Theories of Privacy and Surveillance

Topic 1Graham Greenleaf

University of New South Wales

Last revised: September 2008

Questions to start with What threatens our privacy? What values justify privacy laws? What do 'privacy' and 'surveillance’

mean? Why are there sceptics on whether

laws should protect privacy? See

RG - Theories of privacy and surveillance

Threats to privacy Embarrassment ‘Past coming back to

haunt you’ Lack of security of

information Unwanted marketing Marketing manipulation Irrelevant

considerations Collection of profiles

Intrusive biometrics Repressive state control Unfair decisions on

wrong/secret info. Tracking of

movements / location Interception of

communications

Values underlying privacy? Respect for human autonomy Psychological need for privacy Conduct free from inhibiting surveillance ‘Forgiveness’ of past actions Avoidance of injustices ‘Openness’ as a democratic virtue Preventing long-term repression Enabling markets (e-commerce)

Compare RG ‘The Concept of Privacy’ - for the origins of the above

suggestions under ‘Threats to privacy’ ALRC 108 [1.39] - Roger Clarke’s suggestions HKLRC (2004) Ch 1 ‘functions of privacy’

Attempts to define 'privacy' Most liberal theorists regard privacy as a value

that should be protected by law Some distinction between public and private spheres

has been essential to liberal thought Many support legislation, not just tort But there is no agreement on a definition or on

the justification Some (eg Wacks) regard ‘privacy’ as a useless

concept for legal implementation Others (eg HKLRC) retain it as a key term

Most privacy laws do not define ‘privacy’

4 ways of defining ‘privacy’ in terms of non-interference

'the right to be let alone’ (Warren & Brandeis) In terms of degree of access to a person

Secrecy / solitude / anonymity (Gavison) In terms of information control (Westin) as"intimate" and/or "sensitive" details (Innes)

Limits scope of privacy Bygrave: all 4 are reflected in privacy laws

Bygrave: privacy laws also protect self-realisation and democracy (see later)

Deficiences of the definitions

‘degree of access’ and ‘information control’ are too broad if they apply to all disclosures, and circular if they do not (Wacks (2000)

"intimate" or "sensitive” is too narrow

Solove’s ‘bottom up’ approach See ALRC [1.62] for discussion Rejects ‘top down’ approach of starting with a

definition Starts with ‘a web of interconnected types of

disruption’ - but these are not categories Criticisms (Bruyer): without a common

denominator, remains a piecemeal approach

Defence of ‘bottom up’ approaches Compare data protection and copyright law

see RG 0 ‘IPPs as a legal concept’ You can’t define the common element in the rights that make up

copyright either, and they have grown up piecemeal Apply Wittgenstein’s Family Resemblance thesis

“… things which may be thought to be connected by one essential common feature may in fact be connected by a series of overlapping similarities, where no one feature is common to all.” (Wikipedia)

How useful is ‘privacy’ as a legal concept? If it is only shorthand for a bundle of different rights, each of those

rights may have separate justifications It may have rhetorical value even if it is a composite and

indefinable term (a ‘black box’ term)

Categories of privacy ALRC 108 [1.31] (and many others) suggest 4

main ‘related concepts’: Information privacy (or ‘data protection’)

Which can be seen as falling into 10 or more ‘UPPs’, which have a ‘family resemblance’ rather than

Bodily privacy Privacy of communications Territorial privacy

These last 3 are less well defined in law or privacy theory than is information privacy

See the Australian and Asia-Pacific Privacy Charters as examples of attempts to incorporate them

Privacy and public interests Bygrave: privacy laws also protect self-

realisation and democracy Victorian Law Reform Commission Defining

Privacy (Occasional Paper) 2002 Privacy as a group value (public sphere): ‘The

right of privacy exists because democracy must impose limits on the extent of control and direction that the state exercises over the day-to-day conduct of individual lives’ (Rubenfeld)

Question: why limit this to state control?

Wacks’ redefinition “ `Personal information' includes those facts,

communications or opinions which relate to the individual and which it would be reasonable to expect him to regard as intimate or sensitive and therefore to want to withhold, or at least to restrict their collection, use or circulation.”

This attempts to give an objective test of what is personal information

But it shifts the legal issue (‘reasonable’) to when other interests will over-ride.

Problem: ‘personal information’ is only part of what we mean by ‘privacy’

Sceptical views of privacy law See RG 2.3

Privacy as economic inefficiency Technological defeatism / dystopianism Technological counter-surveillance Technological optimists - 'PET lovers' Property right / ‘private orderings’

‘Privacy scepticism’ is often a mix of these views - it is useful to disentange them

Privacy as economic inefficiency Posner (1978):

Information privacy allows people to misrepresent their character

It is inefficient and should not be valued Less sophisticated variants

Business / government should have unfettered use if this enhances efficiency

‘the innocent have nothing to fear’ Privacy always loses out to other interests, even if

it does have some weight (common view)

Technological defeatism / dystopianism Futile to attempt to protect privacy in the face

of surveillance developments 'You have zero privacy. Get over it.’ (McNealy) Exemplified in Orwell’s 1984 (1948)

Technological counter-surveillance Maximise surveillance of all those who have control

of surveillance (David Brin) But who will win a surveillance arms race?

Movie ‘Enemy of the State’ Q: Can we accept the technique but reject the

defeatism?

Technological optimism - 'PET lovers'

Privacy-enhancing technologies (PETs) - RG11 emphasises technology, not law, as protection Encryption

Egs PGP (Pretty Good Privacy); browsing anonymisers Negative - Irrelevant to most privacy problems Positive - Focus on privacy-friendly system design Double-edged because of authentication uses

Facilitating ‘privacy markets’/consent P3P - the 'platform for privacy preferences’ How effective without legislation or property rights?

Property right approaches Samuelson (1999) identifies advantages:

Allows alienability of privacy rights, and for individuals to share in market value

Forces firms to internalise costs of interference Property right + markets will suffice Mainly a US view

Reject European ‘bureaucratic’ approach US First Amendment forces this approach Constitutionally easier to establish property rights

than to limit disclosures

Property right approaches (cont)

‘Private orderings’ Leave privacy to contracts and the market

The previous view minus the property rights Equates to no protection

just freedom of contract in the private sector Whatever legislation allows in the public sector

The most extreme view

Theorists of surveillance See RG 2.4 ‘Theorists of surveillance’

Panopticism Foucault's influence

Sociological analysis James Rule's analysis

The techniques of `Dataveillance' Roger Clarke's analysis

Michel Foucault - Panopticism Panopticism - Bentham’s prison Foucault’s ‘panopticism’: the general principle

of a new relationship of power - ‘discipline’, a ‘technology of power’.

Spread of the panoptic approach through other social institutions results in ‘measures of normality’ which are largely outside the legal system

Compare panopticism and data surveillance

James Rule - Sociology of surveillance Rule treats as neutral terms:

‘Surveillance’ as ‘the systematic collection and monitoring of personal data, for the purpose of social control’

‘Social control’ as ‘any means of influence [to] render other people's behaviour more predictable and more acceptable;

Best early analysis of the techniques information systems offer for social control

Eg 3 methods of enforcement - (I) exclusion; (ii) adjusting benefit to risk; (iii) active coercion

Expectations of ‘appropriate’ treatment based on past history equates to an internalisation of surveillance

`Efficiency criteria' - do privacy laws control surveillance? Eg application to IPPs (Greenleaf)

Roger Clarke - Dataveillance distinction between Personal v Mass data

surveillance analysis of techniques of data surveillance

Personal: record integration; front-end verification; front-end audit; cross-system enforcement

Mass: routine screening; file analysis; profiling Facilitated by data matching, data concentration

Adds precision to the discussion of data surveillance law and privacy law responses