Privacy and Technology: Reconsidering a Crucial Public Policy Debate in the Post-September 11 Era

Special Report 259

Lisa NelsonUniversity of Pittsburgh

Special Report

Privacy and Technology: Reconsidering a CrucialPublic Policy Debate in the Post-September 11 Era

In the post September 11 era, one truism in the ongoing public policy debate surrounding technol-ogy and privacy is that there is no easy solution to the increasing presence of technology in ourlives. There are, however, several long-standing guiding principles. We must be wary of extendingpolitical authority to protect privacy without careful contemplation of the consequences. While itmay appear that the idea of balancing technology and privacy is novel, the tension between themis informed by a broader theoretical framework that is inherent to democracy. Understanding thisbroader theoretical framework is helpful in identifying ways to advance the debate toward policysolutions rather than continuing a dogmatic discussion that juxtaposes technological innovationwith the loss of privacy. The purpose of this discussion is not to settle the public policy debate.Instead, the aim is to consider how long-standing constitutional doctrine and the theoretical frame-work of democracy can lend insight into the current debate surrounding privacy and technology.

The events of September 11, 2001, and the ever-increas-ing prominence of information technology in our lives havehad a significant influence on the nature of public policydebates on privacy. As society becomes more informationbased, the tendency—perhaps necessity—of individuals todistribute their personal information continues to increase.Yet, as personal information becomes more important andis accessible to a greater number of people and institu-tions, concerns about privacy protection and civil libertiesabound. The escalating information society, together withthe increasing reliance on technology for intelligence gath-ering and surveillance in the aftermath of September 11,2001, has resulted in a growing public policy debate re-garding the balance that should be forged between tech-nology and privacy.

In these policy debates, however, the terms are oftenmired in time-worn dichotomies and stymied by entrenchedpolitical positions. The first step in moving the public policydebate forward is reconsidering the terms of debate. Whileit may appear that the question of balancing technologyand privacy is novel, the tension between them is informedby a broader theoretical framework that is inherent to de-mocracy. Understanding this broader theoretical frameworkis helpful in identifying ways to advance the debate to-

ward policy solutions rather than continuing a dogmaticdiscussion that juxtaposes technological innovation withthe loss of privacy. In other words, there must be a meansof ensuring the ongoing protection of privacy in light ofinnovations in information technology and within the con-text of continued efforts to guard against terrorism. An un-derstanding of the democratic underpinnings of privacy,which are affected by the growth of the information ageand the events of September 11, 2001, is essential to a re-consideration of the terms of the debate. The purpose ofthis discussion is not to settle the public policy debate. In-stead, the aim is to consider how long-standing constitu-tional doctrine and the theoretical framework of democ-racy can lend insight into the current debate surroundingprivacy and technology.

Implicitly, the exercise of political authority in the nameof preventing harm informs the current public policy de-bates regarding the proper balance between technology and

Lisa Nelson is an assistant professor in the University of Pittsburgh’s Gradu-ate School of Public and International Affairs and a fellow at the Philosophyof Science Center of the University of Pittsburgh. She also serves as an affili-ate in the InSITeS Institute at Carnegie Mellon University and the University ofPittsburgh School of Law. She is a recent recipient of a National ScienceFoundation award to study the societal and legal implications of biometrictechnology. E-mail: [email protected].

260 Public Administration Review • May/June 2004, Vol. 64, No. 3

privacy. Harm, however, is perceived differently by thoseinvolved in the making of public policy. On one hand, thoseconcerned with the loss of privacy have taken issue withthe increased political authority exercised in the post–Sep-tember 11 environment. The war on terror is viewed as athreat to our liberty interests in privacy because of increasedintelligence gathering, expanded surveillance, and extendedbureaucratic prerogative to use technology to ferret outterrorism. On the other hand, there is a growing sentimentthat contends there is a need for greater government pro-tection for individuals against invasions of privacy by thevagaries of the information age. Here, the threat to privacytakes the form of unfettered information gathering by gov-ernment and private industry. The solution from this per-spective is increased regulation. In either case, the libertyinterest in privacy is juxtaposed with the exertion of politi-cal authority. Thus, the policy debate regarding the properbalance between technology and privacy presents an ironiccontradiction: Political authority is viewed both as a threatand a panacea to our liberty interests in privacy. To betterunderstand the equilibrium between political authority andprivacy, we begin first with the concept of liberty in ourdemocratic tradition.

Liberty and DemocracyThe origin of liberty in democratic theory is best de-

scribed by John Stuart Mill as “the civil or social libertywhich exists within the nature and limits of the power whichcan be legitimately exercised by society over the individual”(Mill 1956, 2). As Mill explains, the balance between lib-erty and authority is struck by guaranteeing certain immu-nities that cannot be violated by those holding politicalauthority. If violated, those in positions of authority havebreached their duty as leaders. As a secondary check onpolitical authority, constitutional checks that are establishedby the consent of the community are a necessary conditionof the acts of governing power (Mill 1956, 4). In practice,this means the exercise of political authority is mediatedby the immunities of the citizenry and the consent of thegoverned.

The liberty interest in privacy is construed similarly. Toparaphrase Justice Robert H. Jackson in his concurringopinion on the 1952 Youngstown Sheet and Tube Co. v.Sawyer (343 U.S. 579) decision, “the Fourth Amendmentprotects more than privacy; it ensures that governmentalinvasions of individual privacy are based upon rules estab-lished by the people, rules our rulers must follow in orderto engage in surveillance.” Jackson’s description of pri-vacy mirrors that of Mill. The conditions of our libertyinterest in privacy are created by the immunities of thecitizenry and the consent of the governed. Each serves as alimit on political authority. Yet, the analysis is not quite so

simple. The equilibrium of this balance between politicalauthority and the liberty interests of individuals is changedin the face of harm. As Mill explains, government shouldbe established on the harm principle: “That the sole endfor which mankind is warranted, individually or collec-tively, in interfering with the liberty of action of any oftheir number, is self-protection. That the only purpose forwhich power can be rightfully exercised over any memberof a civilized community, against his will, is to preventharm to others” (Mill 1956, 4).

The authority to interfere with a member of a civilizedcommunity in defense of liberty occurs when there is aneed to prevent harm. In fact, as Mill argues, “it is one ofthe undisputed functions of government to take precau-tions against crime before it has been committed, as wellas to detect and punish it afterwards” (Mill 1956, 116).Liberty, augmented in our constitutional framework bythe principles of privacy, is mediated by the exercise ofpolitical authority to protect against harm. What is leftunanswered is the type and form of political authoritythat is ideal for preserving our liberty interests in privacy.In theory, the answer seems quite simple: The exercise ofpolitical authority is justified when the political will nec-essary for the prevention of harm is warranted. Yet, as apractical matter, the perception of harm—and the justifi-cation of political authority necessary to combat it—isoften problematic. As Mill warns, “the preventative func-tion of government, however, is far more liable to beabused, at the prejudice of liberty, than the punitive func-tion” (Mill 1956, 116).

This concern is particularly acute in the post–Septem-ber 11 environment because it is not only the assertion ofpolitical authority, but also the architecture of it that po-tentially threatens our liberty interest in privacy. Far-reach-ing regulations that enable the gathering and sharing ofinformation, the concentration of power in the hands ofthe intelligence community, and the extensive powergranted to the executive branch in the name of the “war onterrorism” is seen as altering the structural balance betweenpolitical authority and social and civil liberties at the ex-pense of democratic principles. The call for increased po-litical authority to protect privacy in the wake of the infor-mation age, however, faces similar criticisms. Here, it isargued that under the limits of the Constitution, there isinsufficient legal basis for the exercise of political author-ity to protect privacy. In this sense, protective legislation isseen as potentially overstepping the appropriate constitu-tional boundaries of political authority and squelching freeenterprise and innovation in the information age.

Though it seems to be at the other end of the spectrum,the question of whether the Constitution allows for thepower of government to adopt and enforce laws to protectprivate information from intrusion by the private sector is

Special Report 261

not unlike the question of whether the events of Septem-ber 11 justify increased intelligence gathering and surveil-lance. Each is a question of enhanced political authorityand its relationship to the liberty interests of privacy. Yet,the answer is not so easily discerned from either constitu-tional doctrine or public sentiments. Rather, the publicpolicy debate must account for the interplay between each,because one is not separate from the other.

Interestingly, the war on terror coincides with the ac-celeration of the information age and, as a result, affectsthe direction of policy debates regarding each. Perhaps thewar on terror seems less intrusive and less threatening toour privacy because our notions of privacy have been al-tered in an unprecedented age of information. Surveillanceis becoming commonplace, frequent, and innocuous. More-over, the information age has altered the traditional physi-cal divide between the public and the private with the ageof the Internet and other technologies. Physical locale isno longer the definitional quality of privacy, and, as a re-sult, the traditional demarcation of privacy is no longer aptin either legal doctrine or societal perceptions. Similarly,the events of September 11 and the subsequent prominenceof surveillance and information gathering may have causedus to be overly sensitized to information sharing in boththe government and private sectors.

The events of September 11 and the rise of the informa-tion age challenge the previous balance between politicalauthority and liberty, but it does not follow that a new bal-ance cannot be struck. Yet, it is necessary to move the de-bate beyond its current dichotomy, which tends to viewthe rise of technology and the information age as intrudingon privacy. The dichotomy is not helpful because it is im-possible to eliminate the specter of terrorism and turn backthe clock on the information age. Instead, each is a newfactor to be weighed in the quest for a balance betweenliberty and the exercise of political authority. For this, letus return to Mill.

As Mill advocates, the balance is secured by the guar-antee of certain immunities that cannot be violated by thoseholding political authority. As a secondary check on po-litical authority, constitutional checks that are establishedby the consent of the community are a necessary conditionfor the acts of governing power. Thus, as a point of depar-ture, the proper course of policy development to protectprivacy while fostering the appropriate exercise of politi-cal authority requires us to turn to the necessary immuni-ties, which cannot be trammeled, and to the constitutionalchecks that must remain intact.

The Constitutional Doctrine of PrivacyOne of the most prominent frameworks for the devel-

opment of policy for surveillance and information gather-

ing is, of course, the constitutional doctrine on privacy.Although privacy is absent from the text of the Constitu-tion, the Supreme Court has found privacy interests in nu-merous amendments. Privacy exists within the prohibitionagainst search and seizures; in decisional freedom in pro-creation, marriage, contraception, and abortion; and in aprohibition against the disclosure of information. For thepurposes of this discussion, however, the liberty interest inprivacy is most directly affected when government surveil-lance and information gathering occur. Here, privacy isdefined relative to the exercise of political authority withinthe context of Fourth Amendment freedoms. The 1928Olmstead v. United States (277 U.S. 438) decision—a caseinvolving Fourth Amendment protection against unreason-able search and seizure—provided the beginning of theconstitutional concept of privacy in this regard. Privacy asdeveloped in the search and seizure cases has applicationsbeyond Fourth Amendment jurisprudence. It may not beobvious that a broader legal right to privacy is expressedthrough the doctrine of search and seizure cases; however,the loss of the condition of privacy is analogous and, moreimportantly, instructive for understanding the key conceptsthat inform the intersection of privacy and technology incurrent public policy debates.

In Olmstead, the Supreme Court was asked to considerwhether the Constitution provides protection for citizenswhen the government places a wiretap on their telephonesand records their conversations. In its decision, the Courtheld that wiretapping does not violate the guarantee againstunreasonable search and seizure because of the lack ofphysical intrusion or seizure of tangible evidence. Employ-ing a traditional trespass analysis, the Court argued thatbecause the taps were placed without any actual physicaltrespass on the property of the defendants, the evidencewas secured with the use of the “sense of hearing and thatonly,” and therefore did not violate Fourth Amendmentprotections. This precedent regarding governmental use oftechnological surveillance allowed law enforcement to useelectronic means to enter the physical domain of privacyin the name of preventing potential harm. The familiar di-chotomy between the political authority to prevent harmand the realm of personal privacy is evident in Olmstead.The protection of privacy was relegated to a secondaryconcern when the necessity of preventing harm to societywas present. There was, of course, strong opposition tothis limited conception of privacy and the acceptance ofthe exercise of governmental authority within it. JusticeLouis D. Brandeis dissented, claiming the protections ofthe Fourth Amendment reach farther than what the Court’sdecision reflected. Brandeis characterized the right to pri-vacy as “the right to be let alone—the most comprehen-sive of rights and the right most valued by civilized men.”More important for our purposes, Brandeis’s dissent rec-


ognized that the Supreme Court should take into accountthe evolution of technology when interpreting the Consti-tution. “Discovery and invention have made it possible forthe government by means far more effective than stretch-ing upon the rack to obtain disclosures in court of what iswhispered in the closet.” Though outdated in terms of thetechnology under consideration, Olmstead outlines theparameters of the current debate regarding the nexus be-tween privacy and technology. There is both a constitu-tionally recognized need for governmental authority toprotect against harm and a need to protect personal au-tonomy and privacy. The pressing question in Olmstead—and in the current debates—is whether the technologicalinvasion of privacy is justified in the name of preventingharm. This depends, of course, on the underlying concep-tion of privacy and the definition of harm against which itis juxtaposed.

In its 1967 decision in Katz v. United States (389 U.S.347), the Supreme Court elaborated on the definition ofharm and privacy first discussed in Olmstead. In applyingthe Fourth Amendment to government searches of citizens’homes, the Court stated, “At the very core [of the FourthAmendment] stands the right of a man to retreat into hisown home and there be free from unreasonable govern-mental intrusion.” In Katz, a bookie had placed an incrimi-nating phone call from inside a public phone booth, towhich FBI officials had attached an electronic listeningand recording device. The question presented to the Courtwas whether the conversation was admissible. In rulingthe conversation inadmissible, the Court noted that theFourth Amendment protected people and not places. In hisconcurrence, Justice John M. Harlan formulated what hasbecome the prevailing standard in Fourth Amendmentcases. In essence, the two-pronged test requires a subjec-tive expectation of privacy that society deems objectivelyreasonable. The Supreme Court has applied this principleto hold that a Fourth Amendment search does not occurunless “the individual manifested a subjective expectationof privacy in the object of the challenged search,” and “so-ciety [is] willing to recognize that expectation as reason-able.” The subjective perception of privacy informs therealm of privacy, but the justification for invasion is mea-sured by normative expectations of privacy defined by so-cietal standards. Here, perceptions of harm can affect theevaluation of subjective perceptions of privacy. If societalperceptions of harm diverge from an individual’s claim toprivacy, the individual’s perspective is given less credenceand may even be viewed with a modicum of suspicion.The decision lends insight into the nexus between subjec-tive and objective expectations of privacy, but it also offersguidance for understanding the effect of technological in-novations on societal evaluations of privacy. As techno-logical innovations become more commonplace, the ex-

pectation that an individual remains outside their purviewis considered less reasonable by societal standards.

This principle was further articulated in Kyllo v. UnitedStates (533 U.S. 27 [2001]). In Kyllo, the Court consid-ered “whether the use of a thermal-imaging device aimedat a private home from a public street to detect relativeamounts of heat within the home constitutes a search withinthe meaning of the Fourth Amendment.” The Court subse-quently held that “obtaining by sense-enhancing technol-ogy any information regarding the interior of the home thatcould not otherwise have been obtained without physicalintrusion into a constitutionally protected area…constitutesa search—at least where the technology in question is notin general public use.” According to this standard, as so-phisticated technologies become more widely available,privacy protection diminishes. This has much to do withwhat characterizes a reasonable expectation of privacy. The“reasonable expectation of privacy” requirement begs thequestion: what renders scrutiny unreasonable? It is less ofan invasion, it seems, if the public is made aware that thetechnology is in place.

When technology becomes more widely used, the ex-pectation of privacy that an individual may retain is di-minished. The same can be said about the context of anact. Traditionally, action in a public sphere compared to aprivate one entails a much lower expectation of privacy.The collection of biometric identifiers through face recog-nition systems, for example, takes place in public arenas,thereby delimiting privacy claims because one cannot ex-pect that his or her facial features are private in the publicsphere. This point was noted in United States v. Dionisio(410 U.S. 1 [1973]), in which a grand jury subpoenaedindividuals to obtain voice samples and compare them witha recorded conversation that was in evidence. In ruling sucha subpoena constitutional, the Court noted that “no personcan have a reasonable expectation that others will not knowthe sound of his voice, any more than he can reasonablyexpect that his face will be a mystery to the world.” Onemight argue that privacy is construed more broadly as theinviolability of an individual’s rights over his or her per-son beyond the physical person to intellectual activitiesand personality (Cohen 2000, 1424–28). If privacy is per-ceived as being free from influence to express and developoneself outside the public eye, then monitoring of this sortis indeed an invasion of privacy (Allen 1999, 754). Thisconcept of privacy is tied to the First Amendment’s pro-tection of anonymity. The concept of anonymity has notbeen featured as prominently in discussions surroundingtechnology, though its presence in our historical politicaltradition is arguably as essential as privacy. More impor-tantly, courts have generally protected anonymity in pub-lic spaces, whereas they have generally held that there isno expectation of privacy in public places.

Special Report 263

Similarly, if iris scans are used to restrict access toschools or if fingerprints are used to verify identity beforethe boarding of an airplane, is there a privacy interest atstake? In these types of settings, the privacy interest mustbe mitigated by the interest in security. For instance, instriking a balance between the liberty interest of the rightto travel and the need to protect security, courts have al-lowed searches of passengers and baggage. The logic ofthe administrative search doctrine is best articulated inUnited States v. Edwards (498 F.2d 496 [1974]), in whichthe court held,

When the risk is the jeopardy to hundreds of humanlives and millions of dollars of property inherent inthe pirating or blowing up of a large airplane, thedanger alone meets the test of reasonableness, so longas the search is conducted in good faith for the pur-pose of preventing hijacking or like damage and withreasonable scope and the passenger has been givenadvance notice of his liability to such a search so thathe can avoid it by choosing not to travel by air.

In considering the balance between the liberty interestin privacy and the exercise of political authority to protectagainst harm, the public policy debate must be nuanced.The growing prevalence of technology, as well as the set-ting and the purpose for technology all must be factoredinto to public policy debates that attempt to strike a bal-ance between privacy interests and the exercise of politi-cal authority. Sometimes, the exercise of political author-ity is not as obvious as a search. An invasive search ofdigital activities or transactional data can be performedautomatically, and the information gathered and storedwithout the attention of a human intermediary. The threatto privacy here is the lack of control that the subject of a“search” has over the information gathered. Privacy in thiscontext is conceived of as control over personal data orcontrol of what others (individuals, companies, or govern-ment) know about the individual (Katsh 1995).

Privacy, when it is conceived of as control over personaldata, is less established in the Constitution. In the 1975Whalen v. Roe (423 U.S. 1313) decision, patients and doc-tors challenged a statute in New York that required copiesof prescriptions for certain drugs to be recorded and storedin a centralized government computer, arguing that it vio-lated their constitutional right to privacy. Although theCourt rejected this claim, a majority argued that under cer-tain circumstances, the disclosure of health care informa-tion may violate a constitutionally protected right to pri-vacy. Justice John Paul Stevens, writing for a majority ofthe Court, identified informational privacy as one aspectof the constitutional right to privacy. Stevens argued, “Thecases sometimes characterized as protecting ‘privacy’ havein fact involved at least two different kinds of interests.One is the individual interest in avoiding disclosure of per-

sonal matters, and another is the interest in independencein making certain kinds of important decisions.” Whalen,although distinct from Fourth Amendment protections ofprivacy, nonetheless mirrors the logic of Olmstead and Katz.Privacy acts as a bulwark against government surveillanceand information gathering, but only to the extent that asocietal harm is not compromised. Additionally, it is clearthat defining privacy as a physical sphere of security isbecoming less and less workable in the face of both tech-nological innovation and the increasing prevalence of tech-nology in society. Nonetheless, the definitional quality ofthe constitutional doctrine on privacy juxtaposes the exer-cise of political authority with a protected sphere of pri-vacy. In current policy debates, this balance should be re-tained, but with an eye toward changing technologies and,as a consequence, changing notions of privacy.

In simple terms, while the constitutional doctrine of pri-vacy represents a point of departure for understanding theproper exercise of political authority, it is only that: a pointof departure. Recall that Mill argues the balance betweenpolitical authority and liberty is not only secured by cer-tain constitutional immunities that cannot be violated bythose holding political authority, but also by the consent ofthe community. Although constitutional immunities estab-lish a check on political authority, a secondary check isprovided by the consent of community members. Limitson information gathering and government surveillance arealso found in legislative provisions that provide notice,access, control, and consent.

Notice, Access, Control, andConsent: Legislative Efforts

Legislative protections of privacy appear in a variety ofstatutes aimed at both government and private actors. TheFair Credit Reporting Act of 1970 was one of the first at-tempts to protect individuals’ interests in information pri-vacy from private actors, while the Privacy Act of 1974was among the earliest statutory protections against gov-ernmental misuse of personal information. In addition,Congress has enacted a wide variety of other statutes in aneffort to protect information privacy, including the BankSecrecy Act, the Cable Communications Policy Act, theComputer Matching and Privacy Protection Act, theDriver’s Privacy Protection Act, the Electronic Communi-cations Privacy Act, the Electronic Fund Transfer Act, TitleIII of the Omnibus Crime Control and Safe Streets Act(also known as the Wiretap Act), the Right to FinancialPrivacy Act, and the Video Privacy Protection Act.

In each case, the legislation institutes a means for indi-viduals to be made aware of—and thus control or consentto—surveillance and information gathering. Yet, these pro-visions limit the exercise of political authority only to the


extent they are effective in practice. Consider the PrivacyAct of 1974, which was designed to protect the privacy ofcitizens by requiring government departments and agen-cies to observe certain rules in the use of personal infor-mation. The purpose of the act was to safeguard the inter-ests of citizens in informational privacy with the creationof a code of fair information practices that delineates theduties owed to individual citizens by federal agencies thatcollect, store, and disseminate information. The PrivacyAct does not preclude governmental collection, mainte-nance, or use of private information about individuals gen-erally or federal employees in particular. Instead, it im-poses restrictions on federal agencies to curb abuses in theacquisition and use of such information. In principle, thePrivacy Act limits the disclosure of personnel records andforbids federal government agencies from disclosing anyrecord that is contained in a system of records regardingan individual without that individual’s express permission.The act prohibits any federal agency from disclosing anyrecord contained in a system of records without notice andthe written consent of the individual to whom the recordpertains; however, the expansive scope of this prohibitionon nonconsensual disclosure is subject to numerous ex-emptions. In practice, the requirements of notice and priorconsent are often circumvented with a “routine use” ex-emption. In addition to the routine use exemption, recordsmay also be disseminated pursuant to a court order whenthe need for the disclosure outweighs the potential harmof disclosure. In the case of airline travel, one might easilyinfer that the need for disclosure, in the face of a hijackingor terrorist threat, far outweighs the potential harm of dis-closure. In a closely related exception, information can alsobe disseminated to other parties without prior consent whenthe records are to be used for law enforcement purposes.This exception obviously applies to law enforcement agen-cies; however, it also applies to other agencies whose func-tions normally do not include law enforcement. The limiton federal agencies to gather only information that is re-quired to accomplish their purposes is another proceduralsafeguard established by the Privacy Act of 1974. In theory,this imposes a limit on the collection, maintenance, anddissemination of information, but in practice, the expan-sive meaning of “purpose” translates into a broad discre-tion. These broad exemptions have led privacy advocatesto argue that the Privacy Act offers little in the way of pro-tection against technological surveillance or informationgathering by the government.

Similar criticisms have been leveled at the ElectronicCommunications Privacy Act (ECPA) (18 U.S.C. §§2510–20), which prohibits the illegal procurement of communi-cations in the form of wire, oral, and electronic communi-cations. The methods of interception prohibited under theECPA include wiretapping, audio recording, and the use

of electronic devices. This statute also prohibits the use ofany such illegally attained communications and the pro-duction or distribution of devices used specifically for theillegal procurement of protected communications. Whilethe ECPA seems to offer protections against the harms ofsurveillance and information gathering, there are concernsthat the act’s reach has been undermined by the events ofSeptember 11, 2001. The USA Patriot Act amended theECPA to allow and encourage the sharing of informationobtained through the interception of wire, oral, and elec-tronic communications relating to computer fraud andabuse. The Patriot Act amends Title 18 of the ECPA, au-thorizing any “investigative or law enforcement officer, orattorney for the Government” to disclose the contents ofany wire, oral, or electronic communications or evidenceso derived, as well as “any other Federal law enforcement,intelligence, protective, immigration, national defense, ornational security official” if the contents of the communi-cations include foreign intelligence or counterintelligence.Before the Patriot Act, provisions for sharing informationrelevant to national security were more circumscribed.

Here, it is argued that the increase in governmental au-thority authorized under the Patriot Act alters the ECPA’seffectiveness in limiting government surveillance and in-formation gathering and sharing. The Patriot Act is viewedas extending political authority at the expense of the pro-tections offered under the ECPA. While proponents of thisview would like to limit the authority granted under thePatriot Act, at the same time they would like to see author-ity extended under the ECPA to control the use of surveil-lance and information-gathering tools in private industryand government. The broad exemptions of the Privacy Actand the countervailing effects of September 11 have givenrise to a call for increased regulation to fill in these regula-tory gaps.

The question, however, is whether these legislative pro-tections represent effective methods of limiting politicalauthority by providing notice, access, control, and consentto those who come under the scrutiny of surveillance orinformation gathering. As discussed above, there are notedshortcomings with regard to legislative protections. In part,the sense of dissatisfaction in current public policy debatescomes with the ineffectiveness of legislation to providenotice, access, control, and consent to individuals, and thusthe limits on political authority seem lacking to some en-gaged in the public policy debates. From this perspective,one solution is to shore up these provisions through in-creased legislation.

In this regard, the provisions of the European Directiveon Data Privacy provide an example for privacy legisla-tion in the United States. For instance, the first principle ofEuropean data protection requires that information be col-lected only for specific and specified purposes, used only

Special Report 265

in ways that are compatible with those purposes, and storedno longer than is necessary for those purposes. As a sec-ondary check on the misuse of information, the directiverequires that measures that are appropriate to the risks in-volved be taken to protect against the “unauthorized alter-ation or disclosure or any other unauthorized form of pro-cessing.” Particular types of data receive special protectionunder the directive. According to its language, “racial orethnic origin, political opinions, religious beliefs, philo-sophical or ethical persuasion … or concerning health orsexual life” are generally forbidden. With regard to indi-vidual control, the directive requires that processing ac-tivities “be structured in a manner that will be open andunderstandable.” Similarly, personal information cannot betransferred to third parties without the permission of thesubject. Lastly, the directive requires independent oversightprinciple and individual redress. These principles ensure aright to access personal information, to correct inaccurateinformation, and to pursue legally enforceable rights againstdata collectors and processors that fail to adhere to the law.Individuals have recourse to the courts or government agen-cies to investigate and prosecute noncompliance by dataprocessors.

While notice, access, control, and consent may assuageprivacy concerns and limit political authority in terms ofgovernment surveillance and information gathering, canthe same be said of regulations applied to private indus-try? Increasing political authority to defend privacy in theform of protective legislation against government surveil-lance and information gathering may not achieve the re-sults we desire because private industry is increasinglybeing viewed as the culprit.

Privacy in Private IndustryThe call for increased political authority to defend pri-

vacy is not limited to the government sector. Many arguethat the patchwork of privacy legislation—which includesstate legislation, private agreements, industry self-regula-tory codes, company privacy policies, and individual self-help—does little to squelch information gathering and sur-veillance in private industry. Despite the wide variety ofU.S. data protection, there is a continued presumption thatpersonal data usually may be processed without individualor government permission.

The call for increased regulation to protect privacy in-terests in the private sector represents a different exerciseof political authority than that wielded in the post–Sep-tember 11 environment, yet it is arguably no less problem-atic. Increased political authority, in the form of legisla-tion to protect against the use of technology and informationgathering, is contentious in democratic theory. Does theexercise of political authority to restrict the availability of

information violate the Constitution when it is used to re-strict the collection and use of information by the privatesector? Further, do restrictions on the use of informationviolate the rights protected under the First Amendment?

The surge in privacy legislation has proceeded on thepremise that the harm to be protected—the rise of surveil-lance and information gathering in private industry—ne-cessitates increased political authority. From this perspec-tive, privacy protection is often traded for commercialincentive. If information is conceded willingly, U.S. lawcan do little more to protect the subject (Froomkin 1996,492). The literature supports the idea that some publicpolicy measures ought to be adopted to protect privacy in-terests and to override the market rhetoric of current pri-vacy standards when it is assumed that information is atraded commodity once consent is obtained (Litman 2000).

Yet, while the protection of privacy rights presents it-self as an unmitigated good in the public policy debates,there may be a cost to be borne. As Cate and Litan argue,“The U.S. Constitution has been largely ignored in the re-cent flurry of privacy laws and regulations designed to pro-tect personal information from incursion by the privatesector despite the fact that many of these enactments andefforts to enforce them significantly implicate the FirstAmendment” (2002, 38).

Just as antiterrorism rhetoric in the post–September 11environment fueled legislation to enable government sur-veillance and information gathering, the rush to legislateto protect privacy is fueled by the rhetoric of preventingthe harms of the information age. In each case, the consti-tutional limits on political authority may have been over-looked. The Constitution represents a starting point forunderstanding the balance that must be struck with regardto the regulation of private industry. Here, one importantlimit must be retained in the ongoing effort to enact legis-lation that protects privacy interests: the First Amendment.“The Supreme Court has decided many cases in which in-dividuals sought to stop, or obtain damages for, the publi-cation of private information, or in which the governmentrestricted expression in an effort to protect privacy. Virtu-ally without exception, the Court has upheld the right tospeak or publish or protest under the First Amendment, tothe detriment of the asserted privacy interest” (Cate andLitan 2002, 49). This line of argument points out the ten-sion between the First Amendment’s protection for expres-sion and an individual’s interest in privacy involving thepublication of information in which there is legitimatepublic interest. Where there is a legitimate public interest,the individual’s privacy interest is narrowed. As Cate andLitan explain, “The speech of corporations is routinelyaccorded the highest First Amendment protection, ‘strictscrutiny’ standard, unless the Court finds that the purposeof the expression is to propose a commercial transaction


or that the expression occurs in the context of a highlyregulated industry or market (such as the securities ex-changes), where the regulation of expression is essentialto the government’s regulatory objectives” (2002, 51).

Commercial speech, therefore, is accorded First Amend-ment protection unless the public interest behind thegovernment’s regulatory objectives justifies the exerciseof political authority. This idea of public interest returnsus to the question of preventing harm. The question leftunanswered in constitutional doctrine and in current pub-lic policy debates is whether information gathering by pri-vate industry represents a harm so great that it necessitateslimiting the free exchange of information in the market-place of ideas. “Although we may feel uncomfortableknowing that our personal information is circulating in theworld, we live in an open society where information mayusually pass freely” (Cate and Litan 2002, 54). Although itis clear there are harms to be avoided in light of the infor-mation age, it is not clear that increased legislation ad-equately addresses the harms, and, even more problem-atic, it may limit the free exchange of information. Herethere are some guidelines on the construction of policy toprotect privacy while retaining some control over the exer-cise of political authority. Restraints on private industrymust be evaluated for their restriction on expression ver-sus restriction on the use of private information. Similarly,it is necessary to ask whether the First Amendment is im-plicated when the government seeks to restrict the use ofpersonal information when the use does not implicate mat-ters of general public concern. Finally, it is necessary thatlegislation be designed to protect privacy in a way that is“narrowly tailored” to achieving privacy protection (Cateand Litan 2002).

These principles were addressed in a 1999 decision bythe U.S. Court of Appeals of the Tenth Circuit Court, U.S.West, Inc. v. Federal Communications Commission (182F.3d 1224), in which FCC rules were challenged on thebasis they violated U.S. West’s First Amendment freedom.The FCC required U.S. West to obtain “opt-in” consentfrom customers. In its decision, the Court found that underthe First Amendment, the rules were found to be presump-tively unconstitutional unless the FCC could demonstratethey are necessary to prevent a “specific and significantharm” to individuals, and that the rules were “no moreextensive than necessary to serve [the stated] interest[s].”As in the case of government surveillance and informationgathering, the call for increased legislation must be mea-sured by both the constitutional limits on political author-ity and the harm that is to be avoided.

The harm to be prevented is definitional to the properexercise of political authority when privacy protection issought. This has been true in constitutional doctrine, legis-lation, and in the growing body of law surrounding the

regulation of private industry. At the center of the publicpolicy debate regarding privacy, then, is the nature of harmthat is inflicted when privacy is lost. Although we havespent a great deal of time talking about the doctrinal limitson political authority being exercised, relatively little timehas been spent discussing the nature of harm that rhetori-cally justifies the invasion or protection of privacy. Themost important limit on the exercise of political authorityin democratic theory is whether there is harm to be avoided.For this, we must understand privacy and the harm facedin light of the loss of privacy.

PrivacyIncreasingly, privacy relates to the diverse modes by

which people, personal information, certain personal prop-erty, and personal decision making are made less acces-sible to others. While privacy is protected by law, it is alsogoverned by culture, ethics, and business and professionalpractices. Given the multifarious nature of privacy, consti-tutional principles and legislation are only the first steptoward understanding the effects of increased technologyin our lives and the potential harms and benefits it carries.

The classic legal argument for the harm effected by theloss of privacy was stated by Samuel D. Warren and LouisD. Brandeis in 1890: “The intensity and complexity of life,attendant upon advancing civilization, have rendered nec-essary some retreat from the world, and man, under therefining influence of culture, has become more sensitiveto publicity, so that solitude and privacy have become moreessential to the individual; but modern enterprise and in-vention have, through invasions upon his privacy, subjectedhim to mental pain and distress, far greater than could beinflicted by mere bodily injury” (196).

The right to privacy is grounded in preconstitutional con-cepts and possesses both legal and moral underpinnings. Inpart, Brandeis and Warren developed their argument fromthe natural law concepts that dominated discussions of lawin the late 1800s. The creation of legal doctrine was to mir-ror the dictates of natural law. In line with this logic of therelationship between mankind and governance, Brandeisand Warren constructed their argument around a notion ofprivacy that was founded on human dignity and equal re-spect for persons. In their articulation of the “inviolate per-sonality,” they sketch out a notion of privacy that is stillrelevant today. Privacy is an essential component ofpersonhood and is limited only by sufficient justificationfor the invasion of privacy by government, private individu-als, or business entities. While Brandeis and Warren pro-vided a framework that came to characterize the develop-ment of privacy doctrine, many questions regarding thepractical implementation of privacy remain problematicthroughout the development of the doctrine of privacy.

Special Report 267

It is no surprise that the current policy debate surround-ing privacy continues to strive for appropriate protectionsby wrestling with these difficult and persistent dilemmas.For instance, if privacy is an essential component ofpersonhood, how is personhood compromised by the in-formation age, surveillance technologies, and other poten-tial invasions of privacy? Similarly, what constitutes suffi-cient justification for the invasion of privacy by government,private individuals, or business entities? Lastly, for thepurposes of constructing policy, how should policy reflectthe appropriate balance in protecting privacy? The mod-ern enterprise and invention that Brandeis and Warren writeabout is salient for considering the intersection of technol-ogy and privacy because they highlight the long-standingdifficulties of balancing the liberty interest of privacy withmodern society that cannot be answered with finality. Per-haps the most difficult part of defining the liberty interestin privacy in the current debate is locating its meaning.

Beyond the doctrinal principles of privacy, there is alsothe normative expectation of freedom from government,technological or physical intrusion, and the right not tohave information used for the purposes of discrimination.These are but a few of the markers for privacy that figureeither explicitly or implicitly in the policy debates surround-ing privacy. Given the myriad definitions of privacy thatare available, it is necessary to winnow down the guidingprinciples for affecting the conditions of privacy. Here it isimportant to draw a distinction between privacy as a fac-tual condition of life and privacy as a legal right (Hart 1949).Privacy as a factual condition of life is demarcated by theperception that it has been altered or lost by the actions ofothers. The perception that we face a loss of privacy inlight of the information age is a factual condition of pri-vacy loss and is attributable to our normative expectationsof privacy. This is where the call for greater regulation andsafeguards occurs, because a factual condition of privacyloss is distinct from a violation of the legal right of privacyin that there are no legal protections afforded for it. Thenormative expectation of privacy is significant when de-veloping new trajectories of public policy, and it is argu-ably more influential in today’s debate regarding the pro-tections that should be afforded privacy. The question forthe current policy debate is twofold. Prior constitutionaldoctrine and legal policy can guide our understanding ofwhere the violation of the legal right of privacy occurs andwhere political authority must be reigned in. Beyond this,however, is the more illusive but nonetheless importantfactual condition of the loss of privacy founded in our nor-mative expectations. While more obtuse and abstract, thesegeneral sentiments regarding privacy are the precursors ofpolicy. Brandeis and Warren’s notion of the inviolate per-sonality is thus important for understanding the complex-ity of normative and factual expectations of privacy, which

are heightened in the current debate on the proper balancebetween technology and privacy.

Tracing the normative expectations of privacy is a diffi-cult task because our notions of privacy are complicated.Humphrey Taylor, working with privacy expert AlanWestin, reported in a 2003 Harris Poll that respondentsfell into three general categories: “Privacy fundamental-ists” (about one-quarter of those polled) feel they have al-ready lost a great deal of privacy and are resistant to anyfurther erosion. “Privacy unconcerned” constituted about10 percent of respondents; they have little anxiety aboutthe collection and use of their personal data. Sixty-fivepercent of those polled were considered “privacy pragma-tists,” who are concerned about protecting their informa-tion from misuse but are willing to provide access to anduse of their information when there are clear reasons andtangible benefits, and when there are safeguards againstmisuse. Regarding the control of personal data, 69 percentfelt that consumers have lost control of companies’ use ofthis information. Over half disagreed that companies useinformation responsibly, and over half disagreed that ex-isting laws and practices provide adequate protectionsagainst misuse. In the context of the war on terrorism, how-ever, 45 percent felt the government should have the abil-ity to track internet activity at all times, and 66 percentagreed the government should make it easier for law en-forcement to track online activities without notice or con-sent (Harris Interactive 2003).

Similar results were found in a 2002 Harris Poll con-ducted on behalf of the Privacy and American Businessthink tank. According to that survey, a majority of con-sumers (57 percent) did not trust businesses to properlyhandle personal information, and 84 percent preferred in-dependent examination of privacy policies. Respondentsreported concern for the following privacy risks: compa-nies will sell data to others without permission (75 per-cent); transactions are not secure (70 percent); and crack-ers are able to steal personal data (69 percent). A majority(63 percent) felt that existing law does not provide enoughprotection against privacy invasions. Eighty-seven percentof respondents had refused to give information to a busi-ness because they felt the collection of such informationto be unnecessary or the information too personal. Largemajorities believed that access within businesses to col-lected information ought to be limited, and that individualpermission (or legal justification) ought to be necessaryfor an exchange of information outside the company (Har-ris Interactive 2002).

However, privacy concerns shifted considerably afterthe terrorist attacks in 2001. Several polls conducted in themonths after the attacks sought insight into public opinionabout how the government’s antiterrorist measures wouldaffect privacy. In general, the public was supportive of


measures that would be limited to tracking and deterringterrorism, but skeptical that technological means would belimited to the pursuit of that end. A December 12, 2001,New York Times report gave survey results on privacy con-cerns in the political landscape after September 11. Sixty-five percent of respondents reported they did not want thegovernment to monitor the communications of ordinaryAmericans to reduce the threat of terrorism. Forty-eightpercent supported wiretap surveillance by the governmentto deter terrorism, while 44 percent opposed such surveil-lance on the grounds that it constitutes a civil rights viola-tion (Toner and Elder 2001). A similar Harris Poll con-ducted in October 2001 showed Americans to be generallysupportive of new surveillance technologies when appliedto deterrence of terrorism, but also concerned that law en-forcement applications of the technologies would be ex-tended beyond that purpose (Harris Interactive 2001)

Not surprisingly, the difficulty in assessing the norma-tive expectations of privacy is defined by the complicatedopinions about the role of technology in our lives, whichis affected by the context of both the information age andthe events of September 11. In practice, the distinctionbetween normative and factual expectations of privacy re-quires the public policy debate to account for constitutionaland legislative limits on political authority that may im-pinge upon privacy. In addition, the context of the action,the prevalence of technology, the war on terror, and soci-etal and individual expectations of privacy all figure intothe proper balance between political authority and privacy.The changing nature of privacy is the only constant in theongoing debate regarding privacy and technology. In fact,the increasing prevalence of information technologies inour lives may become more commonplace and more ac-cepted in time and, as a result, the normative loss of pri-vacy may become less pressing. “The explosion in infor-mation technologies decreases both the ability of, and theneed for, law to protect privacy. Instead, we should recog-nize the democratic promise of technologies that help equal-ize our access to information and our ability to speak andthat provide technological protections for privacy that werenever dreamed of before” (Cate and Litan 2002, 62).

ConclusionOne truism in the ongoing public policy debate surround-

ing technology and privacy is that there is no easy solutionto the increasing presence of technology in our lives. Thereare, however, several long-standing guiding principles. Wemust be wary of extending political authority to protectprivacy without careful contemplation of the consequences.This admonishment is true for those who advocate in-creased political authority in the post–September 11 envi-ronment and for those who contend there is a need for

greater government protections against invasions of indi-vidual privacy by the vagaries of the information age. Ineither case, the exertion of political authority presents apotential threat to our liberty interests according to demo-cratic theory. Thus, the policy debate regarding the properbalance between technology and privacy must work withinan ironic contradiction: Political authority is viewed bothas a threat and panacea to our liberty interests in privacy.This contradiction, however, does not mean that a properbalance cannot be struck.

Although there are protections afforded by constitutionaldoctrine and federal protections of privacy, we must alsobe cognizant of the fact that technological innovation, sur-veillance, information gathering, and the conditions of thepost–September 11 environment are also parts of the newlandscape of society which will not disappear. We mustaccept both the continued presence of technology in ourlives and continue to use political authority to prevent itsloss within existing democratic and constitutional guide-lines. The use of legal means to protect privacy must becarefully construed, however. Increasingly, privacy is in-formed by a myriad of meanings and defined in a multi-tude of contexts. Legal doctrine, therefore, must accountfor a variety of contexts and conditions under which pri-vacy must be protected. Additionally, if the protectionsafforded by legal doctrine seem lacking, it is necessary toremember that it is not our only form of protection againstpotential violations of privacy. Technological innovation—whether it is for the purposes of surveillance or informa-tion gathering—takes into account technological safeguardsand solutions for protecting privacy. Technological inno-vation, in other words, strives to provide technological so-lutions for surveillance and information gathering. For in-stance, many Web sites that collect personal data publish aprivacy statement that specifies the uses of data so that anindividual may decide whether to use the site. Another tech-nical approach to protecting privacy is to design systemsthat allow consumers and businesses to interact withoutthe need to directly disclose privacy-sensitive data. Thismay involve either cryptography or public key infrastruc-ture. In practical terms, public key technologies enableusers on the Internet or other networks to encrypt theircommunications for confidentiality purposes, identify thepeople receiving or sending them communications, pre-venting tampering with their communications, controllingaccess to protected information, and binding other users toelectronic transactions and communications. In short, pro-tecting privacy represents not only a delicate balance be-tween political authority and liberty, but also represents aswiftly changing landscape of interests, technological in-novations, and, most important, public policy solutions.

Special Report 269

Acknowledgment

I would like to thank Thomas K. Lammert for his thoughtfuland insightful comments on this work.

References

Allen, Anita L. 1999 Coercing Privacy. William and Mary LawReview 40: 723, 754–55.

Annenberg Public Policy Center, University of Pennsylvania.2003. Americans and Online Privacy: The System is Broken.http://www.annenbergpublicpolicycenter.org.

Cate, Fred H., and Robert Litan. 2002. Constitutional Issues inInformation Privacy. Michigan Telecommunications and Tech-nology Law Review 9(1): 35–63.

Cohen, Julie. 2000. Examined Lives: Informational Privacy andthe Subject as Object Stanford Law Review 52(1373) 1424-28.

Cohen, Julie. 2003. DRM and Privacy. Berkeley Technology LawJournal 18(2): 575–88.

Froomkin, A. Michael. 1996. Flood Control on the InformationOcean: Living with Anonymity, Digital Cash, and Distrib-uted Databases. Journal of Law and Commerce 395(15): 492.

Gavison, Ruth. 1980. Privacy and the Limits of Law. Yale LawJournal 89(3): 421–71.

Harris Interactive. 2001. Overwhelming Public Support for In-creasing Surveillance Powers and, Despite Concerns aboutPotential Abuse, Confidence that the Powers Will be UsedProperly. October 3. http://www.harrisinteractive.com/news/allnewsbydate.asp?NewsID=370.

———. 2002. First Major Post-9/11 Privacy Survey Finds Con-sumers Demanding Companies Do More to Protect Privacy;Public Wants Company Privacy Policies to Be IndependentlyVerified. February 20. http://www.harrisinteractive.com/news/allnewsbydate.asp?NewsID=429.

———. 2003. Most People are “Privacy Pragmatists” Who,While Concerned about Privacy, Will Sometimes Trade It Offfor Other Benefits. March 19. http://www.harrisinteractive.com/harris_poll/index.asp?PID=365.

Hart, H. L. A. 1949. The Ascription of Responsibility and Rights.Proceedings of the Aristotelian Society 49: 171–94.

Katsh, Ethan. 1995. Law in a Digital World. New York: OxfordUniversity Press.

Litman, Jessica. 2000. Information Privacy/Information Prop-erty. Stanford Law Review 52(5): 1283–1313.

Mill, John Stuart. 1956 [1859]. On Liberty. Edited by Currin V.Shields. New York: Macmillan.

Toner, Robin, and Janet Elder. 2001. A Nation Challenged: Atti-tudes; Public Is Wary but Supportive on Rights Curbs. NewYork Times, December 12. http://query.nytimes.com/gst/abstract.html?res=F20617FF3E5B0C718DDDAB0994D9404482.

Warren, Samuel D., and Louis D. Brandeis. 1890. The Right toPrivacy. Harvard Law Review 4(1): 192–220.

Privacy and Technology: Reconsidering a Crucial Public Policy Debate in the Post-September 11 Era

Documents

Transcript of Privacy and Technology: Reconsidering a Crucial Public Policy Debate in the Post-September 11 Era