Embed Size (px)
Citation preview
This article was downloaded by: [Eindhoven Technical University]On: 21 November 2014, At: 03:08Publisher: RoutledgeInforma Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House,37-41 Mortimer Street, London W1T 3JH, UK
Atlantic Journal of CommunicationPublication details, including instructions for authors and subscription information:http://www.tandfonline.com/loi/hajc20
The Digitized Self as Public Tender: ConceptualizingInformational Privacy at the Intersection of InformationTechnology, Commerce, and Public PolicyUmaru Bah aa Department of Communication Studies , Morgan State University ,Published online: 05 Dec 2007.
To cite this article: Umaru Bah (2007) The Digitized Self as Public Tender: Conceptualizing Informational Privacy at theIntersection of Information Technology, Commerce, and Public Policy, Atlantic Journal of Communication, 15:4, 231-248, DOI:10.1080/15456870701465281
To link to this article: http://dx.doi.org/10.1080/15456870701465281
PLEASE SCROLL DOWN FOR ARTICLE
Taylor & Francis makes every effort to ensure the accuracy of all the information (the “Content”) containedin the publications on our platform. However, Taylor & Francis, our agents, and our licensors make norepresentations or warranties whatsoever as to the accuracy, completeness, or suitability for any purpose of theContent. Any opinions and views expressed in this publication are the opinions and views of the authors, andare not the views of or endorsed by Taylor & Francis. The accuracy of the Content should not be relied upon andshould be independently verified with primary sources of information. Taylor and Francis shall not be liable forany losses, actions, claims, proceedings, demands, costs, expenses, damages, and other liabilities whatsoeveror howsoever caused arising directly or indirectly in connection with, in relation to or arising out of the use ofthe Content.
This article may be used for research, teaching, and private study purposes. Any substantial or systematicreproduction, redistribution, reselling, loan, sub-licensing, systematic supply, or distribution in anyform to anyone is expressly forbidden. Terms & Conditions of access and use can be found at http://www.tandfonline.com/page/terms-and-conditions
ATLANTIC JOURNAL OF COMMUNICATION, 15(4), 231–248Copyright © 2007, Lawrence Erlbaum Associates, Inc.
The Digitized Self as Public Tender:Conceptualizing InformationalPrivacy at the Intersection of
Information Technology, Commerce,and Public Policy
Umaru BahDepartment of Communication Studies
Morgan State University
This article identifies the key issues and interests influencing the informational
privacy debate, namely, new information technologies, the mass media, the iden-
tity industry, and lawmakers. It argues that new information technologies under-
mine informational privacy by facilitating personal record (mis)management and
(ab)use, that sensational coverage by the media of identity theft, data breach,
or record misplacement promotes, even if inadvertently, more the interests of
commercial data brokers than those of consumers. The article also asserts that al-
though the identity industry, consumer privacy advocates, and federal lawmakers
all share a genuine desire to provide greater protections to individuals’ personal
records, they differ on the nature and scope of such protection because of their
contrasting perceptions of informational privacy.
In the past 8 years, close to 80 million U.S. residents have been victims ofidentity theft, resulting in a loss of $49 billion to businesses and financialinstitutions, $5 billion in out-of-pocket expenses to consumers, and well over$250 million to the federal criminal justice system in investigation, prosecution,and incarceration.1 This epidemic has affected banks, credit card processing
Correspondence concerning this article should be addressed to Umaru Bah, Department of
Communication Studies, Morgan State University, 1700 E. Cold Spring Lane, Baltimore, MD,
21251. E-mail: [email protected] figures are based on computations of the U.S. General Accounting Office’s figures
(http://www.gao.gov/new.items/d02363.pdf), the Federal Trade Commission’s (FTC’s) 2003 Identity
Theft Survey (http://www.ftc.gov/opa/2003/09/idtheft.htm), and the FTC’s 2004 Identity Theft
Statistics (http://www.consumer.gov/sentinel/pubs/Top10Fraud2004.pdf). All sources were retrieved
June 4, 2005.
231
Dow
nloa
ded
by [
Ein
dhov
en T
echn
ical
Uni
vers
ity]
at 0
3:08
21
Nov
embe
r 20
14
232 BAH
companies, commercial data brokers, stockbrokers, merchandise retailers, gov-ernment agencies, and educational and medical institutions. The vast majorityof reported cases (more than 70% by one estimate2 ) were not, as commonlybelieved, attributable to hackers but to poorly trained employees unwittinglygiving away information to pretexters (i.e., criminals impersonating data indi-viduals) over the phone, employees taking opportunity of lax industry oversightto steal and sell personal records, or employers themselves stealing employees’records.
In addition to identity theft, consumers are also adversely affected by iden-tity mismatch, two common examples of which are data pollution and profiling.The latter occurs as a result of data merging, a practice common among creditreporting agencies to combine records received from different sources that arebelieved, sometimes erroneously, to belong to the same individual. Identityprofiling, a practice common among federal law enforcement agencies, involvesthe determination of an individual’s potential criminality or threat to nationalsecurity, based partly on physio-ethno-cultural characteristics such as name,religious affiliation, and country of origin, and partly on matches, many inac-curate, made by data-mining software that identifies possible affiliations amongindividuals based on shared religious practices, neighborhoods, and workplaces,among other things. In some cases, such profiling had led to the detention byfederal law enforcement of innocent citizens.3 These examples of data fraudand mismanagement highlight a bigger issue, that of the continuous erosion ofinformational privacy, facilitated by market forces desiring quick, unrestricted,and cheap access to larger and more sensitive amounts of personal records; bythe virtual absence of comprehensive and effective state and federal regulationof businesses’ collection and use of personal records; and by new informationtechnology, which enables a more efficient system of personal record gathering,storage, analysis, and sharing.
The solutions proposed by policy scholars, lawmakers, and consumer privacyadvocates to curb the rampant rise in identity theft and data breach appearto be as many as the number of reported cases of identity theft themselves.Since 1974, when the Privacy Act was passed, federal lawmakers have enacted
2Based on a random survey of 1,037 identity theft victims conducted by Judith Collins, crimi-
nal justice professor at Michigan State University (http://www.newsmax.com/archives/articles/2004/
8/10/133351.shtml; retrieved June 6, 2005).3A case in point was Brandon Mayfield, an Oregon lawyer detained by the FBI in May 6, 2004,
as a ‘‘material witness’’ in the investigation of the March 2004 Madrid, Spain, train bombings
(Harden, 2004). The FBI claimed its Automated Fingerprint Identification System placed Mayfield’s
fingerprints at the scene of the crime, though Spanish authorities had raised doubts over that
possibility. Mayfield was ordered released by a judge after Spanish authorities concluded that the
fingerprints belonged to an Algerian man. In a pending lawsuit against the FBI, Mayfield contends
(a contention shared by many) he was suspect not because of the fingerprint but because of his
faith (he converted to Islam) and legal practice (he once represented a Portland man who admitted
trying to aid the Taliban in Afghanistan).
Dow
nloa
ded
by [
Ein
dhov
en T
echn
ical
Uni
vers
ity]
at 0
3:08
21
Nov
embe
r 20
14
THE DIGITIZED SELF AS PUBLIC TENDER 233
no fewer than 30 consumer privacy-related laws and have proposed more thanfour times as many. If the persistent rise in the reported incidents of identitytheft and data breach is any indication to go by, governments’ efforts have notbeen productive. Some consumer privacy advocates have attributed this failureto federal and state governments’ continued unwillingness and/or inability toenact laws regulating the identity industry. A similar argument is made by legalscholars and political scientists who employ public choice theory to argue thatthe powerful lobbying interests of the identity industry all but guarantee theprevention of the enactment of laws inimical to its interests. Self-regulation pro-ponents, which count among its members technological determinists, attributethe ineffectiveness of the laws to the very reason that facilitates identity theftin the first place, namely, the continued implementation of new and newer in-formation technologies, which often render privacy laws ineffectual or obsolete.Instead they propose a laissez-faire policy that places faith on technology andcommerce to provide greater protection to informational privacy.
What I propose in this article is not another solution to the problem but adifferent perspective on the informational privacy debate, one that focuses onthe commercial, technological, and sociopolitical imperatives that dictate thestructure, context, and outcome of the debate itself. Along this line, I identifythe key issues or interests influencing the debate, namely, information technol-ogy, the mass media, the identity industry, and lawmakers. I argue that newinformation technology invariably facilitates and encourages personal recordgathering, sharing, and distribution on one hand and record mismanagementand fraud on the other, the latter in turn resulting in public consternation andlegislative activities, the majority of which do not result in the enactment ofprivacy laws. I posit that media coverage of incidents of identity theft or databreach, although critical to the informational privacy debate, serves more theinterests of the identity industry than those of data subjects/consumers. I alsoargue that the identity industry, consumer privacy advocates, and lawmakers allshare a genuine desire for the protection of informational privacy but differ onthe nature and scope of such protection, because of contrasting perceptions ofinformational privacy, which influence their view on when and how personalrecords should be disclosed or protected from disclosure.
The article comprises two sections. The first section provides a discussionon the literature on privacy in general, including informational privacy, as wellas a discussion on the use of key terms. The second section discusses the roleand practices, where applicable, of each of the stakeholders, their perceptionof informational privacy, and their effect on the enactment or lack thereof ofprivacy laws. My analyses and observations are restricted to events and practicesin the United States, which may or may not be the same for those elsewhere.Only federal statutes are cited, in part to make the scope of analysis manageableand in part because the vast majority of state privacy laws are modeled afterfederal ones.
Dow
nloa
ded
by [
Ein
dhov
en T
echn
ical
Uni
vers
ity]
at 0
3:08
21
Nov
embe
r 20
14
234 BAH
CONCEPTUALIZATIONS AND
LITERATURE OVERVIEW
Many scholars have highlighted the difficulties of conceptualizing and opera-tionalizing privacy or of determining privacy rights, in no small measure becauseof its multifaceted and complexly intertwined dimensions and characteristics(Alfino & Mayes, 2003; Lusky, 1972). Nevertheless, the literature on privacycould to a very large extent be considered a literature on privacy rights. De-Cew (2002) divided privacy rights scholarship into two main categories, namely,reductionism and coherentism. Reductionists are generally critical of the coher-entist view of privacy as being a fundamental right or value, with some arguingthat privacy is a cluster of other rights already protected under law (Thomson,1975), others making the case for a pragmatically oriented view that balancesprivacy rights with economic interests (Posner, 1981), public safety, and na-tional security (Etzione, 1999), and yet others rejecting privacy all together,considering it a pretext for domination and oppression (MacKinnon, 1989).But the literature tilts more toward the coherentist camp, in which the is-sues could further be divided into four main categories: spatial/environmentalprivacy, informational privacy, privacy as a set of torts, and privacy as a funda-mental moral right.
Spatial privacy generally takes a normative approach, arguing for the rightfrom surveillance (Gumpert & Drucker, 1998), intrusion, and interference (Alt-man, 1975; Pedersen, 1979), whereas tortious privacy is largely descriptivist,delineating the conditions under which individuals could seek redress for viola-tion of their privacy. Four of these conditions—as identified by Prosser (1960)in his famous and influential essay on privacy torts—are intrusion, public dis-closure of private facts, false light in the public eye, and appropriation. Moralprivacy rights scholarship takes a broader, all-embracing, and noncompromisingapproach to the subject, arguing that privacy should be considered as a ‘‘fun-damental moral right’’ (Alfino & Mayes, 2003; Fried, 1968), which should notbe subject to any compromise or exemption.
Informational privacy research, which is traceable far back to Samuel D.Warren and Louis D. Brandeis’s (1890) groundbreaking article over a centuryago, in which the authors argue for the ‘‘right to be let alone’’ (in other words,the ‘‘inviolate right’’ from public intrusion and interference into one’s personalaffairs), focuses on protection from public intrusion into individuals’ privateaffairs (the focus of the Warren and Brandeis article) and protection of indi-viduals’ personal information (Hoofnagle, 2005; Margulis, 2003; Moore, 1997;Tavani, 2000; Westin, 1967).
Although scholars had drawn attention to the potentially crippling effect ofpersonal record digitization on privacy as far back as the early 1950s (Miller,1971; Packard, 1966; Rosenberg, 1969), it was not until the widespread dif-fusion and use of the Internet and computer-mediated communication by the
Dow
nloa
ded
by [
Ein
dhov
en T
echn
ical
Uni
vers
ity]
at 0
3:08
21
Nov
embe
r 20
14
THE DIGITIZED SELF AS PUBLIC TENDER 235
early 1990s—which also led to a rush of online entrepreneurial ventures (asignificant portion of which involved the sale of personal records)—that thedebate on informational privacy took front and center stage over other aspectsof privacy (Regan, 1995), focusing attention on privacy issues stemming fromaccess to and use of personally identifiable information, and addressing suchissues as the surreptitious monitoring of online users’ activities using cookies,4
clickstream,5 and spyware,6 and the illicit acquisition of personal informationfrom unsuspecting online users with the aid of pharming7 or phishing.8 In-formational privacy literature is further marked by its criticism of the identityindustry, concentrating on individuals’ unawareness of the acquisition and useof their personal records (Sullivan, 2004), their inability to gain free and un-restricted access to their records (Hoofnagle, 2005), their lack of authorityover the collection and use of their records (Branscomb, 1994; Marlin-Bennett,2004), the unreasonable burden of responsibility being placed on individuals tocorrect record inaccuracies, the lack of effective remedial measures for victimsof identity theft (Foust, 2005), and the lack of punitive measures for corporateabuse of personal records (Brown & Ploskina, 2001).
One area that remains largely unexplored is the notion of privacy as se-curity, arguably the most central to the debate surrounding identify theft anddata breach. One may well argue that present-day concern with informationalprivacy deals less with the acquisition of individuals’ information than withthe harmful effect of its use. It may not matter much to some people that
4 ‘‘Cookies are text files that are stored at the client’s hard drive. When a browser requests a
document, the Web server creates a fragment of data, which is sent to the browser and stored at
the client’s computer. Afterward, when the browser solicits another document, the cookie is sent
with the request. Cookies are very similar to the caller ID boxes that have become so popular in
that they provide telemarketers with such relevant information as the consumer’s name, address,
and previous purchase payment record’’ (DMReview, n.d.).5Clickstream is ‘‘the record of a user’s Internet activity including Web sites visited, length of
the visit, and what pages were viewed’’ (Target Marketing, n.d.).6Spyware, also known as adware, is ‘‘any software that covertly gathers user information through
the user’s Internet connection without his or her knowledge, usually for advertising purposes.
Spyware applications are typically bundled as a hidden component of freeware or shareware programs
that can be downloaded from the Internet. Once installed, the spyware monitors user activity on
the Internet and transmits that information in the background to someone else. Spyware can also
gather information about e-mail addresses and even passwords and credit card numbers’’ (Tribal
Justice Information Sharing System, n.d.).7 ‘‘Pharming is the exploitation of a vulnerability in the DNS server software that allows a
hacker to acquire the Domain Name for a site, and to redirect traffic to that website to another
website. DNS servers are the giant computers that ’run’ the Internet’’ (Pharma, 2005).8Phishing is a scam whereby unsuspecting individuals respond to an e-mail supposedly from their
banks or service providers, informing them that their account has expired, and asking them to update
it by clicking a link embedded in the e-mail. The e-mail takes them to a site counterfeiting their
banks’ or service providers’ real site. The fake site prompts them to submit their username, password,
credit card number, social security number, and other personal information. The information, once
submitted, goes directly to the scammer’s e-mail box, who then uses them for fraudulent purposes.
Dow
nloa
ded
by [
Ein
dhov
en T
echn
ical
Uni
vers
ity]
at 0
3:08
21
Nov
embe
r 20
14
236 BAH
their personally identifiable information is easily accessible to practically any-one without their knowledge or consent. But it matters a lot to many whetherthat information could be used to cause them physical, financial, or psycholog-ical harm. As Gumpert and Drucker (1998) succinctly put it, ‘‘whereas thereare diverse conceptualizations of privacy, some, if not all, may not actually becalls for privacy protection as much as cries for safety’’ (p. 411).
The term personal records refers to any symbol, character, data, physiologi-cal, or genetic attribute that could be used individually or in conjunction withother attributes to create, verify, or divulge an individual’s biological and/orsociological (i.e., political, financial, social, or cultural) identities. Such iden-tities may be immutable (as is the case with biological markers) or mutable(as is the case with sociological characteristics). In addition to names, personalrecords include, but are not limited to, home or e-mail addresses; social securitynumber; birth certificate; driver’s license; voter registration; financial, medical,employment, recreational, court, or criminal records; and biometric character-istics such as DNA, fingerprints, iris, and voice. Among lawmakers, advocates,and businesses, the term personal records is used interchangeably with nonpub-
lic records, personally identifiable information, and personally identifiable financial
information. For the sake of brevity, in some cases, records is used in this arti-cle as shorthand to refer to ‘‘personal records,’’ and record management and use
refers to the collection, storage, analysis, sharing, sale, and/or and distributionof personal records.
I used the term identity industry to denote the compendium of companiesthat either provide identity verification/analysis software products or servicesor generate their revenues primarily from the collection, storage, analysis, sale,or rent of personal records. A more widely used term in the industry is com-
mercial data brokers, which is used interchangeably with information brokers. Butidentity industry is preferred over these terms for two reasons. First, identity in-
dustry, unlike the other terms, does not include data-brokerage companies suchas NASDAQ and Dow Jones, which trade non-personally identifiable financialmarket data, or companies such as Nielsen and Arbitron, which trade non-personally identifiable survey data. Second, conventional conceptualizations ofcommercial data brokers and information brokers do not cover those companiesthat provide products and services that verify, capture, archive, analyze, and/ordisseminate personal records. These companies, which are fast becoming themost powerful within the identity industry, are critical to any substantive dis-cussion on privacy.
ON THE INFORMATION TECHNOLOGY
AND PRIVACY CYCLE
Turner and Dasgupta (2003) coined the term Information Technology and Privacy
Cycle to explain the interconnected relationship that exists among information
Dow
nloa
ded
by [
Ein
dhov
en T
echn
ical
Uni
vers
ity]
at 0
3:08
21
Nov
embe
r 20
14
THE DIGITIZED SELF AS PUBLIC TENDER 237
technology, public concern, and the enactment of privacy laws. According totheir illustration, new information technologies enable faster and more effi-cient means of personal record management and use by public and privateentities alike, which in turn raises public concern over privacy issues, which inturn generally influences the enactment of new laws to provide greater privacyprotections, which is undermined by the introduction of newer informationtechnologies, which repeat the cycle.
This simplistic conceptualization implies a cause–effect relationship that isnot wholly supported by historical and contemporary patterns of public andpolicymakers’ behavior. Although new information technologies do engenderprofligate record gathering and analysis, which in turn endanger privacy, pub-lic response to it tends to be tepid at best, in large part because of citizens’ignorance of the identity industry’s presence and activities; until most recently,when some of its members started providing identity protection services di-rectly to consumers, the identity industry provided its services exclusively toother businesses. When public concern is raised, it is often at the heel of sensa-tional media report of identity theft or data breach, the consequence of whichis a flurry of legislative activities in the form of congressional hearings and pro-posed legislation that, contrary to what the authors’ illustration might suggest,rarely results in the enactment of privacy protections.
What is cyclical instead is the hydratic nature of information technologyitself, which incessantly spurns new privacy-related problems from the ones itsolved. In other words, the introduction of new software to combat identitytheft or fraud generally encourages the introduction of new malware to over-come the new security measures, which in turn compels businesses to introducenew and better personal protection device. This software–malware cycle hasguaranteed both the viability of the identity industry and served as ample fod-der for proponents who advocate a regulation-free industry. Furthermore andmore important, Turner and Dasgupta’s Cycle does not include the role ofthe identity industry and the media, which, as I later argue, play a crucial,indispensable role in the informational privacy debate.
INFORMATIONAL PRIVACY AND THE MEDIA
Media coverage of the spate of identity theft involving government agenciesand major national and multinational corporations has had a significant andlasting impact on the informational privacy debate itself, though in ways morebeneficial to the interests of the identity industry than to consumers. Coverageof the incidents of ‘‘identity theft’’ is often driven by the astronomical numberof (potential) victims involved. However, a significant number of the reportedcases of ‘‘identity theft’’ involve not identity theft or fraud but misplacementor loss of data, which could potentially lead to identity theft and fraud. Butmultilayered security measures such as encryption technologies (which make
Dow
nloa
ded
by [
Ein
dhov
en T
echn
ical
Uni
vers
ity]
at 0
3:08
21
Nov
embe
r 20
14
238 BAH
unauthorized access to the data almost impossible) and real-time monitoringtechnologies used by credit card companies to detect suspicious activities, espe-cially those of newly opened accounts, drastically diminishes the likelihood ofidentity theft or fraud stemming from misplaced or lost data.
As consumer privacy advocacy organizations such as the Electronic PrivacyInformation Center and Privacy Rights Clearinghouse have pointed out, by farthe most important albeit least sensational aspects of these news events are thestructures and/or practices within the identity industry that facilitate in the firstplace the rash of personal data theft, misplacement, or loss. Focus by the mediaon this question would have shifted attention away from identity theft to datamismanagement and put under public scrutiny the data-gathering and brokerageactivities of the identity industry, along with their implications for the erosionor loss of consumer privacy. But critics such as Mercuri (2006) and Foust andRyst (2006) have argued that the media, by opting for sensationalism instead,have in effect absolved the identity industry of any culpability and, worse,fostered in the public a sense of abject helplessness, one which, as I discuss ina later section, the industry would take advantage of to establish a lucrative,multibillion-dollar identity protection services industry.
INFORMATIONAL PRIVACY AND BUSINESSES
The identity industry consists of credit reporting agencies (CRAs), personaldata-mining companies (PDMCs), biometric companies, mailing list businesses,and companies such as manufacturers, grocery chains, and retail stores, whichhave as part of their core operations in-house personal data-gathering initiatives.The industry’s practices and revenue generation are characterized by a symbioticinteraction, with companies depending on each other to create, enrich, and/orsell their services. For example, the CRAs collect their data from businesses,which are required by law to furnish such information. The furnishers (as suchbusinesses are known) in turn use the CRA’s basic and value-added services todetermine credit-worthiness and solicit desirable consumers. The PDMCs enrichconsumer files by providing data analysis and identity-verification products andservices to CRAs, insurance companies, mortgage brokers, and in-house per-sonal data-gathering initiatives conducted by businesses. Government agencies,mandated to do so by state and federal freedom of information laws, provideindividuals’ public records to PDMCs, which in turn analyze, repackage, andsell them to law enforcement agencies.
To the identity industry, individuals’ personal records are considered muchless aspects of an individual’s identity than they are market data (perhaps be-cause of this reason, the identity industry reports illegal and fraudulent ac-cess and use of personal records more often as ‘‘data breach’’ than as ‘‘identitytheft’’). The value of such data, unlike other commodities, is predicated not
Dow
nloa
ded
by [
Ein
dhov
en T
echn
ical
Uni
vers
ity]
at 0
3:08
21
Nov
embe
r 20
14
THE DIGITIZED SELF AS PUBLIC TENDER 239
on scarcity (for data is infinitesimally abundant) but on the respect accordedto its copyright and credibility: The industry needs assurance that it would bejustly compensated for the use of its data, whereas businesses on their part needto know that the data on which they make critical mortgage, car, insurance,and security clearance decisions, among others, are reliable (i.e., they consis-tently and invariably refer to the same person) and valid (i.e., the person isthe right person). Primarily for this reason, the identity industry is equally asconcerned as consumer privacy advocates to curb the spread of data inaccu-racies and data tampering: Such inaccuracies would significantly devalue theirproduct and services.
Both consumer privacy proponents and the identity industry favor regula-tion governing disclosure. But whereas consumer advocacy groups desire thatfree, unrestricted, and unfettered access be granted to consumers’ own records,restricted access by businesses to consumer records and complete disclosure toconsumers of third-party access and use of their records, the identity indus-try consistently lobbies for unfettered access to individuals’ personal records,minimally restricted use of such records and limited and conditional access byconsumers to their records. Greater and unfettered access and use by the indus-try to individuals’ records increases the value of the industry’s commodity. Free,unfettered, and unlimited access by individuals to such records significantly re-duces the identity’s revenue. Given its commercial interests, what the industryopposes is providing greater protection not to individuals’ informational privacybut to individuals’ informational privacy free of charge. Although it may not beentirely true to state, as some consumer privacy groups contend, that the in-dustry welcomes and facilitates identity theft, it is fair to state that they havetaken monetary advantage of individuals’ desire for greater identity protection,which has fueled the rapid and highly lucrative growth of the Privacy Space,the moniker given to the identity protection industry (Lester, 2001).
Whereas consumer data are sold to businesses and law enforcement agencies,identity protection services are sold primarily to consumers. Credit reportingagencies now provide credit monitoring services, which promise to alert sub-scribers immediately to any change in their credit record. Companies such asSymantec, which is known for its Norton antivirus services, now provide onlineprotection services against identity theft malware such as spyware, phishing, andpharming. A growing number of companies now provide anonymizers, technolo-gies that enhance online users’ anonymity by blocking access to their Internetprotocol addresses, which are used to identify e-mail sources and track surfinghabits. Even insurance companies are now joining the Privacy Space by offeringidentity theft liability protection.
The annual revenue generated by the Privacy Space, $100 billion by oneestimate (Lester, 2001), is fast outpacing that generated by business-to-businessdata brokerage services. It is reasonable to assume that had there been stateand federal laws granting consumers free, unlimited, and unfettered access to
Dow
nloa
ded
by [
Ein
dhov
en T
echn
ical
Uni
vers
ity]
at 0
3:08
21
Nov
embe
r 20
14
240 BAH
their records and indemnifying them of identity theft or data breach liabilities,these identity protection products and services would not have been requiredor been profitable as much.
INFORMATIONAL PRIVACY AND CONSUMER
PRIVACY ADVOCATES
Consumer privacy advocates have long been apprehensive of the adverse effectsof information technology on individual’s privacy. But in the earlier years, itwas the federal government, not corporations, that individuals considered po-tential abusers of individuals’ privacy, for three main reasons. First, by the early1940s, the federal government already had in its possession massive amountsof personally identifiable information that it had collected from birth, tax, andsocial security records. Second, though direct mail marketing companies andcredit reporting agencies were already well established by the late 50s, theiractivities were generally thought harmless because it was widely believed thatcorporations had neither the financial resources nor the technological capabil-ity to collect and store personal records on a scale that would cause irreparableharm to citizens’ privacy. This sentiment was echoed in the 1973 report of thefederal advisory committee on Automated Personal Data Systems, which wasset up to suggest ways of providing greater protection to personal records inthe face of new information technologies. Glaringly absent in the committee’sreport is recommendation for regulation of personal records in business cus-tody, borne of the belief that virtually no institution outside the governmenthad the technical and financial wherewithal to create a database containingthe ‘‘master file’’ of practically any American: ‘‘At the present time, however,compiling dossiers from a number of unrelated systems presents problems thatfew organizations, and probably no organizations outside of government, havethe resources to solve’’ (U.S. Department of Health, Education, and Welfare,1973, p. 21).
This belief ran counter to the committee’s own prescient report on the Mail-ing List industry’s ability to do just that. In Appendix H of the report, titledMailing Lists, author Daniel H. Lufkin argues that ‘‘probably no other applicationof electronic data processing has had a broader effect upon so large a popula-tion as the headlong computerization of the mailing list’’ (U.S. Department ofHealth, Education, and Welfare, 1973, p. 288).
Third and most important, a proposal by the federal Bureau of Budget in1965 to build a National Data Center that would collect, centralize, and digitizepractically all aspects of citizens’ personal records, only confirmed citizens’ fearsof an omniscient, omnipotent, and potentially evil and prying government à laGeorge Orwell’s 1984. The National Data Center,
Dow
nloa
ded
by [
Ein
dhov
en T
echn
ical
Uni
vers
ity]
at 0
3:08
21
Nov
embe
r 20
14
THE DIGITIZED SELF AS PUBLIC TENDER 241
a massive databank containing cradle-to-grave electronic records for every U.S.
citizen, [including] electronic birth certificate, proof of citizenship, school records,
draft registration and military service, tax records, Social Security benefits, and
ultimately, their death records and estate information. The FBI might even use
the system to store criminal records. (Garfinkel, 2001, p. 13)
As a result of these concerns and perceptions, privacy advocates, who in-cluded notable scholars such as Miller (1971), Packard (1966), Rosenberg(1969), and Westin (1967) focused their energies on having governments passlaws regulating the sharing, disclosure, and analysis of records in governmentcustody. They feared that government surveillance of personal records couldengender fear and consequently curtail citizens’ freedom of expression or, atbest, inhibit their willingness to exercise such freedom. Given this preoccupa-tion, it could well be argued that earlier privacy activists equated informationalprivacy with freedom of information, framed as individuals’ right to gain accessto their records in government custody, their right to know which governmentofficials have access to what type of their records, and their right to know howsuch records are being used and shared among government officials.
But by the late 80s, with many federal laws, most notably the landmark Pri-vacy Act of 1974, already enacted to address the previously referenced concerns,and with the rapid growth of newer information technologies facilitating effi-cient record management and use, the new crop of privacy advocates (e.g.,Hoofnagle, 2005; O’Harrow, 2005; Rosen, 2001; Sullivan, 2004; Whitaker,1999) and consumer privacy organizations (e.g., Electronic Privacy Informa-tion Center, Identity Theft Resource Center, Internet Privacy Coalition, andPrivacy International) see the activities of the identity industry detrimentalto consumers’ personal freedom and physical and financial well-being. Theyargue that lax oversight of the identity industry’s employees’ and clients’ useof personally identifiable information has resulted in irreparable financial andphysical harm to victims. They cite, for example, the unauthorized use of stolenrecords to secure loans, resulting in the collective loss of millions of dollars toindividuals to correct their records. Unregulated and lax supervision of personalrecords, they argue, have also been exploited by criminals to secure drivers’ li-censes (leading in some cases to innocent victims being arrested and chargedfor crimes committed by their impersonators) and by stalkers to locate theirvictims’ address, the most infamous incident being that of the 1999 murder inNashua, New Hampshire, of Amy Boyer by former high school classmate LimYouens, who secured Amy’s information, including her social security number,through an Internet personal data broker.
But of paramount concern to privacy advocates is the use of informationtechnology such as spyware, cookies, and clickstream to divulge online users’identity and/or monitor their activities. Given the instantaneous, borderlessreach of the Internet, privacy advocates argue that disclosure of online users’
Dow
nloa
ded
by [
Ein
dhov
en T
echn
ical
Uni
vers
ity]
at 0
3:08
21
Nov
embe
r 20
14
242 BAH
identities and activities could lead to the detention and even death of users,especially users in politically repressive countries. They frequently cite, as anexample, the role of Yahoo!TM in helping Chinese security forces secure thee-mail record of Chinese journalist Shi Tao, which resulted in his imprisonmentfor 10 years on charges of revealing ‘‘state secrets’’ (Einhorn, 2005).9 Thus, liketheir predecessors, current privacy advocates are preoccupied with the assaultof information technology on individual privacy, freedom of expression, andpersonal safety. But for present-day privacy advocates, it is the activities ofcorporations, with government complicity, that is now the root cause of theproblem.
INFORMATIONAL PRIVACY AND LAWMAKERS
Many scholars have grounded their argument in public choice theory to explainfederal and most state governments’ unwillingness to regulate the identity in-dustry. Otherwise known as rational choice theory, public choice theory positsthat organized groups tend to win out in the policy marketplace. But becauseorganizing demands lots of knowledge, time, and money, the
calculus tends to work in favor of interests shared by a small number of citizens, in
homogenous fashion, with relatively large and obvious individual effects. It tends
to work against interests shared by many citizens, in diverse ways, with relatively
small or non-shared individual effects. (Farina & Rachlinski, 2002, p. 268)
This argument is strongly supported by prevailing practices in the industry. De-spite recent privacy laws such as the 2004 Fair and Accurate Credit TransactionsAct, which provide consumers greater privacy protection, the identity industryis self-regulated, answerable in practice only to each other and to its business-to-business clients; its data-gathering and dissemination services remain practicallyunfettered; it has been successful in preventing unlimited access to consumers’own records; it is held liable only in extremely rare circumstances for consumerharm arising from data pollution or data breach; and it has been successfulin holding victims liable for fraudulent loan acquisitions unless and until theycould prove their innocence.
The closest the federal government ever came to passing privacy legislationregulating the identity industry was in 1997, following Lexis-Nexis’s release inJune 1 of P-Trak, an online ‘‘personal locator’’ database allowing individuals toretrieve, for a fee, a trove of personally identifiable information of millions ofconsumers. The resulting public relations fiasco prompted senators Larry Pressler
9http://www.businessweek.com/bwdaily/dnflash/sep2005/nf20050921_9883_db065.htm.
Retrieved October 3, 2006.
Dow
nloa
ded
by [
Ein
dhov
en T
echn
ical
Uni
vers
ity]
at 0
3:08
21
Nov
embe
r 20
14
THE DIGITIZED SELF AS PUBLIC TENDER 243
(R-SD), Ernest Hollings (D-SC), and Richard Bryan (D-NV) to request in ajoint letter to the Federal Trade Commission (FTC) that it conduct a studyon privacy concerns relating to online personal records databases (Pressler,Hollings, & Bryan, 1996).10 In its reply letter to Senator Bryan in Septem-ber 1996, the FTC recommended that Congress pass legislation regulating theindustry (Pitofsky, 1996).11
That year, shortly before adjournment in December, Congress directed theFederal Reserve Board to investigate whether release of personal informationconstituted an unreasonable potential for fraud. The following year, at least32 privacy bills were introduced in Congress, providing greater protections forSocial Security numbers, wireless and online communication, genetic informa-tion, and financial records (Library of Congress, n.d.),12 to name but a few.As a whole, the laws would have placed stronger restrictions on the gath-ering, use, and sharing of individuals’ personal records, provided better legalredress for victims of data breach, and created stiffer injunctive and punitivemeasures for fraud or noncompliance. Ironically, this congressional legislativefervor, rather than resulting in federal regulation of the identity industry, servedinstead to strengthen the industry’s clout by influencing the creation of its firstofficial lobby, a coalition named the Individual References Services Group,which counted among its members the three major credit bureaus and Choice-Point, and which mounted an aggressive and successful campaign against federallegislation. The Individual References Services Group dominated the hearingsessions held by the FTC in the summer of 1997 and was successful in con-vincing the FTC to change its earlier recommendation from federal regulationto self-regulation.
But although rational choice theory could satisfactorily explain the absenceof most business-related informational privacy laws, it does not convincingly ex-plain factors influencing the successful enactment of those few business-relatedinformational privacy laws, or the regulation of records in government custody,which account for the bulk of informational privacy laws. Perhaps for thesereasons, scholars such as Mayer-Schönberger (1999), dissatisfied with conven-tional conceptualizations of rational choice theory, have argued instead for aless generalizing and more flexible perspective that takes into account otherfactors besides well-organized groups influencing the enactment (or preventionthereof) of new privacy laws. Along this line, Green and Shapiro (1994) andMayer-Schönberger have pointed out that some laws unfavorable to the identityindustry may be enacted, especially following media coverage of incidents ofhigh visibility. Such was the case with the 1994 Drivers’ Privacy Protection Actpassed in response to the murder of actress Rebecca Schaeffer, whose address
10http://www.epic.org/privacy/databases/ftc_databases.html. Last visited July 5, 2005.11http://www.cdt.org/privacy/issues/pii/960920ftc_letter.shtml. Last visited July 5, 2005.12http://thomas.loc.gov/cgi-bin/thomas. Last visited July 4, 2005.
Dow
nloa
ded
by [
Ein
dhov
en T
echn
ical
Uni
vers
ity]
at 0
3:08
21
Nov
embe
r 20
14
244 BAH
the murderer got from the California Bureau of Motor vehicles. Other lawsmay be enacted for self-preservation purposes, as was the case with the 1988Video Privacy Protection Act, which was passed shortly after then Supremecourt nominee Robert Bork’s video rental records were perused and publishedin the Washington City paper by a journalist who was looking for dirt on thenominee. Lawmakers feared that the absence of such a law would leave themexposed to similar, potentially embarrassing situations.
I contend, however, that in addition to the observations made by critical ra-tional choice theorists like Green and Shapiro (1994) and Mayer-Schönberger(1999), the compendium of informational privacy laws reflects on one hand adeep-seated distrust of government powers and the potential for abuse arisingthereof and on the other hand a genuine desire on lawmakers’ part to bal-ance business interests with citizens’ constitutional rights, public safety, andnational security. Citizens’ and lawmakers’ fear of an omnipotent, all-intrusivegovernment unarguably influenced the enactment of the First, Third, and mostsignificantly Fourth Amendments. The Supreme Court’s 1965 ruling in Griswoldv. Connecticut, which for the first time recognized privacy as a constitutionalright, would refer to these amendments as forming a ‘‘zone of privacy’’ protec-tions, setting a precedence for later rulings in favor of individuals and againstthe federal and state governments in several cases including, most famously,Roe v. Wade in 1973. These rulings guarantee in varying degrees protectionsagainst surveillance (Katz v. U.S., 1967), interference (Stanley v. Georgia, 1969;Eisenstadt v. Baird, 1972), and intrusion (Winston v. Lee, 1985).
When the issue is protecting citizens’ freedom of expression and right toknow, lawmakers tend to enact privacy laws that would in some circumstancesrequire disclosure and access by individuals to their records (e.g., the 1996Electronic Freedom of Information Act, which amended the 1966 ElectronicFreedom of Information Act to include digitized records) and in some circum-stances prevent unauthorized access to or disclosure of citizens’ personal recordsby both government and private entities. For similar reasons, the 2001 Com-puter Fraud and Abuse Act makes it illegal for government employees to accessindividual files without reasonable cause or proper authorization, whereas the1990 Computer Matching and Privacy Protection Act prohibits unauthorizedinteragency access and matching of personal records. The right of the individualto know about the use of their personal records has been extended to records inbusiness custody by the 2004 Fair and Accurate Credit Transactions Act, whichmandates that all businesses dealing in personal record management and use(this applies in effect to all businesses within the identity industry), to disclosetheir records free of charge once a year to the data subject, at the individual’srequest.
Federal privacy laws also reflect lawmakers’ desire to protect individuals fromemotional and physical harm by passing laws prohibiting the unauthorized orunreasonable access to, use or disclosure of their financial records (e.g., the
Dow
nloa
ded
by [
Ein
dhov
en T
echn
ical
Uni
vers
ity]
at 0
3:08
21
Nov
embe
r 20
14
THE DIGITIZED SELF AS PUBLIC TENDER 245
1994 International Revenue Code, the 1996 Fair Debt Collections PracticesAct, and the 1999 Financial Modernization Act), medical records (e.g., the1996 Health Insurance Portability and Accountability Act), telecommunica-tions records (e.g., the 1986 Electronic Communications Privacy Act; the 2003CAN-SPAM Act), and entertainment records (e.g., the 1984 Cable Commu-nications Privacy Act; the 1988 Video Privacy Protection Act). Laws havealso been passed to prevent financial harm (e.g., the 1998 Identity Theft andAssumptions Act; the 2003 Identity Theft Penalty Enhancement Act), andphysical harm (e.g., the 1994 Drivers Privacy Protection Act). In some circum-stances, the protection of individuals from potential physical harm may dictatethe disclosure of other individuals’ information. This is the case for the 1996Megan’s Law, which requires the creation of a free, publicly available convictedsex offender registry and the disclosure of convicted sex offenders to their neigh-bors. It is also the reason informing the disclosure, as part of the public record,of individuals’ criminal records.
Although concern for the individual’s personal welfare tends to influencelawmakers to prohibit personal record disclosure, concern for the welfare ofbusinesses tends to compel them to enact laws enabling legitimate businesses toaccess, share, and use personal records. Government has historically supportedthe critical need for business access to personally identifiable information suchas date of birth and social security numbers, which are needed to hold clientsaccountable to contractual obligations and determine credit worthiness as mea-sured by credit history, reported income, and debt obligations. Furthermore,virtually all electronic business and security transactions—most of which, likeATMs, online banking, fingerprints, iris scanners, and radio frequency identi-fication devices used at EZ-Pass tollbooths, have made commerce and securityclearances more efficient—would not be possible without the use of personallyidentifiable information to verify user identity. It is needs such as these that nodoubt informed the enactment of the 1970 Fair Credit Reporting Act and the2004 Fair and Accurate Credit Transactions Act.
Furthermore, personal records, as discussed earlier, are business assets in theirown right, sustaining a multibillion-dollar industry that, like any multibillion-dollar industry, is a crucial source of tax revenues for the federal and stategovernments and a source of income of millions of employees who work di-rectly or indirectly with the identity industry. In addition to the tax revenuesthey generate, the identity industry is also a generous client of state govern-ments: It pays hundreds of millions of dollars annually as ‘‘reasonable copy fees’’to state agencies for court records, vital records, home and business addresses,drivers’ licenses, and the seemingly infinitesimally long list of professions thatrequire state licensing and regulation. The U.S. Postal Service, an autonomous,profit-making government agency, generates hundreds of millions of dollars an-nually from its licensing fees for business use of NCOALinkTM, its nationalchange-of-address database that provides real-time updates to residential and
Dow
nloa
ded
by [
Ein
dhov
en T
echn
ical
Uni
vers
ity]
at 0
3:08
21
Nov
embe
r 20
14
246 BAH
business addresses. It is these financial incentives, above anything else, thatmake lawmakers reluctant to enact laws restricting the identity industry’s un-fettered access to and use of personal records.
But individual and business interests always take a back burner to law en-forcement and national security concerns. All statutes and constitutional rightsguaranteeing privacy protections provide exemptions, either implicitly or ex-plicitly, for law enforcement and national security agencies such as the FBI,the CIA, and the NSA, which are allowed unconditional and undisclosed ac-cess to and use of consumer records in the possession of both governmentand business entities. The disclosure provisions that apply to law enforcementagencies, which require that agents document their record gathering and mon-itoring activities, are exclusively for internal security measures and are in mostcases classified top secret. The 2001 USA PATRIOT Act (Public Law No.107-56)13 has broadened these powers to include access to, use, and monitor-ing of personal records without prior court warrant. Many critics believe thisbroad, all-embracing power diminishes the few effective federal privacy statutesthat exist and greatly encourages ‘‘mission creep,’’ the act of broadening theoriginal purpose of an investigation to include the investigation and/or prose-cution of other crimes discovered in the process, crimes that are often of farless gravity and unrelated to the original investigation (O’Harrow, 2004).
CONCLUSION
At the center of the informational privacy debate is the crucial question ofwhat aspects of individuals’ personal records could or should be disclosed, towhom, how, and under what conditions. This concern has gained front andcenter attention for two reasons, namely, sensational media coverage of re-ported incidents of large-scale data theft or misplacement and the introductioninto the marketplace of new information technologies, which concomitantlyfacilitates personal record management and use as well as data theft and/ormismanagement.
As the scholarly literature and this article demonstrate, privacy is a broad,all-embracing concept interchangeable with freedom, security, and anonymity.The question of record disclosure to and by stakeholders in the informationalprivacy debate is invariably tied to the dynamic, context-specific nature ofinformational privacy, which means different things to different interests indifferent situations, as well as different things to the same interest, in differentsituations. To the identity industry, informational privacy is a financial asset,
13USA PATRIOT (Uniting and Strengthening America by Providing Appropriate Tools Re-
quired to Intercept and Obstruct Terrorism) Act, Public Law 107-56, 115 STAT.272, H.R 3162
(2001).
Dow
nloa
ded
by [
Ein
dhov
en T
echn
ical
Uni
vers
ity]
at 0
3:08
21
Nov
embe
r 20
14
THE DIGITIZED SELF AS PUBLIC TENDER 247
a market commodity. For this reason, the industry advocates free and unfetteredaccess to and use of personal records but conditional disclosure of such recordsto data subjects. To consumer advocacy groups, the disclosure of an onlineuser’s identity or activities could have adverse implications for their financialwell-being and, much more important, their freedom of expression and physi-cal safety. As such, consumer advocates argue for free and unfettered access ofdata subjects to their own personal records, conditional disclosure of some oftheir records and nondisclosure of others. As the compendium of federal pri-vacy statues reflect, the statutory disclosure of personal records, or prohibitionthereof, is influenced by lawmakers’ desire to balance individual interests withcommercial and national security concerns. Some laws geared toward protect-ing citizens’ constitutional rights prohibit unauthorized access to, and/or sharingof their personal records, whereas others mandate disclosure to data subjects.Laws enacted to protect individuals from emotional and financial harm prohibitrecord disclosure, as do most laws enacted to prevent them from physical harm.
However, concern for citizens’ physical safety mandates in some circum-stances the disclosure of individuals’ criminal records. But financial consider-ations for private businesses and government entities on one hand and lawenforcement and national security concerns on the other often tend to influ-ence the enactment of laws guaranteeing unconditional access to and use ofmany aspects of individuals’ personal records.
REFERENCES
Alfino, M., & Mayes, G. R. (2003). Reconstructing the right to privacy. Social Theory and Practice,
29(1), 1–18.
Altman, I. (1975). The environment and social behavior. Monterey, CA: Brooks/Cole.
Branscomb, A. W. (1994). Who owns information? From privacy to public access. New York, NY:
Basic Books.
Brown, D., & Ploskina, B. (2001, August 13). E-theft: Who’s liable? Interactive Week, 8(31), 11.
DeCew, J. (2002). Privacy. In Edward N. Zelta (Ed.), The Stanford Encyclopedia of Philosophy.
Retrieved July 13, 2005, from http://plato.stanford.edu/archives/sum2002/entries/privacy/
Etzione, A. (1999). The limits of privacy. New York, NY: Basic Books.
Farina, C. R., & Rachlinski, J. J. (2002). Symposium—getting beyond cynicism: New theories of
the regulatory state. Forward: Post-Public Choice? Cornell Law Review, 87(2), 267–279.
Foust, D. (2005, March 28). Keeping a grip on identity. Business Week, 3926, 34–35.
Foust, D., & Ryst, S. (2006, July 3). ID theft: More hype than harm. Business Week, 3991, 34.
Fried, C. (1968). Privacy (A moral analysis). Yale Law Journal, 77(1), 475–493.
Garfinkel, S. (2001). Database nation. Cambridge, MA: O’Reilly Media Inc.
Green, D. P., & Shapiro, I. (1994). Pathologies of rational choice theory: A critique of applications.
Political Science, 47–70.
Griswold v. Connecticut, 381 U.S. 479 (1965).
Gumpert, G., & and Drucker, S. J. (1998). The demise of privacy in a private world: From front
porches to chat rooms. Communication Theory, 8, 408–425.
Hoofnagle, C. J. (2005). Privacy self-regulation: A decade of disappointment. San Francisco, CA:
Electronic Privacy Information Center.
Dow
nloa
ded
by [
Ein
dhov
en T
echn
ical
Uni
vers
ity]
at 0
3:08
21
Nov
embe
r 20
14
248 BAH
Katz v. United States, 389 U.S. 347 (1967).
Lester, T. (2001, March). The reinvention of privacy. Atlantic Monthly, 287(3), 27–39.
Lusky, L. (1972). Invasion of privacy: A clarification of concepts. Columbia Law Review, 92(2), 192–
209.
MacKinnon, C. (1989). Toward a feminist theory of the state. Cambridge, MA: Harvard University
Press.
Margulis, S. T. (2003). On the status and contribution of Westin’s and Altman’s theories of privacy.
Journal of Social Issues, 59(2), 411–429.
Mayer-Schönberger, V. (1999). Privacy in the international context—no choice: Trans-atlantic
information, privacy legislation and rational choice theory. The George Washington Law Review,
67(5), 1309–1322.
Marlin-Bennett, R. (2004). Knowledge Power: Intellectual property, information, and privacy. Boulder,
CO: Lynne Rienner.
Mercuri, R. T. (2006, May). Scoping identity theft. Communications of the ACM, 49(5), 17–21.
Miller, A. R. (1971). The assault on privacy: Computers, data banks and dossiers. Ann Arbor, MI:
University of Michigan Press.
Moore, J. H. (1997). Towards a theory of privacy in the information age. Computers and Society,
27(3), 27–32.
O’Harrow Jr., R. (2005). No place to hide. New York, NY: Free Press.
Packard, V. (1966). The naked society. New York, NY: Pocket Books.
Pedersen, D. M. (1979). Dimensions of privacy. Perceptual and Motor Skills, 48, 1291–1297.
Posner, R. A. (1981). The economics of justice. Cambridge, MA: Harvard University Press.
Prosser, W. L. (1960). Privacy. California Law Review, 48(2), 383–423.
Regan, P. M. (1995). Legislating privacy: Technology, social values and public policy. Chapel Hill, NC:
University of North Carolina Press.
Rosen, J. (2001). The unwanted gaze: The destruction of privacy in America. New York, NY: Vintage
Books.
Rosenberg, J. M. (1969). The death of privacy. New York, NY: Random House.
Sullivan, B. (2004). Your evil twin: Behind the identity theft epidemic. Hoboken, NJ: John Wiley &
Sons, Inc.
Tavani, H. T. (2000). Privacy and the internet. Retrieved March 24, 2005, from http://www.bc.edu/
bc_org/avp/law/st_org/iptf/
commentary/content/2000041901.html
Thomson, J. V. (1975). The right to privacy. Philosophy and Public Affairs, 4, 295–314.
Turner, E., & Dasgupta, S. (2003). Privacy on the web: An examination of user concerns, technol-
ogy, and implications for business organizations and individuals. Information Systems Management,
20(1), 8–18.
U.S. Department of Health, Education, and Welfare (1973). Records, computers and the rights of
citizens: Report of the secretary’s advisory committee on automated personal data systems. Cambridge,
MA: The MIT Press.
Warren, S. D., & Brandeis, L.D. (1890). The right to privacy. Harvard Law Review, 4(5) 193–220.
Westin, A. (1967). Privacy and Freedom. New York: Atheneum.
Whitaker, R. (1999). The end of privacy: How total surveillance is becoming a reality. New York: The
New Press.
Dow
nloa
ded
by [
Ein
dhov
en T
echn
ical
Uni
vers
ity]
at 0
3:08
21
Nov
embe
r 20
14
