Privacy in a Free Country: In Search of Reasonable Principles
Privacy as Consumer Protection
"Many consumers and privacy advocates see business as a sinister 'Big Brother'."
In the case of the constitutional limits on government access to information, it is clear what citizens are being protected from: the unique powers of government to control law enforcement and the military, to arrest people for trial, to determine which acts are illegal and which are not, and so on. Businesses gather information about their customers' buying habits, and sometimes trade this information with other businesses. So long as the information is secure from criminals, there is little harm likely to result from this. For a minority of sensitive purchases, it is possible that marketing information could leak out and embarrass the consumer, but embarrassment is just as likely to result from a co-worker's wandering into one's office at the "wrong" time, an e-mail sent to the wrong address, or a neighbor's overhearing a conversation through thin walls. Marketing information is stored in vast, secured arrays that cannot be easily read by any human being; it is rarely, if ever, kept in personal dossiers sorted by name and address.
Now, many consumers and privacy advocates see business as a sinister "Big Brother." Changing technology and business methods are at the root of this unease. The new technologies can exacerbate real harms that need real solutions. But more often the new information tools are beneficial, and individuals can act to withhold personal information from others. In general, therefore, consumer unease about business information-gathering requires no broad legislative solution.
New Uses of Information that Affect Consumers
Attitudes to changing technology are at the root of the issue of privacy as consumer protection. The following are some examples.
The Development of Targeted Marketing. One relatively recent development that has fed concerns about privacy is the practice of targeted marketing. Especially throughout the '90s, businesses were responding to consumers' hatred of "junk mail." Consumers were unhappy with the number of irrelevant offers piling up in their mailboxes. The business response was to develop more targeted marketing schemes to avoid sending unwanted material. To do that, businesses needed to learn more about customers' preferences and to identify groups or classes of customers with particular interests. This began well before the Internet and, so long as it involved familiar mainframe computer technology and stand-alone networks, was not perceived as particularly threatening. Indeed, from the standpoint of consumers, it was a very popular change. Catalog sales grew from $64 billion in 1995 to $104 billion in 2000.15
"Cookies are intended to help Web sites become viable commercial enterprises."
The Internet and the Demonization of Cookies. Next, the Internet came along - a new and thus inherently more scary technology. On the Internet, entrepreneurs trying to commercialize the medium for the first time had a particular problem. Imagine an ordinary shopkeeper with a little store in the corner of a very big mall. As he stands at the counter, he watches customers come in. He can see whether they are regulars or strangers, can get a fair idea whether they are locals or tourists, German or Spanish, young or old, male or female. Are they missing the special display in the back? Is it too dark? Do they look longingly at the stuffed monkeys, but comment that the price is just a little too high? The traditional operator of a Web site has none of this information. None of it. It is as if he is deaf, dumb and blind. He can learn nothing about his visitors. And thus he has little chance of improving his service to customers, unless he hits upon their needs by sheer dumb luck. Thus, cookies were born.
What are cookies, and what do they do? Invented by Internet pioneer Lou Montulli in 1994, when he was working for the brand new Netscape, cookies are intended to help Web sites become viable commercial enterprises. Cookies are little data files that are saved to an Internet user's computer, usually temporarily but sometimes permanently. For example, these files record how many times a user has seen a certain banner ad, track purchases loaded into online shopping carts, etc. They help Web sites identify a regular visitor, so the visitor need not reenter identification every time. Cookies tell the server, "this visitor has been here before" or "this visitor has an orange T-shirt and a pair of jeans in his shopping cart." Cookies cannot access your name or your e-mail address until you type that information into an online form.
Many people have come online only within the past few years, use the Internet without being entirely aware of how it works and are unaware of this practice. That does not exactly make cookies surreptitious: both Internet Explorer and Netscape can easily be set to tell a computer user when a cookie is being placed on his or her machine.16 And cookies are a way the Internet can show people what they want to see, not intrusions intended to ferret out secrets. A good thing to remember when venturing onto the Internet is that it is like heading out into Disney World - whenever you go out to deal with other people on their turf, you can expect that they will be interested in learning about why you're there and how they can get you to come back.
"Identity theft and credit card fraud are better seen as crime problems than as privacy problems."
Identity Theft and Other Security and Crime Problems. Real hazards await consumers on the Internet and in other venues. Identity theft and credit card fraud are reportedly growing. There is no evidence, however, that marketing data play a role in this. And there is no necessary link between technology and identity theft. Many cases of identity theft involve a criminal's dumpster-diving for financial records or bills carelessly thrown into the garbage or a vindictive cousin or schoolmate sneaking documents out of one's purse.
Identity theft and credit card fraud are better seen as crime problems than as privacy problems. The problem is not that the companies have too much information about their customers. Rather, they often have too little information to be able to detect when another person is pretending to be you. The less information the companies have, the more likely they are to be bamboozled. If, for example, all a company knows is that your name is Betty Smith, it is relatively easy for someone else to call and pretend to be Betty Smith. If the company knows your name and Social Security number and mother's maiden name, it is a little harder - the fake Betty must obtain this extra information before proceeding with her fraud. If the company knows all that plus a PIN number or other password, or has a fingerprint or retinal scan, it is that much harder for the fake Betty to proceed. In many ways, then, information is our most powerful weapon to detect and identify perpetrators of fraud. The need for security and the desire for privacy often cut in opposite directions.
In any case, the harms to consumers of fraud and identity theft are already illegal. Where consumers need more help is in the area of enforcement. The amounts of money stolen in fraud cases are often too small to interest police and prosecutors.17 New and more effective enforcement institutions should be developed to address these harms without penalizing the economy.
Consumer Surveys about Privacy as a Basis for Public Policy
The policy debate about privacy as a consumer issue thus seems to be driven more by consumers' perceptions of danger than by actual danger. Nevertheless, these perceptions are powerful.
Survey Results on Consumer Privacy. Consumer surveys purport to show that Americans are very concerned about privacy.
- One commonly cited survey reported that 57 percent of Americans want the government to pass federal privacy laws for the Internet.18
- The Pew Internet & American Life Project recently found that 86 percent of those surveyed thought that Internet companies should ask permission before sharing personal information with third parties.
- 54 percent viewed cookies as an invasion of privacy; and only 27 percent agreed that tracking consumers online helps improve content and service.19
The question is, do these survey results reveal that the public's perceptions create a crisis of trust demanding new laws? This is doubtful.
"The policy debate about privacy as a consumer issue seems to be driven more by consumers' perceptions of danger than by actual danger."
Surveys Can Be Misleading. First, responses to consumer surveys about privacy are likely to be misleading. All surveys suffer from what one might call the "talk is cheap" problem. That is, the consumer thinks about a problem (loss of privacy) and a solution (a new law) without being given any accurate information about the costs of that solution.20 If it were guaranteed free of all harmful consequences, who would oppose a new law addressing any issue? In addition to this, some privacy surveys have not distinguished between the use of information for marketing and its use by criminals - yet these are not the same issue at all. It is noteworthy that in the most accurate and least manipulative form of consumer survey, in which people are asked to list their top concerns without being prompted, privacy does not appear among top concerns.21
By comparison, actions are a better indicator of true preferences than words, because having to act makes the actor consider the cost of his preference as well as its theoretical benefit. Another colloquial saying, "Put your money where your mouth is," captures this well. Consumers say they are concerned about privacy. Yet their concern does not lead most of them to take action. Only a small percentage opt out of marketing lists, use encryption, regularly change their passwords or turn off cookies.22 Yet most of those actions require little effort. Apparently, when consumers report a "concern" about privacy, the concern is superseded by a desire to pay bills, watch TV or keep the toddler out of the swimming pool.
"The fact that some people question the security of online commerce is not a reason to enact a new law on privacy."
Privacy advocates would counter that many people are unaware of things like cookies. This is confirmed by some surveys and contradicted by others,23 but even among those who do know, the percentage that takes steps is low.24 Furthermore, privacy advocates cannot have it both ways - the public cannot be simultaneously concerned about privacy and unaware that businesses are interested in learning about their behavior. Many realize that charitable donations are likely to be followed by packets of information from other charities and orders sent to gardening catalogs will bring a new array of gardening catalogs. People are certainly aware of the privacy issue at this general level - and those who really do care deeply about the issue are on notice to seek out more information for themselves. Ignorance is voluntary and is not, in any event, a useful basis for public policy-making.
The Future of Consumer Privacy
Despite the above caveats about surveys, however, let us assume that the surveys offer us at least some evidence of people's views on privacy. And at least one survey result purports to show that some have responded to perceived privacy problems online by refusing to engage in electronic commerce (though that survey seems to have counted both concerns about security problems like credit card theft and concerns about marketing information).25 The possibility remains that a minority of the public questions the security of online commerce. The question may still be asked, is this the proper foundation for a new law on privacy? Surprisingly, the answer to that question is still "no."
Freedom Means Avoiding Unnecessary Legislation to Address Purely Speculative Harms. As a general rule, we will not preserve the freedom to build and plan a new business or any other venture in this country if legislators get into the habit of passing laws when there is only a perception of a problem but no real harm to consumers. The United States has remained one of the world's most innovative economies because legislators generally have acted against known or proven dangers, and only rarely interfered with invention, technical change and business method innovation. In the area of privacy, however, where the product being produced by business is greater knowledge and understanding of human behavior, state and federal level proposals to regulate this product almost out of existence are increasing.
The real harm in the consumer protection debate - a very real harm indeed - is credit card fraud. The perception of security problems, not concerns about marketing, represents consumers' greatest concern with online commerce; one recent survey showed that among online users who do not buy online, 43 percent are concerned about security issues such as entering a credit card number online.26 (This topped all concerns; consumers were not prompted for their answers, and privacy or concern with marketing did not appear at all.) But credit card fraud is already illegal, and none of the privacy laws proposed by Congress would make enforcement of those laws more effective.
"Trust is largely a market phenomenon; legislation is not enough."
Building Trust as a Market Phenomenon. Broad new laws on the use of consumer information by marketers also would be unlikely to make a difference in the level of consumer trust. Trust is largely a market phenomenon. It comes from brand-building, good customer service and the positive experiences of friends and neighbors. No amount of legislation or legalese would substitute for the hard work of building trust in a new medium. And, slowly, American businesses are doing just that.
- In a study by the National Consumers League in August 2000, 91 percent of American respondents said they trust companies to follow posted privacy policies much of the time (up from 67 percent in 1998).27
- Internet users who think the Internet is secure enough for online financial transactions have risen from 34 percent to 45 percent since summer of 2000.28
- A recent study by Consumers International shows that U.S. companies are much more likely to reveal their privacy policies online than are European companies, although Europe is committed to broad privacy laws and the U.S. is not.29
Why Legislate to Suit the Most Technology-Resistant? The percentage of those refusing to use the Internet because of worries about online privacy no doubt includes a substantial proportion of the just plain technophobic. Research psychologists Larry Rosen and Michelle Weil estimate that about 30 to 40 percent of the population are "resistant" to technology.30 Of the remainder, 10 to 15 percent are early adopters, while about 60 percent wait for the early adopters to work out any problems before they go online. The massive growth of the Internet shows that it continues to capture the largest group - those who are skeptical at first but not perpetually resistant - at a tremendous pace:
- As Figure II shows, 55 percent of Americans bought something online this holiday season, up from 20 percent in 1998. (Eighty-six percent reported an intention to buy online, but technical problems prevented many from completing their transactions.)
- Experts expect electronic commerce to continue growing at a rate well above 55 percent - some anticipate growth rates of 150 percent.
"55 percent of Americans bought something online during the holiday season."
The most fearful among us would not necessarily be soothed by new federal or state privacy laws. Even among Europeans, one survey showed that fewer citizens believe new laws would improve Internet security (15 percent) than believe in technological solutions like passwords or encryption (27 percent).32 In the U.S., in response to a Jupiter Consumer Survey, only 14 percent of consumers reported that legislation would make them more likely to trust a Web site with information. Eighty-six percent said they would not trust Web sites even if regulated by the government. In other surveys, levels of support for government action have been very inconsistent.33
Several surveys have found (as one would expect) higher distrust of online commerce for security reasons among non-Internet users than among Internet users. Distrust levels are also generally lower among experienced than inexperienced users. It is unclear, however, what this means. It may mean that personal experience with the Internet results in a user more confident that, for example, Amazon.com is not in fact some sinister enterprise that tracks its customers in the hope of embarrassing or humiliating them, but rather is simply another bookseller. On the other hand, the levels of distrust may simply be more indicative of the users' attitudes to technology than any reality about the Internet; those most inclined to technophobia are naturally going to be the last adopters. In any case, this phenomenon decidedly does not prove, given that electronic commerce is still growing at an amazing pace, that the "distrusters" will just stay that way unless there is a new federal law.
"73 percent of employees think their employers have a right to monitor their e-mail."
Policy Should Do the Right Thing, Not Cater to Unfounded Fears. The idea that public policy should be shaped by the most fearful among us is a very bad one. The truth is that information-sharing among companies trying to learn about consumers' preferences has far more benefits than risks for consumers. In Jack Calfee's book Fear of Persuasion, research into marketing and advertising shows that consumers get enormous benefits in lower prices and higher quality when companies compete through advertising.34 Before consumer reports existed, poor people or strangers in town found it almost impossible to obtain loans or buy on credit. Small and midsize businesses and ventures trying to compete in a market for the first time are more likely to fail or never exist without the ability to use targeted lists of potential customers. The current perception of a crisis in consumer privacy is largely unfounded. Electronic databases have made people uneasy, but they have little true grounds for concern.