Background

In the last class on PartFour I proposed the idea of regulating forgetting, forcing data keepers to sunset data. Eben raised First Amendment issues with that proposal, which I think are compelling. However, there may be other sorts of information practices which could be mandated through regulation on government and third parties that may not raise such concerns and that would be useful for providing some protection against losing our identity to those who aggregate information about our lives. Perhaps we can use this space to think of a set of information practices that we would like to see codified, and discuss whether this is a worthwhile exercise at all.

Proposals

To start us off, in 1973 the US Department of Health, Education and Welfare released a code of fair information practices. See, Simson Garfinkel, Database Nation 13 (2000). The code had five tenants:

• There should be no secret databanks.
• There must be a procedure for a person to access their record.
• The data should not be disseminated without the person's consent.
• There must be a procedure for a person to correct misinformation.
• There should be a responsibility imposed on organizations to ensure the accuracy of the data.

Another resource could be the Fair Credit Reporting Act.

-- JustinColannino - 15 Feb 2009

---

It seems to me that a number of the fair information practices (and the equivalent EU privacy scheme) run smack into first amendment concerns when applied to private parties (as opposed to the government):

(1) There should be no secret databanks and (2) There must be a procedure for a person to access their record -- we're not normally in the business of forcing people to reveal everything they may or may not know about other people. Isn't this a massive privacy invasion in itself?

(3) The data should not be disseminated without the person's consent -- this is a clear limitation on the content of a private party's speech

(4) There must be a procedur for a person to correct misinformation -- lots of case law about the unconstitutionality of analogous proposals for rights of reply to newspaper editorials, etc. Traditional 1st Amendment theory is that misleading speech should be countered by correcting speech, but noone is required to provide you with a forum (at their expense).

(5) There should be a responsibility imposed on organizations to ensure the accuracy of the data -- how is this not analagous to legislating the way in which someone thinks? Would you be in favor of legislating a general responsibility for people to ensure the accuracy of the data they use in making every day decisions?

If sunset legislation is meant to ensure that we retain the traditional practice of forgiving old mistakes, then I think you can achieve much of the same effect without going after the private parties collecting the information by forbidding the state from requesting information older than a certain number of years.

I recognize there are issues with the enforcement of such a limitation--if the data is valuable, people will find ways to get at it--, but I don't see how it is any harder to enforce then a sunset clause on data held by private parties.

-- AndreiVoinigescu - 16 Feb 2009

---

While I agree with Andrei's well reasoned points against the 1973 proposal to private parties in general, I think that it is overly simplistic to group all private information gathering and retention practices together, and then to condemn regulation on them all. For example, as noted previously, the Fair Credit Reporting Act was enacted to provide transparency in the methods of determining a persons creditworthiness. See, Fair Credit Reporting Act § 602. Also, regulations for fair information practices in certain industries could conform with and even enhance first amendment principals. For example, the American Library Association (ALA) has been fighting certain provisions in the Patriot Act that force libraries to hand over patron records to the FBI upon request. The ALA believes that the law has a severe chilling effect on free speech. Though their efforts to repeal the legislation has failed, the ALA's current solution is to severely limit record retention.

These are just two examples. I think we all agree that some fair information practices should be imposed on the government, but perhaps not always on private parties. Maybe the way forward, if this discussion has any value, is to think about when/whether information practices of private entities should be regulated. Does the Fair Credit Reporting Act go too far? Should something similar to the ALA's resolution apply to ISP's? To Google?

-- JustinColannino - 16 Feb 2009

---

I tend to agree that there's a relevant distinction between regular Joe Six-pack private actors and institutional private actors. I don't think the threat to autonomy from a corporation knowing you is any less than from the government knowing you -- in either case, you're creating a significant imbalance of power between one small group of people and everyone else. That not only exacerbates existing inequalities--it also enables tyranny.

I don't think there's much hope that ISPs or Google will self-limit the information they retain. Commercial logic argues against it.

• Let me clarify: I was suggesting that such limitations could be imposed on ISPs, Google or other similar entities through legislation. I was also trying to point out that such legislation may be more desirable from a First Amendment standpoint than current regulations on information such as the Fair Credit Reporting Act because it would protect the First Amendment interests of the public against those of large corporations. -- JustinColannino - 17 Feb 2009

I am curious however about the Fair Credit Reporting Act -- could someone better versed in 1st amendment jurisprudence opine about whether such legislation is vulnerable to a constitutionality challenge?

-- AndreiVoinigescu - 17 Feb 2009

Being not a lawyer, and thus knowing nothing about 1st amendment (or any other) jurisprudence, I'm going to sidestep that question entirely.

But I am intrigued by the question of whether governments can/should/would regulate companies like Google, or whether, as Andrei seems to suggest, they are two sides of the same powerful coin and naturally prone to work together to take and manage more of our data.

On the first or second day of class, Eben made a crack about being most concerned about the union of the federal government and Citigroup (though he’s plenty scared about each one by itself). I’m really ONLY scared by their union:

Historically, governments have been the chief limitation on private sector abuses from antitrust law to trade and labor treaties. Even when government directives are toothless (as in the case of many human rights conventions), it’s to these state measures that citizen activists wind up appealing.

Similarly, companies have been loud advocates for limited government whether to reduce their own tax liabilities or to secure opportunities for future profit. Example: Big Pharma lobbyists, even when they pay lip service to Partnership for a Drug Free America, often support medical marijuana because it’s just one more thing they can make and sell.

Andrei is right that states or corporations only ever act in their own interest, and their interest is usually to control more territory, more money or more data. But there was a time when states and corporations each perceived that it was their interest to seek control at the expense of the other. It seems to me the smart route the privacy-concerned-community could take would be try to get us back to that dialectic, to frame the privacy argument in terms of the open, but well-regulated, market economy.

Another example: by fits and starts, we are actually making steps towards addressing climate change in precisely this way. The enviro movement has been smart to speak out of both sides of its mouth to government and business. Greenpeace, et al pressure companies to get green before the government comes to run their businesses, while pressuring legislators or international treaty organizations to prove their strength by cracking down on corporations. In effect, the enviro activists promote their agenda by riling government and business against one another along parallel tracks.

What are the possibilities for pushing information protection in a similar manner? Prod companies with the logic that they don’t want to be doing the FBI’s dirty work; prod government with the logic that they don’t want to be bought. This is admittedly just a partially baked idea, but that's what Wikis are supposed to iron out.

-- MahaAtal - 18 Feb 2009

While in theory it's true that government and business can act as counterbalancing checks on each other's power, I don't really see that happening organically around privacy issues. Some third party--read, the public--needs to step in and lobby both--make it clear to businesses that resisting government intrusion carries commercial advantages while making it clear to politicians that regulating business abuses of privacy will be politically rewarding in terms of re-election. Which all requires an educated, engaged public who cares about privacy. That's the first (and hardest) step.

Privacy is arguably different than environmental issues because both businesses and goverment stand to gain from knowing more about you. Their interests align. With enviromental issues, goverment is largely apathetic--open to influence from big oil/the coal industry, yes, but there's no arm of the goverment itself pushing for more fossil fuels to be burned.

-- AndreiVoinigescu - 19 Feb 2009

All true, but it is precisely because government was more or less apathetic about the environment and therefore because business had been able to lobby them successfully that the public/NGOs pushed aggressively to force the kind of check/balance I'm describing. So no, these things don't develop organically and the role of civil society raising issue awareness is key, but I think the enviro case is an example of that.

One place on the privacy front where government and business don't align so neatly: government is by definition national, corporations aren't. Shouldn't it alarm the CIA that Google might also be working with governments the CIA is collecting intel ON? Might be one way for civil society to make the case to government?

-- MahaAtal - 20 Feb 2009

Possibly; but the flip side of the coin is tha Google is collecting information on the citizens of other nations too--information the CIA can get with a simple supeona. There's also the issue of where most of the information is actually located. While many of the corporate players are multinational, I'd say a disproportionate number of their server and storage facilities are located within the US. Still, I think the "we can't let you collect this data, our enemies might force you to reveal it" is a better lever than any I can think of right now.

-- AndreiVoinigescu - 20 Feb 2009