Книга: Code 2.0
(3) Rules to Enable Choice About Privacy
(3) Rules to Enable Choice About Privacy
The real challenge for privacy, however, is how to enable a meaningful choice in the digital age. And in this respect, the technique of the American government so far — namely, to require text-based privacy policy statements — is a perfect example of how not to act. Cluttering the web with incomprehensible words will not empower consumers to make useful choices as they surf the Web. If anything, it drives consumers away from even attempting to understand what rights they give away as the y move from site to site.
P3P would help in this respect, but only if (1) there were a strong push to spread the technology across all areas of the web and (2) the representations made within the P3P infrastructure were enforceable. Both elements require legal action to be effected.
In the first edition of this book, I offered a strategy that would, in my view, achieve both (1) and (2): namely, by protecting personal data through a property right. As with copyright, a privacy property right would create strong incentives in those who want to use that property to secure the appropriate consent. That content could then be channeled (through legislation) through appropriate technologies. But without that consent, the user of the privacy property would be a privacy pirate. Indeed, many of the same tools that could protect copyright in this sense could also be used to protect privacy.
This solution also recognizes what I believe is an important feature of privacy — that people value privacy differently[44]. It also respects those different values. It may be extremely important to me not to have my telephone number easily available; you might not care at all. And as the law’s presumptive preference is to use a legal device that gives individuals the freedom to be different — meaning the freedom to have and have respected wildly different subjective values — that suggests the device we use here is property. A property system is designed precisely to permit differences in value to be respected by the law. If you won’t sell your Chevy Nova for anything less than $10,000, then the law will support you.
The opposite legal entitlement in the American legal tradition is called a “liability rule[45]”. A liability rule also protects an entitlement, but its protection is less individual. If you have a resource protected by a liability rule, then I can take that resource so long as I pay a state-determined price. That price may be more or less than you value it at. But the point is, I have the right to take that resource, regardless.
An example from copyright law might make the point more clearly. A derivative right is the right to build upon a copyrighted work. A traditional example is a translation, or a movie based on a book. The law of copyright gives the copyright owner a property right over that derivative right. Thus, if you want to make a movie out of John Grisham’s latest novel, you have to pay whatever Grisham says. If you don’t, and you make the movie, you’ve violated Grisham’s rights.
The same is not true with the derivative rights that composers have. If a songwriter authorizes someone to record his song, then anyone else has a right to record that song, so long as they follow certain procedures and pay a specified rate. Thus, while Grisham can choose to give only one filmmaker the right to make a film based on his novel, the Beatles must allow anyone to record a song a member of the Beatles composed, so long as that person pays. The derivative right for novels is thus protected by a property rule; the derivative right for recordings by a liability rule.
The law has all sorts of reasons for imposing a liability rule rather than a property rule. But the general principle is that we should use a property rule, at least where the “transaction costs” of negotiating are low, and where there is no contradicting public value[46]. And it is my view that, with a technology like P3P, we could lower transaction costs enough to make a property rule work. That property rule in turn would reinforce whatever diversity people had about views about their privacy — permitting some to choose to waive their rights and others to hold firm.
There was one more reason I pushed for a property right. In my view, the protection of privacy would be stronger if people conceived of the right as a property right. People need to take ownership of this right, and protect it, and propertizing is the traditional tool we use to identify and enable protection. If we could see one fraction of the passion defending privacy that we see defending copyright, we might make progress in protecting privacy.
But my proposal for a property right was resoundingly rejected by critics whose views I respect[47]. I don’t agree with the core of these criticisms. For the reasons powerfully marshaled by Neil Richards, I especially don’t agree with the claim that there would be a First Amendment problem with propertizing privacy[48]. In any case, William McGeveran suggested an alternative that reached essentially the same end that I sought, without raising any of the concerns that most animated the critics[49].
The alternative simply specifies that a representation made by a website through the P3P protocol be considered a binding offer, which, if accepted by someone using the website, becomes an enforceable contract[50]. That rule, tied to a requirement that privacy policies be expressed in a machine-readable form such as P3P, would both (1) spread P3P and (2) make P3P assertions effectively law. This would still be weaker than a property rule, for reasons I will leave to the notes[51]. And it may well encourage the shrink-wrap culture, which raises its own problems. But for my purposes here, this solution is a useful compromise.
To illustrate again the dynamic of cyberlaw: We use law (a requirement of policies expressed in a certain way, and a contract presumption about those expressions) to encourage a certain kind of technology (P3P), so that that technology enables individuals to better achieve in cyberspace what they want. It is LAW helping CODE to perfect privacy POLICY.
This is not to say, of course, that we have no protections for privacy. As we have seen throughout, there are other laws besides federal, and other regulators besides the law. At times these other regulators may protect privacy better than law does, but where they don’t, then in my view law is needed.
- (1) Limits on Choice
- About the author
- Displacement of rules to different chains
- Iptables-save ruleset
- About the Author
- Making the Choice
- Using ssh-keygen to Enable Key-Based Logins
- About the Apache Web Server
- Display Information About Connected Users
- 1.3 A Word About Modes
- About This Book
- All About ifconfig