TCS Daily

Want Privacy? Dont Look To New Laws; Seek Self-Protection

By Duane D. Freese - February 12, 2001 12:00 AM

Should people who live in glass houses seek a ban on binoculars? Or fines for neighbors who talk about them? Or penalties for passersby who look in instead of away?

Or should people who live in glass houses simply buy drapes?

The simplest solution is most often the best. But it rarely appeals to political hounds hunting up an issue, especially one as visceral as privacy.

Last week, the Privacy Foundation held a news conference demonstrating a "glitch" in e-mail software that would allow someone in effect to wiretap your e-mail. The wiretap works by inserting JavaScript code into an HTML-formatted message, the foundation's experts said. If that confuses you, just know that it would allow a remote computer to spy on what your e-mail your friends, your family or your business associates.

Disturbing? Sure. No one likes someone peeking over his or her shoulder. And privacy advocates and their brethren in the political arena are taking full advantage of that human reaction to stampede Congress to enact new privacy protections.

David Sobel of the Electronic Privacy Information Center told on hearing the foundation's report: "All of these techniques point to the need for legal protection of online privacy rights. The burdens cannot be on the user to know what goes on behind the scenes."

EPIC, along with other privacy groups, wants Congress and the Federal Trade Commission to erect a scaffold of new federal laws to protect consumers online. Already, the 107th Congress has responded with nine privacy proposals in the first month. The bipartisan Congressional Privacy caucus has even proposed a ban on some Internet tracking technologies, such as "cookies," that monitor web-surfing activity. "As far as I'm concerned, we ought to put in law an outright ban" on Web bugs, Reuters reporter Andy Sullivan quoted Texas Republican House member Joe Barton as saying.

This rush to legislate has set even anti-regulatory groups hunting for legal covers. The AeA, the high tech business group formerly known as the American Electronics Association, last month reversed its stance and endorsed the idea of federal privacy legislation. It hopes to pre-empt states' moves to capitalize on privacy angst. AeA Vice President John Palafoutas told The Wall Street Journal: "There's a knife to our throats and that's the threat of state legislation. I don't think there's a company in this country that can tolerate 10 different state bills, much less 50 state bills."

Free-market advocates, though, fear the result of seeking federal rules will be to get the worst of both worlds: Baseline federal protection layered with state controls. At a symposium of the Federalism Project at the American Enterprise Institute in late January, George Mason University law professors Bruce Kobayashi and Larry Ribstein argued: "Better to give the state law approach a chance to demonstrate its merits than have a one-size-fits-all federal or global standard."

State experimentation in most matters is worthwhile. Better one state suffers the consequence of a bad law than an entire nation. And the good coming from a sound law will quickly replicate. But for businesses not to be whipsawed, they'll need to choose the state whose law would govern their privacy policy. Otherwise, states with the most onerous privacy policies would set the rules for the entire Internet.

Unfortunately, even if business got to choose the forum in which it could be sued, state regulation would still, as Fred Smith of the Competitive Enterprise Institute noted at the symposium, set more government regulation as the default position for privacy protection online. And the best policy on Internet privacy protection could be no new law whatsoever.

For one thing, existing law already covers many privacy concerns. UCLA professor Eugene Volokh, another panelist at the symposium, has written extensively on how laws of trespass and contract protect people. (See TechCentralStation host James Glassman's Dec. 4, 2000, interview with Volokh for more details.) If someone sends you an e-mail that contains a bug tracking your e-mails, you can sue him or her. If a web site says it won't disseminate personal information you provide it, you can sue for damages. If you entrust your lawyer, doctor or bank with information you have an expectation will be kept secret, they are liable if it gets out.

What's happened with the great scare stories that privacy advocates claim justify new laws reinforce the fact new laws aren't needed. Internet banner-ad firm DoubleClick kicked off consumer angst last February when it said it might combine its anonymous database of people's web-surfing habits captured by its "cookies" with the identifiable personal information of a company it planned to buy. Consumers howled, the FTC weighed in -- and nothing happened. After nine months, the FTC finally dropped its investigation.

Similarly,'s threat to renege on its promise to keep the personal information from sales during bankruptcy came to naught, with the's list being bought by Disney for $50,000, which burned it.

But what about identity theft, which privacy advocates claim requires greater Net governance to protect against? Identity theft is a legitimate public concern. But the big threat comes from lost wallets and purses, which accounted for 47 percent of the 16,000 identity theft cases reported to the FTC last year. Mail theft or a fraudulent address change led to another 23 percent of the cases. Internet solicitation or purchases were responsible for a mere 4 percent, behind compromised job and loan applications, employment records and outright theft of information from the home.

Meanwhile, new federal or state privacy rules would certainly raise costs for businesses, by making it more difficult to personalize services, as most people want, and market goods and services more specifically to meet people's needs. As Orson Swindle, one of two FTC commissioner to oppose the commission's wrongheaded proposal calling for federal regulation last May, noted the bottom line of new regulation is that it discourages competition and ultimately raises prices for consumers.

The laws also would undercut voluntary self-regulatory efforts, such as third-party privacy enforcement regimes as TRUSTe, BBBonline, Webtrust and Enonymous. As the Information Technology Association of America warned Congress in a Jan. 31 letter, the "clear and conspicuous" privacy notices most legislative provisions would require are "a dated relic of the print world" and have "no place when information can be conveyed more effectively" by such things as pre-programmed computer tools that can accept or reject various privacy policies. As ITAA President Harris Miller said, "Expecting consumers to read and digest mind numbing legalese at each and every website they visit is phony privacy protection."

Indeed, just as for people in glass houses, the best solution is self-help.

At the same time that the Privacy Foundation was warning of an e-mail glitch, two new privacy protection packages came on the market. MyMailMutt from EmailChannel, Inc., can control e-mail and establish a privacy protection for e-mail accounts, and Privada Network 3.0 announced a new privacy protection device, which will further protect people who connect with the Internet through an Internet Service Provider.

Don't want a "cookie"? Turn on a "cookie cruncher." Want anonymity, get an anonymizer? Worry about someone spying on your e-mail as the Privacy Foundation warned? Simply turn off your JavaScript - or join an ISP. Their e-mails don't have that problem.

In short, if you want real privacy protection in the open house that is the Internet, put up some electronic drapes. Don't count on laws that are nothing more than costly window dressing for the ambitions of politicians and the overwrought fears of some privacy groups.

TCS Daily Archives