In 1999, when Scott McNealy, the founder and CEO of Sun Microsystems, declared, “You have zero privacy…get over it,” most of us, still new to the World Wide Web, had no idea what he meant. Eleven years later, when Mark Zuckerberg said that “the social norms” of privacy had “evolved” because “people [had] really gotten comfortable not only sharing more information and different kinds, but more openly and with more people,” his words expressed what was becoming a common Silicon Valley trope: privacy was obsolete.
By then, Zuckerberg’s invention, Facebook, had 500 million users, was growing 4.5 percent a month, and had recently surpassed its rival, MySpace. Twitter had overcome skepticism that people would be interested in a zippy parade of 140-character posts; at the end of 2010 it had 54 million active users. (It now has 336 million.) YouTube was in its fifth year, the micro-blogging platform Tumblr was into its third, and Instagram had just been created. Social media, which encouraged and relied on people to share their thoughts, passions, interests, and images, making them the Web’s content providers, were ascendant.
Users found it empowering to bypass, and even supersede, the traditional gatekeepers of information and culture. The social Web appeared to bring to fruition the early promise of the Internet: that it would democratize the creation and dissemination of knowledge. If, in the process, individuals were uploading photos of drunken parties, and discussing their sexual fetishes, and pulling back the curtain on all sorts of previously hidden personal behaviors, wasn’t that liberating, too? How could anyone argue that privacy had been invaded or compromised or effaced when these revelations were voluntary?
The short answer is that they couldn’t. And they didn’t. Users, who in the early days of social media were predominantly young, were largely guileless and unconcerned about privacy. In a survey of sixty-four of her students at Rochester Institute of Technology in 2006, Susan Barnes found that they “wanted to keep information private, but did not seem to realize that Facebook is a public space.” When a random sample of young people was asked in 2007 by researchers from the Pew Research Center if “they had any concerns about publicly posted photos, most…said they were not worried about risks to their privacy.” (This was largely before Facebook and other tech companies began tracking and monetizing one’s every move on- and offline.)
In retrospect, the tendencies toward disclosure and prurience online should not have been surprising. As Sarah Igo observes in The Known Citizen, her masterful study of privacy in the United States, the sharing and oversharing of intimacies predates the social Web; indeed, the social Web simply allowed these behaviors to proliferate on a more open and accessible platform. Igo cites the enormous popularity of An American Family, a documentary doled out in twelve installments on public television in 1973, as one of the earliest cultural watersheds in Americans’ changing appreciation of privacy. Culled from the filmmakers’ seven-month immersion in the day-to-day lives of an ordinary family, the Louds of California, the series suggested that nothing was off-limits on TV: the Louds’ marriage fell apart; their son came out as gay; his father’s infidelities were exposed. Part of what made this so sensational was that, by making the private public, voyeurism and exhibitionism became mainstream entertainments. (Decades later, with webcams built into computers, peering into other people’s homes and lives no longer seems all that unusual.)
Igo also points to the influence of confessional talk shows, like Phil Donahue’s in the 1970s and Oprah Winfrey’s in the 1980s and beyond, where guests opened up about previously taboo subjects such as incest and spousal abuse. The public also had a voracious appetite for revelatory memoirs, a genre that grew exponentially as writers, famous or not, offered up increasingly startling, true—or possibly true—confessions of drug addiction, alcohol abuse, childhood traumas, sexual misadventures, and failures of every stripe. Igo writes:
Confessional culture, 1990s style, had many taproots: the media forms and celebrity culture that made self-publicity so alluring, the critique of secrets that was transforming political culture, and the incitements to authenticity and redemption emanating in equal measure from the couch and congregation.
When the social Web came along not long afterward, people were primed to participate.
None of this meant that Americans—ordinary people and lawmakers alike—were unconcerned then, or at any time, about what they perceived to be actual and potential incursions into their private lives. Government overreach into the homes and lives of citizens animated the Framers, and their intent has been debated in the courts and Congress ever since. As Cyrus Farivar writes in Habeas Data: Privacy vs. the Rise of Surveillance Tech, a lively catalog of privacy-related court cases and laws that have arisen alongside new technologies, “Nowhere in the Bill of Rights, or in the Constitution, is the word ‘privacy’ mentioned. But scholars, lawyers, judges, and others have intuited, or extrapolated, something resembling a privacy right from both documents.” “The right to be let alone is indeed the beginning of all freedom,” Supreme Court Justice William O. Douglas wrote in 1952, echoing the words of Justice Louis Brandeis, who, nearly a quarter-century earlier, wrote in his dissenting opinion in Olmstead v. United States, “The right to be let alone [is] the most comprehensive of rights, and the right most valued by civilized men.”
Brandeis and his law partner, Samuel Warren, are credited with inserting modern ideas about that right into American jurisprudence when in 1890 they published a Harvard Law Review article titled “The Right to Privacy.” Inspired by a new technology—the camera—and the widespread, unauthorized dissemination of photographs taken by prying tabloid journalists, Brandeis and Warren decried the
instantaneous photographs and newspaper enterprise [that] have invaded the sacred precincts of private and domestic life…and [the] numerous mechanical devices [that] threaten to make good the prediction that “what is whispered in the closet shall be proclaimed from the house-tops.”
The law needed to respond as new technologies brought about new invasive practices, they argued, because “political, social, and economic changes entail the recognition of new rights.”
As a Supreme Court justice, Brandeis had the opportunity to pursue these ideas further a few decades later in Olmstead. In that case the new technology at issue was the telephone and the presumption of privacy it did—or did not—afford. The plaintiff, a bootlegger under surveillance by law enforcement, argued that his constitutional rights had been violated when investigators listened to his calls without a warrant. The Court’s majority did not see it that way. Since the government’s wiretaps did not entail an actual physical breach of the man’s private property, they found no injury.
In his dissent, Brandeis chided his colleagues for failing to take into account the development of new technologies unimagined by the Framers:
Time works changes, brings into existence new conditions and purposes. Therefore, a principle, to be vital, must be capable of wider application than the mischief which gave it birth. This is peculiarly true of constitutions…. The future is their care, and provision for events of good and bad tendencies of which no prophecy can be made.
But then he made a prophecy that perfectly anticipated our current, post-Snowden moment, when both the courts and the country grapple with government surveillance of e-mail, cell phones, and other electronic devices:
The progress of science in furnishing the Government with means of espionage is not likely to stop with wiretapping. Ways may someday be developed by which the Government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home.
In Habeas Data, Farivar illustrates how this “someday” is now here, as he examines the privacy issues arising from such relatively new technologies as license plate readers, security cameras, drones, stingrays (devices that mimic cell phone towers in order to intercept calls), stingrays mounted on drones, Doppler radar, facial recognition, and persistent surveillance systems—cameras mounted on airplanes that can see and record what’s happening on the ground. The stories he tells, often about how these technologies are used by the government to spy on its citizens, are all the more chastening because, for the most part, they are legal. The problem, as Farivar points out, is that “absent a department policy or state law specifically forbidding a particular practice or regulating a particular technology, law enforcement will always push the limits until they are told to stop.”
The deployment of new technologies frequently precedes their regulation, or even the public’s knowledge that such technologies exist or are being used. All too often, by the time these practices are challenged in the courts or addressed legislatively, the specific technology at issue has been retired and replaced by something new and, very likely, more invasive. For instance, facial images of more than half the American population already reside in various government databases, collected from such benign activities as renewing a driver’s license or reentering the country from a trip abroad, but now Axon, the nation’s largest supplier of police body cams, has just announced that it is considering adding facial recognition to its cameras. Facial recognition software, which is powered by artificial intelligence, is notoriously unreliable in identifying people with dark skin. Even so, at least one company is adding an “ethnicity detection” algorithm to its facial recognition software.
The Department of Homeland Security (DHS) is taking this further, according to the Electronic Frontier Foundation, by using
mobile biometric devices that can identify faces and capture face data in the field, allowing its ICE (immigration) and CBP (customs) officers to scan everyone with whom they come into contact, whether or not those people are suspected of any criminal activity or an immigration violation.
These will be part of a new, comprehensive DHS database that will include, in addition to facial images (supplied by, among others, airline companies), fingerprints, iris scans, DNA data, descriptions of physical anomalies (scars, tattoos), and maps of individuals’ affiliations and relationships culled from social media. The DHS will share this database with local and state law enforcement departments, other federal agencies, and certain foreign governments.
An argument could be made that a different once-novel technology—the birth control pill—was at the root of the other major privacy issue that bedevils both the courts and society: abortion. In 1965, five years after the Pill was approved by the FDA, a case was brought before the Supreme Court challenging a Connecticut law that banned the use of contraceptives by married couples, setting in motion developments that led to the Court’s Roe v. Wade decision legalizing abortion eight years later. At issue in the 1965 case, Griswold v. Connecticut, was the most basic measure of privacy, the one identified by the authors of the Fourth Amendment: the right to be let alone, free from government interference in one’s home. “Would we allow the police to search the sacred precincts of marital bedrooms for telltale signs of the use of contraceptives?” Supreme Court Justice William O. Douglas wrote, striking down the Connecticut law. “The very idea is repulsive to the notions of privacy surrounding the marital relationship.” Marriage, Douglas said, compelled a “right of privacy that was older than the Bill of Rights—older than our political parties, older than our school system.” And while the privacy right the Court was asserting in Griswold pertained specifically to the legal union of a woman and a man, and would not be extended to unmarried couples for another seven years, other language in the decision—especially the vague yet encompassing notion that “the specific guarantees in the Bill of Rights have penumbras, formed by emanations from those guarantees that help give them life and substance”—set the course for future privacy claims going forward.
The Supreme Court issued its decision in Roe v. Wade in 1973, the same year PBS broadcast An American Family (and only a year after the Court broadly legalized contraception outside of marriage). No other decision has proved more contentious or more socially and politically fracturing. This past spring alone, Mississippi, Indiana, Iowa, and Kentucky passed laws aimed in different ways at gutting it. Since the Reagan years, and even more so now under Donald Trump and Mike Pence, overturning Roe and outlawing abortion has been an organizing principle of the Republican Party. But in 1973, when the Court issued its ruling, only two justices dissented. Writing for the majority, Justice Blackmun noted:
The Court has recognized that a right of personal privacy, or a guarantee of certain areas or zones of privacy, does exist under the Constitution…. This right of privacy, whether it be founded in the Fourteenth Amendment’s concept of personal liberty and restrictions upon state action, as we feel it is, or, as the District Court determined, in the Ninth Amendment’s reservation of rights to the people, is broad enough to encompass a woman’s decision whether or not to terminate her pregnancy. The detriment that the State would impose upon the pregnant woman by denying this choice altogether is apparent.
The privacy right established by Roe was not absolute. In the words of the Court:
The pregnant woman cannot be isolated in her privacy. She carries an embryo and, later, a fetus, if one accepts the medical definitions of the developing young in the human uterus…. The woman’s privacy is no longer sole and any right of privacy she possesses must be measured accordingly.
This, as we’ve witnessed in the intervening years, is the legal wedge that the anti-abortion movement has used to pick apart Roe.
Yet when the decision was issued, even some feminists, including Ruth Bader Ginsburg, were dismayed that the case had been argued and decided on privacy interests. To them, relying on claims of privacy enabled the Court to bypass more enduring and inclusive arguments based on sexual equality and self-determination, as well as to ignore the structural reasons poor women, especially, would face difficulties in obtaining abortion services. This became even more apparent in 1976 when Congress passed the Hyde Amendment, blocking federal Medicaid funding of abortions (except in cases of rape or incest, or if the woman’s life is endangered by the pregnancy).
Nonetheless, many feminists and feminist organizations like the National Organization of Women, Planned Parenthood (which had been the plaintiff in Griswold), and NARAL supported the privacy argument. In the estimation of the legal scholar Mary Ziegler, they then reinterpreted it, claiming that Roe conferred upon women a right “to choose” and a “right to control her own body,” though these constructions do not appear in the decision itself. “To some extent, the connection between freedom of choice and privacy was implicit in the Roe decision,” Ziegler writes in Beyond Abortion: Roe v. Wade and the Battle for Privacy:
But activists also took raw material from the Roe decision to make something new. Advocates described abortion as a right to choose and a right to control one’s own body partly because they believed that these terms captured the true meaning of the Constitution.
It wasn’t only abortion advocates who found Roe’s privacy language both elastic and useful. Ziegler cites example after example of groups that adapted Roe for causes far removed from terminating a pregnancy. These included those advocating the right to die, the right to use unproven medications, and the right to refuse medical treatment, including mental health services. Underlying all of these was an interpretation of Roe that found that the right to privacy—a right that has been shown to be both pliable and capacious—included the right to control one’s own body.
These post-Roe movements occurred at a time of heightened public awareness—and wariness—of government intrusions into people’s lives. COINTELPRO, the FBI’s covert surveillance of domestic political figures and groups, had been exposed in 1971. The Watergate break-in happened the following year. Two years later, Congress passed the Privacy Act of 1974, which, despite its many exemptions, was intended to give people the right to know what information was contained in their government records and the ability to amend them when they were incorrect, and prohibited federal agencies from sharing their records without citizens’ consent. According to a Justice Department statement explaining the provenance of the law, the Privacy Act came out of a Congress eager to curb
the illegal surveillance and investigation of individuals by federal agencies that had been exposed during the Watergate scandal. It was also concerned with potential abuses presented by the government’s increasing use of computers to store and retrieve personal data by means of a universal identifier—such as an individual’s social security number.
The Social Security number had been looked on with suspicion as soon as the Social Security Act was signed by Franklin Roosevelt in 1935. Here was the state collecting personal information (religious affiliation, marital status) on ordinary citizens: What might it do with that information, and what might others (like employers) do with it? Despite assurances from the Social Security Board that these records would be closely held, and despite the Board at first keeping them out of reach of the police, federal agents, and others who would find them of use to their investigations, its position weakened during the war, opening up a Pandora’s box of information—not only for the military looking for deserters, but police searching for escaped convicts, the FBI tracking down suspects, the IRS pursuing tax cheats, and investigators hunting Nazi war criminals. (This, as we’ve seen, is a pattern during times of heightened national security—after September 11, the government’s surveillance of citizens increased under the Patriot Act.)
The administrative state was just getting started. In the postwar period, computerization and centralized record-keeping became the norm, and with them came reawakened public recognition of the potential for and dangers of what the late Columbia professor Alan Westin, in his book Privacy and Freedom (1967), called “data surveillance.” When the Social Science Research Council and the Bureau of the Budget proposed combining the records of the Internal Revenue Service, the Census Bureau, the Social Security Administration, the Federal Reserve, the Bureau of Labor Statistics, and a slew of other federal agencies, the proposal was met with fierce public resistance. There was a growing sense, as Sarah Igo suggests, that the government knew its citizens better than they knew themselves.
But it wasn’t just the government. As advertisers turned to psychologically determined market research and employers relied on obscure personality tests, people became aware of the ways in which businesses had begun to encroach on something more intimate than even the bedroom: their minds. In Igo’s estimation:
Whether old like wiretapping or frighteningly new like subliminal advertising, the techniques of invasion appeared to be escalating in citizens’ daily lives. The threat came not from one particular direction but from every corner of American society.
Those threats have escalated and multiplied, especially now that cloud storage and artificial intelligence have enabled the collection and analysis of vast amounts of data. The DHS alone, for example, has fingerprint information on 220 million individuals and processes 350,000 fingerprint transactions a day. The NSA has been hoovering up data as well. In May, when the office of the director of national intelligence released its annual transparency report for 2017, it revealed that the number of Americans targeted for surveillance under section 702 of the Foreign Intelligence Surveillance Act of 1978, which allows the warrantless surveillance of digital communications, had tripled in the past year. Among other things, last year the NSA collected the metadata from 534 million phone calls and text messages.
As we learned—yet again—from the Cambridge Analytica scandal, privacy is also imperiled by the companies that have built their businesses by gathering, trading, and selling personal data. In May, just two months after Facebook apologized for the unauthorized appropriation of at least 87 million user profiles by Cambridge Analytica and explained that its policies regarding data-sharing with third parties had changed in 2014 (so that users and their friends were now safe from that kind of violation), the company admitted that it had allowed at least two hundred other apps access to its users’ data without their knowledge. Then it turned out that the company was also sharing users’ personal information with Apple, Microsoft, Amazon, and nearly sixty other device makers, even when users had denied Facebook permission to share this information with third parties. One of these, the Chinese telecommunications company Huawei, is considered by US intelligence to be a security threat.
Around the same time, Facebook transferred 1.5 billion user profiles from its international headquarters in Ireland to its American offices in California. This was a few weeks before the European Union’s General Data Protection Regulation (GDPR) was to go into effect, enabling the company to follow (in the words of Mark Zuckerberg) the “spirit” of the GDPR for those users, while sidestepping the strict mandates of what has been called “the most profound privacy law of our generation.” It also allows the company to avoid, for the most part, the considerable fines levied on firms that do not comply with the GDPR.
Facebook is not alone in trying to bypass strict privacy regulations. Recently, Google’s parent company, Alphabet, mounted a campaign to neuter what is considered to be “the most rigorous consumer privacy statute in the country,” the Illinois Biometric Information Privacy Act, which allows consumers to sue companies that use their biometric data without their consent. And Google itself, which in 2017 promised no longer to read users’ e-mail, in fact still allows third parties to read users’ e-mail. Add to all these incursions one more: it has recently been discovered that US cell phone carriers have been supplying customers’ real-time location data to a company called LocationSmart that, in turn, has been selling it to other obscure and sometimes shady companies. One of them, Securus, enables its customers to track anyone who carries a mobile device, anywhere, at any time, and without a warrant.
Money trumps privacy, not because consumers want that, but because in this new world of “surveillance capitalism” riches are to be had by luring people to use “free” and intentionally addictive products and then, with their consent or not, sucking up every possible bit of information about them. In Privacy’s Blueprint, Woodrow Hartzog suggests that companies might be required to take “privacy values” into account and build them into the designs of their products. This, in fact, is one of the mandates of the GDPR, a law that does not extend to the United States or other non-EU countries. Considering the prevarications of Facebook, for example, as it continually diminished users’ privacy over the years while claiming to protect it through obscure “privacy policies” that gave the company new ways to monetize people’s personal information, one wonders how feasible this is. We cannot rely on lawmakers to adjudicate these matters. In the words of Senator Mark Warner, “If you leave us to do this on our own, we’re gonna mess it up.” Yet the House of Representatives voted once again not to fund the Office of Technology Assessment, the bipartisan agency that provides assistance and advice on technical matters.
In 2016, the TRUSTe/National Cyber Security Alliance Consumer Privacy Index found that 92 percent of US Internet users were concerned about their online privacy, and that “worries over online privacy topped the loss of personal income by 11 percentage points.” This suggests that Mark Zuckerberg’s statement from 2010 may have been prescient in a way, though not in the way he would have liked: the social norms of privacy are changing as the known citizen becomes more knowing.
A survey recently published in The Atlantic found that “78.8 percent of people said they were ‘very’ or ‘somewhat’ concerned about the privacy of their information on social media, and 82.2 percent said they self-censor on social media.” This spring, Vermont passed legislation to regulate data brokers. In June, California passed the California Consumer Privacy Act, giving its residents the right to be informed about the kinds of personal information companies have collected about them, as well as the right to request that their personal information be deleted. Also in June, Colorado passed a tough data security law; as of September, Colorado-based companies will be required to, among other things, dispose of certain kinds of personal identifying information. Overall, two thirds of Americans are now eager to see stricter privacy laws. These may be—to borrow Justice Douglas’s word—emanations of things to come.