Return to D Post home page

Privacy, Property, Cyberspace

David G. Post

American Lawyer, "Plugging In," November 1997

Feel free to redistribute this column, but please retain author attribution if you do so. If you are not on the mailing list to receive this column and would like to be, send a message "Subscribe" to

The problem of protecting personal privacy against the threats posed by the new communications technologies is ascending rapidly on the Zeitgeist scale. A Time magazine cover story on electronic eavesdropping, a New York Times front-page story on the emergence of a new multi-billion dollar business in Internet-based intelligence gathering, even the extensive press coverage of the paparazzi's role in Princess Diana's death -- are have at their core some very real, very difficult, and very pressing problems of defining a scope for "private" activity in a world where the public-private dividing line is increasingly blurred, and where information about one's "personal" activities can be collected, processed, and disseminated at staggeringly low cost and at staggeringly high speed.

Travelers in cyberspace are certainly subject to a rather fearsome array of devices that appear to constitute a serious threat to what Justice Brandeis called, over 100 years ago, the right most valued by a free people, the "right to be left alone." An electronic record of virtually every move you make in cyberspace -- the websites you visit and the amount of time you spent at each, the recipients of your email messages -- can be captured and stored on your own computer, your central office LAN server, or your Internet Service Provider's computers (or all three). At the same time, each website you visit can, if it chooses, store a record of your visit there, and each of them can reciprocate by depositing a small string of text -- what the techies call a "cookie" -- on your hard disk, noting when you visited the website and what you looked at. (If you're interested, take a look at the file named "cookies.txt" in the directory that contains your Internet browser). This allows the site to identify you the next time you visit and, perhaps, to serve up a particular advertisement tailored to what it thinks you would be most interested in.

These little electronic breadcrumbs that travelers deposit as they move from one site to another are entirely innocuous standing alone; how significant is it really that has stored information about my search yesterday for books on 18th century political theory? As we conduct more and more of our business and personal activities via electronic media -- purchasing goods and services through the World Wide Web, communicating with business associates, friends, and colleagues via electronic mail, etc. -- increasing amounts of this kind of personal information are available in electronic form. With the help of high speed network connections among all the sites where these breadcrumbs may have been dropped, and sophisticated database processing software, this information can converted into permanent records that, when combined with innumerable other such records, form a detailed profile of who we are -- the persons or organizations to whom we send messages, the discussion groups in which we participate, the sites on the Internet that we have visited (and the amount of time we spent at each), the goods we have ordered (and those we have looked at and chosen not to order), and the like.

Information, in short, takes on a qualitatively different meaning when it can be cheaply and easily aggregated together (as a new generation of direct marketers and intelligence gatherers is discovering). The public instinctively recognizes how potentially intrusive these new capabilities may be -- witness the outcry when the Social Security Administration announced that it would provide Internet access to its database containing information on each individual's social security account, information, incidentally, already accessible by telephone. Public opinion polls convincingly show that there is substantial public concern about these perceived attacks on personal privacy. The question is: how can -- and how should -- the law respond?

That, of course, turns out to be a complicated question. At present, in the U.S. at least, while government use of personal information is subject to a fairly wide range of constitutional and statutory restrictions, we have few legal tools to control the private use or dissemination of personal information. A few federal statutes prohibiting the disclosure of particular kinds of personal information -- the Fair Credit Reporting Act of 1970 (credit records), the Video Privacy Protection Act of 1988 (the "Bork" bill dealing with video rental records), the Family Education Rights and Privacy Act of 1974 (educational records), the Employee Polygraph Protection Act of 1988 (employee polygraph records), and the like -- and some ill-defined common law torts for "invasion of privacy" covering only the most egregious and outrageous conduct. Nothing, that is, that prevents the routine, and unspectacular, compilation of a detailed dossier on my activities and the offer to sell that information to the highest bidder, no overarching framework for the treatment of personal transactional records.

Not surprisingly, this status quo is being aggressively challenged by those who seek to build a firmer legal wall of informational privacy around individuals. In accordance with Post's Second Law -- all policy choices in an age of binary information are themselves binary -- two very dissimilar approaches to this problem have been placed on the table. One is direct, involving increasing the statutory prohibitions on the publication or dissemination of a much broader range of personal information than is covered by existing statutory regimes. Prof. Cass Sunstein of the University of Chicago, for example, has recently suggested that State governments should seize the moment to experiment with laws to "restrict speech in the interest of protecting privacy" ("Reinforce the Walls of Privacy," New York Times, Sept. 6, 1997), prohibiting, say, publication of photographs of "famous" persons taken without permission, or information that is personally "humiliating" to the subject.

This approach is, to put it mildly, a First Amendment minefield. Even Sunstein acknowledges that it will require States to draw lines between "bad speech" -- those nasty paparazzi, with their focus on the "personal joys and tragedies of famous people" -- and "good speech" like "the famous photographs of Gary Hart with Donna Rice."

In some recent law review articles and even in court(see the pleadings in Avrahami v. US News & World Report, available at, a number of privacy advocates have argued for a different approach to the personal information problem: Instead of trying to determine in advance what information can or cannot be collected or disseminated, the law should recognize and give individuals a property right in personal information about themselves. This approach is appealing, in that it appears to be more closely aligned with the kind of market-oriented and decentralized scheme that the architecture of the Internet itself, not to mention everyone from the authors of the Clinton Administration's "Framework for Electronic Commerce" to the libertarians who dominate Net culture, seem to favor. A property right in personal information will facilitate the development of a kind of "privacy market"; anyone who wants to collect and use information about where I've been and when I've been there will have to obtain my authorization to do so, and I get to set the price that direct marketers or others need to pay to get access to this information.

Appealing, but not entirely free of problems of its own. As lawyer and commentator Peter Huber has pointed out, there is no small irony in this proposal. Many of those calling for expanding the role of property rights in personal information are those who (correctly, in my view) have sounded the alarm about proposals to expand copyright protection in cyberspace, on the ground that treating creative expression as personal property will do serious and lasting damage to the free flow of information in cyberspace. (See Copyright and Free Expression: Battle or Dance? (January 1996) and 'Clarifying' the Law of Cyberspace (April 1996)). It is not difficult to level precisely the same charge against the privacy proposals, that giving me the right to stop dissemination of information about where I've been and what I've done on the Internet will have similar implications for freedom of expression and debate.

Indeed, I would go so far as to suggest that the "privacy problem" and the "copyright problem" are really one and the same. Computer technology doesn't distinguish between "personal" information and "expressive" information; in the words of my favorite bumper sticker, "Relax -- on the Net, it's all just 1s and 0s." And in both cases, the technology itself will move much faster than the law in providing people with control over both forms of information. The cookie problem, for example, which many of you may not even have been aware of until reading this column, has already been largely solved; both of the commercially available Internet browsers (Netscape Navigator and Microsoft Internet Explorer) allow users to set a switch that informs them every time a website tries to send a cookie to the user's machine, and allows them, if they choose, to avoid any such sites entirely. Similarly, tools for encrypting information and "anonymizing" transactions (stripping away all identifying information) are already widely available to those with the technical skills to utilize them; as these privacy issues get a higher public profile, these tools will undoubtedly become more widely available to average users like you and me. All of which may render the debate about the necessity of providing property rights much less important. After all, if we could easily and cheaply build perfect fences around our property -- not just a "Keep Out" sign but an impenetrable 12-foot high electric fence with junkyard dogs behind -- then we wouldn't really need legally-enforceable property rights at all. And cyberspace suddenly makes the possibility of constructing such perfect fences in cyberspace -- zero you're in, one you're out -- a very real one.