Privacy in 2013 does not exist
as we knew it in 2000.
But don't be fooled: The
almost complete erosion of what we would have considered our private spaces at
the beginning of this millennium is not entirely -- nor even mainly -- a result
of the National
Security Agency's surveillance. While nobody should doubt that the
government's electronic spying is intrusive, we largely let online privacy slip
away without any assistance from security agencies. Each step along the way
was, for the most part, understandable and reasonable rather than nefarious.
But the fact is that privacy in the United States is not what it used to be,
and until we realize that, our debate about electronic privacy -- Manichean as
it is, and focused almost exclusively on the relationship between the
government and its citizens -- will fail to resurrect its value.
Four distinct factors have
interacted to kill electronic privacy: a legal framework that has remained
largely static since the 1970s, significant changes in our use of rapidly evolving
technology, commercial providers' increasingly intrusive tracking of our every
online habit, and a growth in non-state threats that has made governments the
world over obsess about uncovering these dangers. Only by understanding the
interaction between these factors can we begin the necessary discussion about
what privacy means in the 21st century -- and how to forge a new social compact
to address the issue.
Our Decades-Old Privacy Laws
While technology has
massively evolved since 1979, the laws governing electronic privacy have not. Two
legal frameworks, both forged in the 1970s, have fundamentally shaped our
understanding of electronic privacy.
One of these frameworks is
statutory. Congress passed the Foreign Intelligence Surveillance
Act, which is at the heart of so much current political debate, in 1978 to
govern the collection of intelligence aimed at foreign powers. Although the Act
has undergone multiple amendments, its language has remained eminently
recognizable to lawyers active in the late 1970s.
The other legal framework is
a 1979 Supreme Court case, Smith v.
Maryland, which addressed whether the
State of Maryland required a warrant to install a pen register (which would
record telephone numbers called, but not the contents of those calls) on a
suspect's home phone. The Court held in Maryland's favor, finding that though
the actual contents of a call were protected by the Fourth Amendment, and thus
were subject to its warrant requirement, information about the call -- like
the number being dialed -- was not protected. This is because the Fourth
Amendment only applies when the government's actions intrude upon what might be
considered a reasonable expectation of privacy. The Court found that no
reasonable expectation of privacy existed for the numbers a person dials: all
phone users were aware that they conveyed this information to a third party, "since it is through telephone company switching equipment
that their calls are completed." Further, the court noted that all phone users
realize "that the phone company has facilities for making permanent records of
the numbers they dial," since they see this information in their monthly
In other words, when a third
party is able to see what a person is doing in an electronic environment, no
reasonable expectation of privacy exists. And one can draw a number of
conclusions about the legal precedent Smith
One conclusion is that the
NSA's metadata collection appears legal. Every call that is part of this
collection has, like the calls at the heart of Smith, been transmitted to a third-party commercial provider. Whether
or not one thinks the law should
protect metadata, Smith sets the
precedent that it likely does not.
A second conclusion is more
disturbing, given the role technology plays in our lives: our use of the
Internet probably enjoys no constitutional protection. The Internet is designed to connect an individual to
other parties, and most emails, Internet chats, and web browsing are routed
through multiple servers. All Internet users are aware that their online
activities are conveyed to a third party, which suggests there is no reasonable
expectation of privacy, and no Fourth Amendment protection. (There are,
however, some statutory protections, such as the Electronic Communications Privacy Act.)
And a third conclusion is
that existing laws are intensely focused on privacy from the government, not
privacy from non-governmental entities, be they corporations or other citizens.
This focus on the government is unsurprising, since the Bill of Rights is meant
to constrain the government's powers over its citizens. But, as explained,
these non-governmental entities have also become the very reason that our
metadata and online activities do not enjoy constitutional protection from the
The manner in which we use
technology, and hence what we consider private, has changed significantly since
1979. From a court's perspective, however, this is a distinction without a
difference: unless the Supreme Court alters Smith's
holding or a statute grants greater protection to call data and online
activities, information that is transmitted to third parties no longer has a
reasonable expectation of privacy, and therefore does not enjoy Fourth
Amendment protections. But beyond the legal perspective, the changes that have
occurred in the way we use technology should
matter to us.
Our Evolving Use of Technology
Privacy has long been an
unsettled concept. As Frederick S. Lane explains in American Privacy: The 400-Year History of
Our Most Contested Right, it was "at best a
sometime thing in seventeenth and eighteenth-century America," but was by no
means non-existent. The concept of privacy underwent continual evolution,
including important legal changes, through the middle of the 20th century. One
of the most noteworthy legal developments was the 1965 Supreme Court decision Griswold v. Connecticut, which held for the first time that the Constitution
provided a free-standing right of privacy. Griswold
would give birth to several controversial progeny, including Roe v. Wade,
which held that the constitutional right to privacy included abortion rights.
By the end of the 20th
century, while privacy remained unsettled in important ways, it was expanding
rather than shrinking. In 2000, the Supreme Court held that the right to privacy precluded state bans on
partial-birth abortions, and in 2003 it struck down a Texas law that criminalized consensual oral and anal sex
by gay couples. These decisions were consonant with what in 2000 was seen as a fairly
stable and expanding conception of privacy. American observers and the legal
system paid little attention as technological developments and accompanying
changes in the way we relate to technology upended that conception.
The Internet only gained one
million users worldwide in 1998, the same year Google was founded. Email was
widely used in the United States by 2000, but did not enjoy the same degree of
penetration worldwide, and Google's Gmail service wouldn't launch for another
four years. Internet penetration was still undergoing rapid growth; by 2005, the
Internet boasted one billion users.
Social media evolved markedly
in this period. LiveJournal and Blogger launched in 1999, at a time when the
word blog still hadn't become common
parlance. The once-popular MySpace launched in 2003, followed by Facebook
(which enjoyed more staying power) in 2004. These services introduced two innovations.
First, they made it possible to map users' social networks in ways that the
users didn't comprehend. Second, MySpace and Facebook encouraged frequent
status updates rather than the longer entries that characterized previous
services like Blogger. Posting became more impulsive, and -- particularly as
methods of data analysis advanced -- users divulged much more about themselves
than they knew. By 2013, for example, researchers found that by relying only on users' Facebook "likes," they
could discern who was gay, and how users voted in elections.
As people increasingly lived their
lives online, they divulged more and more intimate details about themselves, sometimes without realizing that they were doing so.
Unfortunately for traditional conceptions of privacy, commercial providers'
capacity to track every movement of users' digital lives was also growing.
Our Consent to Being Tracked Online
Internet law specialist
Joanna Kulesza recently
noted in the University of Arkansas
at Little Rock Law Review that while Europeans see protection of personal
data as a human right (yet struggle with how
to protect it), Americans perceive personal data "primarily as a commercial commodity."
There are several ways that
commercial providers track user activity. Social networks require tracking
in order to function: a server has to authenticate a password in order to
return user requests. Cookies are placed in a browser by a website to remember
this information, so that, for example, a Facebook user doesn't have to
re-enter his password with every click to a different page on the site. Cookies
make the social Internet work; they're a compromise between privacy and utility
that is accepted with every single login.
Cookies don't just remember passwords. Once a user has picked up cookies on a
website, those cookies can follow the user's activity across the web,
potentially recording information entered into different web pages and building
a profile of the user. As the Germany-based academic André Pomp explains
in a paper on tracking Internet users, "if a user visits a computer website
first, then a social network website containing name and age and finally a
diving website, a cross-site tracker, that is included on all three websites,
could be able to create a single profile for this user."
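The cross-site profile Pomp describes can be shown with a small simulation. This is an added example, not part of the original article: the tracker and site domains, the sample name and age, and the assumption that the social page shares those fields with the embedded tracker are all constructed. It replays the three visits once with cookies accepted and once with third-party cookies refused.

```javascript
// Constructed simulation: one third-party tracker embedded on three sites.
// All domains and the sample name/age are made up for illustration.
class Tracker {
  constructor(domain) {
    this.domain = domain;
    this.profiles = new Map(); // cookie id -> { sites, fields }
    this.nextId = 1;
  }
  // Called for the request a page makes when it embeds the tracker.
  // cookieId is the tracker's cookie as sent by the browser (null if none).
  handle(cookieId, site, fields) {
    const id = cookieId ?? `uid-${this.nextId++}`;
    if (!this.profiles.has(id)) this.profiles.set(id, { sites: [], fields: {} });
    const profile = this.profiles.get(id);
    profile.sites.push(site);
    Object.assign(profile.fields, fields); // assumption: page shares these
    return id; // value the tracker sets as its cookie
  }
}

class Browser {
  constructor(blockThirdPartyCookies) {
    this.block = blockThirdPartyCookies;
    this.jar = new Map(); // cookie domain -> cookie value
  }
  visit(site, tracker, fields = {}) {
    // The tracker's domain differs from the visited site: third-party context.
    const refused = this.block && tracker.domain !== site;
    const sent = refused ? null : (this.jar.get(tracker.domain) ?? null);
    const issued = tracker.handle(sent, site, fields);
    if (!refused) this.jar.set(tracker.domain, issued);
  }
}

// Replays the three visits from the quote; returns the tracker's profiles.
function simulate(blockThirdPartyCookies) {
  const tracker = new Tracker("tracker.example");
  const browser = new Browser(blockThirdPartyCookies);
  browser.visit("computers.example", tracker);
  browser.visit("social.example", tracker, { name: "A. User", age: 30 });
  browser.visit("diving.example", tracker);
  return [...tracker.profiles.values()];
}

console.log(simulate(false)); // cookies accepted everywhere
console.log(simulate(true)); // third-party cookies refused
```

Refusing third-party cookies only breaks cookie-based linking; it does nothing against trackers that identify a browser by other means.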
Cookies are just one method of tracking. As Pomp writes, in a typical visit to the
Internet, a user will encounter "hundreds of different trackers trying to track
users by collecting their data." He notes a recent study in which researchers,
by visiting Alexa's top 500 domains and clicking on four random links on each
site, stumbled upon 7,264 trackers. Online tracking by commercial entities is
pervasive, a fact of online life.
Those who are best at
tracking you have the most to gain commercially. Facebook may know your sexual
orientation, but Google knows even more about you. As the Wall Street Journal has
noted, "the breadth of Google's information
gathering about Internet users rivals that of any single entity, government or
corporate." It is helped in this endeavor by the fact that, as CNN reports, Google on average "accounts for about 25 percent of all
consumer internet traffic running through North American ISPs."
Our cell phones can also reveal
where we are at all times. Smartphones are equipped with GPS systems, and even
with the GPS turned off, connecting to a cell tower still provides an
approximation of a person's location. A study by MIT reveals
that, with just four proximate locations, it's possible to identify an
individual with 95-percent accuracy.
There are advantages to
treating personal data as a commodity. Companies can provide remarkable
services at no cost to the user. Google, Facebook, and similar companies could
certainly command subscription fees if they chose that route, but the fact is
that the companies make more money by getting to know their users -- understanding
their interests, their aspirations, their likes and dislikes -- than they would
by charging users twenty or thirty dollars a year. It's understandable that
these companies would treat user data as a commodity, and no doubt many users
would willingly sacrifice privacy for top-quality free services.
There are also disadvantages.
When we think about the information we are disclosing, and the methods of data
analysis now available, we are apt to grow uncomfortable with what these
companies know about us -- our social networks, sexual predilections, voting
preferences, and much more -- and how they're sharing this information.
Our Response to Terrorism
Just as commercial providers
have responded to market incentives, the NSA has responded to the incentives
provided to it in a world of growing transnational threats. The threat of a
terrorist attack is real, not a chimera, and the NSA after 9/11 was charged
with sifting through electronic data to shake out the dangers. To accomplish
this, the agency wanted a lot of data. As Deputy Attorney General James Cole
has said, "If you're looking for the needle in a haystack, you have
to have the haystack." This is not to say that we should accept the NSA's
programs as they are -- hard questions have been raised about its broad
collection of metadata and its internal safeguards against privacy violations
-- but the present debate has taken on a Manichean quality in which the NSA is
often portrayed as rapacious. It is in fact aggressively pursuing the
mission with which it was charged -- of trying to prevent another attack on the
The NSA also undertook its
surveillance efforts at a time when privacy was shedding its old
meaning due to the migration of our lives online, into an environment where -- unlike
in the offline world -- we are being constantly tracked and monitored, and
everything we do is remembered.
So what does privacy mean
now? The answer isn't entirely clear; but what is clear is that we need to have
the right kind of discussion about it. Perhaps a good place to start is asking
whether lawmakers should limit commercial entities' ability to retain user data
There is, of course, good
reason for these entities to be able to track users. User data gives them a
source of revenue, and they invested in their services with the expectation
that their ability to profit from these services will continue. We are not
arguing that the government should constrain the ability of these companies to
generate revenue, but is very old data really essential -- or even relevant -- to
their business efforts? Do commercial entities really need to know what
websites you visited, and who you sent instant messages to, and the location of
your cell phone, eight or ten years ago in order to understand your consumer
preferences today? The government could require these entities to purge all
digital user data (including messages sent, websites visited, records of
individuals called, and geolocations) that is more than, say, five or seven
years old if a) the user has tried to get rid of it by, for example, deleting the
information; and b) there is no independent reason, such as ongoing litigation
or national-security concerns, to retain it.
This would be an admittedly small step, but one in the
right direction that could help kickstart a badly needed conversation on
privacy. Contrary to the absolutist claims that have dominated the public debate
on the issue, there is a complex balancing act at play. It involves not only
liberty and security, but also commerce rights, Internet users' appetite for
free and convenient services, and the desire for privacy not only from one's
government but also one's neighbors. The right kind of privacy conversation
would recognize this.
Given the way the surveillance debate has been proceeding
so far -- focused exclusively on the government, lacking a concrete conception
of what privacy means today, and framed in harsh Manichean terms -- we're
unlikely to get there.