This year is the 20th anniversary of my first book, The Digital Person: Technology and Privacy In the Information Age (NYU Press 2004) (Amazon) (free digital copy on SSRN). I thought that it would be a great opportunity to engage in a reflection on some of the points I discussed in the book. Apologies for the self-indulgence.
The key theme in The Digital Person is about the rise of what I call “digital dossiers” – the extensive repositories of personal data about us that are collected and used by large organizations. The government and private industry propelled each other into the digital age and beyond through the collection and use of personal data. At the time I wrote, the story culminated with the rise of the internet. Since that time, new technologies have taken the spotlight – AI, Big Data, smart phones, the Internet of Things, social media, and much more. The book is so old that my publisher long ago allowed me to post the entire digital version online for free. And yet, the basic problems and ideas discussed in the book largely remain the same. There are new chapters in the story, but its direction has been quite predictable. I could practically reissue the book with a new preface that says “I told you so.”
The Aggregation Effect: Algorithms, AI, and Inferences
At the time I wrote, the terminology of today didn’t exist to describe the combination and analysis of personal data by computers. I discussed a phenomenon that I called the “aggregation effect” – “Similar to a Seurat painting, where a multitude of dots juxtaposed together form a picture, bits of information when aggregated paint a portrait of a person.” (p. 44).
Today, this is described in terms of algorithms and inference – and it is often an issue discussed in connection with AI. But this isn’t a new problem – it was a privacy problem many decades ago. And it was a problem long before my book, and I certainly wasn’t the first to discuss it.
What we are now witnessing today is the vast acceleration of the aggregation effect. There is more personal data, more collection of that data, more storage and use of that data, and more sophisticated algorithms analyzing that data. The problem is worse, and it remains very poorly addressed by privacy laws.
Metaphors for Privacy: Kafka vs. Orwell
In my opinion, the most important contribution of the book was my attempt to conceptualize why the rise of digital dossiers and the aggregation effect were problematic. At the time, many commentators called the commercial aggregation of personal data “Orwellian.” In contrast, I argued that although Orwell’s 1984 captures the problems of government surveillance, Franz Kafka’s The Trial more aptly captures the problem of privacy today with so many companies gathering and using our data: “The Trial captures an individual’s sense of helplessness, frustration, and vulnerability when a large bureaucratic organization has control over a vast dossier of details about one’s life. Bureaucracy often results in a routinized and sometimes careless way of handing information—with little to no accountability.” (p. 9).
For data collected by companies, the problem was less about oppression and more about being vulnerable and manipulated. Certainly, there is a lot of oppression, but Orwell depicted a dismal drab world, where Big Brother chilled all joy. Our world, however, dazzles with color and excitement. Companies often don’t want to oppress; they manipulate and exploit.
I recently wrote a follow up piece (with Prof. Woodrow Hartzog) discussing how Kafka remains quite relevant to understand current privacy problems, especially in the age of AI. Kafka in the Age of AI and the Futility of Privacy as Control, 104 BU L Rev 1021 (2024). We wrote that “if bestowed with control over their data, people will willingly cede it to the large entities that are collecting and using their data. And they will do so even when it harms them.”
The Problems of Privacy Law
I was highly critical of privacy law in the book, discussing how the privacy torts, statutes, and FTC enforcement all failed.
On the privacy torts, I contended that they “are not well adapted to regulating the flow of personal information in computer databases and cyberspace.” (p. 58-59). Today, my verdict remains the same on the privacy torts. They have stopped evolving. With Professor Neil Richards, I wrote an article discussing how the recognition of the privacy torts by the legendary torts professor, William Prosser, had a Midas touch, legitimizing and strengthening the torts but also ossifying them. See Neil M. Richards & Daniel J. Solove, Prosser’s Privacy Law: A Mixed Legacy, 98 Cal. L. Rev. 1887 (2010).
I was also highly critical of privacy statues: “In sum, the federal laws are a start, but they often give people only a very limited form of control over only some of their information and frequently impose no system of default control on other holders of such information. Although the statutes help in containing the spread of information, they often fail to adequately address the underlying power relationships and contain broad exceptions and loopholes that limit their effectiveness.” (71).
Although many new statutes have been passed in recent years, they still fail. I would write my critique differently than I did back in 2004. At the time, I thought that more individual control could be helpful. But now, I think that individual control has been so over-relied upon by privacy laws that it serves more as a façade than anything meaningful.
On the FTC, I was too dismissive. I argued that the FTC “only ensures that companies keep their promises.” (73). In the years since, the FTC has expanded and used unfairness as a basis for enforcement actions. Although far from perfect, the FTC has been a positive force for privacy enforcement. For more background, see Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 584 (2014).
But there are headwinds, as the FTC has political limitations, which Professor Alicia Solow-Niederman discusses in her essay, The Overton Window and Privacy Enforcement, 34 Harv. J. L. & Tech. 1007 (2024). The FTC can’t be too bold, or else it can readily be punished and its power taken away. This dramatically constrains the FTC; it chills it from being bolder in its enforcement; it inhibits the FTC from pushing new ground in its enforcement. It remains to be seen just how aggressive the FTC will be in the Trump Administration, but I suspect the FTC will be quite cautious.
In my more recent work, I’ve argued that privacy law is heading in the wrong direction. Many of the most common elements of privacy laws, such as individual rights and sensitive data, unfortunately don’t work. Privacy law is especially poorly adapted to deal with the challenges of AI. If you’re interested, see the following pieces:
- Data Is What Data Does: Regulating Use, Harm, and Risk Instead of Sensitive Data
118 Northwestern University Law Review 1081 (2024) - The Limitations of Privacy Rights
98 Notre Dame Law Review 975 (2023) - Artificial Intelligence and Privacy
77 Florida Law Review __ (forthcoming 2025)
Although a lot has happened in the 20 years after the publication of The Digital Person, the problems I diagnosed largely remain the same. The law hasn’t done a good job of addressing them. Now, as AI technology is sweeping the world, the problems are going to get much worse.
It didn’t take a Nostradamus to foresee where we are now. I was far from the only one to see these problems. The work of Paul Schwartz, Julie Cohen, Oscar Gandy, Anita Allen, Joel Reidenberg, Ian Kerr, Alan Westin, and many others have been quite prophetic.
I encourage you to read these older works by the scholars listed above. Despite being old, these works still have many insights relevant today.
I hope that you check out The Digital Person. I’ve posted the entire book online for free. You can download it here.
* * * *
Professor Daniel J. Solove is a law professor at George Washington University Law School. Through his company, TeachPrivacy, he has created the largest library of computer-based privacy and data security training, with more than 150 courses. He is also the co-organizer of the Privacy + Security Forum events for privacy professionals.
Subscribe to Solove’s Free Newsletter
Pre-Order Prof. Solove’s forthcoming book,
ON PRIVACY AND TECHNOLOGY
Prof. Solove’s Privacy Training