For release August 10, 2001
"Cato Privacy Paper Not Persuasive”
Peter P. Swire
This document responds to a Cato Institute Briefing Paper released on August 9, 2001, written by Professor Tom W. Bell and entitled "Internet Privacy and Self-Regulation: Lessons from the Porn Wars." Available at www.cato.org. The Briefing Paper criticizes the American Civil Liberties Union, the Center for Democracy and Technology, and the Electronic Information Privacy Center for supporting Internet privacy legislation while opposing legislation that would restrict Internet speech considered "harmful to minors."
This paper represents the personal views of Peter Swire, currently Visiting Professor of Law at George Washington University and formerly the Clinton Administration's Chief Counselor for Privacy from 1999 until early 2001. This paper explains why the Cato paper is wrong on the facts, chiefly because self-help will not work for personal information once it is in the hands of outside parties. The paper also explains why the Cato paper is wrong on the law. The Cato paper would seem to make the doctor/patient and attorney/client privileges unconstitutional as violations of doctor and lawyer free-speech rights. Any such analysis is subject to serious doubt indeed.
(1) Why the Cato paper is wrong on the facts.
Professor Bell states: "Digital self-help offers more hope of protecting Internet users' privacy than it does of effectively filtering out unwanted speech, and the availability of such self-help casts doubt on the constitutionality of legislation restricting speech by commercial entities about Internet users." The ACLU, CDT, and EPIC have all supported use of self-help, also known as privacy-enhancing technologies, as an important component of protecting privacy on the Internet. Although the groups have differed about the desirability of one such technology, known as the Platform for Privacy Preferences, it is after extensive experience with privacy-enhancing technologies that the groups have each concluded that Internet privacy legislation is needed.
Professor Bell lists a number of existing privacy-enhancing technologies, none of them used by a large portion of Internet users. These technologies can indeed do specific useful tasks, such as rejecting cookies or preventing a web site from knowing the identity of an anonymous surfer. Professor Bell suggests that surfers should arm themselves with an arsenal of privacy-protecting software in order to fend off data collection by web sites.
Reasonable people may doubt whether ordinary surfers can, or will, out-fox the data collection efforts of sophisticated web sites. Even if surfers use every weapon in their arsenal, however, the technologies cannot provide any help with a pervasive problem of Internet privacy -- what will happen to data once the web site knows it. A web site may require your name to ship a product, sign you up to a subscription, register your software, or allow access to the site itself. Anyone who wishes to participate in e-commerce or many other Internet activities will repeatedly have to provide his or her personal information simply to carry out that activity. Without privacy rules in place, all of that identifying information can be shipped from the first site to any other, with no possibility of technological self-help by the individual.
The hard problem about privacy, then, is that technology does not work once the data is in the hands of outside parties such as a web site. By contrast, self-help offers a more compelling answer for what a family downloads to its own computer. The parent or other family member can set criteria for what is read on the computer. The rest of the world can make its own choices about what to read on the Web, while self-help works effectively in the home.
(2) Why the Cato paper is wrong on the law.
Professor Bell briefly refers to a lack of controlling case law, but then concludes that Internet privacy legislation would "almost certainly" face the fairly strict standard that applies to commercial speech and "might well" face the strict scrutiny test that applies to political and other speech that is most protected under the First Amendment. I believe these conclusions are wrong, and they fly in the face of the most authoritative court decisions to date as well as the principal scholarship on which Professor Bell relies.
The only case that Professor Bell mentions in his text is a Tenth Circuit decision,  issued over a sharp dissent, that discussed privacy and the First Amendment but never made any holding on the subject. He relegates to a footnote a recent, unanimous D.C. Circuit decision that found no First Amendment obstacle to a privacy rule that barred sale of names and addresses for target marketing purposes.  He does not mention another recent federal decision that upheld the Gramm-Leach-Bliley financial privacy protections against a similar challenge.  This kind of unconsented-to sale of personal information is precisely the sort of regulation that is at the heart of most proposed Internet privacy legislation. To my knowledge, no judge has followed the dicta of the 10th Circuit and found any First Amendment basis for striking down data privacy protections.
The deeper problem with Professor Bell's analysis is that it proves far too much. Professor Bell focuses on the First Amendment rights of those who receive the individual's personal information. His analysis, though, would seem to apply generally to those who receive personal information from another. For instance, is the doctor-patient privilege unconstitutional because it limits doctors' rights to speak about their patients? Is the attorney-client privilege an unconstitutional burden on the attorney's right to blab client secrets? No. The First Amendment has existed comfortably for two centuries together with the power of the legislature to set appropriate limits on the disclosure of client information. That is what is contemplated by Internet privacy legislation as well. A web site could receive a customer's information, but not disclose that information to others except pursuant to the customer's choice.
Indeed, the leading academic article on the First Amendment and privacy, on which Professor Bell principally relies, explains in detail why client information can constitutionally be protected by the sort of privacy laws supported by the ACLU, CDT, and EPIC. Professor Eugene Volokh says that “contract law not to reveal information” is “eminently defensible under existing free speech doctrine.” Although Professor Volokh expresses concerns about other sorts of speech restrictions, he specifically states that the telecommunications privacy rules struck down on other grounds by the 10th Circuit “are constitutionally permissible.” 
In sum, the legal portion of Professor Bell’s argument is contrary to the only federal court rulings on the subject, contrary to the leading academic article on which he claims to rely, and gives no basis for upholding the constitutionality of the doctor/patient and attorney/client privileges.
1. U.S. West, Inc. v. FCC, 182 F.3d 1224 (10th Cir. 1999).
2. Trans Union Corp. v. FTC, 245 F.3d 809 (D.C. Cir. 2001).
3. Individual Reference Services Group, Inc. v. FTC, 145 F. Supp. 2d 6 (D.D.C. 2001).
4. Eugene Volokh, “Freedom of Speech and Information Privacy: The Troubling Implications of a Right to Stop People from Speaking about You,” 52 Stanford L. Rev. 1049 (2000), at 1057 & 1060 n. 37.
Contact information: Professor Peter Swire, cell (301) 213-9587, email: firstname.lastname@example.org, web: www.osu.edu/units/law/swire.htm. The web sites of the groups criticized in the Cato paper are www.aclu.org, www.cdt.org, and www.epic.org.