Fred H. Cate
Professor of Law
Louis F. Niezer Faculty Fellow
Director, Information Law and Commerce Institute
Indiana University School of Law--Bloomington
Senior Counsel for Information Law
Ice Miller Donadio & Ryan
Subcommittee on Courts and Intellectual Property
Committee on the Judiciary
U.S. House of Representatives
Privacy in Electronic Communications
March 26, 1998
Professor Fred H. Cate
School of Law--Bloomington
211 South Indiana Avenue
Bloomington, IN 47405
Telephone (812) 855-1161
Facsimile (812) 855-0555
E-mail [email protected]
Mr. Chairman and members of the Subcommittee:
My name is Fred Cate. I am a professor of law, Louis F. Niezer Faculty Fellow, and director of the Information Law and Commerce Institute at the Indiana University School of Law--Bloomington, and senior counsel for information law at Ice Miller Donadio & Ryan in Indianapolis. I am testifying today on my own behalf,(1) as someone who has researched, taught, and written about information law issues generally, and information privacy issues specifically, for more than a decade.(2)
When I was invited to testify today I was asked to address one question: is new Congressional action necessary to protect personal privacy in electronic communications? My answer is "no."
This is not to suggest that the extraordinary proliferation of information technologies and growth in their power and affordability are not presenting important privacy issues, but rather that further Congressional action is premature and likely to be unnecessary altogether. That conclusion is based on four related considerations:
1. Rapid Change
First, we are in the midst, not at the end, of the phenomenal technological innovation that is prompting new concerns about privacy. The World Wide Web, for example, which was first made available to the public in 1992, is now used by more than one-quarter of the U.S. population, making it the fastest-growing medium in human history. By comparison, it took 38 years for radio to reach that percentage of Americans, 13 for television, and 10 for cable. And that dramatic growth is continuing. According to the semi-annual Internet Domain Survey released in January 1998 by Network Wizards, the World Wide Web continues to grow at a dramatic pace. The survey found 29.7 million hosts in January 1998, up from 26 million just six months earlier--a greater than 26% annual growth rate. Five years ago, the survey found only 1.3 million hosts.(3)
The nature of the Internet is changing as well. In 1995, World Wide Web hosts designated ".com" for commercial slightly outnumbered those designated ".edu" for educational institutions--the traditional mainstay of the Internet. The most recent survey, however, shows ".com" sites outnumbering their ".edu" counterparts more than two-to-one.(4) And the disparity may be even greater, because businesses outside of the United States tend to use the abbreviation of their country rather than ".com" as part of their web address.
The fact that we are in the midst of rapid, significant change--not just in technologies but also in the new services, markets, and activities that those technologies are facilitating--argues against legislative action. This is especially true in a field such as information privacy, in which past legislation and judicial interpretation have sought to protect "reasonable expectations of privacy."(5) It is inadvisable to attempt to define "reasonable expectations" of virtually anything while experiencing such extraordinary change.
2. Expansion of Self-Help and Self-Regulation
Second, in recent years we have witnessed not only an increase in concerns about privacy, but also a parallel increase in the tools available to consumers to protect their privacy and in the self-regulatory actions of industries responding to consumer demands. As a result, consumers today have greater opportunities than ever before both to participate in the world around them and to protect their privacy while doing so.
For example, technological innovations such as adjustable privacy protection settings in both Netscape and Microsoft Explorer, encryption software, anonymous remailers, and in fact, the Internet itself all facilitate privacy and individual control over the information we disclose about ourselves.
Many companies are actively competing for customers by promoting their privacy policies and practices. If enough consumers demand better privacy protection and back up that demand, if necessary, by withdrawing their patronage, virtually all competitive industry sectors are certain to respond to that market demand. In fact, when competitive markets exist, consumer inquiries about, and response to, corporate privacy policies are an excellent measure of how much the society really values privacy.
Industry organizations are increasingly providing standards for privacy protection and help to consumers whose privacy interests are compromised. The Direct Marketing Association, for example, operates the Mail Preference Service and the Telephone Preference Service. With a single request to each it is possible to be removed from most DMA-member company mailing and telephone solicitation lists. However, although the Mail Preference Service has been available since 1971, the DMA reports that the service is used by approximately two percent of the U.S. adult population. This suggests that concern over direct mail solicitations is not that great or that the public is unaware of, or not taking the initiative to use, this free service. A proposed use of data can hardly be considered unreasonable if the user gives consumers a meaningful opportunity to object to the use and so few do.
Often, industry associations, such as the Information Industry Association and the Interactive Services Association, have adopted guidelines and principles which may serve as models for individual company policies. Corporate compliance with privacy standards constitutes an increasingly important accolade in competitive markets, particularly among Internet users. Moreover, industry associations can help persuade member organizations to adopt and adhere to industry norms for privacy protection. The DMA, for example, has begun issuing quarterly reports on members who are being disciplined for violating DMA codes of conduct.
A consortium of privacy advocates and software companies has announced the development of a service to make privacy self-help easier on the Internet. "TRUSTe" is a program that rates Internet sites according to how well they protect individual privacy. Internet sites that provide sufficient protection for individual privacy--including not collecting personal information, not disseminating information to third parties, and not using information for secondary purposes--earn the right to display the "TRUSTe" logo.(6)
Considerable privacy protection also exists in private agreements. According to the Bankcard Holders of America Association, merchants are prohibited by their agreement with Visa and Mastercard from requiring a driver's license or telephone number for a credit transaction. Similarly, Visa and Mastercard prohibit the merchants with whom they deal from requiring credit card information to guarantee a check. These restrictions create legal obligations through private contracts that help protect individuals' privacy.
3. Adequacy of Existing Legal Protection
Third, Congress has already provided legal protection for privacy in key contexts, such as financial services, and has created in regulatory agencies, prosecutors, and citizens significant legal rights for protecting individual privacy. The Electronic Communications Privacy Act of 1986(7) is an excellent example. The Act prohibits the interception or disclosure of the contents of any electronic communication, such as telephone conversations or e-mail, or even of any conversation in which the participants exhibit "an expectation that such communication is not subject to interception under circumstances justifying such an expectation."(8) This language creates significant protection and it is sufficiently flexible to both accommodate new technologies and permit individual states to experiment with greater protection. For example, some states have gone beyond the Act's one-party consent rule to require the consent of both parties if a communication is to be recorded.
Perhaps the best example of the power and flexibility of the current legislative regime is the authority delegated by Congress to regulatory agencies, such as the Federal Trade Commission. In the Federal Trade Commission Act, Congress declared unlawful "unfair or deceptive acts or practices in or affecting commerce"(9) and delegated to the FTC the authority to carry out that provision. Pursuant to that statutory mandate, the FTC has been actively examining privacy issues, particularly in the context of the Internet. The FTC has been especially attentive to privacy issues surrounding computerized databases, electronic look-up services, and children's use of the Internet. Although those inquiries are on-going, the FTC, operating under its existing statutory authority, has focused public attention on privacy issues, facilitated the development of industry self-regulation and codes of conduct, identified key principles for meaningful privacy protection, and brought pressure to bear on those companies that are inadequately attentive to consumer privacy issues.
This is not to suggest that there may not at some point in the future be a need for specific, narrowly targeted legislation to deal with privacy issues involving children or sensitive medical information, but rather that existing authority created by Congress is sufficient to deal with most privacy concerns. In short, there is no convincing evidence that new legislation is necessary to deal with privacy issues in electronic communications.
4. Costs of Overprotecting Privacy
Finally, and most importantly, privacy is not an unmitigated good. As a result, efforts to enhance personal privacy should always be evaluated in the context of the costs that those efforts pose to the free flow of information, the development of efficient markets, and the provision of valuable services especially through the Internet.
The debate over privacy today is fundamentally a debate over control of information. Historically, the United States has accorded enormous protection for privacy through legal respect for private property, which allows individuals to separate themselves from each other; a vigorous First Amendment, which permits individuals the privacy of their own thoughts and beliefs; and unparalleled limits, reflected in the First, Fourth and Fifth Amendments, on government authority to intrude on private property, to compel testimony, or to interfere with practices closely related to individual beliefs, such as protest, marriage, family planning, or worship.
As much protection as U.S. law has offered these and other activities, the law has historically afforded equal protection to the freedom to disclose and disseminate information about such activities. This freedom is at the core of the First Amendment. It is also at the core of a market-based economy, which depends on the accessibility of information.
While privacy is certainly a necessary element of quality life in modern society, protecting the privacy of information imposes real costs on individuals and institutions. Privacy facilitates the dissemination of false information, such as when a job applicant lies about his previous employment, by making discovery of that falsity more difficult or impossible. Privacy similarly protects the withholding of relevant true information, such as when an airline pilot fails to disclose a medical condition that might affect job performance. Privacy interferes with the collection, organization, and storage of information on which businesses and others can draw to make rapid, informed decisions, such as whether to grant credit or accept a check. As these examples suggest, the costs of privacy may be high. Those costs include both transactional costs incurred by information users seeking to determine the accuracy and completeness of the information they receive, and the risk of future losses resulting from inaccurate and incomplete information. Privacy therefore may reduce productivity and lead to higher prices for products and services.
Privacy recognizes the right of the individual, as opposed to anyone else, to determine what he will reveal about himself or herself. As a result, privacy conflicts with other important values within the society, such as society's interest in facilitating free expression, preventing and punishing crime, protecting private property, and conducting government and commercial operations efficiently.
To the extent that legal protections and social mores concerning privacy interfere with creating the systems necessary to acquire and use personal information, privacy may even conflict with the interest of the persons whose privacy is being protected. If a customer wants credit in a retail store, but the law prohibits the store owner from obtaining or verifying the credit information necessary to extend that credit, the customer is inconvenienced, even though he or she may be willing at that moment and for that purpose, to consent to the disclosure of his or her credit information. If an individual requires emergency medical attention, but privacy laws interfere with the hospital obtaining his or her medical records, he or she may face greater risks than mere inconvenience. Instant credit, better targeted mass mailings, lower insurance rates, faster service when ordering merchandise by telephone, special recognition for frequent travelers, and countless other benefits come only at the expense of some degree of privacy.
I am not suggesting that privacy is inherently evil, but rather that it is not inherently good. The late Anne Branscomb, author of Who Owns Information?, wrote: "Information is the lifeblood that sustains political, social, and business decisions."(10) This is especially true in commercial contexts where, as the Federal Reserve Board noted in its recent report to Congress on privacy, "it is the freedom to speak, supported by the availability of information and the free-flow of data, that is the cornerstone of a democratic society and market economy."(11) Protecting privacy inevitably impedes that availability of information and free-flow of data.
This is particularly true in the context of laws affecting electronic communication. The vast majority of information in the industrialized world today is electronic. No form of communication other than face-to-face conversation and hand-written, hand-delivered messages, escapes the reach of electronic information technologies. As those exceptions indicate, no communication that bridges geographic space or is accessible to more than a few people exists today without some electronic component. And the dominance of electronic communication is growing at an astonishing pace.
As a result, the regulation of electronic information flows cuts deeply into freedom of expression and the data necessary for open markets generally. And the dangers inherent in limiting the flow of information are exacerbated by the rapidly expanding and changing context in which information is created, transmitted, stored, and used. Such restrictions should be avoided if possible.
I believe that it is possible--and desirable--to avoid further restrictions on the accessibility of information by taking advantage of the legal power that already exists in the hands of citizens, prosecutors, and regulatory agencies and the technological and market power of consumers. Efforts by regulators, such as the FTC, and by individual companies and industry groups are further expanding opportunities for meaningful privacy and are helping to inform consumers about the practical steps they can take to control the disclosure of private information. These efforts are uniformly preferable in a democratic society to legal restrictions on information collection and dissemination.
These measures may be fully effective in protecting privacy to the extent compatible with a democratic society and market economy. Or it may ultimately prove necessary to enact additional laws to strengthen privacy protection. I do not believe that is the case today in the face of expansive change, impressive technological and commercial alternatives for protecting privacy, powerful existing law and regulators, and strong constitutional preference against such restrictions.
Fred H. Cate is a professor of law, Louis F. Niezer Faculty Fellow, and director of the Information Law and Commerce Institute at the Indiana University School of Law--Bloomington. An internationally recognized expert on information law, Professor Cate is also senior counsel for information law in the Indianapolis law firm of Ice Miller Donadio & Ryan.
Professor Cate is the author of many articles and books, including Privacy in the Information Age, which received Honorable Mention as the Association of American Publishers Professional/Scholarly Publishing Division Best New Book in Law 1997, and Sexually Explicit Expression in the Classroom: The Internet, Schools, and the First Amendment, and he is the editor of Visions of the First Amendment for a New Millennium.
Professor Cate chairs the American Association of University Professors' Intellectual Property Committee, and he serves as a member of the U.S. Privacy Experts Group, the Privacy Exchange Advisory Board, and the Committee on Institutional Cooperation's Copyright and Intellectual Property Committee. He is secretary of the Board of Directors of the Advanced Research and Technology Institute and faculty advisor to the Federal Communications Law Journal, the official journal of the Federal Communications Bar Association and the nation's oldest communication law journal.
Previously he directed the Electronic Information Privacy and Commerce Study for the Brookings Institution, chaired the Department of Health and Human Services' Working Group on Intellectual Property in Networked Health Information, and served as a member of the U.S. Congress Office of Technology Assessment's panel of experts on Global Communications Issues and Technology and panel of reviewers on International Money Laundering. From 1990 to 1996, he served as a senior fellow (and from 1991 to 1993, director of research and projects) of The Annenberg Washington Program in Communications Policy Studies.
Professor Cate writes widely for the popular press--including the Atlantic, Chicago Tribune, Christian Science Monitor, International Herald Tribune, Los Angeles Times, San Francisco Chronicle, Wall Street Journal, and Washington Post--and has appeared on CNN, PBS, and many local television and radio programs. He received his J.D. and his A.B. with Honors and Distinction from Stanford University. Prior to joining the faculty at Indiana University, he practiced in the Washington, D.C. office of Debevoise & Plimpton. A life member of Phi Beta Kappa Associates, Professor Cate is listed in Who's Who in American Law.
He can be reached at: Indiana University School of Law--Bloomington, 211 South Indiana Avenue, Bloomington, Indiana 47405, telephone (812) 855-1161, facsimile (812) 855-0555, e-mail [email protected]
1. In compliance with House Rule XI, clause 2(g)(4), I certify that I have received no federal grant, contract, or subcontract in the preceding two fiscal years.
2. I am the author of "Privacy and Telecommunications," forthcoming in the Wake Forest Law Review; Privacy in the Information Age (Brookings Institution Press, 1997); "The EU Data Protection Directive, Information Privacy, and the Public Interest," 80 Iowa Law Review 431 (1995); and "The Right to Privacy and the Public's Right to Know: The 'Central Purpose' of the Freedom of Information Act," 46 Administrative Law Review 41 (1994) (with D. Annette Fields and James K. McBain). A biographical statement is attached.
3. See http://www.nw.com/zone/WWW/report.html.
4. See http://www.nw.com/zone/WWW-9501/dist-byname.html and http://www.nw.com/zone/WWW/dist-bynum.html.
5. See, e.g., 15 U.S.C. § 1681e(b) (1997) (Fair Credit Reporting Act of 1970); Restatement (Second) of Torts §§ 652A-652E (1976); Katz v. United States, 389 U.S. 347, 361 (1967) (Harlan, J., concurring); Terry v. Ohio, 392 U.S. 1, 9 (1968); Smith v. Maryland, 442 U.S. 735, 740 (1979).
6. See http://www.truste.org.
7. 18 U.S.C. §§ 2510-2520, 2701-2709 (1997).
8. Id. §§ 2510-11.
9. 15 U.S.C. § 45(a)(1) (1997).
10. Anne W. Branscomb, "Global Governance of Global Networks: A Survey of Transborder Data Flow in Transition," 36 Vanderbilt Law Review 985, 987 (1983).
11. Board of Governors of the Federal Reserve System, Report to the Congress Concerning the Availability of Consumer Identifying Information and Financial Fraud 2 (March 1997).