Privacy In The Digital Age - Searching For An Answer To A Changing Question

Introduction

Privacy is the number one issue facing every entity and individual currently involved with or using information technologies. Whether it is an individual consumer, e-business or government agency or legislator, when it comes to the use of the Internet and related computer technology, everyone is to some degree concerned about their and other parties' "privacy" rights. As a general matter, most everyone would agree that "privacy" is an important principle worthy of certain practical, if not legal, protections. Given the speed and ease with which modern information technologies can aggregate, analyze and disseminate all or portions of "personal information," many have come to fear the "digital age" and what it means to their personal lives. Therefore, in the name of "privacy" they seek to limit or prohibit the collection and/or use of such information. However, upon close examination it becomes clear that "privacy" in the digital world does not mean the same thing to everyone. The precise meaning of "privacy" and the steps needed to protect it can vary greatly from circumstance to circumstance. For instance, the information and relationships involved in the health care field on one hand and consumer e-commerce on the other differ significantly and therefore, the meaning of "privacy" and the measures that should be taken to protect it are quite different.

Understanding these types of differences is critically important for software developers, system integrators, their customers and the industry watchdogs and governmental regulators seeking to ensure the "privacy" of targeted parties. These key players will not be in a position to properly design, implement, use or regulate information technology systems without a full appreciation for the distinctions arising in different market sectors.

The purpose of this paper is to identify certain general "privacy themes" appearing in major market sectors and highlight the differences and the need for tailored legal and practical protections. Given the great variety of personal "privacy" expectations and the competing legal interests at issue, it is clear there is no one consistent theme and no one appropriate solution. In the end, the only consistent "privacy principle" might be the overarching need for a thorough evaluation and understanding of the computer systems to be used and the information handled in each market setting in order to tailor legitimate "privacy" protections for the system's users. This principle should be applied to the practical, technical side of the equation as well as the legal or policy side.

Privacy: A Variety Of Meanings

Webster's New World Dictionary defines "privacy" as "the condition of being private" or "secrecy." It goes on to define "private" as "removed from public view;" "secluded."

As this definition makes clear, the context will drive the proper meaning of the word "privacy" and the relative expectations of the parties involved in a particular transaction. What is "secret" or "secluded from public view" can vary depending upon how the information is to be exchanged, stored, repurposed, analyzed and/or further disseminated by use of computer technologies. The scope of the term "public" may also vary significantly depending on who is speaking. Having information "secluded" begs the question of "from whom?" Is the information stored and disseminated through a computer network with five hundred users within one company "secluded from public view?" How about five users spread across a wide area network or secure extranet shared by three companies? What if the information is not directly linked to an immediately identifiable individual? What if the individual has granted permission for the five users to access and review the information but the companies' network is not secure and any one of hundreds of users would get the information with a little effort? Without sensitivity to such variables "privacy" advocates will likely miss their intended target. Moreover, technology service providers and their users will likely fail to properly allocate and manage their risks during the contracting phase.

Security Does Not Ensure Privacy

It is important to understand that computer network security is not the same as and does not ensure the "privacy" of sensitive information stored or communicated within that particular network. While a firewall or "secure socket layer" may protect electronically stored or transmitted information from misappropriation or interception by an unintended third party, it does not completely address the ultimate use of the information by these information-based service providers and their affiliates. Many individuals sit behind a firewall and many may have access to the system and stored information. Privacy policies need to consider such realities.

Individual Privacy Concerns

Every individual has a different level of desire or expectation for privacy. Some...