Internet Confidential: How to establish a privacy right on the public Internet
In the beginning, there was the Fourth Amendment to the U.S. Constitution:
“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
This protects citizens against actions by the government. The genesis of our legal right to privacy, or “a right to be left alone,” is the essay “The Right to Privacy” (4 Harvard L.R. 193 (Dec. 15, 1890), which is credited to Louis Brandeis and Samuel Warren, but is believed to have been written by Brandeis at the suggestion of Warren, according to Wikipedia. What motivated the law review article was the growing trend of newspaper society columns of the time disclosing intimate details of the lives of private individuals.
The authors conclude that existing laws offer "a principle which may be invoked to protect the privacy of the individual from invasion either by the too enterprising press, the photographer, or the possessor of any other modern device for recording or reproducing scenes or sounds.” A breach of this right is based on “an implied contract or … a trust or confidence.” It is not based merely on a property right, according to Brandeis and Warren.
Usually, no contract is implied simply by the act of sharing information – there is no offer, acceptance, or bargained-for consideration. Modernly, a privacy breach is more likely to be one of a “trust or confidence.” The authors state that the privacy right “ceases upon the publication of the facts by the individual, or with his consent.” They offer the example of a private letter that is sent inadvertently to someone other than the intended recipient. The author of the letter did not intend the contents to be made public, but the unintended recipient is under no contractual obligation not to share it.
Sharing with some isn’t sharing with all
Here’s where Brandeis and Warren introduce the concept of “abuse of confidence.” The courts have found that a party receiving confidential information has benefitted from the disclosure, and in exchange promises not to disclose the information further without the authorization of the person who provided it. In a British case, Morison v. Moat, 9 Hare, 241, 255 (1951), the court wrote that it “fastens the obligation on the conscience of the party, and enforces it against him in the same manner as it enforces against a party to whom a benefit is given, the obligation of performing a promise on the faith of which the benefit has been conferred.”
In other words, when you benefit from confidential information, you are legally obliged to maintain its confidentiality by not disclosing it further.
Brandeis and Warren conclude that the right to privacy extends to all matters “which concern the private life, habits, acts, and relations of an individual, and have no legitimate connection with … any public or quasi public position which he seeks … and have no legitimate relation to or bearing upon any act done by him in a public or quasi public capacity.” Assuming that we retain our status of private citizens during and after using the Internet – as opposed to the use transforming us into public figures, such as celebrities or politicians – our use of the Internet constitutes a private activity, according to the description by Brandeis and Warren. Therefore, it retains its confidential nature.
The third-party doctrine’s slippery slope
Expanding the privacy principles described by Brandeis and Warren, when we share personal information using an Internet-connected computer or phone, it doesn’t stop being confidential. We know or should know we’re being tracked when we use the Internet, so there’s a diminished sense of privacy from the get-go.
However, when we agree to share personal, “confidential” information with one party, we are not waiving the right to prevent the information from being shared with a third party. In a sense, the information’s value to Internet services is based on its confidentiality. Once the information is no longer confidential, it loses some of its value – the more people who know it, the less confidential it is, and the less valuable it is.
(Internet services claim the personal information is no longer confidential because they anonymize it. The first problem with this proposition is that it is trivially easy to de-anonymize the information, as explained on Wikipedia. The November 18, 2014, Weekly, “Trading privacy for the public good,” includes a link to Pete Warden’s May 2011 post on O’Reilly Radar entitled “Why you can’t really anonymize your data.”)
Wikipedia defines the third-party doctrine as the mechanism by which the government is able to demand our private information from third parties to whom we voluntarily surrender it – telephone companies, banks, and Internet service providers, for example – without requiring a court-issued warrant beforehand. In 2014, Sen. Ron Wyden (D-Oregon) introduced the Secure Data Act, which would “shut down government-ordered backdoors into digital systems,” according to Ars Technica’s Cyrus Farivar in an April 3, 2016, article.
The fate of the Secure Data Act is uncertain at best – it hasn’t even made it to committee, according to Farivar. It would outlaw all built-in back doors to data-encryption systems. In that sense, the act is the antithesis of the Burr-Feinstein bill that would require such back doors in all encryption mechanisms. Senator Wyden states that “when people enter into a private business relationship, they don’t expect that that’s going to be public.”
According to Wyden, the negative reaction of intelligence and law-enforcement agencies to encryption is comparable to the initial response to Miranda v. Arizona, 384 U.S. 436 (1966), and the resulting requirement that police advise arrestees of their rights to an attorney and to remain silent. The agencies will adapt to encryption and will find constitutional means to ensure timely access to the information they need to prosecute crimes.
There is, in effect, a third-party doctrine for personal information collected from people who use Internet services: If we share our information with one party, we’ve shared it with all parties. No explicit permission is required for the sharing, and individuals have no right to control, limit, or remove their personal information from collection and reuse.
When it comes to protecting the confidential information we disclose voluntarily and involuntarily via the Internet, existing privacy laws will be adapted to meet the needs of modern life… eventually. The process starts by acknowledging that the information being collected retains some measure of confidentiality after it is shared with one party, even when the service claims to have anonymized the data. It also implies the right of individuals to control, limit, and remove the information.