What is privacy? This is a central question to answer, because a conception of privacy underpins every attempt to address it and protect it. Every court that holds that something is or isn’t privacy is basing its decision on a conception of privacy — often unstated. Privacy laws are also based on a conception of privacy, which informs what things the laws protect. Decisions involving privacy by design also involve a conception of privacy. When privacy is “baked into” products and services, there must be some understanding of what is being baked in.
Far too often, conceptions of privacy are too narrow, focusing on keeping secrets or avoiding disclosure of personal data. Privacy is much more than these things. Overly narrow conceptions of privacy lead to courts concluding that there is no privacy violation when something doesn’t fit the narrow conception. Narrow or incomplete conceptions of privacy lead to laws that fail to address key problems. Privacy by design can involve throwing in a few things and calling it “privacy,” but this is like cooking a dish that requires 20 ingredients but only including 5 of them.
It is thus imperative to think through what privacy is. If you have an overly narrow or incomplete conception of privacy, you’re not going to be able to effectively identify privacy risks or protect privacy.
In my work, I have attempted to develop a practical and useable conception of privacy. In what follows, I will briefly describe what I have developed.
The U.S. Court of Appeals for the 2nd Circuit just issued a 97-page ruling limiting the NSA’s power to sweep up data about people’s phone calls. The case is ACLU v. Clapper, and the court held that the USA Patriot Act Section 215 doesn’t authorize the kind of sweeping collection of phone call metadata that the NSA has been engaging in. The court’s holding is limited to statutory interpretation — the scope of data collection authorized by Section 215. The court doesn’t base its holding on the Fourth Amendment, though it does note the uncertain status of current Fourth Amendment law.
The bottom line is that the NSA has been gathering a lot more data than it has been authorized to gather.
The law regulating government surveillance and information gathering is in dire need of reform. This law, which consists of the Fourth Amendment and several statutes, was created largely in the 1970s and 1980s and has become woefully outdated. The result is that law enforcement officials and intelligence agencies can readily find ways to sidestep oversight and protections when engaging in surveillance and data collection.
It is often said that people don’t care much about privacy these days given how much information they expose about themselves. But survey after survey emphatically concludes that people really do care about privacy.