From: <ek259@columbia.edu>
  To  : cpc@emoglen.law.columbia.edu <cpc@emoglen.law.columbia.edu>
  Date: Sat, 01 Apr 2006 10:44:14 -0500

Paper 1: Privacy Protection. Should an Insitutional Reform Come First?

At the root of the erosion of our privacy is our “silent” consent;
lack of opposition stemming from ignorance or indifference to what
is going on. The lack of general awareness suggests that an
immediate attempt to protect privacy through substantive regulation
will fail. Special interests will prevail against the unasserted
general interest. This dictates a two-step approach. The first step
is to militate for an institutional reform, the creation of a
specialized and permanent federal agency that would raise public
awareness and act as a catalyst for the second step, substantive
regulation. If the agency is conceived as a non-regulatory
body,support by activist groups would hopefully be sufficient to
win Congress in the absence of fierce resistance by special
interests. The agency could have oversight and enforcement
authority for all privacy laws, oversee the privacy-related
activities of other federal agencies, represent the United States
internationally in privacy forums and most of all educate the
public and raise awareness commensurate with the extent of the
problem.

The Emergence of a Surveillance Culture: the Erosion of Our Privacy
by Ignorance, Indifference and Consent

The emergence of a surveillance society is rooted in the
emergence of a surveillance “culture” characterized by generalized
public acceptance of surveillance and data collection. We tried to
identify in class the reasons why people care about their privacy
just not enough to press for effective reforms. Other than
terrorist concerns that justify intervention and surveillance in the
public eye, the reasons seem to be:

1. Lack of knowledge of the extent of data mining and surveillance.
Although privacy matters are constantly in the news, the average
citizen does not fully grasp the extent of data mining and
surveillance. The degree of the intimate cooperation between the
government and the private sector is also unknown. Two recent
reports by the Annerberg Public Policy Center indicate that despite
fairly wide awareness that websites collect information about them,
the overwhelming majority of U.S. internet users are fundamentally
unaware of data flows: how organizations glean bits of knowledge
about individuals online, interconnect those bits, and share them
with other organizations private and governmental. (1)

2. The threat of harm is diffuse and not imminent. It is difficult
to understand concretely how data mining and surveillance can
negatively affect our lives. On the one hand, we do not fully
understand the impact of the legal use of personal information, for
instance the role of online profiling for purposes of price
discrimination and consumer behavior manipulation by marketers (2).
On the other hand, the illegal use or misuse of personal data
(identity theft or use of inaccurate information) has not yet
directly harmed us.

3. The benefit is concrete. While the threat of harm is diffuse and
not imminent, the “benefit” is concrete. Convenience, speed of
transactions, discounts, promotions, individualized suggestions for
future purchases is what we have to gain by trading our personal
information. This had led to the commercialization of our intimacy,
which is gradually eroded with our consent.

4. The information provided is not by itself considered sensitive or
secret. Giving, for instance, information about movie preferences to
marketers is not considered sensitive data by consumers and is
thus easy to give away.  Further, much information used in data
mining is found in public records. It is the aggregate effect of
collecting and connecting disparate information that constitutes
the threat and not each isolated piece of information.

5. The surveillance and data collection has ceased to target
specified individuals only and has become generalized and routine.
This change seems fundamental. Surveillance and data collection has
ceased to target specific individuals and has, instead, become
generalized and widespread. Surveillance previously focused on
individuals for specific reasons related to suspicions of
wrong-doing (and was normally part of a judicial procedure) but
today nobody is singled-out. It is not individuals who are
exceptionally watched for reasons unique to their persona; it is
all of us indiscriminately. The process has become collective,
systematic and automated. Generalized, routine, invisible control
is less threatening than targeted, individualized and exceptional
control.

The Need for a U.S. Information and Privacy Commissioner

Public attitude is thus at the root of the problem. An institutional
reform and the creation of a new federal privacy agency may be the
catalyst needed to make the problem surface.

The need for an agency has been suggested in the literature (2) and
discussed to some extent in Congress (3). Many governments around
the world have established data protection agencies—the prime
example being the European Union (4) but also Canada and Australia
(5) and a number of others (6). In fact, the overwhelming majority
of countries with privacy laws have established an agency dedicated
exclusively to privacy protection. Countries have established
privacy agencies whether they pursue a comprehensive regulatory
approach (EU and Canada) or adopt a self-regulation/sectoral laws
model (Australia)(7).  In the United States, responsibility for
privacy issues is shared by a number of agencies. For instance,
responsibility for the enforcement of the Gramm-Leach Bliley Act on
financial privacy is shared by eight agencies (8). The U.S. has been
represented at international data protection conferences by the
Commerce Department, the State Department, the FTC, the Office of
Management and Budget and others (9). The agency charged with most
oversight authority is the FTC but it does not have sole nor
exclusive jurisdiction and deals with information privacy only to
the extent it raises consumer concerns (as opposed to human
rights). Further, it does not oversee the privacy activities of
other federal agencies. A federal privacy agency will coordinate
the work now performed by many. But, most importantly, its mere
existence will reveal the problem to the public at large. If the
agency is non-regulatory, it will probably be perceived as less
threatening to established interests and have a greater chance of
being adopted, After all, everybody pays lip service to the
importance of privacy. The U.S. has agencies responsible for marine
mammals, migratory birds, arctic research and postal rates (10). It
is time to have an agency for our privacy protection.

Evangelia Kleftodimou

Footnotes:

1.	See Anneberg Public Policy Institute report on “Open To
Exploitation: American Shoppers Online and Offline at
www.annenbergpublicpolicycenter.org/04 info society/Turow APPC Report WEB FINAL.pdf.,
June 2005. Also see the July 2003 report on “Americans and Online
Privacy. The System is Broken”, a report also showing consumers’
lack of knowledge of data collection strategies.
2.	Open To Exploitation, supra at p. 4. The report shows that U.S.
consumers are largely unaware of behavioral targeting involving
buying or collecting information about a customer’s activities in
order to know how to best sell to him or her. They are also unaware
of price discrimination,the charging of different prices to
different customers based on data the seller has about them. The
report warns that price discrimination will soon be the predominant
trend in the marketplace.
3.	 Robert Gellman: A Better Way to Approach Privacy Policy in the
United States: Establish a Non-Regulatory Privacy Protection Board,
54 Hastings L.J. 1183 (2003).
4.	Id. For past proposals on the creation of privacy agencies, see
Robert Gellman, Fragmented, Incomplete and Discontinous: The
Failure of Federal Privacy Regulatory Proposals and Institutions, 6
Software L.J. 199 (1993).
5.	The EU Data Protection Directive requires each EU member state to
have a supervisory authority. All EU member states have established
Information and Privacy Commissioners.
6.	Information and Privacy Commissioner of Canada at
www.privcom.gc.ca.   Privacy Commissioner of Australia at
www.privacy.gov.au.
7.	Thailand, New Zealand, Hong Kong, Argentina.
8.	Australia adopts a so-called “co-regulatory” approach. Under the
Australian Privacy Act, private sector industry groups are free to
develop codes of practice within the wider bounds of the Act. The
Codes may be approved by the Privacy Commissioner and are binding.
9.	See www.ftc.gov/privacy/privacyinitiatives/glbact.html.
10.	See Robert Gellman, at p. 1188 supra at note 1.
11.	Id at p. 1190.

-----------------------------------------------------------------
Computers, Privacy, and the Constitution mailing list