1997 ASIS Mid-Year Meeting Preview
Privacy and Policy
by Shelly Warwick
© 1997 ASIS

For many years there was much hand-wringing over the fact that the United States didn't have an information policy. Then the National Information Infrastructure (NII) was proposed, the Telecommunications Act passed, and many cheered or despaired because there was an information policy. But there isn't. Only a telecommunications policy. Many elements are missing, and chief among them is an organized approach to what rights or privileges individuals or organizations have in relation to privacy and what rights or privileges they have regarding access.

One of the difficulties in creating a privacy policy is defining the term privacy. Is it the right to be left alone? or the right to control's one's persona? or the right to restrict either access to or use of some form of information? Privacy, in various laws and rulings, has been construed to cover all of these situations.

While the Constitution does not directly address privacy, the Bill of Rights includes two provisions that imply a recognition of privacy: the right not to have one's home searched or possessions seized without due process and the right not to have one's home be used to quarter troops without consent. Both provisions attempt to balance the reasonable expectations of free individuals with the needs of society. The right to control the use of one's persona as an aspect of privacy was first articulated in an 1890 article by Warren and Brandeis in regard to the right to control publicity, good or bad. In the early 1900s New York State passed what is considered the first privacy law, which established the right to control use of one's name and image for commercial usage, and created what has since become known as personality rights (within the policy sphere). Since then privacy has been regulated and judged in a piecemeal fashion, usually in regard to telephone and other forms of electronic communications (Communications Act of 1934; Digital Telephony and Communications Privacy Act, Electronic Communications Privacy Act, Privacy Act of 1974; Katz v. United States; Olmstead v. United States), though it was the finding in Griswold v. Connecticut that privacy was included in the penumbra of the Constitution that was the basis for the decision in Roe v. Wade, upholding that privacy rights extended to a person's body.

The Emotions of Privacy

Privacy is personal. It's territorial. It's the right to exclude others. It's the right to have secrets or to reserve something for your own enjoyment. It is the right of the individual against society. As individuals we assert our desire for privacy in many ways. But we also have a desire for access; for the right to know and to protect ourselves through knowledge, especially in areas of health, safety and government actions. The conflict between the rights of personal privacy and public access can be seen clearly in New Jersey's Megan's law and similar measures, which require that communities be notified when a released sex offender is in residence. The law passed because many believe that the possibility of preventing harm to children carries greater weight than any privacy concerns of sex offenders. The Court did not agree and found the law unconstitutional.

On a perhaps less emotional level there is caller ID. There has been a high demand for the newly authorized equipment that enables one to know the phone number of an incoming call, yet there has been widespread use of the option to block transmitting one's phone number when dialing. In short, we want to see yours, but not show you ours.

With the proliferation of electronic data collection and data warehousing, what constitutes privacy takes on a new meaning. The ability to easily collect and correlate many diverse pieces of information from a variety of sources makes the revelation of any information the basis for a possible invasion of privacy. Use a supermarket discount card to buy cat food and you'll be inundated with offers for pet supplies. Register a computer or appliance, and there won't be a long wait before the offers for accessories appear. And we supply the information willingly. We trade our privacy in small bytes to get the things we want -- tech support or 3 cents off dish detergent or the convenience of not carrying cash, or paying later, or ordering by phone. Each piece not that important, each piece not especially revealing. But the data collectors concatenate our credit card spending patterns, age, profession, gender, region of the country, make of car, and, of course, those supermarket purchases, to form a picture of us as a consumer, contributor and voter; to fill our mailboxes with circulars or pleas for contributions; to interrupt our dinners with offers we can't refuse; to send us e-mail for products we surely must need. Finally we say, "Enough!" We want the right to block unsolicited commercial e-mail, to be able to have our names removed from calling lists, to prevent those firms and organizations with which we interact from revealing the information we provide.

Yet most of us wear another hat, where we want to be able to sell our products or solicit for our favorite causes or find out the credit worthiness of possible clients, tenants or partners. Then we demand access in the name of free speech, freedom of the press or whatever portion of the flag we find handy.

Need for Integrated Policy

Privacy issues, obviously, do not stand alone. They relate to, and often conflict with, free speech, freedom of the press, intellectual property and trade practices. Do our name and address belong to us, and do we have the right to restrict access or give them away freely or sell them as we wish, or are they the property of anyone who collects them and places them in a database? The proposed World Intellectual Property Organization (WIPO) copyright treaty seems to state the latter.

Should publishers escape without penalty for printing false statements that damage the persona of an individual if the publishers believe the statements are true when they go to press? The courts say "yes" (see New York Times v. Sullivan and Sharon v. Time, Inc.). Should historical or literary figures have the right not to allow scholars to use excerpts from their unpublished diaries or letters, even if the diaries and letters have been donated to a library for use by researchers? The creator of Catcher in the Rye got a big yes on this one (Salinger v. Random House, Inc.). Should an information provider have the right to block unsolicited electronic mail of a commercial nature that originates from competitors, or does this violate free speech? America Online (AOL), not being a government actor, was allowed to block (Cyber Promotions Inc. v. America Online). Does whatever privacy that resides in e-mail outweigh policing operations? Some want a law that will hold an institution guilty as an accessory for any use of its system to send material covered by copyright, even if sent with the belief that it was fair use. If passed, would the result be less infringement or more censorship or less institutionally provided access?

All of these issues are being addressed one-by-one without a clear statement of intent or policy. While the development of policy by case law often allows more flexibility and provides a longer time frame for development and a deeper consideration of the issues, it also often results in contradictory decisions in various districts and the lack of an integrated approach, not to mention that it sometimes results in bad law and bad policy.

There is a strong need to develop a national privacy policy and a cogent statement of that policy to guide legislation and judicial decisions. The policy needs to address clearly the following issues: the balance between the right to privacy and the right to access; the expectations of individuals and the needs of society; the appropriate level of privacy protection that should be afforded to public figures, private persons, governments and other organizations; clear guidelines as to what information an individual can be compelled to reveal to benefit society and what should be under his or her control.

Developing such a policy won't be easy, and perhaps might prove impossible. But it would be a valuable exercise. Basic assumptions about the nature of our society might be examined, as well as what we mean by privacy, and, perhaps, by access. Tradition describes Americans as rugged individualists, whose homes are their castles. Free enterprise and capitalism, which are considered basic to our society, support the right to make a profit from information, and let the buyer beware. Yet how many of us would feel that a researcher should have the right to withhold a cure for cancer? Or that an heir have the right not to publish diaries that told who shot John F. Kennedy?

Privacy involves both logic and emotion. A privacy policy will have to satisfy both.

References

An Act to prevent the unauthorized use of the name or picture of any person for the purpose of trade. (1903). Chap. 132. New York. Communications Act of 1934. (1934). 48 Stat. 1064. Cyber Promotions v. America Online (1996) Lexis 16237. Digital Telephony and Communications Privacy Improvement Act of 1994. (1994). Electronic Communications Privacy Act of 1986. (1986). P.L. 99-508. 100 Stat. 1848. Griswold v. Connecticut. 381. U.S. 479 (1965). Katz v. United States. 389. U.S. 347 (1967). New York Times v. Sullivan 376 U.S. 254 (1964). Olmstead v. United States. 277. U.S. 438 (1928). Privacy Act of 1974. (1974). Roe v. Wade. Sup. Ct. 410. U.S. 133 (1973). Salinger v. Random House, Inc. 816 F. 2d 1252 (1987) Sharon v. Time. Inc. 609 F. Supp. 1291 (S.D. N.Y.) 1984. Warren, S.D. & L. B. Brandeis. (1890). "The Right to Privacy." Harvard Law Review 4, 193-220.

Shelly Warwick is affiliated with Baruch College in New York City.