L. & Tech.  ().

39. Fenrich, “Common Law,” .

40. Anne Wells Branscomb, Who Owns Information? From Privacy to Public Ac-

cess  ().

41. Robert O’Harrow, Jr., “Behind the Instant Coupons, a Data-Crunching Power-

house,” Wash. Post, Dec. , , at A.

42. Leslie Wayne, “Voter Proﬁles Selling Briskly as Privacy Issues Are Raised,” N.Y.

Times, Sept. , , at A.

43. Marcia Stepanek, “How the Data-Miners Want to Inﬂuence Your Vote,” Busi-

ness Week Online, Oct. , , at http://www.businessweek.com/bwdaily/dnﬂ-

ash/oct/nf_.htm.

44. Hughes, Database Marketer, .

45. See, e.g., Garﬁnkel, Database Nation, ; Givens, Privacy Rights, .

46. See Peter P. Swire, “Financial Privacy and the Theory of High-Tech Govern-

ment Surveillance,”  Wash. U. L.Q. , – ().

47. Smith, Franklin’s Web Site, .

48. Steven L. Nock, The Costs of Privacy: Surveillance and Reputation in America 

().

49. For example, Experian has information on  million Americans. See

http://www.experian.com/corporate/factsheet.html.

50. See Givens, Privacy Rights, .

51. http://www.regulatorydatacorp.com/ourservices.html.

52. Tyler Hamilton, “Getting to Know You: Opening a Bank Account Gives Regula-

tory DataCorp a Window on Your Life,” Toronto Star, June , .

53. http://www.focus-usa-.com/lists_az.html.

54. Id.

55. Id.

56. http://www.datacardcentral.com/dataindex-r.cfm

57. http://www.hippodirect.com/ListSubjectsN_.asp?lSubject=. For a terriﬁc

discussion of various databases such as the ones discussed in this section, see

231

notes to chapter 2

▲

Electronic Privacy Information Center, “Privacy and Consumer Proﬁling,”

http://www/epic.org/privacy/proﬁling/.

58. See Standards for Privacy of Individually Identiﬁable Health Information: Pre-

amble,  Fed. Reg.  (Dec. , ).

59. Jim Sterne, What Makes People Click: Advertising on the Web  ().

60. For more background on cookies, see A. Michael Froomkin, “The Death of

Privacy?”  Stan. L. Rev. , – (). For a discussion of data collection

about women on the Internet, see Ann Bartow, “Our Data, Ourselves: Privacy,

Propertization, and Gender,”  U.S.F. L. Rev.  ().

61. Heather Green, “Privacy Online: The FTC Must Act Now,” Bus. Wk., Nov. ,

, at .

62. See Robert O’Harrow, Jr., “Fearing a Plague of ‘Web Bugs’; Invisible Fact-Gath-

ering Code Raises Privacy Concerns,” Wash. Post, Nov. , , at E.

63. See Leslie Walker, “Bugs That Go through Computer Screens,” Wash. Post,

Mar. , , at E; see also Richard M. Smith, “FAQ: Web Bugs,” http://www.priva-

cyfoundation.org/resources/webbug.asp.

64. James R. Hagerty & Dennis K. Berman, “Caught in the Net: New Battleground

over Web Privacy: Ads That Snoop,” Wall St. J., Aug. , .

65. Julie E. Cohen, “DRM and Privacy,”  Berkeley Tech. L.J. ,  (); see

also Julie E. Cohen, “The Right to Read Anonymously: A Closer Look at ‘Copyright

Management’ in Cyberspace,”  Conn. L. Rev.  ().

66. Chris Gulker, “The View from Silicon Valley,” The Independent, May , .

67. Mike Crissey, “In War with Bad Bots, A Secret Weapon: Humans,” Miami Her-

ald, Dec. , .

68. Sterne, People Click, .

69. J.D. Lasica, “The Net NEVER Forgets,” Salon, Nov. , , at http://www.sa-

lon.com/st/feature///feature.html.

Notes to Chapter 3

1. See, e.g., Florida v. Riley,  U.S. ,  () (Brennan, J., dissenting) (quot-

ing passage from 1984 to criticize the majority’s holding that viewing the defen-

dant’s greenhouse from a low-ﬂying helicopter wasn’t a search); United States v.

Kyllo,  F. d ,  (th Cir. ) rev’d  S. Ct.  (Noonan, J., dissenting)

(“The ﬁrst reaction when one hears of the Agema  [thermal imaging device

used to detect heat emissions from the home] is to think of George Orwell’s

1984.”); Lorenzana v. Superior Court,  P. d ,  (Cal. ) (en banc) (“Surely

our state and federal Constitutions and the cases interpreting them foreclose a re-

gression into an Orwellian society”).

2. See, e.g., United States v. Falls,  F. d ,  (th Cir. ) (video surveil-

lance “results in a very serious, some say Orwellian, invasion of privacy.”);

United States v. Cuevas-Sanchez,  F. d ,  (th Cir. ) (stating that “in-

discriminate video surveillance raises the spectre of the Orwellian state.”);

United States v. Marion,  F. d ,  (d Cir. )(Congress enacted Title III

of the Omnibus Crime Control and Safe Streets Act of  to “guard against the

realization of Orwellian fears.”); People v. Teicher,  N.E.d ,  (N.Y. )

(“Certainly the Orwellian overtones involved in this activity demand that close

scrutiny be given to any application for a warrant permitting video electronic

surveillance”).

232

notes to chapter 2

▲

3. See, e.g., Capua v. City of Plainﬁeld,  F. S upp. ,  (D.N.J. ) (stating

that drug testing is “George Orwell’s ‘Big Brother’ Society come to life”); Edward

M. Chen, Pauline T. Kim, & John M. True, “Common Law Privacy: A Limit on an

Employer’s Power to Test for Drugs,”  Geo. Mason L. Rev. ,  () (charac-

terizing drug testing as “George Orwell’s ‘Big Brother’ Society come to life”).

4. Steven L. Winter, A Clearing in the Forest: Law, Life, and Mind  ().

5. George Lakoﬀ & Mark Johnson, Metaphors We Live By – ().

6. Id., .

7. J.M. Balkin, Cultural Software: A Theory of Ideology ,  ().

8. Winter, Clearing,  (metaphor is a cognitive “process by which the mind proj-

ects a conceptual mapping from one knowledge domain to another”).

9. Balkin, Software, , .

10. See, e.g., A. Michael Froomkin, “The Metaphor Is the Key: Cryptography, the

Clipper Chip, and the Constitution,”  U. Pa. L. Rev. ,  () (Internet law

“depends critically on the legal metaphors used to understand the Internet”); Orin

S. Kerr, “The Problem of Perspective in Internet Law,”  Geo. L.J. – ().

11. Richard A. Posner, “Orwell versus Huxley: Economics, Technology, Privacy,

and Satire,”  Philosophy and Literature ,  ().

12. See, e.g., William Branigin, “Employment Database Proposal Raises Cries of

‘Big Brother,’” Wash. Post, Oct. , , at A; James Gleick, “Big Brother Is Us: Our

Privacy Is Disappearing, But Not by Force. We’re Selling It, Even Giving It Away,”

N.Y. Times Magazine, Sept. , , at ; Priscilla M. Regan, Legislating Privacy

 () (a House committee held hearings called “ and the National Security

State” to examine the growing computerization of records);  Cong. Rec. H,

H (statement of Rep. Kennedy) (“the promise of the information highway has

given way to an Orwellian nightmare of erroneous and unknowingly disseminated

credit reports”); J. Roderick MacArthur Found. v. FBI,  F. d ,  (D.C. Cir.

) (Tatel, J., dissenting) (“Congress passed the Privacy Act to give individuals

some defenses against governmental tendencies towards secrecy and ‘Big

Brother’ surveillance.”); McVeigh v. Cohen,  F. S upp. ,  (D.D.C. ) (“In

these days of ‘big brother,’ where through technology and otherwise the privacy

interests of individuals from all walks of life are being ignored or marginalized, it is

imperative that statutes explicitly protecting these rights be strictly observed”).

13. George Orwell, 1984, at  ().

14. Id., .

15. Id., .

16. Dennis H. Wrong, Power: Its Forms, Bases and Uses  ().

17. David Lyon, The Electronic Eye: The Rise of the Surveillance Society  ().

18. Michel Foucault, Discipline and Punish: The Birth of the Prison  (Alan

Sheridan trans., Pantheon Books ed. ).

19. Id., .

20. Sampson v. Murray,  U.S. ,  n. () (Douglas, J., dissenting) (quoting

Arthur Miller, “Computers, Data Banks and Individual Privacy: An Overview,” 

Colum. Hum. Rts. L. Rev. ,  []).

21. White v. California,  Cal. Rptr. ,  (Cal. Ct. App. ) () (Friedman, J.,

concurring in part and dissenting in part).

22. See, e.g., Charles N. Faerber, “Book versus Byte: The Prospects and Desirabil-

ity of a Paperless Society,”  J. Marshall J. Computer & Info. L. ,  ()

(“Many are terriﬁed of an Orwellian linkage of databases.”); Bryan S. Schultz,

233

notes to chapter 3

▲

“Electronic Money, Internet Commerce, and the Right to Financial Privacy: A Call

for New Federal Guidelines,”  U. Cin. L. Rev. ,  () (“As technology pro-

pels America toward a cashless marketplace . . . society inches closer to fulﬁlling

George Orwell’s startling vision.”); Alan F. Westin, “Privacy in the Workplace: How

Well Does American Law Reﬂect American Values,”  Chi.-Kent L. Rev. , 

() (stating that Americans would view the idea of government data protection

boards to regulate private sector databases as “calling on ‘Big Brother’ to protect

citizens from ‘Big Brother.’”); Wendy Wuchek, “Conspiracy Theory: Big Brother En-

ters the Brave New World of Health Care Reform,”  DePaul J. Health Care L. ,

 ().

23. William G. Staples, The Culture of Surveillance: Discipline and Social Control

in the United States – ().

24. Abbe Mowshowitz, “Social Control and the Network Marketplace,” in Com-

puters, Surveillance, and Privacy , – (David Lyon & Elia Zureik eds., ).

25. See, e.g., Dorothy Glancy, “At the Intersection of Visible and Invisible Worlds:

United States Privacy Law and the Internet,”  Santa Clara Computer & High

Tech. L.J. ,  () (describing privacy problem created by the private sector

as the “little brother” problem); Marsha Morrow McLauglin & Suzanne Vaupel,

“Constitutional Right of Privacy and Investigative Consumer Reports: Little

Brother Is Watching You,”  Hastings Const. L.Q.  (); Hon. Ben F. Overton &

Katherine E. Giddings, “The Right of Privacy in Florida in the Age of Technology

and the Twenty-First Century: A Need for Protection from Private and Commer-

cial Intrusion,”  Fla. St. U.L.Rev.,  ()(“In his book, ,wewere

warned by George Orwell to watch out for ‘Big Brother.’ Today, we are cautioned to

look out for ‘little brother’ and ‘little sister.’”); Thomas L. Friedman, “Foreign

Aﬀairs: Little Brother,” N.Y. Times, Sept. , ;Wendy R. Leibowitz, “Personal

Privacy and High Tech: Little Brothers Are Watching You,” Nat’l L.J., Apr. , ,at

B.

26. David Lyon, The Electronic Eye: The Rise of the Surveillance Society  ().

27. Katrin Schatz Byford, “Privacy in Cyberspace: Constructing a Model of Privacy

for the Electronic Communications Environment,”  Rutgers Computer & Tech.

L.J. ,  ().

28. Reg Whitaker, The End of Privacy: How Total Surveillance Is Becoming a Reality

– ().

29. Paul M. Schwartz, “Privacy and Democracy in Cyberspace,”  Vand. L. Rev.

,  n. ().

30. David H. Flaherty, Protecting Privacy in Surveillance Societies  ().

31. Oscar H. Gandy, Jr., The Panoptic Sort: A Political Economy of Personal Infor-

mation  ().

32. Jerry Kang, “Information Privacy in Cyberspace Transactions,”  Stan. L. Rev.

,  ().

33. Roger Clarke, “Information Technology and Dataveillance,”  (), at

http://www.anu.edu.au/people/Roger.Clarke/DV/CACM.html.

34. Colin J. Bennet, “The Public Surveillance of Personal Data: A Cross-National

Analysis,” in Computers, Surveillance, and Privacy  (David Lyon & Elia Zureik

eds., ).

35. Kang, “Information Privacy,” .

36. Paul M. Schwartz, “Privacy and Participation: Personal Information and Pub-

lic Sector Regulation in the United States,”  Iowa L. Rev. ,  ().

234

notes to chapter 3

▲

37. Foucault, Discipline and Punish, .

38. In an early paper describing the problem of computer databases, Paul

Schwartz aptly quoted from Kafka’s The Trial. See Paul Schwartz, “Data Processing

and Government Administration: The Failure of the American Legal Response to

the Computer,”  Hastings L.J.  ().

39. Kafka, The Trial, –.

40. Id., .

41. Id., .

42. Id., –.

43. Id., –, .

44. See, e.g., Max Weber, From Max Weber: Essays in Sociology  (H. H. Gerth &

C. Wright Mills, trans. & eds., ); see also Max Weber, The Theory of Social and

Economic Organization – (A.M. Henderson & Talcott Parsons trans., ).

45. Max Weber, Economy and Society – (Guenther Roth & Claus Wittich eds.,

).

46. Id. at .

47. Schwartz, “Data Processing,” .

48. Weber, From Max Weber, .

49. Id., , .

50. Weber, “Economy and Society,” .

51. See Aldous Huxley, Brave New World – (). For Huxley’s own commen-

tary on his novel, see Aldous Huxley, Brave New World Revisited (). For an in-

sightful comparison between Huxley and Orwell, see Neil Postman, Amusing

Ourselves to Death vii ().

52. John Gilliom, Overseers of the Poor: Surveillance, Resistance, and the Limits of

Privacy ().

53. Friedrich Dürrenmatt, The Assignment  (Joel Agee trans., ).

54. John Schwartz, “DoubleClick Takes It on the Chin; New Privacy Lawsuit

Looms; Stock Price Drops,” Wash. Post, Feb. , , at E (quoting Dana Sher-

man).

55. Helen Nissenbaum, “Protecting Privacy in the Information Age: The Problem

of Privacy in Public,”  Law & Phil.  (); see also Anita L. Allen, Uneasy Ac-

cess: Privacy for Women in a Free Society – ().

56. Julie E. Cohen, “Examined Lives: Informational Privacy and the Subject as Ob-

ject,”  Stan. L. Rev. ,  ().

57. Stan Karas, “Privacy, Identity, Databases,”  Am. U. L. Rev. , – ().

58. See id., .

59. See id., –.

60. Henry James, Portrait of a Lady  () (Penguin ed. ).

61. As legal scholar Arthur Miller observes, an “individual who is asked to provide

a simple item of information for what he believes to be a single purpose may omit

explanatory details that become crucial when his ﬁle is surveyed for unrelated

purposes.” Miller, Assault on Privacy, .

62. W.H. Auden’s poem, “The Unknown Citizen” aptly describes this phenome-

non. A person’s life is chronicled through the various records kept about him; we

learn a lot about the person, but at the end of the poem, Auden demonstrates that

the records reveal little about his happiness or quality of life. W.H. Auden, “The

Unknown Citizen,” in Collected Poems  (Edward Mendelson ed., ).

63. Cohen, “Information Privacy,” .

235

notes to chapter 3

▲

64. Brazil (Universal Pictures ).

65. Eugene L. Meyer, “Md. Woman Caught in Wrong Net; Data Errors Link Her to

Probes, Cost  Jobs,” Wash. Post, Dec. , , at C.

66. Hire Check, “Welcome to Hirecheck,” at http://www.hirecheck.com/ ﬂashin-

tro/index.html (last viewed July , ).

67. Hire Check, “Background Screening,” at http://www.hirecheck.com/Product-

sAndServices/backgroundScreening.html (last viewed July , ).

68. Kenneth L. Karst, “‘The Files’: Legal Controls over the Accuracy and Accessi-

bility of Stored Personal Data,”  L. & Contemp. Probs. ,  ().

69. Jeﬀrey Rosen, The Unwanted Gaze: The Destruction of Privacy in America 

().

70. See, e.g., Richard A. Posner, Cardozo: A Study in Reputation – ()

(measuring Benjamin Cardozo’s reputation by a Lexis search counting mentions

of his name).

71. See, e.g., Fred R. Shapiro, “The Most-Cited Law Review Articles Revised,” 

Chi-Kent L. Rev. ,  () (listing the “one hundred most-cited legal articles

of all time”). For a humorous critique of this enterprise, see J.M. Balkin & Sanford

Levinson, “How to Win Cites and Inﬂuence People,”  Chi-Kent L. Rev. 

().

72. See, e.g., Robert M. Jarvis & Phyllis G. Coleman, “Ranking Law Reviews: An

Empirical Analysis Based on Author Prominence,”  Ariz. L. Rev.  ().

73. See, e.g., Jane B. Baron, “Law, Literature, and the Problems of Interdisciplinar-

ity,”  Yale L.J. ,  n. () (comparing Westlaw search of law reviews for

terms “law and economics” and “law and literature” to measure comparative inﬂ-

uence of each of these academic movements).

74. See Oscar H. Gandy, Jr., “Exploring Identity and Identiﬁcation in Cyberspace,”

 Notre Dame J.L. Ethics & Pub. Pol’y ,  () (arguing that proﬁles are

“inherently conservative” because such proﬁles “reinforce assessments and deci-

sions made in the past”).

75. H. Jeﬀ Smith, Managing Privacy: Information Technology and Corporate

America  ().

76. See Larry Selden & Geoﬀrey Colvin, Angel Customers and Demon Customers

().

77. See Bruce Mohl, “Facing Their Demons,” Boston Globe, July , , at F.

78. Smith, Managing Privacy, .

79. Chris Jay Hoofnagle, Letter to Senator Richard Shelby Regarding Senate Bank-

ing Committee Hearing on the Accuracy of Credit Report Information and the Fair

Credit Reporting Act (July , ).

80. Robert O’Harrow, Jr., “Survey Says: You’re Not Anonymous,” Wash. Post, June

, , at E.

81. See, e.g., Givens, Privacy Rights, ; Hughes, Database Marketer, .

82. See Erik Larson, The Naked Consumer: How Our Private Lives Become Public

Commodities – ().

83. Robert O’Harrow, Jr., “Bargains at a Price: Shoppers’ Privacy; Cards Let Super-

markets Collect Data,” Wash. Post, Dec. , , at A.

84. Robert O’Harrow, Jr., “Survey Asks Readers to Get Personal, and , Do,”

Wash. Post, Dec. , , at C.

85. Smith, Managing Privacy, , , .

236

notes to chapter 3

▲

86. See In re Geocities,  FTC LEXIS  (Feb. , ).

87. In re Liberty Financial Companies, No. ,  FTC LEXIS  (May ,

).

88. Whitaker, End of Privacy, –; Nina Bernstein, “Lives on File: The Erosion of

Privacy—A Special Report,” N.Y. Times, June , , at A.

89. Givens, Privacy Rights, .

90.  F. S upp.  (D.D.C. ).

91.  U.S.C. § .

92.  A.d  (N.H. ).

93. Barb Albert, “Patients’ Medical Records Inadvertently Posted on Net,” Indi-

anapolis Star, Mar. , , at A.

94. Charles J. Sykes, The End of Privacy: Personal Rights in the Surveillance Society

 ().

95. Robert O’Harrow, Jr., “Hacker Accesses Patient Records,” Wash. Post, Dec. ,

, at E.

96. See FTC v. Eli Lilly, No. -, available at http://www.ftc.gov/opa//

/elililly.com.

97. See Charles Pillar, “Web Mishap: Kids’ Psychological Files Posted,” L.A. Times,

Nov. , .

98. Chris Jay Hoofnagle, Testimony before the Subcomm. on Social Security of

the Comm. on Ways and Means, U.S. House of Representatives, Hearing on Use

and Misuse of the Social Security Number (July , ).

99. Id.

Notes to Chapter 4

1. Ken Gormley, “One Hundred Years of Privacy,”  Wis. L. Rev. ,  ().

2. For more background about Warren and Brandeis, see Philippa Strum, Bran-

deis: Beyond Progressivism (); Lewis J. Paper, Brandeis (); Daniel J. Solove &

Marc Rotenberg, Information Privacy Law – (); Dorothy Glancy, “The In-

vention of the Right to Privacy,”  Ariz. L. Rev. , – ().

3. Samuel D. Warren & Louis D. Brandeis, “The Right to Privacy,”  Harv. L. Rev. 

().

4. According to legal philosopher Roscoe Pound, the article did “nothing less than

add a chapter to our law.” Alpheus Mason, Brandeis: A Free Man’s Life  ().

First Amendment scholar Harry Kalven, Jr. called it the “most inﬂuential law re-

view article of all.” Harry Kalven, Jr., “Privacy in Tort Law—Were Warren and Bran-

deis Wrong?”  L. & Contemp. Probs. ,  ().

5. William L. Prosser, “Privacy,” in Philosophical Dimensions of Privacy: An An-

thology ,  (Ferdinand David Schoeman ed., ).

6. Warren & Brandeis, “Right to Privacy,” –.

7. Id., .

8. Id., , .

9. See, e.g., Irwin R. Kramer, “The Birth of Privacy Law: A Century since Warren

and Brandeis,”  Cath. U. L. Rev. ,  ().

10. Prosser, “Privacy,” .

11. See Restatement (Second) of Torts §§ B, C, D, E () (dis-

cussing intrusion, appropriation, publicity of private facts, and false light).

237

notes to chapter 4

▲

12. See Lake v. Wal-Mart Stores, Inc.,  N.W.d ,  (Minn. ) (recognizing

a common law tort action for invasion of privacy and noting that Minnesota had

remained one of the few hold-outs).

13. Restatement (Second) of Torts § B ().

14. Seaphus v. Lilly,  F. S upp. ,  (N.D. Ill. ) (unlisted number); Shibley

v. Time, Inc.,  N.E.d ,  (Ohio Ct. App. ) (subscription list); Tureen v.

Equifax, Inc.,  F. d ,  (th Cir. ) (insurance history).

15. Restatement (Second) of Torts § D ().

16. Daily Times Democrat v. Graham,  So.d  (Ala. ) (dress); Barber v.

Time, Inc.,  S.W.d  (Mo. ) (unusual disease); Brents v. Morgan,  S.W.

 (Ky. ) (debt).

17. Restatement (Second) of Torts § E ().

18. Restatement (Second) of Torts § C ().

19. Restatement (Second) of Torts § C cmt. a (). According to legal scholar

Jonathan Kahn, the “early association of appropriation claims with such intangi-

ble, non-commensurable attributes of the self as dignity and the integrity of one’s

persona seems to have been lost, or at least misplaced, as property-based concep-

tions of the legal status of identity have come to the fore.” Jonathan Kahn, “Bring-

ing Dignity Back to Light: Publicity Rights and the Eclipse of the Tort of

Appropriation of Identity,”  Cardozo Arts & Ent. L.J. ,  ().

20. Because their identities are lucrative for marketing purposes, celebrities often

sue under this tort. For an interesting illustration, see Carson v. Here’s Johnny

Portable Toilets, Inc.,  F. d  (th Cir. ), where Johnny Carson successfully

sued a portable toilet company that used the name“Here’s Johnny PortableToilets.”

21.  N.E.d ,  (Ill. App. Ct. ).

22.  N.E.d  (Ohio Ct. App. ).

23. As legal scholar Bruce Sanford contends: “A stake-out by a group of unrelated

reporters should be viewed as no more than the sum of its separate parts.” Bruce

W. Sanford, Libel and Privacy § ., at  (d ed. ).

24. See, e.g., Alaska Const. art. I, § ; Cal. Const. art. I, § ; Fla. Const. art. I, § ;

Ariz. Const. art. II, § ; Mont. Const. art. II, § ; Haw. Const. art. I, § ; Ill. Const.

art. I, §§ , ; La. Const. art. I, § ; S.C. Const. art. I, § ; Wash. Const. art. I, § .

25. See NAACP v. Alabama,  U.S.  (); Shelton v. Tucker,  U.S. 

().

26. NAACP v. Alabama,  U.S. ,  (); Bates v. City of Little Rock,  U.S.

,  ().

27. See McIntyre v. Ohio Election Comm’n,  U.S.  (); Watchtower Bible &

Tract Society v. Village of Stratton,  S. Ct.  ().

28. See Julie E. Cohen, “The Right to Read Anonymously: A Closer Look at ‘Copy-

right Management’ in Cyberspace,”  Conn. L. Rev. ,  () (arguing that

when federal law punishes people for modifying copyright management technol-

ogy to preserve their anonymity, this may constitute state action).

29. U.S. Const. Amend. IV.

30. Schmerber v. California,  U.S. ,  ().

31. U.S. Const. Amend. V.

32.  U.S.  ().

33. Id., .

34. William J. Stuntz, “Privacy’s Problem and the Law of Criminal Procedure,” 

Mich. L. Rev. ,  ().

238

notes to chapter 4

▲

35. See Warden v. Hayden,  U.S.  () (overturning the mere evidence rule

in Boyd); Shapiro v. United States,  U.S.  () (holding that the Fifth Amend-

ment does not prohibit the government from requiring that a person produce her

records).

36.  U.S.  ().

37. Id., .

38.  U.S. , – ().

39.  U.S.  ().

40.  U.S.  ().

41.  U.S. , – ().

42. Id., –.

43. Id., .

44.  F. d  (d Cir. ).

45. Id., –.

46. Directive of the European Parliament and the Council of Europe on the Pro-

tection of Individuals with Regard to the Processing of Personal Data and on the

Free Movement of Such Data (). For an analysis of the Directive, see Peter P.

Swire & Robert E. Litan, None of Your Business: World Data Flows, Electronic Com-

merce, and the European Privacy Directive ().

47.  U.S.C. § .

48. Robert Ellis Smith, Ben Franklin’s Web Site: Privacy and Curiosity from Ply-

mouth Rock to the Internet  (); Priscilla M. Regan, Legislating Privacy: Tech-

nology, Social Values, and Public Policy  ().

49. See Susan E. Gindin, “Lost and Found in Cyberspace: Informational Privacy in

the Age of the Internet,”  San Diego L. Rev. ,  ().

50. Pub. L. No. -,  Stat.  (codiﬁed at  U.S.C. § a).

51. Pub. L. No. -,  Stat.  (codiﬁed at  U.S.C. § g).

52.  U.S.C. § .

53.  U.S.C. §§ –; –.

54.  F. S upp.d  (S.D.N.Y. ).

55. Pub. L. No. -,  Stat.  (codiﬁed at  U.S.C. §§ -).

56. §§ (b)(), (c)().

57. Pub. L. No. -,  Stat.  (codiﬁed at  U.S.C. § ).

58. See  U.S.C. § (b)().

59. Pub. L. No. -,  Stat.  ().

60.  C.F.R. § .(a).

61.  U.S.C. §§ –.

62. § (b)()(A).

63. Anita L. Allen, “Minor Distractions: Children, Privacy and E-Commerce,” 

Houston L. Rev. , ,  ().

64. Pub. L. No. -,  Stat.  (codiﬁed at  U.S.C. §§ –).

65.  U.S.C. § (a), (b).

66. See Smith, Franklin’s Web Site, at .

67. Edward J. Janger & Paul M. Schwartz, “The Gramm-Leach-Bliley Act, Infor-

mation Privacy, and the Limits of Default Rules,”  Minn. L. Rev. , 

().

68. Id., . But see Peter P. Swire, “The Surprising Virtues of the New Financial

Privacy Law,”  Minn. L. Rev. , – () (arguing that the GLB Act works

quite well and forces ﬁnancial institutions to take stock of their privacy practices).

239

notes to chapter 4

▲

69. As Paul Schwartz observes, “personal information in the private sector is of-

ten unaccompanied by the presence of basic legal protections. Yet, private enter-

prises now control more powerful resources of information technology than ever

before.” Paul M. Schwartz, “Privacy and Democracy in Cyberspace,”  Vand. L.

Rev. ,  ().

70. See Joel Reidenberg, “Setting Standards for Fair Information Practice in the

U.S. Private Sector,”  Iowa L. Rev.  ().

71. Joel R. Reidenberg, “Privacy in the Information Economy: A Fortress or Fron-

tier for Individual Rights?”  Fed. Comm. L.J.  ().

72. Colin J. Bennett, “Convergence Revisited: Toward a Global Policy for the Pro-

tection of Personal Data?” in Technology and Privacy: The New Landscape , 

(Philip E. Agre & Marc Rotenberg eds., ).

73.  U.S.C. § .

74. See Daniel J. Solove & Marc Rotenberg, Information Privacy Law –

(). Legal scholar Steven Hetcher notes that the FTC has inﬂuenced many

websites to create privacy policies. Steven Hetcher, “The FTC as Internet Privacy

Norm Entrepreneur,”  Vand. L. Rev.  (); see also Steven Hetcher,

“Changing the Social Meaning of Privacy in Cyberspace,”  Harv. J. L. & Tech. 

(); Steven A. Hetcher, “Norm Proselytizers Create a Privacy Entitlement in Cy-

berspace,”  Berkeley Tech. L.J.  ().

75. For a discussion of FTC jurisprudence over privacy policies, see Jeﬀ Sovern,

“Protecting Privacy with Deceptive Trade Practices Legislation,”  Fordham L.

Rev.  ().

76. See, e.g., In re Liberty Financial Companies, No. ,  FTC LEXIS 

(May , ) (operator of website falsely promised that personal data collected

from children and teens would be kept anonymous); FTC v. ReverseAuction.com,

Inc., No. -CV- (D.D.C. Jan. , ) (company improperly obtained personal

information from eBay and used it to spam eBay customers); In re GeoCities, 

FTC LEXIS  (Feb. , ) (website falsely promised that it never provided infor-

mation to others without customer permission).

77. SeeIn the Matter of Microsoft Corp., No. -.

78. Schwartz, “Privacy and Democracy,” . The relatively recent GLB Act pro-

vides a rare exception, for it requires ﬁnancial institutions to develop “safeguards

for personal information.” See  U.S.C. §§ (b); (b)(). This is a rather gen-

eral mandate, and the agency regulations do not provide much greater speciﬁcity.

Ultimately, the strength of the GLB Act’s security protections will depend upon

how they are enforced.

79. Schwartz, “Privacy and Democracy,” .

80. David Brin, The Transparent Society – ().

81. Id., .

82. Id., –.

Notes to Chapter 5

1. Alan Westin, Privacy and Freedom  ().

2. See, e.g., Arthur Miller, The Assault on Privacy  () (“[T]he basic attribute

of an eﬀective right to privacy is the individual’s ability to control the circulation

of information relating to him”). Randall P. Bezanson, “The Right to Privacy Revis-

ited: Privacy, News, and Social Change, –,”  Calif. L. Rev. ,  ()

240

notes to chapter 4

▲

(“I will advance a concept of privacy based on the individual’s control of informa-

tion . . .”).

3. See Jessica Litman, “Information Privacy/Information Property,”  Stan. L.

Rev. ,  () (“The proposal that has been generating the most buzz, re-

cently, is the idea that privacy can be cast as a property right.”); Pamela Samuel-

son, “Privacy as Intellectual Property,”  Stan. L. Rev. ,  () (“In recent

years, a number of economists and legal commentators have argued that the law

ought now to grant individuals property rights in their personal data”).

4. See Litman, “Information Privacy,”  (“The raison d’etre of property is alien-

ability”).

5. Westin, Privacy and Freedom, .

6. See McCormick v. England,  S.E.d  (S.C. Ct. App. ); Simonsen v.

Swenson,  N.W.  (Neb. ).

7. See Peterson v. Idaho First National Bank,  P. d  (Idaho ); Milohnich

v. First National Bank,  So.d  (Fla. Dist. Ct. App. ). For a discussion of

the breach of conﬁdence tort, see Note, “Breach of Conﬁdence: An Emerging

To rt ,”  Colum. L. Rev.  ().

8. Ian Ayres & Robert Gertner, “Filling Gaps in Incomplete Contracts: An Eco-

nomic Theory of Default Rules,”  Yale L.J. ,  ().

9. See Scott Shorr, “Personal Information Contracts: How to Protect Privacy with-

out Violating the First Amendment,”  Cornell L. Rev. ,  (); Steven A.

Bibas, “A Contractual Approach to Data Privacy,”  Harv. J.L. & Pub. Pol’y , 

(); Kalinda Basho, “The Licensing of Our Personal Information: Is It a Solution

to Internet Privacy?”  Cal. L. Rev. ,  (); Patricia Mell, “Seeking Shade

in a Land of Perpetual Sunlight: Privacy as Property in the Electronic Wilderness,”

 Berkeley Tech. L.J. ,  ().

10. See, e.g., John Hagel III & Marc Singer, Net Worth: Shaping Markets When Con-

sumers Make the Rules – () (advocating for an “infomediary” between

consumers and vendors who would broker information to companies in ex-

change for money and goods to the consumer); Paul Farhi, “Me Inc.: Getting the

Goods on Consumers,” Wash. Post, Feb. , , at H.

11. Richard A. Posner, The Economics of Justice, – ().

12. Richard A. Posner, “The Right of Privacy,”  Ga. L. Rev. ,  ().

13. Richard S. Murphy, “Property Rights in Personal Information: An Economic

Defense of Privacy,”  Geo. L.J. ,  ().

14. Id., , .

15. Jerry Kang, “Information Privacy in Cyberspace Transactions,”  Stan. L.

Rev. , , –, ,  (). To be fair, Kang recognizes that in some

limited circumstances (emergency room data), inalienability rules are prefer-

able.

16. Lawrence Lessig, Code and Other Laws of Cyberspace – ().

17. SeePrivacy in Commercial World, th Cong. () (statement of Paul

H. Rubin), at http://www.house.gov/commerce/hearings//Rubin

.htm.; Direct Marketing Ass’n, Inc., Consumer Privacy Comments concerning the

Direct Marketing Association before the Federal Trade Commission (July , ).

18. For a justiﬁcation of this practice, see Justin Matlick, “Don’t Restrain Trade in

Information,” Wall St. J., Dec. , , at A.

19. Susan E. Gindin, “Lost and Found in Cyberspace: Informational Privacy in the

Age of the Internet,”  San Diego L. Rev. ,  ().

241

notes to chapter 5

▲

20. Erik Larson, The Naked Consumer: How Our Private Lives Become Public Com-

modities – ().

21. See Laura J. Gurak, Persuasion and Privacy in Cyberspace: The Online Protests

over Lotus Marketplace and the Clipper Chip ().

22. Charles J. Sykes, The End of Privacy – ().

23. Fred H. Cate, Privacy in Perspective – ().

24. Id., , –; see also Fred H. Cate, Privacy in the Information Age –

().

25. Eric Goldman, “The Privacy Hoax,” Forbes (Oct. , ), at http://eric_gold-

man.tripod.com/articles/privacyhoax.htm.

26. Samuel D. Warren & Louis D. Brandeis, “The Right to Privacy,”  Harv. L. Rev.

,  ().

27. Lawrence O. Gostin, “Health Information Privacy,”  Cornell L. Rev. 

().

28. Oscar H. Gandy, Jr., The Panoptic Sort: A Political Economy of Personal Infor-

mation  (). See also Julie E. Cohen, “Examined Lives: Informational Privacy

and the Subject as Object,”  Stan. L. Rev. , – (); Paul M. Schwartz,

“Internet Privacy and the State,”  Conn. L. Rev. , – (); Anita L. Allen,

“Privacy-as-Data-Control: Conceptual, Practical, and Moral Limits of the Para-

digm,”  Conn. L. Rev.  ().

29. Schwartz, “Internet Privacy,” –.

30. Paul M. Schwartz, “Privacy and the Economics of Personal Health Care Infor-

mation,”  Tex. L. Rev. , – ().

31. Jeﬀ Sovern, “Opting In, Opting Out, or No Options at All: The Fight for Control

of Personal Information,”  Wash. L. Rev. , – (); Edward Janger &

Paul M. Schwartz, “The Gramm-Leach-Bliley Act, Information Privacy, and the

Limits of Default Rules,”  Minn. L. Rev. , – (); John Schwartz, “Pri-

vacy Policy Notices Are Called Too Common and Too Confusing,” N.Y. Times, May

, .

32. Yahoo!, Privacy Policy, available at http://docs.yahoo.com/info/privacy/us.

33. Doug Brown, “AOL to Users: Opt Out Again,” Yahoo! News at http://dai-

lynews.yahoo.com/h/zd//tc/.html.

34. See Stephanie Stoughton, “FTC Sues Toysmart.com to Halt Data Sale, Bank-

rupt E Retailer Made Privacy Vow to Customers,” Boston Globe, July , , at E.

For an extensive discussion of privacy and dot-com bankruptcies, see Edward J.

Janger, “Muddy Property: Generating and Protecting Information Privacy Norms

in Bankruptcy,”  Wm. & Mary L. Rev.  ().

35. See Susan Stellin, “Dot-Com Liquidations Put Consumer Data in Limbo,” N.Y.

Times, Dec. , , at C.

36. William J. Fenrich, Note, “Common Law Protection of Individuals’ Rights in

Personal Information,”  Fordham L. Rev. , – ().

37. See Beth Givens, The Privacy Rights Handbook  ().

38. Sovern, “Opting In,” .

39. See id., .

40. See Peter P. Swire, “Markets, Self-Regulation, and Government Enforcement

in the Protection of Personal Information,” at http://www.osu.edu/units/law/

swire/psntia.htm, at  (containing the draft submitted to NTIA on Dec. ,

).

242

notes to chapter 5

▲

41. Joel R. Reidenberg, “Privacy in the Information Economy: A Fortress or Fron-

tier for Individual Rights?”  Fed. Comm. L.J. ,  n. ().

42. Cohen, “Information Privacy,” .

43. Paul M. Schwartz, “Privacy and Democracy in Cyberspace,”  Vand. L. Rev.

, – ().

44. Id., .

45. Russell Korobkin, “Inertia and Preference in Contract Negotiation: The Psy-

chological Power of Default Rules and Form Terms,”  Vand. L. Rev.  ()

(noting that most people accept default terms rather than bargain).

46. Pamela Samuelson, “Privacy as Intellectual Property,”  Stan. L. Rev. , 

().

47. Katrin Schatz Byford, “Privacy in Cyberspace: Constructing a Model of Privacy

for the Electronic Communications Environment,”  Rutgers Computer & Tech.

L.J. ,  ().

48. Cohen, “Information Privacy,” .

49. Of course, not all attempts to translate privacy into property rights will

threaten the protection of privacy. For an example of a helpful use of property

rights to protect privacy, see Janger, “Muddy Property.”

50.  N.E.d , ,  (Ill. App. Ct. ).

51. Cohen, “Information Privacy,” .

52. Paul M. Schwartz & Joel R. Reidenberg, Data Privacy Law  ().

53. H. Jeﬀ Smith, Managing Privacy: Information Technology and Corporate

America  ().

54. See Richard Hunter, World without Secrets: Business, Crime, and Privacy in the

Age of Ubiquitous Computing  (); “Amazon Draws Fire for DVD-Pricing Test,

Privacy-Policy Change,” Wall St. J., Sept. ,  at B.

Notes to Chapter 6

1. Samuel D. Warren & Louis D. Brandeis, “The Right to Privacy,”  Harv. L. Rev.

,  ().

2. Smith v. City of Artesia,  P. d ,  (N.M. Ct. App. ).

3. Restatement (Second) of Torts § (I) comment (a).

4.  F. d , – (th Cir. ).

5. Eugene Volokh, “Freedom of Speech and Information Privacy: The Troubling

Implications of a Right to Stop People from Speaking about You,”  Stan. L. Rev.

,  ().

6. Fred Cate, Privacy in the Information Age  ().

7. Id., .

8. Id.

9. See Paul M. Schwartz, “Privacy and Democracy in Cyberspace,”  Vand. L. Rev.

, – ().

10. Paul M. Schwartz, “Internet Privacy and the State,”  Conn. L. Rev. , 

().

11. Spiros Simitis, “Reviewing Privacy in an Information Society,”  U. Pa. L. Rev.

,  ().

12. See Lawrence Lessig, Code and Other Laws of Cyberspace –,  (); Joel

R. Reidenberg, “Rules of the Road for Global Electronic Highways: Merging Trade

243

notes to chapter 6

▲

and Technical Paradigms,”  Harv. J. L. & Tech. ,  (); see also Joel R. Rei-

denberg, “Lex Informatica: The Formulation of Information Policy Rules through

Technology,”  Tex. L. Rev.  ().

13. Yi-Fu Tuan, Space and Place: The Perspective of Experience ,  ().

14. Neal Kumar Katyal, “Architecture as Crime Control,”  Yale L.J.  ().

15. Id., ; see also Thomas A. Markus, Buildings and Power: Freedom and Con-

trol in the Origin of Modern Building Types  ().

16. Quoted in John Nivala, “The Architecture of a Lawyer’s Operation: Learning

from Frank Lloyd Wright,”  J. Legal Prof. ,  ().

17. Michel Foucault, Discipline and Punish: The Birth of the Prison  (Alan

Sheridan trans., ).

18. Id., .

19. Id., .

20. Clive Norris & Gary Armstrong, The Maximum Surveillance Society: The Rise

of CCTV (); Jeﬀrey Rosen, “A Cautionary Tale for a New Age of Surveillance,”

N.Y. Times Magazine (Oct. , ).

21. Lessig, Code, .

22. Id., .

23. Katyal, “Architecture,” –.

24. Hammonds v. Aetna Casualty & Surety Co.,  F. S upp.  (D. Ohio ); Mc-

Cormick v. England,  S.E. d  (S.C. Ct. App. ).

25. As one court has aptly explained the relationship: “A ﬁduciary relationship is

one founded on trust or conﬁdence reposed by one person in the integrity and

ﬁdelity of another. Out of such a relation, the laws raise the rule that neither party

may exert inﬂuence or pressure upon the other, take selﬁsh advantage of his

trust[,] or deal with the subject matter of the trust in such a way as to beneﬁt him-

self or prejudice the other except in the exercise of utmost good faith.” Mobile Oil

Corp. v. Rubenfeld,  N.Y.S.d ,  ().

26. Meinhard v. Salmon,  N.E. ,  (N.Y. ).

27. Swerhun v. General Motors Corp.,  F. S upp. ,  (M.D. Fla. ).

28. Stephen P. Groves, Sr., “Fiduciary Duties in Common Commercial Relation-

ships: The Plaintiﬀ’s Perspective,”  Brief ,  ().

29. Moore v. Regents of the University of California,  P. d  (Cal. ) (doctor

has a ﬁduciary duty to disclose personal interests that could aﬀect the doctor’s

professional judgment).

30. Hammonds v. Aetna Casualty & Surety Co.,  F. S upp.  (D. Ohio ); Mc-

Cormick v. England,  S.E. d  (S.C. Ct. App. ). In a very interesting pro-

posal, Jessica Litman proposes that the breach of conﬁdentiality tort remedy

apply to companies that misuse information. See Jessica Litman, “Information

Privacy/Information Property,”  Stan. L. Rev. , – ().

31. Peterson v. Idaho First National Bank,  P. d  (Idaho ) (bank); Blair v.

Union Free School District,  N.Y.S.d  (N.Y. Dist. Ct. ) (school).

32. Pottinger v. Pottinger,  N.E.d ,  (Ill. App. ).

33. See generally, Marc Rotenberg, “Fair Information Practices and the Architec-

ture of Privacy (What Larry Doesn’t Get),”  Stan. Tech. L. Rev. .

34. U.S. Dep’t of Health, Education, and Welfare (HEW), Report of the Secretary’s

Advisory Committee on Automated Personal Data Systems: Records, Computers,

and the Rights of Citizens – ().

244

notes to chapter 6

▲

35. Organisation for Economic Cooperation and Development, OECD Recom-

mendation Concerning and Guidelines Governing the Protection of Privacy and

Transborder Flows of Personal Data (). For a comparison of U.S. Privacy law to

the OECD Guidelines, see Joel R. Reidenberg, “Restoring Americans’ Privacy in

Electronic Commerce,”  Berkeley J. L. & Tech.  ().

36. See Schwartz, “Privacy and Democracy,” –; Rotenberg, “Fair Informa-

tion Practices,” –; see generally, Joel Reidenberg, “Setting Standards for Fair

Information Practices in the U.S. Private Sector,”  Iowa L. Rev.  ().

37. Jeﬀ Sovern, “Opting In, Opting Out, or No Options at All: The Fight for Control

of Personal Information,”  Wash. L. Rev. ,  ().

38. Rotenberg, “Fair Information Practices,” .

39. OECD Guidelines.

40. See Reidenberg, “Setting Standards,” –.

41. Directive of the European Parliament and the Council of Europe on the Pro-

tection of Individuals with Regard to the Processing of Personal Data and on the

Free Movement of Such Data ().

42. Id.

43. For a compelling discussion of the need for a federal privacy agency, see

Robert Gellman, “A Better Way to Approach Privacy Policy in the United States: Es-

tablish a Non-Regulatory Privacy Protection Board,”  Hastings L.J.  ().

44. No. - (July , ).

45.  U.S.C. §§ (b); (b)().

46. U.S. General Accounting Oﬃce (GAO), Report to the Honorable Sam Johnson

House of Representatives, Identity Theft: Greater Awareness and Use of Existing

Data Are Needed  (June ).

47. Id.

48. See Albert B. Crenshaw, “Victims of Identity Theft Battle Creditors as Well as

Crooks,” Wash. Post, July , , at H.

49. Id.

50. GAO Identity Theft Report, . For more background, see generally Beth

Givens, The Privacy Rights Handbook – ().

51. See Beth Givens, “Identity Theft: How It Happens, Its Impact on Victims, and

Legislative Solutions,” Testimony for U.S. Senate Judiciary Committee on Technol-

ogy, Terrorism, and Government Information – (July , ), at

http://www.privacyrights.org/ar/id_theft.htm; see also John R. Vacca, Identity

Theft – ().

52. See Jennifer . Lee, “Fighting Back When Someone Steals Your Name,” N.Y.

Times, April , .

53. Federal Trade Commission, Identity Theft Survey Report  (Sept. ).

54. See Janine Benner, Beth Givens, & Ed Mierzwinski, “Nowhere to Turn: Victims

Speak Out on Identity Theft: A CALPIRG/Privacy Rights Clearinghouse Report,”

(May ), at http://www.privacyrights.org/ar/idtheft.htm; see also Lee,

“Fighting Back”; Brandon McKelvey, “Financial Institutions’ Duty of Conﬁdential-

ity to Keep Personal Information Secure from the Threat of Identity Theft,”  U.C.

Davis L. Rev. , – ().

55. Christopher P. Couch, Commentary, “Forcing the Choice between Commerce

and Consumers: Application of the FCRA to Identity Theft,”  Ala. L. Rev. , 

().

245

notes to chapter 6

▲

56. McKelvey, “Financial Institutions,” .

57. Lynn M. LoPucki, “Human Identiﬁcation Theory and the Identity Theft Prob-

lem,”  Tex. L. Rev. ,  (); see also Privacy Rights Clearinghouse & Identity

Theft Resource Center, “Criminal Identity Theft” (May ), at http://www.priva-

cyrights.org/fs/fsg-CrimIdTheft.htm.

58.  U.S.C. § .

59. GAO Identity Theft Report, .

60. Id., –.

61. Stephen Mihm, “Dumpster Diving for Your Identity,” N.Y. Times Magazine,

Dec. , .

62. Benner, Givens, & Mierzwinski, “Nowhere to Turn,” .

63. Jane Black, “Who’s Policing the Credit Cops?” Bus. Week Online (Aug.

, ), http://www.businessweek.com/print/technology/content/aug/

tc_.htm.

64.  U.S.C. § .

65. See  U.S.C. § i.

66.  U.S.C. § n.

67. LoPucki, “Human Identiﬁcation,” , .

68.  U.S.C. § h(e), § o, § p.

69.  S. Ct.  ().

70. H.R.  (th Cong, st Sess.) ().

71. Fred H. Cate, Privacy in Perspective  ().

72. Federal Deposit Insurance Corporation, “ID Theft: When Bad Things Happen

to Your Good Name,” – (), at http://www.ftc.gov/bcp/conline/pubs/credit/

idtheft.htm.

73. Lee, “Fighting Back.”

74. GAO Identity Theft Report, .

75. Robert Ellis Smith, Ben Franklin’s Web Site  ().

76. See, e.g., U.S. General Accounting Oﬃce, Report to the Chairman, Subcomm.

on Social Security, Comm. on Ways and Means, House of Representatives: Social

Security: Government and Commercial Use of the SSN Is Widespread (Feb. );

Simson Garﬁnkel, Database Nation – ().

77. HEW, “Records, Computers, and the Rights of Citizens,” xxxii.

78. Flavio L. Komuves, “We’ve Got Your Number: An Overview of Legislation and

Decisions to Control the Use of SSNs as Personal Identiﬁers,”  J. Marshall J.

Computer & Info. L. ,  ().

79. For example, an identity thief purchased the SSNs of several top corporate ex-

ecutives from Internet database companies. The thief then used the SSNs to ob-

tain more personal information about the victims. Benjamin Weiser, “Identity

Theft, and These Were Big Identities,” N.Y. Times, May , .

80. See Robert O’Harrow Jr., “Identity Thieves Thrive in Information Age: Rise of

Online Data Brokers Makes Criminal Impersonation Easier,” Wash. Post, May ,

, at A.

81. See  U.S.C. § (a) (Any “paper ﬁled . . . and the dockets of a bankruptcy

court are public records and open to examination by an entity at a reasonable

time without charge”).

82. Jennifer . Lee, “Dirty Laundry for All to See: By Posting Court Records, Cincin-

nati Opens a Pandora’s Box of Privacy Issues,” N.Y. Times, Sept. , ,atG.

246

notes to chapter 6

▲

83. Robert O’Harrow, Jr., “Identity Thieves Thrive in the Information Age,” Wash.

Post, May , , at A.

84. Robert O’Harrow, Jr., “Concerns for ID Theft Often Are Unheeded,” Wash.

Post, July , , at A.

85. LoPucki, “Human Identiﬁcation,” .

86. Id., –.

87. Bruce Mohl, “Large-Scale Identity Theft Is Painful Reminder of Risk,” Boston

Globe, May , , at C.

88. See Yochi J. Dreazen, “Citibank’s Email Data Oﬀer Raises Online-Privacy Con-

cerns,” Wall St. J., Sept. , , at D.

89. See id.

90. Elise Jordan & Arielle Levin Becker, “Princeton Oﬃcials Broke Into Yale Online

Admissions Decisions,” Yale Daily News, Jul. , ; Susan Cheever, “A Tale of Ivy

Rivalry Gone Awry,” Newsday, Jul. , .

91. Jordan & Becker, “Princeton Oﬃcials.”

92. Tom Bell, “Princeton Punishes Hacker of Yale Site,” Chi. Sun-Times, Aug. ,

, at .

93. Patrick Healy, “Princeton Says Curiosity Led to Yale Files, Admissions Oﬃcial

Will Be Reassigned,” Boston Globe, Aug. , , at A.

94. Cheever, “Ivy Rivalry.”

95. Vacca, Identity Theft, .

96. Benner, Givens, & Mierzwinski, “Nowhere to Turn,” –.

97. Katyal, “Architecture,” .

98. In her testimony before Congress, Beth Givens recommended that “[a]ll con-

sumers should be able to receive one free copy of their credit report annually,”

and noted that six states have enacted this measure into law. See Givens, “Identity

Theft,” U.S. Senate Testimony.

99. See Lynn LoPucki, “Did Privacy Cause Identity Theft?”  Hastings L.J. 

().

100. See Linda Foley, “Fact Sheet (L): Should I Change My SSN?” (May ), at

http://www.privacyrights.org/fs/fs-ssn.htm.

101. Billions of pre-approved credit oﬀers are made to consumers each year, and

there is vigorous competition among creditors to ﬁnd new customers. See Beth

Givens, “Identity Theft,” U.S. Senate Testimony.

102. See LoPucki, “Privacy,” .

Notes to Chapter 7

1. For an excellent discussion of public records, see Robert Gellman, “Public

Records: Access, Privacy, and Public Policy,” http://www.cdt.org/privacy/pub-

recs/pubrec.html.

2. See, e.g., Cal. Health & Safety Code § (a)()–().

3. See, e.g., Cal. Health & Safety Code § .

4. See, e.g., id. § .

5. See Cal. Elec. Code §§ , (a)()–(); Carole A. Lane, Naked in Cyber-

space: How to Find Personal Information Online  ().

6. Edmund J. Pankau, Check It Out!  ().

247

notes to chapter 6

▲

7. See Lane, Naked, . Seven states make workers’ compensation records pub-

licly accessible. See Public Records Online  (Michael L. Sankey et al. eds., d ed.

).

8. See, e.g., Ind. Code Ann. § ---(b)()(A)–(C) (requiring disclosure of partic-

ular information in public employees’ personnel records including salary, educa-

tion, prior work experience, and any disciplinary troubles); Braun v. City of Taft,

 Cal. Rptr. , – (Cal. Ct. App. ) (permitting disclosure of an em-

ployee’s SSN, home address, and birth date); Eskaton Monterey Hosp. v. Myers, 

Cal. Rptr. ,  (Cal. Ct. App. ) (permitting disclosure of a state employee’s

personnel ﬁle); Moak v. Phila. Newspapers, Inc.,  A.d , ,  (Pa.

Commw. Ct. ) (permitting disclosure of payroll records that contained em-

ployees’ names, gender, date of birth, annual salary, and other personal data). But

see Idaho Code §-C() (exempting personnel records from public disclosure).

9. See Mass. Ann. Laws ch. , §§ , ; see also Pottle v. Sch Comm. of Braintree,

 N.E.d ,  (Mass. ).

10. See Lane, Naked, –.

11. See, e.g., Cal. Gov’t Code § (f)().

12. See, e.g., Cal. R. .(c) (“Unless conﬁdentiality is required by law, court

records are presumed to be open”). Not all court records are public; in most states,

adoption records, grand jury records, and juvenile criminal court records are not

public. See, e.g., David S. Jackson, “Privacy and Ohio’s Public Records Act,”  Cap.

U. L. Rev. ,  (). Beyond pleadings and motions (which are, for the most

part, always contained in the court ﬁle), other documents (such as exhibits) and

transcripts may or may not be contained in the ﬁle. For example, typically a trial

transcript will only be contained in the court ﬁle if an appeal is taken. The avail-

ability of other documents in the court ﬁle is controlled by local practice. Local

practices vary greatly depending on limited storage capacities in clerks’ oﬃces.

Often, exhibits are kept by the parties.

13. Lane, Naked, .

14. See, e.g., Unabom Trial Media Coalition v. United States Dist. Court,  F. d

,  (th Cir. ); United States v. Antar,  F. d , – (d Cir. ).

15. Lesher Communications, Inc. v. Superior Court,  Cal. Rptr. , – (Cal.

Ct. App. ).

16. In practice, juror information is rarely sought out except in high-proﬁle cases.

17. If Social Security information is disclosed in court ﬁlings, conﬁdentiality is

lost.  C.F.R. § ..

18.  U.S.C. § (a).

19. Mary Jo Obee & William C. Plouﬀe, Jr., “Privacy in the Federal Bankruptcy

Courts,”  Notre Dame J.L. Ethics & Pub. Pol’y ,  ().

20. See Jerry Markon, “Curbs Debated as Court Records Go Public on Net,” Wall

St. J., Feb. , , at B.

21. In re Keene Sentinel,  A.d , – (N.H. ); see also Barron v. Fla.

Freedom Newspapers, Inc.,  So. d ,  (Fla. ).

22. See Lane, Naked, .

23. See, e.g., Cal. Penal Code § .; Cal. Ct. R. ..(a)().

24. See, e.g., Cal. Penal Code § d.

25. Jane A. Small, “Who Are the People in Your Neighborhood? Due Process, Pub-

lic Protection, and Sex Oﬀender Notiﬁcation Laws,”  N.Y.U. L. Rev. , 

().

248

notes to chapter 7

▲

26. See, e.g., Paul P. v. Verniero,  F. d ,  (d. Cir. ); Russell v. Gregoire,

 F. d ,  (th Cir. ).

27. Edward Walsh, “Kansas City Tunes In as New Program Aims at Sex Trade: ‘John

TV,’” Wash. Post, July , , at A.

28. D. Ian Hopper, “Database, Protection, or a Kind of Prison? Web Registries of

Inmates, Parolees Prompt a Debate,” Wash. Post, Dec. , , at A.

29. See Obee & Plouﬀe, “Bankruptcy Courts,” .

30. See Susan E. Gindin, “Lost and Found in Cyberspace: Informational Privacy in

the Age of the Internet,”  San Diego L. Rev. , – ().

31. See Public Records Online, .

32. For example, KnowX.com states that it has amassed millions of public

records, which are updated regularly. See http://www.knowx.com. Search Systems

contains over , searchable public record databases. See http://www.pac-

info.com. Locateme.com permits its users to search public records such as driver

registrations, voter registrations, and credit headers. See

http://www.locateme.com.

33. See Joanna Glasner, “Courts Face Privacy Conundrum,” Wired News, Feb. ,

, at http://www.wired.com/news/politics/,,,.html.

34. U.S. Bankruptcy Court for the Dist. of N.J., “Case Information,” at

http://www.njb.uscourts.gov/caseinfo/.

35. See http://www.courthousedirect.com.

36. The system under development, called Case Management/Electronic Case

Files (“CM/ECF”), is designed to be in place by . See Administrative Oﬃce of

the U.S. Courts, “News Release,” at http://privacy.uscourts.gov/Press.htm (Feb. ,

).

37. See Harold L. Cross, The People’s Right to Know  ().

38. See, e.g., Nowack v. Fuller,  N.W. , – (Mich. ).

39. See Cross, Right to Know, ; William Ollie Key, Jr., “The Common Law Right

to Inspect and Copy Judicial Records: In Camera or On Camera,”  Ga. L. Rev. ,

 ().

40. See Cross, Right to Know, .

41. See Nowack v. Fuller,  N.W. ,  (Mich. ); Comment, “Public Inspec-

tion of State and Municipal Documents: ‘Everybody, Practically Everything, Any-

time, Except . . . ,’”  Fordham L. Rev. ,  ().

42. See Cross, Right to Know, ; “Public Inspection,” .

43. See Cross, Right to Know, .

44. City of St. Matthews v. Voice of St. Matthews, Inc.,  S.W.d ,  (Ky. Ct.

App. ); Husband, C. v. Wife, C.,  A.d ,  (Del. ) (characterizing the

common law approach as permitting access to judicial records if a person “has an

interest therein for some useful purpose and not for mere curiosity”); Matthew D.

Bunker et al., “Access to Government-Held Information in the Computer Age: Ap-

plying Legal Doctrine to Emerging Technology,”  Fla. St. U. L. Rev. ,  ()

(“The common law had varied among states, with most courts requiring a person

requesting a record to have a legitimate interest in, and a useful purpose for, the

requested record”).

45. See Key, “Common Law,” .

46. See Cross, Right to Know, –.

47.  U.S. ,  ().

48. Id., –.

249

notes to chapter 7

▲

49. Fed. R. Civ. P. (c).

50. Seattle Times Co. v. Rhinehart,  U.S. ,  ().

51. FTC v. Standard Fin. Mgmt. Corp.,  F. d , – (st Cir. ).

52. See, e.g., Nixon, v. Warner Communications, Inc.,  U.S. ,  ().

53. See, e.g., United States v. Beckham,  F. d ,  (th Cir. ).

54. See, e.g., Unabom Trial Media Coalition v. United States Dist. Court for E. Dist.

of Cal.,  F. d ,  (th Cir. ).

55. See, e.g., Doe v. Frank,  F. d ,  (th Cir. ) (“It is the exceptional

case in which a plaintiﬀ may proceed under a ﬁctitious name”).

56. See Doe v. Nat’l R.R. Passenger Corp., No. CIU.A. -,  WL , at *

(E.D. Pa. Mar. , ).

57. Doe v. Shakur,  F.R.D. ,  (S.D.N.Y. ); see also Bell Atl. Bus. Sys.

Servs.,  F.R.D. at  (D. Mass. ) (rejecting use of pseudonym for plaintiﬀ al-

leging a sexual assault by her supervisor at work and that she might have been in-

fected with HIV).

58. See, e.g., United States v. McVeigh,  F. d , – (th Cir. ).

59. See Jason Lawrence Cagle, Note, “Protecting Privacy on the Front Page: Why

Restrictions on Commercial Use of Law Enforcement Records Violate the First

Amendment,”  Vand. L. Rev. ,  n. (). While some states’ FOIAs re-

placed the common law, courts in some states have held that the state’s FOIA op-

erates as an additional right of access to the common law. See id.

60. See Note, “Public Inspection,” .

61.  Public Papers of the Presidents of the United States: Lyndon B. Johnson 

(), quoted in H.R. Rep. No. -, at  (), reprinted in  U.S.C.C.A.N.

, .

62.  U.S.C. § (a)()(A).

63. See, e.g., United States Dep’t of Justice v. Reporters Comm. for Freedom of the

Press,  U.S. ,  ().

64.  U.S.C. § (f).

65. Jackson, “Ohio’s Public Records,” .

66. See, e.g., Del. Code Ann. tit. , §  (stating that “it is vital that citizens

have easy access to public records in order that the society remain free and demo-

cratic”);  Ill. Comp. Stat. Ann. / () (stating that the right to inspect public

records “is necessary to enable the people to fulﬁll their duties of discussing pub-

lic issues fully and freely”).

67. Roger A. Nowadzky, “A Comparative Analysis of Public Records Statutes,” 

Urb. Law. ,  & n. () (conducting a comprehensive survey of all state

FOIAs as to the presumption of disclosure).

68.  U.S.C. §§ (b)(); (b)()(C).

69. In contrast, companies seeking to protect trade secrets can initiate actions on

their own to protect their information in what is known as a “reverse-FOIA” law-

suit. See Heather Harrison, Note, “Protecting Personal Information from Unau-

thorized Government Disclosures,”  Memphis St. U. L. Rev. ,  ().

70. See, e.g., D.C. Code Ann. § -(a)(); Mich. Comp. Laws Ann. § .()(a).

71. Pa. Cons. Stat. Ann. § .().

72. Kanzelmeyer v. Eger,  A.d ,  (Pa. Commw. Ct. ).

73. See  Ohio Rev. Code Ann. § .(A)(); see also State ex rel. Plain Dealer Pub.

Co. v. Cleveland,  N.E.d , – (Ohio ) (Resnick, J., concurring) (criti-

cizing the lack of a privacy exception in Ohio’s Public Records Act).

250

notes to chapter 7

▲

74. Nowadzky, “Comparative Analysis,” .

75.  U.S.C. § a.

76. Warth v. Dep’t of Justice,  F. d , – (th Cir. ).

77.  U.S.C. §§ a(b)().

78. See Paul M. Schwartz, “Privacy and Participation: Personal Information and

Public Sector Regulation in the United States,”  Iowa L. Rev. , – ().

79. Robert Gellman, “Does Privacy Law Work?” in Technology and Privacy: The

New Landscape ,  (Philip E. Agre & Marc Rotenberg, eds., ).

80. See id.; Harrison, “Protecting Personal Information,” .

81.  U.S.C. § a(g)().

82. Schwartz, “Privacy and Participation,”  (“[I]ndividuals who seek to enforce

their rights under the Privacy Act face numerous statutory hurdles, limited dam-

ages, and scant chance to eﬀect an agency’s overall behavior.”); Todd Robert

Coles, Comment, “Does the Privacy Act of  Protect Your Right to Privacy? An

Examination of the Routine Use Exemption,”  Am. U. L. Rev. ,  n. ().

83.  F. d ,  (th Cir. ).

84. See Schwartz, “Privacy and Participation,” . For a compilation of state pri-

vacy laws, see Robert Ellis Smith, Compilation of State and Federal Privacy Laws

().

85. Schwartz, “Privacy and Participation,” .

86. Ga. Code Ann. § --.

87. La. Rev. Stat. Ann. § :(H).

88. Amelkin v. McClure,  F. d ,  (th Cir. ).

89. Ky. Rev. Stat. Ann. § ..

90. Fla. Stat. Ann. § .().

91. Colo. Rev. Stat. § --..

92. Cal. Gov’t Code § (f)().

93. See Rajiv Chandrasekaran, “Government Finds Information Pays,” Wash. Post,

Mar. , , at A.

94.  U.S.C. § (a)(). Although the FEC occasionally uses decoy names to

check to see if candidates are engaging in improper uses of the records, the FEC

has not, according to critics, done much to investigate reports of abuse. See Chan-

drasekaran, “Information Pays.”

95. Pub. L. No. -,  Stat.  (codiﬁed as amended at  U.S.C. §§ -

).

96.  U.S. , ,  ().

97. Schwartz, “Privacy and Participation,” .

Notes to Chapter 8

1. Dateline (NBC television broadcast, Oct. , ).

2. Louis D. Brandeis, Other People’s Money  ().

3. Engrav v. Cragun,  P. d ,  (Mont. ); Houston Chronicle Publ’g

Co. v. City of Houston,  S.W.d ,  (Tex. App. ); United States v. Hickey,

 F. d ,  (th Cir. ).

4. In re Cont’l Ill. Sec. Litig.,  F. d ,  (th Cir. ).

5. Letter from James Madison to W.T. Barry (Aug. , ), in  The Writings of

James Madison  (Gaillard Hunt ed., ).

6. Cowley v. Pulsifer,  Mass. ,  ().

251

notes to chapter 8

▲

7. United States v. Chagra,  F. d ,  n. (th Cir. ); G. Michael Fenner

& James L. Koley, “Access to Judicial Proceedings: To Richmond Newspapers and

Beyond,”  Harv. C.R.-C.L. L. Rev. ,  n. ().

8.  U.S. , – ().

9.  P.  (Cal. Dist. Ct. App. ).

10.  P. d  (Cal. ).

11. Westphal v. Lakeland Register,  Media L. Rep. (BNA) ,  (Fla. Cir. Ct.

); Roshto v. Hebert,  So. d ,  (La. ); Montesano v. Donrey Media

Group,  P. d ,  (Nev. ); Jenkins v. Bolla,  A.d , – (Pa.

Super. Ct. ).

12.  P. d  (Cal. ).

13. Id. (quoting William L. Prosser, “Privacy,”  Cal. L. Rev. ,  []).

14. Restatement (Second) of Torts § D cmt. b ().

15. Id. § B cmt. c.

16.  U.S. ,  ().

17.  F. d ,  (d Cir. ).

18.  F. d ,  (th Cir. ); see also Doe v. City of New York,  F. d , 

(d Cir. ) (“[A]n individual cannot expect to have a constitutionally protected

privacy interest in matters of public record”).

19.  F. d , – (th Cir. ).

20.  F. d ,  (th Cir. ).

21.  F. d , –,  (d Cir. ). But see Doe v. Portiz,  A.d , 

(N.J. ) (following the conception from Reporters Committee when examining

the constitutionality of Megan’s Law and noting that “a privacy interest is impli-

cated when the government assembles . . . diverse pieces of information into a

single package and disseminates that package to the public, thereby ensuring that

a person cannot assume anonymity”).

22. State Employees Ass’n v. Dep’t of Mgmt. & Budget,  N.W.d ,  (Mich.

)(quoting Tobin v. Mich. Civil Serv. Comm’n,  N.W.d ,  [Mich.

]).

23. Moak v. Phila. Newspapers, Inc.,  A.d ,  (Pa. Commw. Ct. ).

24. Mans v. Lebanon Sch. Bd.,  A.d ,  (N.H. ) (quoting H.R. Rep.

No. , at  []) (discussing federal FOIA); see also Pottle v. Sch. Comm. of

Braintree,  N.E.d , – (Mass. ) (holding that payroll records con-

taining names, salaries, overtime pay, and addresses of policemen and school em-

ployees were not private within the meaning of Massachusetts’s FOIA privacy

exception because the information was not intimate).

25. Jayson Blair & William K. Rashbaum, “Man Broke Into Accounts of Celebrities,

Police Say,” N.Y. Times, Mar. , , at B.

26. Robert O’Harrow, Jr., “Identity Thieves Thrive in Information Age: Rise of On-

line Data Brokers Makes Criminal Impersonation Easier,” Wash. Post, May ,

, at A.

27. See Priscilla M. Regan, Legislating Privacy: Technology, Social Values, and Pub-

lic Policy  ().

28. Sykes, End of Privacy, –.

29. Planned Parenthood v. Am. Coalition of Life Activists,  F. d  (th Cir.

) (en banc).

30. Arthur Miller, The Assault on Privacy  ().

252

notes to chapter 8

▲

31. See, e.g., Charles J. Sykes, The End of Privacy: Personal Rights in the Surveil-

lance Society  (); see also Note, “Privacy and Eﬃcient Government: Propos-

als for a National Data Center,”  Harv. L. Rev. ,  ().

32. Robert Ellis Smith, Ben Franklin’s Web Site: Privacy and Curiosity from Ply-

mouth Rock to the Internet  ().

33. See Richard Sobel, “The Degradation of Political Identity under a National

Identiﬁcation System,”  B.U. J. Sci. & Tech. L. ,  (). See generally Amitai

Etzioni, The Limits of Privacy ().

34. Immigration Reform and Control Act of , Pub. L. No. -,  Stat. 

(codiﬁed as amended at  U.S.C. §§ a–).

35. See Personal Responsibility and Work Opportunity Reconciliation Act of ,

Pub. L. No. -,  Stat. . See generally Robert O’ Harrow, Jr., “Uncle Sam

Has All Your Numbers,” Wash. Post, June , at A.

36. Sobel, “Degradation,” .

37. See id., –.

38. U.S. Dep’t of Health, Education, and Welfare (HEW), “Report of the Secretary’s

Advisory Committee on Automated Personal Data Systems: Records, Computers,

and the Rights of Citizens,”  ().

39. See Erik Larson, The Naked Consumer: How Our Private Lives Become Public

Commodities – ().

40. See Fred H. Cate et al., “The Right to Privacy and the Public’s Right to Know:

The ‘Central Purpose’ of the Freedom of Information Act,”  Admin. L. Rev. ,

– () (citing studies by the General Accounting Oﬃce, Department of

Health and Human Services, and the Department of Defense).

41. Patricia M. Wald, “The Freedom of Information Act: A Short Case Study in the

Perils and Paybacks of Legislating Democratic Values,”  Emory L.J. , 

().

42. See, e.g., U.S. Dep’t of Justice v. Reporters Comm. for Freedom of the Press,

 U.S. ,  (); see also Halloran v. Veterans Admin.,  F. d ,  (th

Cir. ) (“[I]f disclosure of the requested information does not serve the purpose

of informing the citizenry about the activities of their government, disclosure will

not be warranted even though the public may nonetheless prefer, albeit for other

reasons, that the information be released”).

43.  A.d , – (D.C. ).

44.  F. d ,  (th Cir. ).

45. J.M. Balkin, “Ideological Drift and the Struggle over Meaning,”  Conn. L.

Rev. ,  ().

46. See HEW, “Records, Computers, and the Rights of Citizens,” viii.

47. Judicial Conference, Request for Comment on Privacy and Public Access to

Electronic Case Files (Sept. , ), available at http:// www.privacy.uscourts

.gov/ RFC.htm.

48. See Grayson Barber, “Too Easy an Answer: Beware of Simplifying the Impact

of Posting Court Records Online,”  N.J.L.J.  ().

49.  U.S. , – ().

50.  U.S.  ().

51. Press-Enterprise Co. v. Superior Court,  U.S.  () (jury selection);

Press-Enterprise Co. v. Superior Court,  U.S.  () (pretrial proceed-

ings).

253

notes to chapter 8

▲

52. See United States v. Criden,  F. d ,  (d Cir. ); United States v.

Chagra,  F. d ,  (th Cir. ).

53.  F. d ,  (d Cir. ) (internal quotations and citation omitted).

54. United States v. McVeigh,  F. d ,  (th Cir. ); see also Littlejohn

v. BIC Corp.,  F. d ,  (d Cir. )(“A ccess means more than the ability

to attend open court proceedings; it encompasses the right of the public to in-

spect and to copy judicial records.”); Associated Press v. United States Dist.

Court,  F. d ,  (th Cir. )(“There is no reason to distinguish be-

tween pretrial proceedings and the documents ﬁled in regard to them”). But see

Lanphere & Urbaniak v. Colorado,  F. d ,  (th Cir. ) (“[T]here is

no general First Amendment right in the public to access criminal justice

records”).

55.  U.S. ,  ().

56.  F. d ,  (th Cir. ).

57.  U.S. ,  ().

58. After Whalen and Nixon, the Supreme Court has done little to develop the

right of information privacy. A majority of the circuit courts have accepted the

constitutional right to information privacy. See, e.g., In re Crawford,  F. d ,

 (th Cir. ); Walls v. City of Petersburg,  F. d ,  (th Cir. );

Barry v. City of New York,  F. d ,  (d Cir. ); United States v. West-

inghouse Elec. Corp.,  F. d ,  (d Cir. ); Plante v. Gonzalez,  F. d

, ,  (th Cir. ). One circuit court has expressed “grave doubts” as

to the existence of the right, stopping short of confronting the issue of whether

the right existed. Am. Fed’n of Gov’t Employees v. Dep’t of Housing & Urban

Dev.,  F. d , , – (D.C. Cir. ). For more background about the

constitutional right to information privacy, see Elbert Lin, “Prioritizing Privacy:

AConstitutional Response to the Internet,”  Berkeley Tech. L.J. , –

().

59.  U.S. , –, – ().

60.  U.S. ,  ().

61.  U.S. ,  ().

62.  U.S.  ().

63. The Florida Star v. B.J.F.,  U.S. , ,  ().

64. L.A. Police Dep’t v. United Reporting Publ’g Corp.,  U.S. ,  ()

(Stevens, J., dissenting).

65. See, e.g., Chaplinsky v. New Hampshire,  U.S. ,  (); N.Y. Times Co.

v. Sullivan,  U.S. ,  () (public ﬁgures must prove actual malice to pre-

vail in defamation suits).

66. See Central Hudson Gas v. Public Service Commission,  U.S.  ().

Notes to Chapter 9

1. See Dana Hawkins, “Gospel of a Privacy Guru: Be Wary; Assume the Worst,”

U.S. News & World Rep., June , , http://www.usnews.com/usnews/

nycu/tech/articles//tech/privacy.htm (describing hotel chain sharing lists

of the movies, including pornographic ones, customers pay to watch in their hotel

rooms).

2. Julia Scheeres, “No Thumbprint, No Rental Car,” Wired News, Nov. , , at

http://wired.com/news/print/,,,.html.

254

notes to chapter 8

▲

3. See, e.g., Paul M. Schwartz, “Beyond Lessig’s Code for Internet Privacy: Cyber-

space Filters, Privacy-Control, and the Fair Information Practices,”  Wisc. L.

Rev. , – (describing lack of employee privacy).

4. SeeDana Hawkins, “Digital Skulduggery,” U.S. News & World Rep., Oct. , 

at .

5. J.C. Conklin, “Under the Radar: Content Advisor Snoops as Workers Surf Web,”

Wall St. J., Oct. , ,atB.

6. This information was requested in employer questionnaires in American Fed-

eration of Government Employees v. HUD,  F. d  (D.C. Cir. ) and Walls v.

City of Petersburg,  F. d  (th Cir. ).

7. SeeSarah Schafer, “Searching for a Workable Fit; Employers Try Psychological

Tests to Help with More than the Right Hire,” Wash. Post, Jan. , ,atV.

8. See  U.S.C. § (c), as amended by the USA-PATRIOT Act §§ –.

9. See John Markoﬀ,“Pentagon Plans a Computer System That Would Peek at Per-

sonal Data of Americans,” N.Y. Times, Nov. , .

10. http://www.darpa.mil/iao/index.htm.

11. William Saﬁre, “You Are a Suspect,” N.Y. Times, Nov. , ,atA.

12. See Cheryl Bolen, “Senate Withholds Data-Mining Funds until DOD Ad-

dresses Privacy, Rights Issues,” Privacy Law Watch, Jan. , .

13. SeeGlenn R. Simpson, “Big Brother-in-Law: If the FBI Hopes to Get the Goods

on You, It May Ask ChoicePoint,” Wall St. J., Apr. , ,atA.

14. See id.

15. See id.

16. SeeGregory Palast, “Florida’s Flawed ‘Voter-Cleansing’ Program,” Salon.com,

at http://www.salonmag.com/politics/feature////voter_ﬁle/index.html

(Dec. , ).

17. SeeRobert O’Harrow, Jr., “U.S. Backs Florida’s New Counterterrorism Data-

bases: ‘Matrix’ Oﬀers Law Agencies Faster Access to Americans’ Personal Records,”

Wash. Post, Aug. , ,atA;Brief of Amici Curiae Electronic Privacy Informa-

tion Center (EPIC) and Legal Scholars and Technical Experts, in Hiibel v. Sixth Ju-

dicial District Court of Nevada, No. - (U.S. Supreme Court, Dec. , ).

18. Daniela Deane, “Legal Niceties Aside ...;Federal Agents without Subpoenas

Asking Firms for Records,” Wash. Post, Nov. , ,atE.

19. The Attorney General’s Guidelines on General Crimes, Racketeering Enter-

prise and Domestic Security/Terrorism Investigations § II.C. (March , ).

20. The Attorney General’s Guidelines on General Crimes, Racketeering Enter-

prise and Terrorism Enterprise Investigations § VI (May , ).

21. Id., § VI.B..

22. Lisa Guernsey, “What Did You Do before theWar?” N.Y. Times, Nov. , ,at

G.

23. SeePaul Beckett, “Big Banks, U.S. Weigh Pooling Data on Terror,” Wall St. J.,

Nov. , ,atA;Robert O’Harrow, Jr., “Financial Database to Screen Accounts:

Joint Eﬀort Targets Suspicious Activities,” Wash. Post, May , ,atE.

24. DanEggen, “FBI Seeks Data on Foreign Students,” Wash. Post, Dec. , ,at

A.

25. Don Phillips, “JetBlue Apologizes for Use of Passenger Records,” Wash. Post,

Sept. , ,atE.

26. Sara Kehaulani Goo, “Northwest Gave U.S. Data on Passengers,” Wash. Post,

Jan. , , at A.

255

notes to chapter 9

▲

27. John Schwartz, “Some Companies Will Release Customer Records on Re-

quest,” N.Y. Times, Dec. , , at A.

28. See Mike Snider, “Privacy Advocates Fear Trade-Oﬀ for Security; FBI Sends

Warrants to Service Providers,” USA Today, Sept. , , at D.

29. See Robert Lemos, “FBI Taps ISPs in Hunt for Attackers,” ZD Net Sept. , ,

at http://zdnet.com/ﬁlters/printerfriendly/,,-,.html.

30. E. Judson Jennings, “Carnivore: U.S. Government Surveillance of Internet

Transmissions,”  Va. J. L. & Tech. , ,  ().

31. MSN Statement of Privacy, at http://privacy.msn.com.

32. Amazon.com Privacy Notice, at http://www.amazon.com.

33. Privacy Policy, at http://pages.ebay.com/help/community/png-priv.html.

34. Model Privacy Statement, at http://truste.com/bus/pub_sample.html.

35. For example, Larry Ellison, the CEO of Oracle Corporation, proposed a system

of national identiﬁcation involving biometrics. See Larry Ellison, “Digital IDs Can

Help Prevent Terrorism,” Wall St. J., Oct. , , at A.

36. See Greg Schneider & Robert O’Harrow, Jr., “Pentagon Makes Rush Order for

Anti-Terror Technology,” Wash. Post, Oct. , , at A.

37. Robert O’Harrow, Jr., “Drivers Angered over Firm’s Purchase of Photos,” Wash.

Post, Jan. , , at E; Robert O’Harrow, Jr. & Liz Leyden, “U.S. Helped Fund

Photo Database of Driver IDs: Firm’s Plan Seen as Way to Fight Identity Crime,”

Wash. Post, Feb. , , at A.

38.  U.S.C. § .

39. See  C.F.R. § .().

40. See Personal Responsibility and Work Opportunity Reconciliation Act of ,

Pub. L. No. -,  Stat. . See also Robert O’ Harrow, Jr., “Uncle Sam Has All

Your Numbers,” Wash. Post, June , , at A.

41. Pub. L. -,  Stat. .

42. USA-PATRIOT Act of , §  (amending  U.S.C. § ).

43. See Eric Lichtblau, “Justice Dept. Lists Use of New Power to Fight Terror,” N.Y.

Times, May , , at A.

44. California Bankers Ass’n v. Shultz,  U.S. ,  () (Douglas, J. dissenting).

45. See Margaret Raymond, “Rejecting Totalitarianism: Translating the Guaran-

tees of Constitutional Criminal Procedure,”  N.C. L. Rev. ,  ().

46. Olmstead v. United States,  U.S. ,  () (Brandeis, J., dissenting).

47. See Paul M. Schwartz, “Privacy and Democracy in Cyberspace,”  Vand. L.

Rev. , – ().

48. Julie E. Cohen, “Examined Lives: Informational Privacy and the Subject as Ob-

ject,”  Stan. L. Rev. ,  ().

49. NAACP v. Alabama,  U.S. ,  ().

50. See, e.g., Shelton v. Tucker,  U.S. ,  () (holding unconstitutional a

law requiring teachers to disclose membership in organizations); NAACP v. Al-

abama,  U.S. ,  () (restricting compelled disclosure of membership

lists of NAACP).

51.  U.S.  ().

52. Id., .

53. It is unclear how receptive the Court will be to this argument. The Court has

held that mere information gathering about a group’s public activities did not

harm First Amendment interests enough to give rise to standing. See Laird v.

Tatum,  U.S. , – ().

256

notes to chapter 9

▲

54.  U.S. , – ().

55. McIntyre v. Ohio Elections Commission,  U.S.  (); Watchtower Bible

& Tract Society v. Village of Stratton,  S. Ct.  ().

56. See, e.g., Doe v. TheMart.com, Inc.,  F. S upp.d , – (W.D. Wash.

); Columbia Insurance Co. v. Seescandy.com,  F.R.D. , – (N.D. Cal.

).

57. Julie E. Cohen, “The Right to Read Anonymously: A Closer Look at ‘Copyright

Management’ in Cyberspace,”  Conn. L. Rev. ,  ().

58. See Silas J. Wasserstrom & Louis Michael Seidman, “The Fourth Amendment

as Constitutional Theory,”  Geo. L.J. ,  ().

59. Lawrence M. Friedman, Crime and Punishment in American History  ().

60. Carol S. Steiker, “Second Thoughts about First Principles,”  Harv. L. Rev.

, – ().

61. See William J. Stuntz, “The Substantive Origins of Criminal Procedure,” 

Yale L.J. ,  ().

62. See, e.g., Friedman, Crime and Punishment, .

63. Curt Gentry, J. Edgar Hoover: The Man and the Secrets  (). The organiza-

tion created in  was called the Bureau of Investigation (BI); it became the FBI

in . See id., .

64. Id., –.

65. See, e.g., Albert J. Reiss, Jr., “Police Organization in the Twentieth Century, in

Modern Policing,” ,  (Michael Tonry & Norval Morris eds., ).

66. For a discussion of the harms of a national identiﬁcation system, see Richard

Sobel, “The Degradation of Political Identity under a National Identiﬁcation Sys-

tem,”  B.U. J. Sci. & Tech. L.  ().

67. Whitﬁeld Diﬃe & Susan Landau, Privacy on the Line: The Politics of Wiretap-

ping and Encryption , – ().

68. Philadelphia Yearly Meeting of the Religious Society of Friends v. Tate,  F. d

 (d Cir. ).

69. See Priscilla M. Regan, Legislating Privacy: Technology, Social Values, and Pub-

lic Policy  ().

70. See Gary T. Marx, Under Cover: Police Surveillance in America – ().

71. See Regan, Legislating Privacy, .

72. See Computer Matching and Privacy Protection Act (CMPPA) of , Pub. L.

No. -,  Stat. .

73. See Gen. Accounting Oﬃce, “Computer Matching: Quality of Decisions and

Supporting Analyses Little Aﬀected by  Act” (); Paul M. Schwartz, “Privacy

and Participation: Personal Information and Public Sector Regulation in the

United States,”  Iowa L. Rev. ,  () (noting that CMPPA “creates no sub-

stantive guidelines to determine when matching is acceptable”).

74. See Regan, Legislating Privacy, .

75. Oscar H. Gandy, Jr., “Exploring Identity and Identiﬁcation in Cyberspace,” 

Notre Dame J.L. Ethics & Pub. Pol’y ,  ().

76. Spiros Simitis, “Reviewing Privacy in an Information Society,”  U. Pa. L. Rev.

,  ().

77. Joe Sharkey, “A Safer Sky or Welcome to Flight ?” N.Y. Times (March ,

).

78. Ira Berkow, “Rower with Muslim Name Is an All-American Suspect,” N.Y.

Times, Feb. , , at D.

257

notes to chapter 9

▲

79. Pamela Samuelson, “Privacy as Intellectual Property?”  Stan. L. Rev. ,

 (). See also David H. Flaherty, Protecting Privacy in Surveillance Societies

– ().

80. Eric. K. Yamamoto, Margaret Chon, Carol I. Izumi, Jerry Kang, & Frank H. Wu,

Race, Rights, and Reparations: Law and the Japanese American Internment –,

 ().

81. Frank J. Donner, The Age of Surveillance: The Aims and Methods of America’s

Political Intelligence System  ().

82. See Gentry, Hoover, .

83. See Charles H. McCormick, Seeing Reds: Federal Surveillance of Radicals in the

Pittsburgh Mill District, –, at ,  (); Richard Gid Powers, Secrecy

and Power: The Life of J. Edgar Hoover  ().

84. See Donner, Surveillance, ; Gentry, Hoover, ; Powers, Hoover, .

85. See Gentry, Hoover, .

86. See Powers, Hoover, –.

87. See Gentry, Hoover, –.

88. See Ellen Schrecker, The Age of McCarthyism: A Brief History with Documents

– ().

89. Id., .

90. Gentry, Hoover, –, ; Powers, Hoover, –.

91. See Schrecker, McCarthyism, –.

92. Powers, Hoover, .

93. See Schrecker, McCarthyism, .

94. See Seth I. Kreimer, “Sunlight, Secrets, and Scarlet Letters: The Tension be-

tween Privacy and Disclosure in Constitutional Law,”  U. Pa. L. Rev. , –

().

95. Schrecker, McCarthyism, –.

96. Charles J. Sykes, The End of Privacy: Personal Rights in the Surveillance Society

 (). See Diﬃe & Landau, Privacy on the Line,  (wiretapping of members

of Congress and Supreme Court Justices); Gentry, Hoover, – (providing de-

tailed description of Hoover’s collection of ﬁles).

97. See David J. Garrow, The FBI and Martin Luther King, Jr.  ().

98. See Ronald Kessler, The Bureau: The Secret History of the FBI – ();

Gentry, Hoover, .

99. See, e.g., Diﬃe & Landau, Privacy on the Line, –. It was not until ,

nearly a decade after the wiretapping and three years after Hoover’s death, that

Congress conducted an inquiry into the wiretapping of King through the famous

Church Committee. See id., .

100. Garrow, Martin Luther King, –.

101. Id., .

102. Id., .

103. See id., . Hoover’s dislike of King may have also stemmed from racism. It is

well-documented that Hoover was racist. See id., .

104. See id., –.

105. See id., .

106. Id., .

258

notes to chapter 9

▲

Notes to Chapter 10

1. U.S. Const. amend. IV.

2. Akhil Reed Amar, The Constitution and Criminal Procedure  ().

3. See, e.g., Harris v. United States,  U.S. ,  ().

4. See Katz v. United States,  U.S. ,  ().

5. Brinegar v. United States,  U.S. , – ().

6. See Amar, Criminal Procedure, –.

7. See id.; Sherry F. Colb, “The Qualitative Dimension of Fourth Amendment ‘Rea-

sonableness,’”  Colum. L. Rev. ,  ().

8. See Amar, Criminal Procedure, –; Christopher Slobogin, “The World without

a Fourth Amendment,”  UCLA L. Rev. ,  ().

9.  U.S. ,  (). See also Camara v. Municipal Court,  U.S.  (). For a

critique of Terry and Camara, see Scott E. Sundby, “A Return to Fourth Amend-

ment Basics: Undoing the Mischief of Camara and Terry,”  Minn. L. Rev. 

().

10. See, e.g., Vernonia Sch. Dist. v. Acton,  U.S.  () (drug testing by

school oﬃcials); Nat’l Treasury Employees Union v. Von Rabb,  U.S.  ()

(drug testing of Customs oﬃcials); Skinner v. Ry Labor Executives Ass’n,  U.S.

 () (drug testing of railroad employees); O’Connor v. Ortega,  U.S. 

() (search by government employer); New Jersey v. TLO,  U.S.  ()

(search by school oﬃcials).

11. Silas J. Wasserstrom & Louis Michael Seidman, “The Fourth Amendment as

Constitutional Theory,”  Geo. L.J. ,  ().

12. Mapp v. Ohio  U.S. ,  (). For more background about the devel-

opment of the exclusionary rule, see Potter Stewart, “The Road to Mapp v. Ohio

and Beyond: The Origins, Development and Future of the Exclusionary Rule in

Search and Seizure Cases,”  Colum. L. Rev.  ().

13. Silverthorne Lumber Co. v. United States,  U.S. ,  ().

14. Arnold H. Loewy, “The Fourth Amendment as a Device for Protecting the In-

nocent,”  Mich. L. Rev. ,  ().

15. Several commentators have criticized the exclusionary rule, advocating a sys-

tem of civil damages rather than the exclusion of inculpatory evidence. See Amar,

Criminal Procedure, –, ; Christopher Slobogin, “Why Liberals Should Chuck

the Exclusionary Rule,”  U. Ill. L. Rev. , – (). Other commentators

argue that civil damages will prove to be much less successful than the exclusion-

ary rule. See Loewy, “Fourth Amendment,” ; Tracey Maclin, “When the Cure

for the Fourth Amendment Is Worse than the Disease,”  S. Cal. L. Rev. ,  ().

16. See William J. Stuntz, “Privacy’s Problem and the Law of Criminal Procedure,”

 Mich. L. Rev. ,  ().

17. William J. Stuntz, “The Substantive Origins of Criminal Procedure,”  Yale

L.J. ,  ().

18. See Stuntz, “Privacy’s Problem,” .

19. Stuntz, “Substantive Origins,” .

20. Stuntz, “Privacy’s Problem,” .

21. Scott E. Sundby, “‘Everyman’s’ Fourth Amendment: Privacy or Mutual Trust

between Government and Citizen?”  Colum. L. Rev. , – ().

22. Id., .

259

notes to chapter 10

▲

23. See Daniel J. Solove, “Conceptualizing Privacy,”  Cal. L. Rev. , –

().

24. Raymond Shih-Ray Ku, “The Founders’ Privacy: The Fourth Amendment and

the Power of Technological Surveillance,”  Minn. L. Rev. ,  () (exam-

ining connection between the Fourth Amendment and separation of powers).

25. See Daniel Yeager, “Does Privacy Really Have a Problem in the Law of Crimi-

nal Procedure?”  Rutgers L. Rev. , – () (agreeing with Stuntz that

regulatory inspections can be more invasive of privacy than regular searches, but

disagreeing that “encounterless police investigations should be more loosely con-

trolled”). Louis Seidman disputes Stuntz’s view that the Fourth Amendment

places privacy above coercion. See Louis Michael Seidman, “The Problems with

Privacy’s Problem,”  Mich. L. Rev.  ().

26. Although corporations are deemed “persons” under the Fourteenth Amend-

ment, see Santa Clara County v. S. Pac. R.R.,  U.S. , – (), they are not

aﬀorded Fourth Amendment rights. See California Bankers Ass’n v. Shultz, 

U.S. ,  () (stating that “corporations can claim no equality with individuals

in the enjoyment of a right to privacy”).

27. Stuntz, “Privacy’s Problem,” .

28. Id.

29. Amar, Criminal Procedure, .

30. See id.

31. Id., .

32. Leonard W. Levy, Origins of the Bill of Rights  ().

33. Sundby, “Everyman,” .

34. Louis Fisher, “Congress and the Fourth Amendment,”  Ga. L. Rev. , 

() (“The spirit and letter of the fourth amendment counseled against the be-

lief that Congress intended to authorize a ‘ﬁshing expedition’ into private papers

on the possibility that they might disclose a crime”).

35. U.S. Const. amend. IV.

36. Maclin, “Fourth Amendment Principles,” . Indeed, as Maclin notes: “Every-

one, including Amar, agrees that the Framers opposed general warrants.” Id., .