Do You Have a Right to Privacy Online?
Only if you really want it
1. Brandeis & Warren
In the fourth-ever volume of the Harvard Law Review, published in 1890, Louis Brandeis and Samuel Warren penned an article titled “The Right to Privacy.”
In it, they appealed to the long-run evolution of law—from protection of the merely physical to protection of our spiritual rights:
Gradually the scope of these legal rights broadened; and now the right to life has come to mean the right to enjoy life,— the right to be let alone; the right to liberty secures the exercise of extensive civil privileges; and the term “property” has grown to comprise every form of possession — intangible, as well as tangible.1
They argued that a natural next extension presented itself: instead of only protecting against libelous speech—which was physically, materially harmful—the law should also protect against spiritually-harmful gossip:
The press is overstepping in every direction the obvious bounds of propriety and of decency. Gossip is no longer the resource of the idle and of the vicious, but has become a trade, which is pursued with industry as well as effrontery. […] The intensity and complexity of life, attendant upon advancing civilization, have rendered necessary some retreat from the world, and man, under the refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury. […] Even gossip apparently harmless, when widely and persistently circulated, is potent for evil. It both belittles and perverts.2
But Brandeis & Warren never really explain what kind of gossip-specific “evil” exists—as Harry Kalven Jr. put it in a 1966 rebuttal:
One may perhaps wonder if the tort is not an anachronism, a nineteenth century response to the mass press which is hardly in keeping with the more robust tastes or mores of today. More surprising is the fact that the article reads so much like a brief and rests on an incomplete argument. […] There can be no objection to the tactic of locating a broader principle behind the protection of intellectual, artistic, and literary property at common law. The difficulty goes rather to the selectivity with which this is done. Even in 1890 it must have been abundantly clear that the common law had a highly cautious and ambivalent set of reactions toward giving protection against dignitary and emotional harms.3
In other words: we shouldn’t be coming up with new laws on the basis of “it really hurts my feelings when [x] does [y].” Brandeis & Warren were proving too much—Kalven clarifies just how silly their argument really was:
Alcorn v. Mitchell, for an easy example, was on the books in Illinois when Warren and Brandeis wrote. It was a supreme instance of an offensive battery, the defendant having spat upon the plaintiff in the courtroom. Judgment for a thousand dollars was affirmed. It is transparent that it was the offensiveness, the indignity, and not the physical battery that infuriated the plaintiff, the jury, and the judge. Yet one might have argued, using the Warren and Brandeis logic, that the principle underlying the case supports recognition of insults and indignities as torts, regardless of whether they are accompanied by a technical battery.4
Of course, it’s crazy to say that there should be a specific legal punishment for public insult (so long as it isn’t libelous)—similarly, why should there be punishment for public, “apparently harmless” gossip?
And, more relevantly to today, why should we think major internet companies do anything wrong when they collect our search history and personal data, in order to sell to advertisers? If they don’t even make our personal information public, what kind of right is being violated?
2. The Vibes Point to Privacy, But Only Barely
At this point, the legal ground for specific privacy rights is pretty shaky. So philosophers have stepped in—among the foremost, Judith J. Thomson, who wrote a 1975 article also called “The Right to Privacy.”
She writes that while everyone pretty much agrees there is a right to privacy, we mostly struggle to describe exactly what it consists of:
Consider, for example, the familiar proposal [advanced by Brandeis & Warren] that the right to privacy is the right "to be let alone." On the one hand, this doesn't seem to take in enough. The police might say, “We grant we used a special X-ray device on Smith, so as to be able to watch him through the walls of his house; we grant we trained an amplifying device on him so as to be able to hear everything he said; but we let him strictly alone: we didn't touch him, we didn't even go near him—our devices operate at a distance.” Anyone who believes there is a right to privacy would presumably believe that it has been violated in Smith's case; yet he would be hard put to explain precisely how, if the right to privacy is the right to be let alone.5
Clearly we need some more specific way to pick out when our privacy’s been violated. Thomson proposes a pair of test cases:
Imagine you and your spouse are loudly arguing with the windows wide open, and some passerby hears and stops to listen for a moment. Intuitively, your right to privacy hasn’t been violated, and so any theory we advance should exclude this case.
Imagine you’re still arguing, but quietly and with the windows closed. A neighbor trains an amplifying device at your house, and eavesdrops on the conversation anyway. In this case, it’s clear that your right to privacy has been violated.
How to include (2) and exclude (1)? Thomson proposes that a privacy right to do with argumentation is downstream of regular old ownership rights: if I own a really awesome CD, and for whatever reason I don’t want you to listen to it, I have a right to keep you from playing it. But if I left my CD out in such a way that you’d have no idea I or anyone else owned it, or I accidentally left my car’s windows rolled down with the CD playing, then I’d’ve waived my right to keep you from listening.
Similarly in the case of the voice which I own: generally speaking, I have a right to keep you from hearing my voice—but if I start talking loudly within earshot, clearly I’ve waived that right, even if only accidentally.6
But this isn’t really the kind of privacy that Brandeis & Warren were concerned with: what about my right to control what other people know about me?
At the most basic level, Thomson notes, there’s clearly nothing wrong with knowing things about other people—instead, information-privacy rights have to do with the process by which we come to know and spread those things: She writes, “we have a right that certain steps shall not be taken to find out facts, and we have a right that certain uses shall not be made of facts.”7
For example:
If we use an X-ray device to look at a man in order to get personal information about him, then we violate his right to privacy. Indeed, we violate his right to privacy whether the information we want is personal or impersonal. We might be spying on him in order to find out what he does all alone in his kitchen at midnight; or we might be spying on him in order to find out how to make puff pastry, which we already know he does in the kitchen all alone at midnight; either way his right to privacy.8
But, once again, we need to ask where the right comes from—and it seems like this one’s just about self-ownership again! If I own a book and the book has a recipe for puff pastry, I have a right to keep you from seeing it—similarly, I have a right to keep you from watching me make puff pastry. Privacy might be a good label for this right, but it’s not what underlies—my property right is what’s fundamental.
How about publicly-shared information—gossip?
[S]uppose I find out by entirely legitimate means (e.g. from a third party who breaks no confidence in telling me) that you keep a pornographic picture in your wall-safe; and suppose that, though I know it will cause you distress, I print the information in a box on the front page of my newspaper, thinking it newsworthy: Professor Jones of State U. Keeps Pornographic Picture in Wall-Safe! Do I violate your right to privacy? [… In fact,] what is violated here is the right to not be caused distress by the publication of personal information, which is one of the rights which the right to privacy consists in, and one of the rights which the right to not be caused distress consists in. Distress, after all, is the heart of the wrong (if there is a wrong in such a case): a man who positively wants personal information about himself printed in newspapers, and therefore makes plain he wants it printed, is plainly not wronged when newspapers cater to his want.9
In other words: gossip is bad and harmful insofar as it’s bad and harmful! There’s no special magical evil to it—if you’re distressed by a story about you in the paper, then that story is wrong because it distressed you—not strictly because it’s about you.
Thomson caveats, though, that we shouldn’t care so much about the right not to be distressed in cases like these:
[E]ven if there is a right to not be caused distress by the publication of personal information, it is mostly, if not always, overridden by what seems to me a more stringent right, namely the public's right to a press which prints any and all information, personal or impersonal, which it deems newsworthy.10
3. Privacy in the Age of Information
Judith Thomson was writing in 1975. Lots has changed since then, and it’s probably good to think about how her ideas stand up in more contemporary privacy-invasion cases.
Here’s one, lightly paraphrased from my Ethics Bowl Case Studies set:
Some cars are very smart now. They can tell where you’re driving them and also how you’re driving them—how fast you’re going, how safe you’re being, and so on. Recently, car companies started selling this data to insurance companies so they could adjust your insurance based on how well you, in particular, drive. Customers got mad about this apparent invasion of their privacy—technically they’d agreed to it, but any mention of it was buried deep in a 600-page contract that no one ever actually reads.
Are the car companies doing something wrong? Do the customers have a right to be upset?
Applying Thomson’s methods, we can notice that, while the customer concerns are privacy-valenced, “the heart of the wrong” really has more to do with being made to pay higher insurance premiums.
And is there anything really wrong with that? Presumably there’s a much stronger public right to have the number of deadly car crashes reduced—higher insurance premiums for dangerous drivers seem extremely justified to that end. There’s also the question of whether driving is even a private activity—we can imagine an altered, but ultimately isomorphic case where an unsafe driver of an old, dumb car careens around a corner at high speed, nearly running over his insurance adjuster, who promptly goes to the office and increases his premiums. Clearly the driver’s rights aren’t violated in such a scenario!
When I made this argument at a local ACX meetup the other day, someone presented a more challenging case:
These smart cars can probably also tell when you’re… kissing vigorously inside them. Imagine you and your partner drive out into the middle of nowhere, trying to make sure no one will see you, and then do lots of vigorous and consensual kissing in your car. The car detects this and the company sells the information to your insurance adjuster, who figures that a kisser as vigorous as you is probably a pretty unsafe driver, and increases your premiums. Surely, this must be a violation of your right to privacy!
My answer at the time was mumbly and unconvincing, but now I think: yes! Your rights have been violated! You took specific precautions to make your act a private one, but it was still detected and shared without your knowledge. Of course, again, “the heart of the wrong” probably doesn’t have much to do with privacy—you and your partner have a right not to share a view (or detection, generally) of whatever it is you’re doing (akin to the right you’d have not to show me a videotape you owned depicting something similar), and you also have some kind of right not to be harmed by an insurance rate-increase.
The question then, is this: when we go online, are we engaging in activities more like reckless driving, or more like carefully-planned vigorous-kissing?
4. End the Cult of Privacy
I think the answer largely depends on the person. While it’s not exceptionally easy to find good, secretive alternatives to prying-eyes like Google’s or Microsoft’s it’s also nowhere near impossible: when I cared more about my search history, I used DuckDuckGo happily! When I started to care more about my email security, I began to use Proton Mail. If you care to close the windows to your online house, or to drive your online car out to the middle of nowhere, it’s not very hard to do so!
And yet, many of us don’t: we use Google because it’s easier than making the three or four clicks to switch to a more private option. To me, this is revealed preference more than anything: if we cared more about our right to privacy than the privilege of maximal convenience, we’d act like it!
There are probably two good arguments to make against this view:
I didn’t choose to use Google, my job did!
Google is a Big Bad Monopoly, and we should trust-bust their butts up. As it is, no one’s actually truly freely consenting to Google’s data-harvesting.
But both of these responses neglect the role of markets as preference-aggregators: if enough employees and businesses cared enough, there’d be plenty of employees holding out for an office job sans GSuite, or businesses using alternatives. Similarly, if enough customers hated Google’s practices enough, it wouldn’t be such a successful company! Bryan Caplan has argued forcefully that antitrust doesn’t make much sense in general—Google won because customers liked it more than they disliked its privacy policies.
None of this is to say that privacy can’t or doesn’t exist anymore—extremely successful companies like Apple have made it a central motivating principle, and it’s still bad to doxx people without reason. On the internet, if anything, the public’s interest has been diluted, and we should give lots more credence to people who say “sharing my personal information widely will cause me tons of distress.”
But for the vast majority of us, it just doesn’t matter. I’ve mostly come around to this view: I write under my name, and I use Google products. If this ever causes me any distress, I don’t think I’ll blame myself for lacking privacy—I’ll blame the people who are violating my right not to be distressed!
A question that’s often puzzled legal scholars is that of why Brandeis & Warren would write such a strange and angry article. A leading theory is that Warren had married into a high-profile family, found his name in the papers a lot, and really didn’t like it. So he figured, naturally, that gossipy journalists were evil, belittling perverts, and had to be stopped at any cost.
This was clearly a crazy and maladaptive response, and yet it’s shaped most American jurisprudence and philosophy of privacy since. We should take a marginally more enlightened, marginally thin-skinned view: “privacy” describes a wide array of only slightly-related rights. Sometimes those rights are really important, and so we should protect privacy when it keeps people from being swatted or harassed—but often they’re unimportant, and willingly discarded for the convenience of asking Alexa to set a timer from across the room.
And still, tech companies conceal the extent of the data they’re collecting because they fear consumer backlash, and then government passes laws forcing them to share more information, and then the consumers never actually do a backlash. Populists have extracted billions from big tech companies who are too afraid to be upfront with the public about all the data they collect—when, really, no one cares. Simply for the privilege of not switching cloud storage, most Google Photos users would probably happily consent to some degree of facial-recognition data collection (e.g., to be sold to AI researchers). No one ever reads the EULA—not just because it’s long, but because they don’t care what it says.
For the special, Warren-esque snowflakes among us, DuckDuckGo and Proton are great options. And for the vast majority who don’t care, Google does great work. It’s fine for them to sell away their privacy if they want to—it’s really not so important a right.
Warren, S. D., & Brandeis, L. D. (1890). The Right to Privacy. Harvard Law Review, 4(5), 193. https://doi.org/10.2307/1321160.
Ibid. at 196.
Kalven, H. (1966). Privacy in Tort Law: Were Warren and Brandeis Wrong? Law and Contemporary Problems, 31(2), 329. https://doi.org/10.2307/1190675
Ibid. at 330.
Thomson, J. J. (1975). The Right to Privacy. Philosophy & Public Affairs, 4(4), 295. http://www.jstor.org/stable/2265075.
Thomson goes on to argue that, technically, the “right to privacy” isn’t really very fundamentally a right at all—it’s just a label we use for a cluster of rights arising from more basic ideas like ownership and non-aggression. This seems right to me, but most people still think “privacy’s” a good and useful label for the cluster, and the point of this article is to argue that when the cluster interacts with the digital world, it becomes much less useful.
Thomson, 307.
Ibid.
Ibid. at 309.
Ibid. at 310.
For me and 99% of people, the tradeoff is: companies get aggregated data about my internet browsing history that never affects me in the slightest, and I get offered useful goods and services through targeted ads, high-quality literature and journalism without paywalls, and free access to cutting-edge, integrated, personalized software on all my devices.
I'm happy VPNs and cryptocurrencies exist in case I ever need to go on the run from the Deep State, but until then, I will gladly let the whole world know that I am looking for housing in Palo Alto, especially if that means I magically receive good offers for housing in Palo Alto.
I think that, like with medical consent and various other decision situations, the way you phrase the choice An’s degree of trust make a big difference.
Also, the relative upsides and downsides for the parties involved.
The issue with various IT privacy “options” is that the ratio of the company’s upside / downside far exceeds that for the individual user. It’s this asymmetry that is distasteful (unfair) to most humans. If it wasn’t, the IT corporations wouldn’t go to such great lengths to hide it in the “600 pages of EULA”.
And if the public ends up pushing successfully for privacy-preserving laws, why couldn’t we accept that as “revealed preferences” by other means, on par with spending out of pocket for certain services which have come to be necessities by means of bait-and-switch / shady practices of the corporations?..