Last week, I stayed at the St. Regis hotel in Washington, DC. It was
my first visit, and the management gave me a questionnaire, asking me
things like my birthday, my spouse's name and birthday, my anniversary,
and my favorite fruits, drinks, and sweets. The purpose was clear; the
hotel wanted to be able to offer me a more personalized service the
next time I visited. And it was a purpose I agreed with; I wanted more
personalized service. But I was very uneasy about filling out the form.
It wasn't that the information was particularly private. I make no
secret of my birthday, or anniversary, or food preferences. Much of
that information is even floating around the Web somewhere. Secrecy
wasn't the issue.
The issue was control. In the United States, information about a
person is owned by the person who collects it, not by the person it is
about. There are specific exceptions in the law, but they're few and
far between. There are no broad data protection laws, as you find in
the European Union. There are no Privacy Commissioners, as you find in
Canada. Privacy law in the United States is largely about secrecy: if
the information is not secret, there's little you can do to control its
As a result, enormous databases exist that are filled with personal
information. These databases are owned by marketing firms, credit
bureaus, and the government. Amazon knows what books we buy. Our
supermarket knows what foods we eat. Credit card companies know quite a
lot about our purchasing habits. Credit bureaus know about our
financial history, and what they don't know is contained in bank
records. Health insurance records contain details about our health and
well-being. Government records contain our Social Security numbers,
birthdates, addresses, mother's maiden names, and a host of other
things. Many driver's license records contain digital pictures.
All of this data is being combined, indexed, and correlated. And
it's being used for all sorts of things. Targeted marketing campaigns
are just the tip of the iceberg. This information is used by potential
employers to judge our suitability as employees, by potential landlords
to determine our suitability as renters, and by the government to
determine our likelihood of being a terrorist.
Some stores are beginning to use our data to determine whether we
are desirable customers or not. If customers take advantage of too many
discount offers or make too many returns, they may be profiled as bad
customers and be treated differently from the good customers.
And with alarming frequency, our data is being abused by identity
thieves. The businesses that gather our data don't care much about
keeping it secure. So identity theft is a problem where those who
suffer from it — the individuals — are not in a position to improve
security, and those who are in a position to improve security don't
suffer from the problem.
The issue here is not about secrecy, it's about control. The issue
is that both government and commercial organizations are building
“digital dossiers” about us, and that these dossiers are being used to
judge and categorize us through some secret process.
A new book by George Washington University Law Professor Daniel
Solove examines the problem of the growing accumulation of personal
information in enormous databases. The book is called The Digital Person: Technology and Privacy in the Information Age, and it is a fascinating read.
Solove's book explores this problem from a legal perspective,
explaining what the problem is, how current U.S. law fails to deal with
it, and what we should do to protect privacy today. It's an unusually
perceptive discussion of one of the most
vexing problems of the digital age — our loss of control over our
personal information. It's a fascinating journey into the almost
surreal ways personal information is hoarded, used, and abused in the
Solove argues that our common conceptualization of the privacy
problem as Big Brother — some faceless organization knowing our most
intimate secrets — is only one facet of the issue. A better metaphor
can be found in Franz Kafka's The Trial. In the book, a vast
faceless bureaucracy constructs a huge dossier about a person, who
can't find out what information exists about him in the dossier, why
the information has been gathered, or what it will be used for. Privacy
is not about intimate secrets; it's about who has control of the
millions of pieces of personal data that we leave like droppings as we
go through our daily life. And until the U.S. legal system recognizes
this fact, Americans will continue to live in a world where they have
little control over their digital person.
In the end, I didn't complete the questionnaire from the St. Regis
Hotel. While I was fine with the St. Regis in Washington, DC, having
that information to make my subsequent stays a little more personal,
and was probably fine with that information being shared among other
St. Regis hotels, I wasn't comfortable with the St. Regis doing
whatever they wanted with that information. I wasn't comfortable with
them selling the information to a marketing database. I wasn't
comfortable with anyone being able to buy that information. I wasn't
comfortable with that information ending up in a database of my habits,
my preferences, my proclivities. It wasn't the primary use of that
information that bothered me, it was the secondary uses.
Solove has done much more thinking about this issue than I have. His
book provides a clear account of the social problems involving
information privacy, and haunting predictions of current U.S. legal
policies. Even more importantly, the legal solutions he provides are
compelling and worth serious consideration. I recommend his book highly.
The book's website