In the 1980s and early 1990s, while lawmakers in Europe and Canada passed comprehensive privacy legislation complete with commissioners and enforcement mechanisms, the United States adopted a piecemeal approach. Some databases had legally mandated privacy guarantees; others didn’t. Wiretapping required a warrant–except when companies taped employees for the purpose of “improving customer service.” But even if policies weren’t consistent, they basically covered most situations that arose.
Then came the Internet’s explosive growth–a boon to community, commerce, and surveillance all at the same time. Never before had it been so easy to find out so much, so quickly. But while most Internet users soon became dependent on services from companies like Yahoo and Google, few realized that they themselves were the product these companies were selling.
All activity on the Internet is mediated–by software on your computer and on the remote service; by the remote service itself; and by the Internet service providers that carry the data. Each of these mediators has the ability to record or change the data as it passes through. And each mediator has an incentive to exploit its position for financial gain.
Thousands of different business models bloomed. Companies like DoubleClick realized that they could keep track of which Internet users went to which websites and integrate this information into vast profiles of user preferences, to be used for targeting ads. Some ISPs went further and inserted their own advertisements into the user’s data stream. One e-mail provider went further still: it intercepted all the e-mail from Amazon.com to its users and used those messages to market its own online clearinghouse for rare and out-of-print books. Whoops. That provider was eventually charged with violating the Federal Wiretap Act. But practically every other intrusive practice was allowed by the law and, ultimately, by Congress, which was never able to muster the will to pass comprehensive Internet privacy legislation.
It’s not that Congress was shy about regulating the Internet. It’s just that congressional attention in the 1990s was focused on shielding children from online pornography–through laws eventually found unconstitutional by the Supreme Court, because they also limited the rights of adults. The one significant piece of Internet privacy legislation that Congress did manage to pass was the Children’s Online Privacy Protection Act (COPPA), which largely prohibited the intentional collection of information from children 12 or younger.
Instead, it fell mostly to the Federal Trade Commission to regulate privacy on the Internet. And here the commission used one primary tool: the FTC Act of 1914 (since updated), which prohibits businesses from engaging in “unfair or deceptive acts or practices.” The way this works in connection with online privacy is that companies write “privacy policies” describing what they do with personal information they obtain from their customers. Companies that follow their policies are fine–even if they collect your information and publish it, sell it, or use it to send e-mail or for “any other lawful purpose” (and the law is pretty tolerant). The only way for companies to get in trouble is to claim that they will honor your privacy in a specific manner and then do something different.
Hearings were held at the end of the Clinton administration to pass some online privacy legislation with real teeth. I testified in favor of strong regulations at one of those hearings, but sitting next to me at the witness table were powerful business interests who argued that regulation would be expensive and hard to enforce. The legislation didn’t go anywhere. Business groups saw this outcome as the triumph of their “market-based” approach: consumers who weren’t happy with a company’s privacy stance could always go elsewhere. Privacy activists winced, knowing that legislation would be unlikely to pass if the Republicans won in 2000. We had no idea how right we were.