This is the first in a series of articles about privacy-related issues that may be of interest to state attorneys general.
When I was in law school, “privacy law” wasn’t really discussed. Today, it seems like all anyone can talk about. That might be because I work on privacy and data security matters for the Consumer Protection Division of the Vermont Attorney General’s Office, and teach about privacy at the University of Vermont. Or it could be that people really care about their privacy and are continually dismayed by revelations that the businesses to which they entrust their most sensitive data may be selling it, using it in untoward ways, or failing to protect it from cyberthieves.
The state attorney general community serves a critical role in the debates over privacy. Attorneys general enforce laws that attempt to protect peoples’ privacy, can apply state consumer protection laws to hold businesses accountable for unfair and deceptive practices, and can criminally prosecute the worst actors. State attorneys general can also influence the policy debate over what a comprehensive privacy law that protects consumers while fostering a healthy business climate should look like.
I have been working on these policy questions for a while, whether through Vermont’s Data Broker Registry law and lawsuit against facial recognition company Clearview AI, or through outreach and education. I have learned that the very concept of privacy is not very well understood by many stakeholders. Even defining privacy can be difficult.
This article will share some thoughts on privacy policies in general and, in particular, on the arguments used by those who do not favor strengthened protection of privacy, which may have superficial appeal but are often based on invalid premises. The goal is to move the discussion in a way that helps state attorneys general better protect our citizens and support a healthy business environment.
First Principle: Privacy is a Balance
The list of potential harms to personal privacy are numerous and ever-expanding. Problems like stalking and harassment, swatting, identity theft, data theft, redlining, blanket surveillance, location tracking, fraud, spying, extortion, election tampering, psychological manipulation, and government control all have common elements: increasingly ubiquitous surveillance technologies coupled with an unregulated market for personal data. Unfortunately, trying to elucidate all the potential harms can make one feel that they are disappearing down a rabbit-hole of conspiracy theories.
The privacy problems citizens (and attorneys general) worry about are often abstract while the short-term benefits of related technologies are immediate and obvious. Beyond a vague sense of “creepiness,” the average consumer may not really be in any immediate danger of harm. The dangers of surveillance may be more obvious if one is a member of a marginalized group for whom surveillance can lead to imminent harm, such as someone seeking anonymity to flee an abusive relationship or someone with a critical health condition who has a good reason for it not to be generally known. Not having to care about your privacy is an unrecognized privilege that many in this country share.
A key thing to remember about privacy is that it’s a balance. Under certain circumstances, there are justifiable, even benevolent reasons to sacrifice some of it. Businesspeople, police officers, scientists and journalists all may have legitimate reasons to access the intimate details of our lives. But there are also reasons to surveil us that are not so benign. Their advocates may invoke lofty goals like bringing together the global community, keeping us safe, and making life more convenient, but those justifications are often just a pretext to continue the profitable practice of selling our most sensitive information to the highest bidder.
The issue is that when new technologies are being developed to solve important problems, privacy advocates are usually not in the room to raise concerns. It is only after a technology has been deployed that privacy concerns can be raised, and by then it may be too late. This is where thoughtful public policy comes in: to set the ground rules and draw the lines up front so that businesses can innovate and flourish while privacy is protected.
Fallacy 1: If You Have Nothing to Hide, You Have Nothing to Fear
This is the granddaddy of anti-privacy arguments. Criminals and scoundrels hide their actions, but innocent people take pride in their behavior, and public accountability is supposed to keep politicians honest. Thus, based on this argument, if you’re a good person you should be completely transparent, while if you defend privacy, you just might have something to hide. Right?
This argument’s historical pedigree is disturbing, but it has been used to justify privacy violations both real and literary:
- Then-Google CEO Eric Schmidt (2009): “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”
- Then-Senator Trent Lott (2006): “What are people worried about? What is the problem? Are you doing something you’re not supposed to?”
- Former Minister of Magic Pius Thicknesse (1998): “You have nothing to fear if you have nothing to hide.” (You probably didn’t realize that Harry Potter was in fact a meditation on the dangers of ubiquitous surveillance.)
On the other hand, Edward Snowden famously responded, “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”
It’s perfectly acceptable to have secrets, and everyone does. Just because you prefer to keep something confidential or only share it with people you trust doesn’t mean you’ve done something wrong. The Supreme Court has long recognized that our fundamental right to freedom of assembly sometimes requires secrecy. Secrets between a husband and wife or a penitent and her minister are respected by the law. It is reasonable to want to keep your political leanings, sexuality, health issues, or any other unknown detail about yourself private. It is reasonable to say, “That’s none of your damned business.”
More tellingly, this argument puts the onus on the individual to justify his or her right to privacy and implies that they (the entities violating that right) have the right to know everything about you. This is backward. There is no right to surveil, but privacy is a human right. Article 12 of the Universal Declaration of Human Rights, adopted by the UN General Assembly in 1948 and ratified by the United States, states: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
A right doesn’t have to be justified – it is accepted as a quality of being a citizen or a human being. Entities that want to spy on you, read your communications, film your comings and goings, track your movements, and compile dossiers on you are defying accepted norms. Those entities are the ones that should be justifying their antisocial behavior, not the individual seeking to protect their privacy rights.
Fallacy 2: Our Data Is Already Out There Anyway
The argument I hear most often from legislators, citizens, and others is “Our data is already out there, so why bother?” They don’t necessarily oppose the idea of privacy protections, but also don’t see the point of trying. The horse has left the barn. The toothpaste is out of the tube. There’s nothing we can do.
These arguments miss the mark.
First, data ages. Once it is not “fresh” anymore, it is not as useful to those who would use it for unscrupulous purposes. Turning off the data spigot now will in fact protect our privacy moving forward. Also, our children’s data has not yet been collected (not all of it, at least). In other words, just because we have failed to protect our own privacy is no reason to sacrifice the privacy of future generations.
Second, the most fundamental job of government is to protect its citizens. Our shortcomings up to now are irrelevant. Legislation is usually reactive. Time and again we see law playing catch-up with technological and economic developments and abuses. Millions ate tainted meat, took contaminated pharmaceuticals, were thrown from cars without seatbelts, labored in sweatshops, or drank from rivers laced with toxic chemicals before legislation was introduced to rein in these harms. (And the fact that these practices still exist to a degree does not mean it was pointless to try to regulate them.)
We have been told that “privacy is dead” for more than a decade. Consumers disagree. Ninety-six percent of Americans want more to be done to protect their privacy. We in the attorney general community are tasked with doing so and, by educating ourselves about the issues at stake and understanding the nuances of the debate, we should be well-positioned to act.