Debunking the Privacy Fallacies

This is the first in a series of articles about privacy-related issues that may be of interest to state attorneys general.

When I was in law school, “privacy law” wasn’t really discussed. Today, it seems like all anyone can talk about. That might be because I work on privacy and data security matters for the Consumer Protection Division of the Vermont Attorney General’s Office, and teach about privacy at the University of Vermont. Or it could be that people really care about their privacy and are continually dismayed by revelations that the businesses to which they entrust their most sensitive data may be selling it, using it in untoward ways, or failing to protect it from cyberthieves.

The state attorney general community serves a critical role in the debates over privacy. Attorneys general enforce laws that attempt to protect peoples’ privacy, can apply state consumer protection laws to hold businesses accountable for unfair and deceptive practices, and can criminally prosecute the worst actors. State attorneys general can also influence the policy debate over what a comprehensive privacy law that protects consumers while fostering a healthy business climate should look like.

I have been working on these policy questions for a while, whether through Vermont’s Data Broker Registry law and lawsuit against facial recognition company Clearview AI, or through outreach and education. I have learned that the very concept of privacy is not very well understood by many stakeholders. Even defining privacy can be difficult.

This article will share some thoughts on privacy policies in general and, in particular, on the arguments used by those who do not favor strengthened protection of privacy, which may have superficial appeal but are often based on invalid premises. The goal is to move the discussion in a way that helps state attorneys general better protect our citizens and support a healthy business environment.

First Principle: Privacy is a Balance

The list of potential harms to personal privacy are numerous and ever-expanding. Problems like stalking and harassment, swatting, identity theft, data theft, redlining, blanket surveillance, location tracking, fraud, spying, extortion, election tampering, psychological manipulation, and government control all have common elements: increasingly ubiquitous surveillance technologies coupled with an unregulated market for personal data. Unfortunately, trying to elucidate all the potential harms can make one feel that they are disappearing down a rabbit-hole of conspiracy theories.

The privacy problems citizens (and attorneys general) worry about are often abstract while the short-term benefits of related technologies are immediate and obvious. Beyond a vague sense of “creepiness,” the average consumer may not really be in any immediate danger of harm. The dangers of surveillance may be more obvious if one is a member of a marginalized group for whom surveillance can lead to imminent harm, such as someone seeking anonymity to flee an abusive relationship or someone with a critical health condition who has a good reason for it not to be generally known. Not having to care about your privacy is an unrecognized privilege that many in this country share.

A key thing to remember about privacy is that it’s a balance. Under certain circumstances, there are justifiable, even benevolent reasons to sacrifice some of it. Businesspeople, police officers, scientists and journalists all may have legitimate reasons to access the intimate details of our lives. But there are also reasons to surveil us that are not so benign. Their advocates may invoke lofty goals like bringing together the global community, keeping us safe, and making life more convenient, but those justifications are often just a pretext to continue the profitable practice of selling our most sensitive information to the highest bidder.

The issue is that when new technologies are being developed to solve important problems, privacy advocates are usually not in the room to raise concerns. It is only after a technology has been deployed that privacy concerns can be raised, and by then it may be too late. This is where thoughtful public policy comes in: to set the ground rules and draw the lines up front so that businesses can innovate and flourish while privacy is protected.