Obama Administration Fights Privacy Act Liability
In February 2004, privacy advocates were put off by a Supreme Court case called Doe v. Chao, in which the Court found that the Privacy Act requires a victim of a government privacy violation to show “actual damages” before receiving any compensation. The Act appeared to provide for $1,000 per violation in statutory damages, but the Court interpreted the legislation to require that actual damages be proven, after which the victim would be entitled to a minimum award of $1,000. (Statutory damages are appropriate in privacy cases against the government because government bureaucrats pay little price themselves when their agency gets fined. A penalty is required to draw oversight and political attention to violations of the law.)
Doe v. Chao was a close call given the statutory language, and the Court chose the outcome that would limit the government’s exposure to Privacy Act liability. Doing so marginally weakened the government’s attentiveness to the already insubstantial protections of the Privacy Act.
A companion case to Doe v. Chao has now reached the Supreme Court. FAA v. Cooper, which the highest court recently agreed to hear, involves a victim of a government privacy invasion who alleges “actual damages” based on evidence of mental and emotional distress. Cooper, a recreational pilot who was HIV-positive, had chosen to conceal his health status generally, but revealed it to the Social Security Administration for the purposes of pursuing disability payments. When the SSA revealed that he was HIV-positive to the Department of Transportation, it violated the Privacy Act. Cooper claims in court that he suffered mental and emotional distress at learning of the disclosure of his health status and inferentially his sexual orientation, which he had kept private.
In the Ninth Circuit Court of Appeals and now in the Supreme Court, the Obama Administration has argued that it doesn’t have to pay the victim of this privacy violation because mental and emotional distress do not qualify as “actual damages.” No one disputes that Cooper has to present objective proof of harm as a check on the truth of his claims. But the government isn’t saying that Cooper is faking distress at having his health status and sexual orientation illegally exposed by the government. The government is arguing that the court should limit “actual damages” to economic injury simply because it’s the government being sued.
Internet Privacy Law Needs an Upgrade
Imagine for a moment that all your computing devices had to run on code that had been written in 1986. Your smartphone is, alas, entirely out of luck, but your laptop or desktop computer might be able to get online using a dial-up modem. But you’d better be happy with a command-line interface to services like e-mail, Usenet, and Telnet, because the only “Web browsers” anyone’s heard of in 1986 are entomologists. Cloud computing? Location based services? Social networking? No can do, though you can still get into a raging debate about the relative merits of Macs and PCs.
When it comes to federal privacy law, alas, we are running on code written in 1986: The Elecronic Communications Privacy Act, a statute that’s not only ludicrously out of date, but so notoriously convoluted and unclear that even legal experts routinely lament the “mess” of electronic privacy law. Scholar Orin Kerr has called it “famously complex, if not entirely impenetrable.” Part of the problem, to be sure, lies with the courts. It is scandalous that in 2010, we don’t even have a definitive ruling on whether or when the Fourth Amendment requires the government to get a search warrant to read e-mails stored on a server. But the ECPA statute, meant to fill the gap left by the courts, reads like the rules of James T. Kirk’s fictional card game Fizzbin.
Picture Don Draper Stamping on a Human Face, Forever
Last week, a coalition of 10 privacy and consumer groups sent letters to Congress advocating legislation to regulate behavioral tracking and advertising, a phrase that actually describes a broad range of practices used by online marketers to monitor and profile Web users for the purpose of delivering targeted ads. While several friends at the Tech Liberation Front have already weighed in on the proposal in broad terms — in a nutshell: they don’t like it — I think it’s worth taking a look at some of the specific concerns raised and remedies proposed. Some of the former strike me as being more serious than the TLF folks allow, but many of the latter seem conspicuously ill-tailored to their ends.
First, while it’s certainly true that there are privacy advocates who seem incapable of grasping that not all rational people place an equally high premium on anonymity, it strikes me as unduly dismissive to suggest, as Berin Szoka does, that it’s inherently elitist or condescending to question whether most users are making informed choices about their privacy. If you’re a reasonably tech-savvy reader, you probably know something about conventional browser cookies, how they can be used by advertisers to create a trail of your travels across the Internet, and how you can limit this. But how much do you know about Flash cookies? Did you know about the old CSS hack I can use to infer the contents of your browser history even without tracking cookies? And that’s without getting really tricksy. If you knew all those things, congratulations, you’re an enormous geek too — but normal people don’t. And indeed, polls suggest that people generally hold a variety of false beliefs about common online commercial privacy practices. Proof, you might say, that people just don’t care that much about privacy or they’d be attending more scrupulously to Web privacy policies — except this turns out to impose a significant economic cost in itself.
The truth is, if we were dealing with a frictionless Coaseian market of fully-informed users, regulation would not be necessary, but it would not be especially harmful either, because users who currently allow themselves to be tracked would all gladly opt in. In the real world, though, behavioral economics suggests that defaults matter quite a lot: Making informed privacy choices can be costly, and while an opt-out regime will probably yield tracking of some who would prefer not to be under conditions of full information and frictionless choice, an opt-in regime will likely prevent tracking of folks who don’t object to tracking. And preventing that tracking also has real social costs, as Berin and Adam Thierer have taken pains to point out. In particular, it merits emphasis that behavioral advertising is regarded by many as providing a viable business model for online journalism, where contextual advertising tends not to work very well: There aren’t a lot of obvious products to tie in to an important investigative story about municipal corruption. Either way, though, the outcome is shaped by the default rule about the level of monitoring users are presumed to consent to. So which set of defaults ought we to prefer?
E-Verify: The Surveillance Solution
The federal government will keep data about every person submitted to the “E-Verify” background check system for 10 years.
At least that’s my read of the slightly unclear notice describing the “United States Citizenship Immigration Services 009 Compliance Tracking and Monitoring System” in today’s Federal Register. (A second notice exempts this data from many protections of the Privacy Act.)
To make sure that people aren’t abusing E-Verify, the United States Citizenship and Immigration Services Verification Division, Monitoring and Compliance Branch will watch how the system is used. It will look for misuse, such as when a single Social Security Number is submitted to the system many times, which suggests that it is being used fraudulently.
How do you look for this kind of misuse (and others, more clever)? You collect all the data that goes into the system and mine it for patterns consistent with misuse.
The notice purports to limit the range of people whose data will be held in the system, listing “Individuals who are the subject of E-Verify or SAVE verifications and whose employer is subject to compliance activities.” But if the Monitoring Compliance Branch is going to find what it’s looking for, it’s going to look at data about all individuals submitted to E-Verify. “Employer subject to compliance activities” is not a limitation because all employers will be subject to “compliance activities” simply for using the system.
In my paper on electronic employment eligibility verification systems like E-Verify, I wrote how such systems “would add to the data stores throughout the federal government that continually amass information about the lives, livelihoods, activities, and interests of everyone—especially law-abiding citizens.”
It’s in the DNA of E-Verify to facilitate surveillance of every American worker. Today’s Federal Register notice is confirmation of that.
Cato on Facebook
Cato on Twitter
Cato on Google+
Cato on YouTube
