University of San Francisco Law Review
Summer 2000
Article
*633 OUR DATA, OURSELVES: PRIVACY, PROPERTIZATION, AND GENDER [FN1]
Ann Bartow [FNa1]
Copyright © 2000 University of San Francisco School of Law; Ann Bartow
CYBERSPACE BRIEFLY HELD a lot of promise for women. [FN2] It was the closest we could expect to come
to being "brains in . . . boxes." [FN3] In cyberspace, we would not be judged by
our bodies. No one would know when we were having bad hair days. We would not
ever have to wear make-up and high heels. We could even be "men"
without hormones or expensive surgery. Then we began shopping and chatting over
the Internet. Shortly thereafter, we learned that anyone in cyberspace could
ascertain our gender, ages, incomes, education levels, marital status, sizes,
consumer purchase proclivities, aspects of our health, and employment
histories, and the number, ages, and genders of our children, and that this
information could be used to sell us *634 goods and services. [FN4] Now, instead of brains in boxes, we are
"eyeballs with credit cards." [FN5]
Cyberspace has become fertile ground for the harvesting of consumer data, and
consumers have very little ability to keep their personal information private,
especially online. Yet, we are unlikely to see any sector of government launch
comprehensive, enforceable online privacy initiatives based on the precept that
privacy is a good unto itself. [FN6] At the same time, copyright, trademark,
and patent protections obtained by companies for words, thoughts, ideas, and
symbols are expansive and seemingly grow broader on a daily basis. [FN7]
This article considers the possibility that one evil can be remedied by
another. Perhaps the current corporate-friendly intellectual property
framework, so effective at turning the information superhighway into a toll
road, can be co-opted to enable individuals to "own" and control our
own personal information, giving us the tools to "gatekeep" our own
informational privacy. [FN8] Perhaps we should have the same property
rights in our names and personal information that corporations have in their
names and data. At a minimum, we should have the same property rights that
corporations have in our names and personal information. Perhaps, if nothing
else, an attempt to secure property rights in our personal information will
draw attention to the ongoing corporate propertization of everything.
The data collection issue is of
singular importance to "web swimming" women. [FN9] Women do most of the shopping in real
space and will inevitably do the same in cyberspace, where we are appearing in *635
ever-increasing numbers. [FN10] Women control 80 to 85% of all personal
and household goods spending and are reportedly the fastest-growing audience on
the web, a market "expected to grow to 65 million in 2002 from 45 million
today." [FN11] Internet analysts agree that
"anybody who wants to make money on the Internet cannot afford to ignore
[women]." [FN12]
In cyberspace, women are inherently desirable, but only because things of
value, data, and ultimately money, can be taken from us. In the abstract, many
of us may be concerned about personal privacy, but when we are out swimming the
web, this concern may be overshadowed *636 by a desire to
participate fully in online life. [FN13] We are lured to special "women-oriented"
web sites that efficiently facilitate the extraction of our
personal information assets and our nummular currency. [FN14] Attracted to interesting, high quality
content and the promise of supportive, dynamic online communities, we are
easily persuaded to actively share personal information with site owners and
advertisers. [FN15] Simultaneously, and often unmindfully, we
also passively share information about ourselves through the articles that we
select to read, the topics that we elect to post about, and the sites and
advertisers that we choose to visit. [FN16] Docilely, we allow corporate entities to
monitor our online efforts to educate and inform ourselves, support each other,
and purchase goods and services for our families and ourselves. [FN17] This data is then used to more
efficiently separate us from our money. [FN18] *637 The fact that we give
web sites information of greater value than the content we receive is
obfuscated by our sense of gratitude that we are no longer ignored in
cyberspace; that typing the keyword "woman" into a search engine now
produces something besides pornography sites; that we finally have cyber-rooms
of our own. Indeed, web analysts postulate that some women actually form
emotional bonds with certain sites, using cyber fora to create social networks
for themselves. [FN19] Electronic entities then attempt to
exploit this sharing and networking for commercial gain. [FN20]
Online data collection should be a serious concern to everyone who ventures
into cyberspace, regardless of gender. This phenomenon is particularly
problematic for women because, as explained above, women do most of the hunting
and gathering for themselves and their families, and are therefore becoming the
primary targets of marketers in cyberspace. [FN21] The admittedly problematic (and perhaps
appallingly cynical) solution proposed, however, applies equally well to men.
If all individuals are awarded the same broad property rights *638
in their personal data that business interests successfully assert in words,
ideas, and information, people can control how much online privacy they have
and, correspondingly, the levels of targeted marketing to which they are
subjected.
In cyberspace women are the
quarry, and we are "targeted" by web sites that are "aimed at
us." Online companies create content that will lure women to their web
sites. Touted by the New York Times as a "place for serious
sisterhood," iVillage [FN22] has immense corporate backers, including
General Electric, America Online, Intel, Tele-Communications, Ralston Purina,
Kimberly-Clark, AT&T, Ford, and Amazon.com. [FN23] An iVillage spokesman stated, "We're
very focused on the fact that the Web is one of the best mass-marketing
opportunities ever." [FN24] The company offers a plethora of online
shopping opportunities and "targets" affluent women between the ages
of 25 and 49, a "highly valued demographic." [FN25]
One tactic that iVillage uses is blending content and commerce as seamlessly as
possible. Candice Carpenter, the primary architect of iVillage "pioneered
the use of 'integrated sponsorships,' where advertisers participate in the
creation of content, the information, articles, and services that appear on the
company's Web sites." [FN26] For example, Ralston Purina sponsors a
pet channel, which offers chat rooms, message boards, and access to a pet
expert. The pet expert also happens, completely uncoincidentally, to be a
Ralston Purina employee, who *639 can refer web swimmers to
products available at an accompanying online pet store. [FN27] Similarly, "[i]n what it called a
breakthrough partnership with the milk industry, iVillage established a
'behavior modification program' of 'weekly chats, E-mail reminders, and lively
message boards' to encourage 'the habit of drinking three glasses of milk per
day."' [FN28] One will not find any information
challenging the purported benefits of milk present at this site, so there is no
need to worry our pretty little heads about conflicting data regarding the
health benefits or utility of high levels of milk consumption.
iVillage also maintains a network of many web sites and claims millions of
registered members. [FN29] It seeks to build a community of women on
the Internet around issues such as divorce, miscarriage, breast cancer, child
discipline, job stress and "unfortunate taste in boyfriends," and
then "monetize" the community by profitably selling products and
advertising. [FN30] One example is found at the iVillage site
Parent Soup, [FN31] where "a pregnant woman can enter
her due date and receive a calendar showing day by day what's likely to be
happening inside her body." [FN32] Women with overlapping calendars are
directed to a "Pregnancy Circle," an online support group where they
can trade advice and concerns and are simultaneously prompted to purchase items
such as books from Amazon.com, [FN33] baby goods from iVillage's iBaby, [FN34] and maternity clothes from iVillage's
iMaternity. [FN35]
Another alleged "place for serious sisterhood" is Microsoft's online
magazine, insipidly named Underwire [FN36] and ostensibly "more serious and
sedate" than iVillage. [FN37] Microsoft also maintains WomenCentral, [FN38] a web site/Internet channel of the
Microsoft Network. [FN39] WomenCentral features content from
Women.com, [FN40] another *640 online
publisher of "women's material," as well as content from Underwire
and other original material. [FN41]
Oxygen Media, backed in part by Oprah Winfrey, has also constructed online
flypaper for female consumers, and runs three "women-oriented" sites
it bought from America Online in the fall of 1998: Electra, [FN42] ThriveOnline, [FN43] and Moms Online. [FN44] Its main site [FN45] appeared in late May of 1999. [FN46] The concept of Oxygen is to fuse the
television, the Internet, and the telephone, creating a strongly tight-knit,
multimedia community of women. [FN47] Aspects of Oxygen Media's mission were
imbued with an aura of public interest legitimacy when Markle Foundation President
Zoe Baird announced a joint venture between Oxygen Media and the charitable
Markle Foundation. [FN48] The venture involves $8.5 million worth
worth of research, $4.5 million of which the Markle Foundation is providing, on
"the information needs of women." [FN49] According to Baird,
The Oxygen/Markle Pulse will develop baseline ongoing research, day in and day
out, to find out what women want, what they are concerned about, and how they
feel about the world around them. All of this will be made public so that other
companies can use it. We hope it will influence public perception and women's
perception about their influence. [FN50]
Thus, while the information generated by this research may somehow give women
more political power, as Baird seems to intend, in part, it will also, by
design, assist companies seeking to identify, understand *641 and
target female consumers. [FN51] This approach seems to reflect a
fundamental assumption that meeting the needs of women requires the efficient
sales and marketing of goods and services to women. In other words, our need to
shop is so powerful that a charitable foundation will, in the name of the
public good, spend millions of dollars assisting for-profit companies with
efforts to more sensitively and responsively take our money.
Other gateway pages are bawdier, such as Estroclick, [FN52] which bills itself as "an estrogen
powered web network." [FN53] This site promises "broad-based
content" (get it?) at "girl sites that don't fake it" and
features links to special interest sites like hipMama, [FN54] Wench, [FN55] Bust, [FN56] and Hissyfit. [FN57] Still other sites do not bother offering
much in the way of content at all, instead pitching their sites as time and
money savers that research products and services on our behalves. [FN58]
III. Buy This 16-Year-Old and Get All Her Friends Absolutely Free [FN59]
Like women, "teenagers"
are also seen as a lucrative emerging e-market. [FN60] Many companies especially want to collect
data from teenage *642 women, a highly coveted audience. [FN61] In addition to their purchasing power at
present, they are "proto-consumers whose purchasing habits and brand
identification are still soft enough to shape" and "at the very
beginning of their lifetime value as a customer [sic]." [FN62] Data is collected first to measure, and
then ultimately to influence the popularity of consumer goods aimed at young
women. Ironically, one site designed to ensnare teenagers for market research
purposes, SmartGirl Internette, [FN63] has the (apparently) trademarked,
non-ironic slogan "smart girls decide for themselves." [FN64] At the "Speak Out" section of
the SmartGirl site, [FN65] "girls answer multiple-choice
questions and opine to their hearts' content in open response areas. Their
teenage sentiments are collected, cross-referenced and sold to SmartGirl
clients or sent out in press releases for promotional purposes." [FN66] SmartGirl uses the data it collects to
perform customized research and surveys. [FN67] It then publishes a line of subscription reports,
including the Celebrity Report, which appears six times per year and costs
$10,000 annually, and the shorter monthly Trend Report, which costs $2,000 per
year. [FN68] SmartGirl framed this market research as
a service to its teenaged readers, as a way to keep the site free of
advertising, and as a mechanism for determining "what girls want so
companies can make better stuff for you and really meet your needs." [FN69]
Empirically, teenagers are willing not only to provide data about themselves,
but also to divulge information about their friends and *643
other family members. [FN70] A recent study conducted by the Annenberg
School of Communications at the University of Pennsylvania determined that
while teenagers expressed a general nervousness about privacy on the Internet,
most would provide personal information about themselves and their families,
especially in exchange for a free gift. [FN71] Teenaged girls are also likely to engage
in very personal online dialogues. [FN72]
IV. Now That They've Come, What Can We Sell Them?: Data Collection and Targeted Marketing [FN73]
What sets so-called
"women-centric" sites apart from traditional real space, hard copy
women's magazines is that, in addition to providing content and subjecting
readers to advertisements, these sites can record which articles we read and
which ads catch our eyes, collecting reams of intimate personal data from each
person who accesses the site. [FN74] Computers can gather, store, sort,
retrieve, and *644 disperse previously incomprehensible
quantities of data. [FN75] As one observer stated:
It's not just that technology collates existing information like public records
in new and ways. It also creates new kinds of information. One of the most
interesting is "clickstream" monitoring, a page-by-page tracking of
people as they wander through the Web. Your clickstream reveals your interests
and tastes with unnerving precision. (Did you go from slate.com to a Volvo
dealer's Web site? Did you then buy some brie from peapod.com, the online
grocery? You may be one of those limousine liberals we've been hearing about.)
And when Web merchants combine clickstream analysis with another new software
technique known as "collaborative filtering," which makes educated
inferences about your likes and dislikes based on comparing your user profile
with others in the database, they have a marketing tool of high potential not
only for customer satisfaction but also for abuse. [FN76]
One Internet security consultant demonstrated that a data miner could easily
collect our names, street addresses, e-mail addresses, birthdays, transactional
information, and insight about products that interest us after we had visited
fewer than ten web sites. [FN77] The collection and assessment of
"clickstream" [FN78] data enables delivery of precisely
directed, sometimes personalized, advertisements. These advertisements are
rabidly sought after by advertisers, so that "targeting" *645
can be as accurately calibrated as possible. [FN79] After an advertisement draws us to a
site, the customization continues.
[What e-commerce companies term] the utopian vision of true "one-to-one
marketing" . . . is predicated on gleaning as much information as possible
about a customer and building a storefront tailored to that particular
individual. After gathering personal data and tracking a shopper's movements
within the site, Internet retailers can display products to suit that
customer's tastes and price range, or list customized specials and sales. [FN80]
As a result, "an Internet user who looks up tourist information about
England on a travel site . . . might be fed ads for airlines flying into
Heathrow Airport and for hotels in London as he checks sports scores." [FN81] Marketing analysis of a "women's
site" web swimmer might therefore transpire as follows: [FN82]
She's reading the articles on weight loss. Cross-reference this with her
shopping records, which indicate she purchases clothing in rather large sizes. Her
income level looks like it could support medication, prepackaged food, a diet
center, and/or a health club, or perhaps we could entice her with a rich line
of desserts and designer chocolates. Her medical records bespeak a family
history of hypertension and heart disease. She has articulated a desire to shed
pounds and increase her level of physical fitness in an online discussion.
She's also *646 worried that she would have trouble maintaining a
healthy diet if she were to become pregnant. Let's send some select banner ads
her way, and some precisely targeted, personalized e-mail advertisements as
well, because effective marketing is the true purpose of this web site, and
marketing in the guise of sisterhood, friendship, and support is the most
potent of all. [FN83]
Online merchants will not voluntarily forgo these opportunities: The concept of
online privacy "is directly at odds with one of the most attractive aspects
of doing business online--the Net's capacity for helping target marketing and
advertising efforts directly at specific users." [FN84] Gerry Laybourne, the self-described
Chairman, CEO, and Founder of Oxygen Media, has boasted:
70% of women cannot stand the way America advertises to them. It's insulting.
It's demeaning. It doesn't understand what motivates them. And they don't want
to be sold. They want to buy, they want information, and they want to be talked
to as real human beings. And I know this from what we did with Nickelodeon,
where the same stereotypes were held for kids. And it is amazing what you can
do when you like your audience, you're an advocate for your audience and you're
on their side. [FN85]
Oxygen Media and its competitors may indeed do "amazing" things for
its corporate clients, after we freely provide the tools--copious amounts of
our personal data. Once the data is disgorged and tabulated, we are placed
squarely in vendors' sights, with our cyber-bull's eyes clearly e-outlined,
ready to be aimed at. We are simply prey. The chief executive of Women.com,
after describing techniques for luring women to and through a web site with
quality content, enthused, "For advertisers, it's fantastic because you're
catching a consumer right in flight." [FN86] Targeted marketing techniques can
significantly increase the response to an advertisement and web sites can
correspondingly charge a premium for delivering ads aimed at certain users. [FN87] One company has even patented a
"[m]ethod and apparatus *647 for determining [the]
behavioral profile of a computer user." [FN88] This method "provides targeting of
appropriate audience based on psychographic or behavioral profiles of end
users" that are formed by "recording computer activity and viewing
habits" for the purpose of "continually auto-target[ing] and
customiz[ing] ads for the optimal end user audience." [FN89] Targeted advertising has been called the
"Holy Grail" of the online advertising industry because it allows
publishers to charge higher rates based on a perception of enhanced efficacy. [FN90]
Women's sites with compelling content will certainly make their owners wealthy.
As one commentator observed, "The Internet has changed the characteristics
of information. It used to be that a bank robber would go to a bank to steal
money. Now the information about customers is almost as valuable as the
financial assets themselves." [FN91] Another opined, "The Internet is an
absolute gold mine" of exploitable personal information. [FN92] Still others stated, "The digital
deposits of . . . [online] transactional details are so deep that the practice
of exploiting their commercial value is called 'data-mining,' evoking the
intensive, subterranean, and highly lucrative labors of an earlier age." [FN93] At least one commercial web site
illustrated just how valuable it considered consumer data when it downgraded
customers' ability to evaluate its products by cutting a zoom feature in order
to free up bandwidth--so it could "employ a sophisticated database that
can track inventory as a user enters the site and can serve registered
customers *648 images of items they might like." [FN94] Further evidence of the value of personal
information is provided by the actions of Free-PC.com. [FN95] This company gave away 10,000 computers
to individuals who were willing to provide extensive demographic data and
accept a constant stream of advertisements; a host of other companies
providing ostensibly "free" goods and services over the Internet supply similar evidence. [FN96]
Meanwhile, web sites encourage web swimmers to "shop naked." [FN97] Presumably, the intended meaning is that
we can e-shop as we are, without toting children, hiring babysitters, applying
make-up, or even bothering to dress. A second denotation is more ominous--shop
naked because we are figuratively nude. Netscape and its clients know
everything about us; our personal flaws and most intimate attributes have been
stripped from us and are known to all. We are e-naked while we e-shop on the
Internet. The more we shop, the more exposed we become. As two observers
articulated, "Imagine walking through a mall where every store,
unbeknownst to you, placed a sign on your back. The sign tells every other
store you visit exactly where you have been, what you looked at, and what you
purchased. Something very close to this is possible on the Internet." [FN98] It is not only our online transactions
that will define us in cyberspace. Some Internet marketers, in an effort to be
fully comprehensive, will "[combine] information gathered from people
online with vast stores of data on *649 these same people kept by
companies that compile traditional mailing lists." [FN99] Indeed, "[a] series of initiatives .
. . are converging to transform the browse-and-surf Internet into a giant
information exchange, one that features a tug-of-war between consumers and Web
sites for everything from e-mail addresses to shoe sizes." [FN100] Paul Schwartz has described this as
"the privacy horror show currently existing in cyberspace." [FN101] In the future, even our home appliances
may contribute information to our marketing profiles. [FN102]
Sometimes data collected on us will be used to deny, rather than sell us
material things. [FN103] A newly formed debit credit bureau
"will combine data from full credit reports with demographics and other
information 'mined' from various computer sources. A computer-generated credit
score will [then] determine whether a store should accept an individual's debit
card." [FN104] Related practices, involving use of a
person's banking, insurance, credit card, brokerage transactions records (and,
conceivably, cyber-indicia of race, age or religion) to determine whether she
is too risky a candidate to receive a loan or line of credit, have been
christened "digital redlining." [FN105] In other instances, data derived from a
collective us will be used to maximize certain types of popular content and
minimize or eliminate features that are less frequently accessed, thereby
denying desired content to individuals with less mainstream interests. [FN106]
*650 Commercial entities track which advertisements lure
particular web swimmers without warning us that in the process of learning
about a product or service, we are also educating merchants and advertisers
about ourselves. In "real space," consumers who might answer surveys
or participate in focus groups could hardly do so without some awareness that
they were giving information or being observed. Sitting alone in a room in our
homes, with a computer we have purchased, swimming the web on time we are
paying for, is not an activity we would expect to have extensively monitored.
We might expect our online purchases to register, and of course they do. But
individual Internet services amass detailed records of who uses their sites and
how the sites are used, and can then cooperatively pool data "into a
central database containing digital dossiers on potentially every person who
surfs the Web." [FN107] In fact, even the act of placing objects
in online "shopping carts," but later declining to purchase them, is
closely observed.
Using this information, online merchants can then devise ways to convert
browsers to buyers, such as by giving shoppers fewer opportunities to abandon
purchases to maximize impulse spending. [FN108] Borrowing (and trampling) a cliche
familiar to lawyers everywhere, this has been characterized as "'mak[ing]
a consumer's purchase decision as slippery a slope as possible."' [FN109] One online department store actually
pursues shoppers who abandon large purchases, calling or e-mailing them to try
to close the sale, identifying them with information knowingly or unknowingly
provided. [FN110]
There is a snowball effect too. The more information an entity has about us,
the more they are able to collect. Information from credit card purveyors
documents not only our creditworthiness, but also our travels by recording
airline or train tickets, rental cars, gasoline purchases, and hotel charges.
Information from food markets gives big clues about our consumption of fat,
sugar, red meat, cigarettes, and alcohol, as well as how many servings of
fruits and vegetables *651 we are likely imbibing. Simply paying
for a purchase by credit card may also provide the vendor with our social
security numbers. [FN111]
Web merchants lure women to
putatively supportive sites, learn about our frailties and desires in the
context of the articles we read, the discussion groups we post to, the chat
rooms we visit (and what we say when we are there). In the guises of
helpfulness and sisterhood, they then use this information to sell us products
and services, free of targeted intervention, for which we have not expressed or
entertained desires or needs. [FN112] As Jerry Kang observed:
After all, personal information is what the spying business calls
"intelligence," and such "intelligence" helps shift the
balance of power in favor of the party who wields it. . . . [A]nother's control
of our personal information can make us susceptible to a whole range of
ungenerous practices. It could subject us to influence that crosses the line
between persuasion and undue influence. Sophisticated advertisers, for example,
do not merely track consumer demand; they manufacture it outright. Detailed
knowledge of who we are and what we consume makes the job of preference
fabrication that much easier. [FN113]
The insidious effectiveness with which a marketer can infiltrate and co-opt a
discrete subculture is exemplified by Nike's successful campaign to market
shoes to skateboarders. [FN114] After discerning that skateboarders felt
victimized by intolerant police officers and local government officials, Nike
produced an ad that humorously asked what it would look like if other athletes
were harassed and fined the way skateboarders apparently routinely are. [FN115] By acknowledging and harnessing feelings
of persecution, Nike calculatedly transformed itself from an enemy into a
sympathizer, bringing the skaters "into the brand's fold." [FN116] The one-to-one marketing possible over
the Internet will give Nike and other companies the power to ascertain,
collect, monitor, and manipulate not only the emotions and perceptions of
subcultures, but also of individuals.
*652 Data mining, data aggregation, and data distribution in
cyberspace also perpetuate targeted "direct marketing" in real space.
By acquiring and compiling information about individuals, direct mailers can
eschew mass mailings in favor of customized pitches and marketing niches,
improving their bottom lines. [FN117] No trees are saved in the process,
though. "Junk mailings" actually increased in 1998 and appear to be
stoked, rather than usurped, by the Internet and the information it provides. [FN118]
It should be noted that some of the people deriving wealth from women accessing
these and other women-directed sites are in fact other women. While the folks
making millions from hardware and software are radically disproportionately
male, the consumer service and marketing aspects of e-commerce have brought
cognizable numbers of women into the web e-conomy. [FN119] Some argue that simply bringing more
women into the design, application, and evaluation of new technologies will
integrate women into cyberspace in a healthy, productive way. [FN120] We might reasonably anticipate that just
as the involvement *653 of smart, talented women in enterprises
such as Oxygen Media will result in better online content, the involvement of
women in developing technology will inevitably lead to better technology.
However, in both cases, the end result will be attempts to sell more goods and
services to women--either by advertising the goods and services on high quality
women-oriented sites or through inventions embodying technology developed by women.
The assumption that being enticed to buy more things benefits women is
bolstered, rather than questioned. [FN121]
Datum by datum, woman by woman,
the cyber-definition of "female" is being constructed. One observer
remarked that reading about the behavioral studies and statistical sum-ups that
advertisers create made her feel like "a discarded lump of target-audience
Spam." [FN122] Compilers of her information will decide
what she means in cyberspace. [FN123] Derivative e-stereotypes, braced by a
plenitude of personal *654 information, will appear scientific
and incontrovertible. [FN124] Aggregations of data will certify to
entities engaged in commerce:
This is what older cyber-women want to wear, that is what younger cyber-women
want to read, these are the toys that appeal to middle class cyber-women with children,
those are the hats and wigs likely to be purchased by cyber-women undergoing
chemotherapy.
Data collectors thus position themselves as interpreters of the popular will.
Women.com deserves special mention for proclaiming that it had conducted research
demonstrating that all women fall into one of six categories, or
"psychographic segments" for net marketing purposes: Pillars, Movers,
Trendsetters, Believers, Breadwinners, and Explorers. [FN125] Meanwhile, an advertising agency, with
many online clients, subdivides mothers into a mere four assemblages: June
Cleaver: The Sequel, Tug of War, Strong Shoulders, and Mothers of Invention. [FN126]
Additionally, online activities may also be monitored for social science
research purposes that may or may not have a direct relationship to commerce,
making web swimmers unwitting subjects of research without their consent. [FN127] Chat rooms and "clickstreams"
are tools that can be utilized, for example, either by anthropologists in
academia or "industrial anthropologists" who are employed by
companies to study consumer behavior. [FN128] The advertising firm Ogilvy & Mather
overtly recruits "anthropology Ph.Ds who have 'no ideological or moral
objections to consumption/materialism."' [FN129] Behavioral *655 scientists
are also employed to observe consumers and, ultimately, to persuade them to
make certain purchasing decisions. [FN130]
It has been argued that extensive, nonconsensual observation is in tension with
human dignity, in part because it interferes with exercises of choice and leads
inexorably to self-censorship. [FN131] Such observation can also sell a lot of
sneakers. Nike marketers embarked on "an ethnographic fact finding
tour" of high school girls' basketball in meet space, and based on its
findings, the company invented a replica girls' high school basketball team,
which was "made the subject of intentionally low-budget-looking commercials
that document the team's arduous, unsung road to a fictitious state
championship." [FN132] Consumers found the faux authenticity
very convincing. [FN133] The ability to cheaply and efficiently
collect reams of data in cyberspace will enable much smaller, less wealthy
companies to fabricate their own targeted marketing campaigns.
Ironically, while we may be targeted individually for marketing purposes, the
only content that may ultimately be available to us is what is demonstrably
popular to the masses (via "clickstream" accretion), which we may
find bland and unoriginal, or even patently offensive. One journalist observed,
"The more we learn about exactly how much and why you like us, the less
excuse we'll have to rely on our own judgment." [FN134] He further noted:
In print publications, certain departments depend on an at best fragile feeling
of editorial obligation to keep them running; rare is the magazine that can
justify a book review section--not to mention, *656 say, dance or
visual arts coverage--on readership alone. Glamour magazine couldn't even
justify continuing the only women-in-politics column in a major women's mag,
killing it last fall. Improved metrics could only worsen this tendency. The
online-media business is already founded on mealy-mouthed rationalizations
about how editorial/business compromises--commerce links next to articles,
selling placements within search-engine results--are really just foresighted,
win-win strategies to empower users and give them what they want. As we
[journalists] get better and better at giving readers exactly what they want,
what will be the percentage in trying to give readers what we think they need? [FN135]
Desirable online content may still be unavailable if we do not wish to provide
personal information. [FN136] Even when we are willing to capitulate,
we may still be denied access if we do not have a large enough income or fit
other demographic criteria. [FN137] According to at least one webtrepreneur,
"[t]he Web of the future will be all about 'coach, business and first
class.'" [FN138] Consumers may be categorized by
variables such as income and purchasing habits. [FN139] Content would be made available to them
based on whether they occupied "basic, gold, [or] platinum tiers." [FN140] Digital redlining can be "employed
to determine who gets--and who is excluded from--all kinds of opportunities
like jobs, housing and education." [FN141]
The use of e-data for e-stereotyping will not be limited to women. Dispersal
and collection of personal data online has comparable ramifications for
cognizable demographic groups such as racial minorities. [FN142] At present, companies are more
interested in "women" than they are in "minorities" per se
because women do most of the *657 shopping across racial lines. [FN143] As more racial minority members gain
Internet access, race specific sites will undoubtedly develop apace. [FN144] These sites will likely feature quality
content intended to draw the targeted group to the site, where data will be
collected and reactions to specific content offerings will be measured and
evaluated. [FN145] Site visitors will be exposed to
advertisements tailored by racial expectations and stereotypes, which in turn
may be "verified" or "fine-tuned" by data that is reaped. [FN146]
One could argue that the right to
privacy is a platform from which to wrest control of our personal information.
Certainly, a privacy-based approach would be doctrinally preferable to those
aghast and appalled at the prospect of expanding the scope of intellectual
property protection in the manner discussed below. However, it is not *658
likely to be successful. [FN147] We certainly do not have personal
information privacy at the moment. We are not like Europeans, who are protected
by "strict and broad data privacy laws that protect personal information,
like where a citizen lives, what [s]he buys, and how much money [s]he
makes." [FN148] The only recent data protection law
enacted in the United States protects only children.
A. The Children's Online Privacy Protection Act
The Children's Online Privacy Protection Act [FN149] ("COPPA" or "Act")
was passed in October of 1998. This Act requires a "website or online
service directed to children" to obtain verifiable "parental
consent" prior to collecting individually identifiable personal
information from children under the age of thirteen. [FN150] Parents are also to be provided access
to personal information collected about their children and the opportunity to
prevent further use or collection of this personal information. [FN151] Commercial web site operators are
further required to "establish and maintain reasonable procedures to
protect the confidentiality, security, accuracy, and integrity of personal
information collected from children." [FN152]
The Federal Trade Commission ("FTC") is the agency charged with
promulgating regulations to implement COPPA. On October 20, 1999, the FTC
issued the Children's Online Privacy Protection Rule [FN153] *659 ("Rule"),
which went into effect on April 21, 2000. The Rule requires certain commercial
web sites to obtain parental consent before "collecting, using, or
disclosing" personal information from children under thirteen. FTC
Chairman Robert Pitofsky asserted, "The rule meets the mandates of the
statute. It puts parents in control over the information collected from their
children online, and is flexible enough to accommodate the many business
practices and technological changes occurring on the Internet." [FN154] COPPA's implementation was driven partly
by a March 1998 survey of 212 commercial children's web sites, which found that
"while 89 percent of the sites collected personal information from children,
only 24 percent posted privacy policies, and only one percent required parental
consent [for] the collection or disclosure of children's information." [FN155]
COPPA applies to commercial web sites and online services "directed to
children that collect[ ] personal information from children or . . . that ha[ve]
actual knowledge that [they are] collecting personal information from . .
. child[ren]" under thirteen. [FN156] These sites will be required to provide
site-based notice about their policies with respect to the collection, use, and
disclosure of children's personal information, and (with certain statutory
exceptions) to obtain "verifiable parental consent" before
collecting, using or disclosing personal information from children. COPPA
defines "verifiable parental consent" as "any reasonable effort
(taking into consideration available technology) . . . to ensure that a parent
of a child . . . authorizes the collection, use, and disclosure" of a
child's personal information. [FN157]
The Rule "temporarily adopts a 'sliding scale' approach that [enables] Web
sites to vary their consent methods based on the intended use[ ] of the child's
information." [FN158]
For a two-year period, use of the more reliable methods of consent [, such as]
print-and-send via postal mail or facsimile, use of a credit card or toll-free
telephone number, digital signature, or e-mail accompanied by a PIN or
password[,] will be required only for those activities that pose the greatest
risks to the safety and privacy of children--i.e., disclosing personal
information to third parties or making it publicly available through chatrooms
or other interactive activities. [FN159]
*660 "For internal uses of information, such as an
operator's marketing back to a child based on the child's personal information,
operators will be permitted to use e-mail, as long as additional steps are
taken to ensure that the parent is providing consent." [FN160] The Rule requires operators to
"give the parent the option to consent to the collection and use of the
child's personal information without consenting to disclosure of his or her
personal information to third parties." [FN161]
However, the Rule also "sets forth several exceptions to the requirement
of prior parental consent that permit operators to collect a child's e-mail
address for certain purposes." [FN162] "For example, no consent is
required to respond to a one-time request by a child for 'homework help' or
other information." [FN163] "In addition, an operator can enter
a child into a contest or send a child an online newsletter as long as the
parent is given notice of these practices and an opportunity to prevent further
use of the child's information." [FN164] "The Federal Register notice
accompanying the [R]ule makes clear that [it] covers only information submitted
online, . . . not information requested online but submitted offline." [FN165] This exception creates a potentially
large loophole through which companies can circumvent COPPA strictures. [FN166] Moreover, the "personal
information" referenced in *661 COPPA is defined as
"individually identifiable information about an individual collected
online." [FN167] Asking a child about her age, gender,
height, weight, grade in school, interests, habits, hobbies, pets, friends, zip
code, even her first name (only) and then recording her preferences and
movements online would not be susceptible to COPPA regulations as long as her
first and last name, address, phone number, or other contact information was
not solicited. [FN168]
Additionally, the Rule makes clear that schools can act as parents' agents, or
as intermediaries, between web sites and parents in the notice and consent
process. [FN169] In an age of advertisements, corporate
sponsorships, product placements, and Channel One in schools, this loophole is
potentially cause for concern. [FN170] Companies may seek to trade cash for
student access and data, and schools are empirically likely to acquiesce. [FN171] America Online ("AOL") has
offered free service to schools nationwide, purportedly to build brand loyalty
and create *662 a generation of future AOL customers. [FN172] AOL claims that no marketing information
will be gathered on students because they will use only a first name and a
password to access the service in school. [FN173] However, while it is possible that
personally identifiable information will not be collected, it defies credulity
that AOL will pass up a golden opportunity to collect aggregate marketing
information about school children utilizing this "free" access. While
few web marketers wanted to openly oppose the viscerally appealing concept of
protecting children online, most argued that COPPA should impose the least
restrictive consent requirements possible, and successfully opposed parental
control of data after consent has been obtained. [FN174]
B. The European Union's Data Protection Directive
Ultimately, in terms of protecting the privacy of personal information,
COPPA compares unfavorably to the European Union's Data Protection Directive
("Directive"). The Directive requires entities collecting data to
inform citizens what their data will be used for, provide citizens free access
to data about themselves, the ability to correct false information, and notice
and opportunity to "opt out" of data transfers to third parties. [FN175] European citizens have the specifically
enumerated right:
*663 [To] object, on request and free of charge, to the
processing of personal data relating to him which the controller anticipates
being processed for the purposes of direct marketing, or to be informed before
personal data are disclosed for the first time to third parties or used on
their behalf for the purposes of direct marketing, and to be expressly offered
the right to object free of charge to such disclosures or uses. [FN176]
The Directive is premised on "the fundamental idea that 'my' personal
information is none of 'your' business." [FN177] It "treats privacy as a basic human
right and seeks to protect individuals against violations of the right . . .
and says to other countries that it is none of their business to intrude on the
privacy rights of persons in the European Union." [FN178] By contrast, "the United States
does not have a single, comprehensive privacy law or agency charged with
administering such laws," [FN179] reflecting a nation more concerned with
commerce and less with individual rights. [FN180] The Directive gives more data privacy
protection to European adults than COPPA gives to American children. Possible
explanations for the differences between the data privacy regulatory cultures
in the United States and Europe include hypotheses that Americans are more
trusting of the private sector; that Americans believe the mass media will expose
market sector privacy abuses; that Americans believe technology can solve the
problem; and that *664 Americans are more wary of government
regulation. [FN181] Europeans, it is posited, prefer to err
on the side of overprotection of personal data because they view informational
privacy as a fundamental right of citizens. [FN182] Americans, on the other hand, "are
more likely to cherish the principles embodied in the First Amendment--which
favors a free flow of information--as fundamental human rights." [FN183]
The European Union's Data Protection Directive is intensely disliked by
American companies that do not want to comply with it when engaging in
e-commerce overseas. [FN184] They are specifically concerned about
provisions that give individuals and private organizations the right to sue
companies that do not provide adequate privacy protections. [FN185] United States' commercial interests are
pushing for the ability to have access to European data, while agreeing only to
self-regulation, and to have "safe harbor" status for certain
business practices. [FN186] These discordant views of privacy
oversight are currently the subject of international negotiation. [FN187] Even if the safe harbor approach is
adopted, as appears likely, Americans will not get the same privacy protections
as Europeans, rendering us, from a privacy standpoint, "second-class
citizens in [our] own country." [FN188]
*665 C. The United States' Approach to Privacy Protection
The United States' legislative approach to informational privacy is best described
as piecemeal. By way of illustration, cable subscription records and video
rental records have statutory privacy protections, but medical records do not. [FN189] As a result of the gaping holes in
privacy protection, information about us circulates widely without our control,
or even our awareness:
Finding out what agencies have information on you is tricky--if not impossible.
The number of bureaus that have the potential to get information on you has
soared amid technological advances that have made data processing cheaper and
faster than ever. The spread of personal information is also facilitated by
so-called information brokers, who make it worth the major credit bureaus'
while to sell data. These brokers buy data in bulk and then sell it in smaller,
more affordable portions to other agencies. Smaller agencies have also been
empowered by information-sharing with their clients. If you bounce a check at
Macy's, for example, the department store will share that fact with a
monitoring service. That service, in turn, will warn Bloomingdale's when you
try and write a check there. [FN190]
Players in the information industry, who profitably buy, collect, and sell huge
data banks of personal information about Americans, have successfully lobbied
against government regulation of most of their practices. [FN191] The Clinton administration asserted that
"U.S. companies should not be forced to give people access to personal
information about themselves" and actively opposed the adoption of broad
privacy safeguards. [FN192] When President Clinton spoke in favor of
consumer *666 privacy, his focus was primarily on individual
financial information and medical records, rather than general personal data. [FN193] While he has, on occasion, spoken in
favor of expanding general consumer privacy, he has not backed his words with actions.
[FN194] Quite the contrary, his administration
recently declined to support a proposal by the Federal Trade Commission for
Internet consumer privacy legislation. [FN195]
Members of Congress who express concern about data privacy seem primarily
focused on potential privacy violations by the government and do not seem troubled
by intrusions by commercial entities. *667 [FN196] Congress has promulgated statutory
restraints upon law enforcement's ability to collect data related to phone records,
[FN197] cable subscriber records, [FN198] video rental records, [FN199] credit reports, [FN200] and medical records. [FN201] It also enacted the Driver's Privacy
Protection Act, [FN202] which prohibits state motor vehicle
registration agencies from disclosing personal information about its drivers
without their express *668 consent. [FN203] These are all prohibitions on the "jackbooted
thugs" of government and largely do not affect the jackboot-selling agents
of commerce, except to the extent private entities acquire data from government
sources. The Privacy Act of 1974, [FN204] the United States' most comprehensive
privacy law to date, addresses the automation of records held on individuals by
the federal and state governments, but not those gathered by private entities. [FN205]
1. Self-Regulation
In July of 1999, the FTC released
a report entitled "Self-Regulation and Privacy Online: A Report to
Congress." [FN206] The FTC concluded that "legislation
to address online privacy is not appropriate at this time" because
"self-regulation is the least intrusive and most efficient means to ensure
fair information practices [online], given the rapidly evolving nature of the
Internet and computer technology." [FN207] By May of 2000, however, the FTC
appeared less enamored of self-regulation, and voted to ask Congress for new
regulatory powers over collection and use of consumer information on the
Internet. [FN208] The FTC actually floated a proposal for
legislation to protect consumer privacy on the Internet, but it was rejected by
both the Republican-*669 controlled Congress and the Clinton
administration. [FN209] The FTC's newfound interest in consumer
privacy originated not out of an independent concern for individual
informational integrity, but as a result of trepidation that privacy concerns
hamper the growth of online retail sales. [FN210]
Private sector efforts at self-regulation have emerged, including
"seal" programs such as those administered by TRUSTe, [FN211] the Better Business Bureau's Online
Privacy Program [FN212] ("BBBOnLine"), and the Online
Privacy Alliance. [FN213] Commercial web sites that carry an
online "seal," a unique logo, purport to subscribe to a corresponding
set of privacy principles articulated by the organization providing the seal. [FN214] Use of such seals is not particularly
widespread at present. [FN215] *670 Moreover, purveyors
of seals may be paid by sites to post their symbol, which presents an inherent
conflict of interest. Giving a web site a poor privacy rating may lower
consumer participation and the site's revenues. [FN216] In addition, the efficacy of TRUSTe in
particular appears dubious. A security expert discovered that TRUSTe licensee
RealNetworks [FN217] was secretly collecting personally
identifiable information on what users were playing and recording from
consumers using its RealJukebox software. [FN218] RealNetworks did not disclose its
extensive information gathering practices in the long privacy policy posted on
its web site, nor in the licensing agreement users approved when installing the
RealJukebox program. [FN219] TRUSTe distinguished the RealJukebox
software from the RealNetworks site where the software was downloaded. [FN220] TRUSTe maintained that the web site was
what had earned the TRUSTe seal and the software available at the site was
outside of the seal's purview. [FN221] TRUSTe's CEO has publicly conceded that
even a site that collects consumers' e-mail addresses and then sells them to a
direct-marketing company could *671 "earn" the TRUSTe
seal. [FN222] He also conceded that TRUSTe has never
removed its seal from a site for bad behavior and that very few sites get
rejected from the seal program. [FN223]
The pressure on privacy seal companies to keep their privacy requirements mild
and corporate friendly is illustrated by an exchange between BBBOnLine and
eBay, [FN224] the online auction company. [FN225] After BBBOnLine investigated a consumer
complaint against eBay, it rendered a decision criticizing eBay for not
informing eBay users what purposes their personal information was being used
for in some contexts. [FN226] The decision concluded that eBay needed
to take corrective action to conform to BBBOnLine privacy policies. [FN227] In response, eBay stated that it
believed that BBBOnLine had "erroneously accepted" the consumer
complaint, had "subsequently mishandled resolution of the complaint,"
and had "demonstrated its complete lack of understanding of both the
Internet and software." [FN228] After pointing out that it far preferred
the resolution of this issue proffered by TRUSTe, eBay concluded its diatribe
against BBBOnLine by announcing "[I]t is with great regret that eBay
announces that it will withdraw from the BBBOnLine program, should this matter
not be satisfactorily resolved." [FN229] If other BBBOnLine participants take
criticism as poorly as eBay, BBBOnLine will have to choose between maintaining
a credible seal with fewer subscribers, or watering down its privacy policies
and enforcement practices. Overall, there is little reason to hope that seal
programs, as currently constituted, will advance informational privacy very far.
[FN230]
*672 2. Asking Big Brother for Assistance
Opinion polls have indicated the
public's desire for government regulation of online data collection. [FN231] However, even if the government could be
persuaded to protect consumer data, it is uncertain what the scope and nature
of that protection would ultimately be. [FN232] Not everyone is comfortable having the
government make decisions about who gets access to our personal information. As
one commentator noted:
It's ironic that Americans are asking for privacy protection from the same
government that has in the last few years expanded electronic surveillance
beyond Richard Nixon's wildest dreams--always with an appeal to public fear and
mistrust. Federal agencies are creating centralized databases to track every
new job hire in the country (to catch illegal immigrants and deadbeat dads), to
make sure that welfare recipients don't overstay their five years by changing
states and to provide instant "terrorist" profiling to airport
security agents. The country has not hesitated in the last few years to wipe
out the civil liberties of whole swaths of the population in futile gropes for
greater public security that's never attained. [FN233]
In the name of curbing crimes such as terrorism, identity theft, and retail
fraud, the government actively thwarts sales and development of technology that
would improve privacy in electronic communications. [FN234] The government often seems as eager as
commercial *673 entities to collect information about citizens. [FN235] For example, it was recently reported
that a company that built a national database of driver's license photographs
received extensive financial support from Congress and technical assistance
from the United States Secret Service. [FN236] In the closing days of the 105th
Congress, the Clinton Administration proposed that the federal government's
"New Hires" database, ostensibly authorized to track down parents who
were failing to pay child support, be made available to the Department of
Education for tracking down defaulting student loan holders. [FN237] Personal information is as attractive to
the government as it is to the private sector. [FN238] As one observer noted, "Now that
financial data are compiled and stored digitally, it is cheap, easy, and
tempting for the government to cast a wider and wider financial dragnet to
build increasingly intrusive computer profiles of citizens." [FN239]
3. Bartering Information for Access
Along with asserting that
collecting our data helps commercial interests serve us better and perpetuates
"female empowerment," [FN240] web site merchants also argue that if
consumers accept an offer for free content in exchange for personal
information, there is an information exchange that does not infringe upon
privacy interests. [FN241] This would be a reasonable position if
the terms of the exchange are mutually understood and agreed upon, and if the
freely conferred information is not subsequently divulged to others, nor used
for any unintended, undisclosed purposes. However, as Jerry Kang noted,
"For numerous reasons, such as transaction costs, individuals and
information collectors do not generally negotiate and conclude express privacy
contracts before engaging in each and every cyberspace transaction." [FN242]
In a related vein, Paul Schwartz has pointed out that the cyberspace use
of personal data "helps set the terms under which we *674
participate in social and political life and the meaning that we attribute to
information-control." [FN243] By this, he means that
"consenting" to the terms and conditions of web site access or an
Internet transaction superficially appears to represent an informed
"exercise of self-reliant choice." [FN244] However, these terms and conditions are
offered on a take-it-or-leave-it basis, which severely constrains consumer
choice, and "locks in" a low level of privacy. [FN245]
Even if consumers were able and willing to bargain over collection and
disclosure of their personal information in an intelligent and informed
fashion, data collectors may, for efficacy and utility reasons, be disinclined
toward negotiating with consumers in a transparent and straightforward manner. [FN246] American data merchants are generally
loath to rely exclusively on voluntary "information exchanges." This
dislike is based on empirical evidence that when individuals are directly and
openly confronted with a request for information, they are unwilling to part
with it without compensation and may not agree to divulge it at all. [FN247] For example, people resist filling out
online registration forms, which seem invasive, and do not have a real space
counterpart. [FN248] As one commentator noted, "Imagine
going to a 7-Eleven to buy a can of Coke, and having to fill out a
registration form that asks you about marital status." [FN249]
Jerry Kang has persuasively argued that individuals do not generally have
enough information to know the value of their personal data. [FN250] Perhaps we do not feel
"robbed" when it is taken, but many people do feel invaded at some
level. Recent studies have indicated that "Internet users are increasingly
uncomfortable with the amount of personal data gathered by online companies . .
. as online companies [are] becom[ing] more aggressive about collecting that
information." *675 [FN251] One study found that 87% of people
online want "complete control" over their personal data. [FN252] Jerry Berman and Deirdre Mulligan
recounted:
[S]everal recent incidents involving the sale and disclosure of what many
perceive as less sensitive information indicate a rising of privacy concerns
among the public. In recent years, a number of corporations . . . have learned
the hard way that consumers are prepared to protest against services that
appear to infringe on their privacy. In 1996, public criticism forced
Lexis-Nexis to withdraw a service known as P-Trak, which granted easy online
access to a database of millions of individuals' Social Security numbers. Also
in 1996, Yahoo faced a public outcry over its People Search service. The
service, jointly run with a marketing list vendor, would have allowed Net
searchers to put an instant finger on 175 million people, all culled from
commercial mailing lists. After hearing the complaints, Yahoo decided to delete
85 million records containing unlisted home addresses. During August of 1997,
America Online ("AOL") announced plans to disclose its subscribers'
telephone numbers to business partners for telemarketing. AOL heard loud
objections from subscribers and advocates opposed to this unilateral change in
the "terms of service agreement" covering the use and disclosure of
personal information. In response, AOL decided not to follow through with its
proposal. [FN253]
Moreover, an April 2000 study by a market research firm determined that
"[a] notable 92% of online households agree or agree strongly with the
statement, 'I don't trust companies to keep personal information about me
confidential, no matter what they promise.'" [FN254] This mistrust is not misplaced. By way
of illustration, "Gizmoz" is a technology that "uses consumers
to pass along marketing messages and content embedded in email to develop a
'viral network.'" [FN255] "Viral *676
marketing" is a technique used to spread information from person to person
like a virus, so that consumers are provided with incentives to effectively
become part of a company's sales force, and pass marketing messages to their
friends and acquaintances. [FN256] Gizmoz's technology then leaves an
electronic trail that marketers can follow to see where content and promotions
go. [FN257] A major Gizmoz investor publicly
asserted that "privacy is a key concern of Gizmoz and the company does not
request nor pass on private information about individuals." [FN258] Gizmoz's terms-of-service agreement
tells a very different story, stating that users "should not have an
expectation of privacy in (their) account." [FN259]
Allowing a user to opt in to a data collection scheme puts a web swimmer on
notice that she is being watched and followed, and gives her the opportunity to
obfuscate or to say no to such practices. However, if she accedes to a site's
practices, knowing that her "clickstream" is being observed and
recorded will cause her to self-censor, compromising the data collected. [FN260] Passive, sub rosa data collection
techniques are therefore preferred by database assemblers to straightforward
requests for personal information, as they do not cost anything, nor draw
attention to the nature or scope of the data mining that is occurring. Passive
collection may also prove more accurate, as "[s]urvey after survey has
indicated that online users resent being asked for personal information, don't
trust companies that do ask for such information and often--as much as 25 percent
of the time--enter false information when prompted for personal details." [FN261]
Ironically, the commercial enterprises so eager to collect or take advantage of
consumer data collections hypocritically object when data is collected by
others about their consumer bases or commercial activities. In some instances,
web publishers and advertising agencies quarrel with each other concerning
exclusive ownership of our *677 data. [FN262] Once companies have assembled databases,
many would like to impose criminal penalties on others that steal
"their" information. [FN263] Of course, even though corporations may
not be able to protect their data by invoking a right to privacy, they are able
to do so using contract, tort, and intellectual property law. [FN264] As Jerry Kang has pointed out:
[A] potent array of unfair competition, trade secret, patent, trademark, and
copyright law, in addition to confidentiality agreements, support an
institution's ability to control various types of information identifiable to
itself. In addition, collective entities often have the wherewithal to employ
self-help security measures so that information in their control flows only in
ways they choose. [FN265]
The possibility of giving individuals similar tools to control our personal
information is explored at the end of this article.
A. Ad-Blocking Software
Web software to block advertising is already available and attractive to
some web swimmers. In addition to keeping advertisements off their screens,
"ad-blocking software can mean faster performance. Files that contain ads
laden with graphics and animation take far longer to load than files with
text." [FN266] Ad-blocking utility programs sometimes
include firewalls intended to prevent intrusions by hackers and other features
that limit or prevent web sites from collecting "clickstream" data
through cookie files. [FN267]
Not surprisingly, most web site operators and advertisers generally both fear
and oppose ad-blocking software, maintaining that it will "clog their
revenue stream, and challenge the fundamental structure of the emerging
Internet industry." [FN268] Use of such software is characterized
not only as unfair but practically bigoted. As one webtrepreneur *678
stated, "The audience already allows overt advertising in mainstream
media, so they must be tolerant in the context of the online model as
well." [FN269] Another maligns the desire for privacy
as deviant and dishonest, analogizing ad-blocking to shoplifting, and asserts
that his site uses "software code that prevents anyone using an ad blocker
from even logging onto the company's site." [FN270] Ad-blocking software poses very high
risks for some companies. For example, when CDNow's marketing budget was
divided by the number of people who make purchases from the site, the result
indicated that the company was spending $45 in advertising to attract each
paying customer. [FN271] Some data collection techniques are kept
intentionally surreptitious, so that web swimmers seeking data privacy will not
even know what to avoid. For example, one simple animated mouse pointer has
been secretly tracking its users' web travels on behalf of companies such as
Yahoo, Lycos, theglobe.com, Warner Bros., Universal Studios, RealNetworks,
MindSpring, M&M/Mars, MSNBC, Energizer, CNET, Comedy Central, United Media,
and Universal Press Syndicate. [FN272] As is sadly typical with many electronic
data collection techniques, this practice was exposed, rather than disclosed.
If an independent software analyst had not figured out that Comet Systems was
using its cursor software for web tracking purposes, the public would still be
unaware that this was occurring. [FN273]
B. Cookie Disablement
"Cookies" in the cyber context are data files created on our own
computer hard drives when we visit a web site. [FN274] Cookie files contain unique tracking
numbers that can be read by the web site, and advertising servers, tracking us
as we swim from one web page to another. [FN275] The technologically proficient can set
our Internet browsers to refuse *679 cookies, but sites that use
cookie files, which includes almost all commercial sites, will then refuse us
access. [FN276]
C. Consequences of Self Help in Protecting Our Privacy
Average web swimmers are aware of some technological solutions to data
collection techniques, such as ad-blocking software and cookie disablement.
These solutions theoretically exist for people who like to look at
advertisements, but do not want their movements through commercial cyberspace
tracked and recorded, as well as for those who prefer to avoid advertisements
altogether. However, such "self help" is easily thwarted by web site
operators who will simply refuse access to web swimmers who will not submit to
banner ads and cookie files. [FN277] Unless web sites are required to accept
visitors who block ads and/or refuse cookies, technology will not effectively
or consistently protect consumer privacy without affecting access. Given the
opposition to regulating the Internet, which flows from so many quarters,
imposition of such requirements seems highly unlikely. Similarly, use of
"anonymizers," [FN278] to the extent they are even held to be
legal, could be blocked by web sites. [FN279] Web sites can require confirmation of
identity before allowing access if they so choose. Some types of cyberspace
transactions make anonymity impractical anyway. For example, when we purchase
goods and services, we have to pay for them and provide an address for
delivery. This requirement could be avoided through extensive pre-planning, but
most people are not likely to be prepared to shoulder the burdens of losing
access to some sites, navigating the *680 complexities of an
anonymous payment system such as digital cash, and obtaining real space
"mail drops" for delivery of tangible goods, in order to avoid
disclosing personal data online. As Paul Schwartz observed:
For the current online industry . . . personal information largely has the
quality of nonrivalrous consumption, which means that one firm's utilization of
it does not leave any less for any other company. As a result, almost all major
Internet enterprises and computer companies benefit from developing standards,
including new technology, that preserve the current status quo of maximum
information disclosure. [FN280]
Data collections will lock in low levels of privacy through collaborative
standard setting, forcing consumers to choose between informational privacy and
the Internet. [FN281]
D. Buying Back Our Privacy
Another technological solution involves companies called
"infomediaries." These companies will, for a price, provide security
mechanisms that help consumers "regain control" over who purchases
their personal data and for what purpose. [FN282] This service takes the quixotic
experience of having to pay extra to have a phone company not publish your
telephone number to new extremes. It would require us to buy back control of
our personal data and means that we would have to make decisions about how much
information privacy we can afford. It would also force us to trust a commercial
entity to manage our personal information for us and to forgo the enticing
profits that exploitation of our data would offer.
Moreover, relying upon technology or technological changes to prevent the
distribution of personal data is likely to provide more information privacy for
wealthier, better educated web swimmers, and less for poorer, less computer
savvy members of the population. Some "privacy rating" services are
available to consumers for free, but are either beholden to the sites that they
rate for income, which creates a conflict of interest, or they subject users to
advertising and give marketers *681 access to user lists. [FN283] As Peter Swire and Robert Litan have
noted:
It can be daunting for an individual consumer to bargain with a distant
Internet merchant or a telephone company about the desired level of privacy. To
be successful, bargaining might take time, effort, and considerable expertise
in privacy issues. Even then, the company might not change its practices. Even
worse, a bargain once reached might be violated by the company, which knows
that violations will be hard for the customer to detect. [FN284]
E. Opting Out of Data Collection
Another purported solution to protect privacy compromised by data
collection is allowing a web swimmer to "opt out" by filling out a
form (online or on paper) asking web entities not to disseminate personal
information. [FN285] This option places the burden on
consumers to be constantly vigilant and possibly fill out a form for every web
site visited, which could quickly get onerous. [FN286] Compounding the arduousness of any
attempt at uniform and consistent opting out is the fact that some sites for
services may require consumers to assert "privacy preferences" more
than once. [FN287] For example, AOL requires subscribers
desiring personal information privacy to fill out an opt out form once a year. [FN288] If they do not submit timely annual
renewal forms, their privacy preferences "expire" and information
collected from their AOL usage may be sold to marketers and other interested
parties. [FN289] Additionally, large-scale data compiler
DoubleClick's opt out system was recently determined to be
"ineffective" with certain versions *682 of the
Netscape Communications web browser. [FN290] Preferences for high security were
reverting back to low security without notice to the user. [FN291] People who had affirmatively opted out
of data collection schemes were secretly, and involuntarily, opted back in to
them. [FN292]
Additionally, opting out of a data collection and distribution framework may
fence the privacy-seeking web swimmer off from content or other perquisites of
a site. The iWon website's so-called privacy policy aptly illustrates this
capability. [FN293] One may access the website without
providing personally identifiable information, but failing to provide such
information renders one ineligible for the "free" daily, weekly,
monthly, and yearly drawings and prize giveaways, the only reason most people
would access the site in the first place. [FN294] The iWon Privacy Policy site touts its
TRUSTe seal and then states in pertinent part:
During registration, iWon collects personal information including your name, address,
email address, birth date, gender, zip code and phone number. After providing
iWon with this information, you are no longer anonymous. You do not have to
provide any personal information to use the iWon service. However, if you
choose to withhold requested information, you will not be registered and you
will not earn entries into the iWon Sweepstakes when using iWon. In addition,
we may not be able to provide you with some of the other services dependent
upon the collection of such information, such as a personalized home page. [FN295]
The entire policy is rather lengthy and discloses that iWon will do just about
anything it pleases with our data, including matching it with personally
identifiable consumer data collected by other entities and selling it. [FN296] The company is therefore unlikely to jeopardize
its TRUSTe seal by not complying with its stated privacy policy, as it would be
virtually impossible for iWon to do anything that ran afoul of its stunningly
broad self-prescribed privacy mandate. Just in case iWon changes its mind, it
reserves the right to modify its privacy policy at *683 any time.
[FN297] The only way site users will learn of
the change is by constantly monitoring the policy and comparing it to earlier
versions. [FN298]
F. Opting In
The mirror image of "opt out" is "opt in," which puts
the burden on a data collector to get an individual's approval of the data
harvesting. Mandatory opt in is one approach to privacy promoted by some online
privacy advocates. However, when and how it could be implemented is unclear. A
federal appeals court recently concluded that an FCC regulation requiring phone
companies to secure opt in style consent from customers before using their
personal information for commercial purposes violated the phone companies' First
Amendment free speech rights. [FN299] Moreover, an opt in scenario would be
efficacious only if full disclosures of the nature and scope of the data
collection were made, with the ability to opt out of any objectionable portions
of whatever plans a web site has for the data.
If sites can exclude web swimmers unwilling to fully opt in to data collection
schemes, this approach will not solve anything. We will be required to opt in
before we can access content and fully utilize desirable aspects of the
Internet. Any freedom of choice associated with opting in will be illusory.
Moreover, an opt in approach does not solve the problems posed by our inability
to value our own data. [FN300] It also raises legitimate concerns for
data collectors about the accuracy of data that is permissively and
transparently obtained. [FN301]