From a policy perspective, we do need a better framework by which we can judge the use of personal information broadly -- the Internet is just the beginning. Basically, I break it up as you see here, from "bad" uses of technology to "good":
Bad: Mandatory "National ID" cards encoded with biometric identifiers or compulsory databases for data-mining purposes. The underlying element here is compulsion, the inability to say no.
Not (necessarily) bad, but can be abused and require extensive Fourth Amendment or equivalent safeguards that do not yet exist: Government-run face cameras (and related technologies like iris scanners) that ride on top of a database of criminals or wanted individuals. These should not collect data on individuals other than those already in the database (presumably there through appropriate Fourth Amendment procedures). Incidental data collected on random individuals cannot be retained. Problem is the guarantee. This is where I think the real future privacy fights lie, and the most risk for sensible evolution of these technologies.
Good: Countless private uses of information that offer the opportunity for commercial offerings to the public, and those that offer extraordinary security by preventing others from posing as us, and ending rampant identity theft. This is where the market can shine. However, these must not be allowed access to data gleaned by government coercion, or they move into category 1 or 2 and give the entire industry (online marketing, biometric or data-mining, etc.) a black eye, and make it impossible to defend the industry from regulation. I prefer to keep it self-regulated, especially since institutions like insurance and liability desperately need to emerge and premature regulation can undermine them.
So in a nutshell: 1: Avoid mandatory databases; 2: Ensure Fourth Amendment protections even for public surveillance; and 3: Avoid mixing public and private databases.
I'm sure I'm far more comfortable with market "regulation" of privacy, without government nudging, than some are; however, institutional/legal frameworks do matter. In the new "surveillance" state, or whatever we call the rise of behavioral marketing, government-run biometrics, cameras, compulsory IDs and data-mining, steps are being taken that impede -- and make impossible -- the market's urgently needed self-policing. None of these technologies are bad in themselves, and I even argue that, from a market standpoint, for purposes of security and authentication, we need lots of "national" IDs, so to speak, that have particular private authentication, and yes, marketing, purposes, but never a single, compulsory government biometric ID/database.
Such an ID would effectively destroy privacy, but would also hinder the competing technologies that might better enable that very privacy, since government will likely pick the winning ID or data-mining firm. The Fourth Amendment aspects of public surveillance, to me, are more alarming than issues such as online privacy or mundane commercial privacy issues.
I take the glass-half-full position. So long as we don't take a wrong turn at this point in "business history" (by allowing governments and regulation to dominate privacy policies, IDs and biometric technologies), new information collection technologies are about increasing convenience, service, authentication and security and not about invading privacy. I think people have alternatives to dealing with private parties that snoop too much, alternatives that will serve better than over-regulation. But they don't have those options with governments.