Reforming Internet Privacy Law

On December 4, 2009, Silicon Flatirons presented a conference on Reforming Internet Privacy Law.

By Pamela Emery, J.D. Candidate 2011

On December 4, 2009, Silicon Flatirons presented a conference on Reforming Internet Privacy Law. The conference consisted of three panels and two short presentations.

The first panel discussed first principles of online privacy, debating how privacy should be regulated online and whether meaningful distinctions may be drawn between online and offline conceptions of privacy. Nicholas Allard of Patton Boggs, a veteran of many Capitol Hill debates over federal privacy law, began by arguing that privacy law reform will be difficult to implement and practically impossible in the immediate future. Allard noted that there is little consensus about privacy interests with the pendulum continually swinging from favoring national security to worrying about privacy, and that without consensus on priorities, reform is not likely. Jim Dempsey of the Center for Democracy and Technology (CDT) agreed, arguing that there is no “institutional silver bullet,” so change needs to come from government and non-governmental institutions alike.

Michael Hintze of Microsoft argued for comprehensive federal privacy legislation that covers offline and online privacy the same. Hintze further underscored the importance of consumer input and trust, saying that “from the perspective of Microsoft, privacy is an important issue taken very seriously because fundamentally when people use [Microsoft’s] services there’s an element of trust involved, and so to be successful, we need to have the trust of our users. Legislation, while not a silver bullet, can foster an environment of trust.” Likewise, Scott Shipman of eBay argued that the traditional American sectoral approach to privacy law is flawed, and that a uniform privacy law would be better because there is a need for consistency in defining what exactly “privacy” and “personal information” is across the board. Phil Gordon of Littler Mendleson argued in response that a sectoral approach is best because any comprehensive privacy law he could imagine would be very difficult to apply to his clients’ individualized problems. Gerry Stegmaier of Wilson Sonsini Goodrich & Rosati added that the sectoral approach “creates a laboratory for federalism,” and even though the distinction between online and offline privacy law doesn’t matter for abstract purposes, it is quite relevant for business.

After the first panel, two groups detailed proposals for reforming online privacy law, with special attention paid to how to reform the Electronic Communications Privacy Act (ECPA). Jim Dempsey of the Center for Democracy and Technology (CDT) presented a proposal developed by a working group led by CDT which embraced incremental reforms to ECPA, which garnered substantial support from the panelists at the conference. Associate Professor Stephen Henderson of Widener Law School offered the details of a proposal developed by a working group chaired by Colorado Supreme Court Justice, Michael Bender. Many lauded the theory underlying the Henderson/Bender proposal, but noted that the proposal did not try to offer concrete proposals for immediate implementation of its ideas.

Next, the second panel began to tackle how Congress should amend ECPA, if at all, focusing in particular on the scope of protection, meaning whether sites like Google Search or are currently covered under the ECPA and whether they ought to be, if they are not. Kevin Bankston of the Electronic Frontier Foundation (EFF) argued that if it is ambiguous whether sites like these are protected (a point he did not concede), then this underscores the absolute need for ECPA reform. Justice Bender emphasized that the public doesn’t know what the government does or does not do because so much surveillance goes unreported and because sanctions for abuse are minimal. Susan Freiwald of the University of San Francisco Law School argued that government surveillance should be closely and strictly regulated whenever it is intrusive, hidden, continuous, and indiscriminate. This, in turn would better protect the public from fishing expeditions and create an incentive structure for compliance than under current law. Albert Gidari of Perkins Coie wrapped up the discussion by urging the audience to understand that service providers are generally trying to do the right thing and that they often say “No” to government requests they receive for private user information, choosing to fight the government on behalf of their users’ rights.

The final panel discussed both what a reformed ECPA should require of the government and the politics of implementing reform. Gidari argued that from a service provider’s perspective, high standards for privacy are optimal because they let service providers know exactly what they must comply with, giving them much more freedom to refuse information requests under the law. Gidari asserted further that given the politics of Internet reform, an incremental approach, like CDT’s, is the only way any reform will take place, as things will not turn 180 degrees overnight. Freiwald argued that the distinction ECPA draws between how it treats content and non-content must be discarded because it is outdated and mischaracterizes Supreme Court precedent. Henderson agreed about the problems with the content/non-content distinction and asserted that his proposal for reform would cure the distinction. On the politics, Henderson opined that while his proposal was unlikely to be embraced by Congress, it could easily be adopted by state legislatures, following the recent trend of states providing greater protection than federal law on Internet privacy matters. Chris Soghoian, PhD student and privacy activist, argued that we should put less faith in law as the proper mechanism for reform and turn instead to technology to restore privacy online. For example, Soghoian pointed out that Google reveals user search terms in URLs, even though there is no technological requirement that it do so. Finally, Soghoian reiterated the need for service provider transparency about policies for responding to government requests, to give consumers the ability to shop for providers that best protect their privacy rights.

Know What’s Next