Lex 8256: The Law in Cyberspace Seminar

Privacy

    Start by reading Jeffrey Rosen's article The Eroded Self, published in the New York Times three years ago. Next, for a survey of the most relevant "privacy-destroying technologies," read pages 1468-76 & 1486-94 of Michael Froomkin's article The Death of Privacy?, 52 Stan. L. Rev. 1461 (2000).

    The U.S. Federal Trade Commission described what it saw as threats to Internet privacy in a 2000 Report to Congress (read pages 2-17), and in part two of its report (read the whole thing), it "recommend[ed] legislation that would set forth a basic level of privacy protection for all visitors to consumer-oriented commercial Web sites." In Fall 2001, though, the FTC decided that new legislation wasn't such a good idea after all. Rather, the agency said, it would seek to promote industry self-regulation; it would focus its enforcement efforts on ensuring that companies adhered to their published privacy policies. Read pages 1525-29 of Michael Froomkin's article for an assessment of how well industry self-regulation has worked.

    The European Union has moved much more aggressively than has the U.S. in seeking to protect what it sees as key privacy interests. Its most important rules are set out in the 1995 EU data privacy directive; click on the link and read Directive 95/46/EC, but you can skim through the interminable declarations that precede the actual operative provisions. If you find the language of the directive itself too opaque, you can try reading this layperson's guide to the directive's requirements. Not everyone in Europe is a fan of the directive's approach; for some scathing criticism, read Jacob Palme's published concerns and a note he published on enforcement of the directive in Sweden.

    The European action put U.S. policymakers in a bind; the directive forbids companies operating in the EU from transferring any information relating to individuals to any country that doesn't afford adequate legal privacy protection. Yet it would be disastrous if, say, a U.S.-based airline couldn't transfer information about passengers from a European country to its U.S.-based reservation system. After extensive negotiations beetween the U.S. Department of Commerce and E.U. authorities, Commerce published a "safe harbor" set of privacy principles (read this summary) that U.S. companies could voluntarily adopt, and the E.U. grudgingly agreed that data could be transferred from a European country to the U.S. company abiding by the principles.

    Now read at least two of the following four, somewhat longer, items:

David Chaum, Security without Identification: Card Computers to Make Big Brother Obsolete, 28 Comm. of the ACM 1030 (1985);^*
In re Doubleclick Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001);
Simson Garfinkel & Lorrie Cranor, P3P Privacy Primer (2002), along with Karen Coyle, P3P: Pretty Poor Privacy? (1999), and Coyle's further response;
Jessica Litman, Information Privacy/Information Property, 52 Stan. L. Rev. 1283 (2000).

[Added 2/11/03] A final piece of optional reading, with a different angle on the privacy issue: Neil Swidey, A Nation of Voyeurs, The Boston Globe (2/2/03)

Come prepared to talk about whether you think the U.S. should enact a new legal regime to govern Internet privacy issues and, if so, what it should look like.

^* If you like Chaum's "if-you-don't-collect-the-information-in-the-first-place-we-don't-need-fair information-practices" theme, you might also want to take a look at my own article Hardware-Based ID, Rights Management, and Trusted Systems, 52 Stan. L. Rev. 1251 (2000).