The turn to analytics is a response to this situation. Analytics involve the use of statistics, algorithms, and other tools of mathematics, harnessed through information technology, to use data to improve decisionmaking. A wide variety of organizations use analytics in their operations. Analytics are used by government, for example, but this white paper concentrates on how private-sector organizations use this technique.It does so because distinctive regulatory and ethical issues are likely to arise for different categories of enterprises. This white paper offers a contextual examination of analytics and develops ethical standards for private organizations using this technique. The term ‘‘contextual’’ is used here in reference to an organization’s need to consider the risks that a specific application of analytics poses to privacy and the kind of responsible processes that should accompany the use of analytics generally. This white paper finds that analytics tend to be applied to four stages of a data life-cycle: (1) collection, (2) integration and analysis, (3) decision-making, and (4) review and revision.

Its ethical standards for private organizations using analytics were developed through a series of interviews and discussions with the leading companies that participated in this project of the Centre of Information Policy
Leadership at Hunton & Williams. The resulting standards acknowledge that analytics can have a negative as well as a beneficial impact on individuals. Thus, the white paper requires implementation of accountable processes that are tailored to the specific, identified risks of analytics used. The guidelines further require development of organizational polices that govern information management and training of personnel. A company should also place responsibility for data processing operations and decision on designated individuals within the company. The following report is an abridged version of the full white paper, which is available online.

Drawing upon victim and impostor data now accessible because of updates to the Fair Credit Reporting Act, the data show that identity theft impostors supply obviously erroneous information on applications that is accepted as valid by credit grantors. Thus, the problem does not necessarily lie in control nor in more availability of personal information, but rather in the risk tolerances of credit grantors. An analysis of incentives in credit granting elucidates the problem: identity theft remains so prevalent because it is less costly to tolerate fraud. Adopting more aggressive and expensive anti-fraud measures is extremely costly and jeopardizes customer acquisition efforts.

These business decisions leave individuals and merchants with some of the externalities of identity theft. Victims sometimes spend their own money, and more often, valuable personal time dealing with identity theft externalities. This article concludes by reviewing several approaches to internalizing these costs. Popular approaches specify prescriptive rules to address particularly problematic practices in credit granting, such as using the Social Security number as a password for authentication. These approaches may lead to compliance-oriented approaches and reification. Several commentators have suggested negligence actions as a cure to identity theft, but uncertainty surrounding the duty of care would probably leave many consumers unremunerated. A strict liability regime is suggested because credit grantors are the least cost avoiders in the identity theft context, and because consumers cannot control the credit granting process nor insure against identity theft losses efficiently.

UCLA Journal of Law and Technology, p. 1, 2010

This “grounded” account should inform privacy reforms. While widespread efforts to expand consent mechanisms to empower individuals to control their personal information may offer some promise, those efforts should not proceed in a way that eclipses robust substantive definitions of privacy and the protections they are beginning to produce, or that constrains the regulatory flexibility that permits their evolution. This would destroy important tools for limiting corporate over-reaching, curbing consumer manipulation, and protecting shared expectations about the personal sphere on the Internet, and in the marketplace.

The Article concludes with two recommendations aimed at reducing the likelihood of companies deploying protection measures with known security vulnerabilities in the consumer marketplace. First, Congress should alter the Digital Millennium Copyright Act (DMCA) by creating permanent exemptions from its anti-circumvention and antitrafficking provisions that enable security research and the dissemination of tools to remove harmful protection measures. Second, the Federal Trade Commission should leverage insights from the field of human computer interaction security (HCI-Sec) to develop a stronger framework for user control over the security and privacy aspects of computers.

First, increasingly, privacy statutes create evolving standards of care, thus encouraging innovation for handling of data and avoiding the reification that can result from prescriptive, detailed regulation. For instance, the Fair Credit Reporting Act mandates an evolving “maximum possible accuracy” standard.

Second, in the direct marketing context, the US has imposed advertiser liability for violations of telemarketing, fax, and spam laws. This is a promising approach to address the use of difficult-to-identify and prosecute service providers that are responsible for illegal marketing campaigns.

Third, audit requirements for access to personal information has had a profound effect in encouraging industry and citizen policing of privacy violations. Audit logs have substantiated long-suspected privacy problems regarding “browsing” of files, and news media access to celebrities’ medical records.

Fourth, the US has briefly experimented with “data provenance,” a requirement that buyers of personal information exercise diligence to ensure against misuse of data. Data provenance responsibilities can create incentives to reduce gray and black market sales of personal information.

Finally, most federal privacy law acts as a floor of protections, allowing states to enact stronger rules. This has created a tension between state and federal governments, resulting in a leveling up of protections, because states (which tend to be more activist on privacy issues) can act where the US Congress is occupied with other issues.

NB: The final report, an executive summary of the final report, both by Douwe Korff and Ian Brown (et al), and one of two working papers, as well as two further country reports (on France and Germany) and a Comparative Chart, all by Douwe Korff, all also produced for the Comparative Study of Different Approaches to New Privacy Challenges in Particular in the Light of Technological Developments, can be found on SSRN.

Jennifer King
UC Berkeley School of Information; Berkeley Center for Law & Technology

Su Li
University of California, Berkeley- School of Law, Center for the Study of Law and Society

Joseph Turow
University of Pennsylvania - Annenberg School for Communication

Media reports teem with stories of young people posting salacious photos online, writing about alcohol-fueled misdeeds on social networking sites, and publicizing other ill-considered escapades that may haunt them in the future. These anecdotes are interpreted as representing a generation-wide shift in attitude toward information privacy. Many commentators therefore claim that young people “are less concerned with maintaining privacy than older people are.” Surprisingly, though, few empirical investigations have explored the privacy attitudes of young adults. This report is among the first quantitative studies evaluating young adults’ attitudes. It demonstrates that the picture is more nuanced than portrayed in the popular media.

In this telephonic (wireline and wireless) survey of internet using Americans (N=1000), we found that large percentages of young adults (those 18-24 years) are in harmony with older Americans regarding concerns about online privacy, norms, and policy suggestions. In several cases, there are no statistically significant differences between young adults and older age categories on these topics. Where there were differences, over half of the young adult-respondents did answer in the direction of older adults. There clearly is social significance in that large numbers of young adults agree with older Americans on issues of information privacy.

A gap in privacy knowledge provides one explanation for the apparent license with which the young behave online. 42 percent of young Americans answered all of our five online privacy questions incorrectly. 88 percent answered only two or fewer correctly. The problem is even more pronounced when presented with offline privacy issues – post hoc analysis showed that young Americans were more likely to answer no questions correctly than any other age group.

We conclude then that that young-adult Americans have an aspiration for increased privacy even while they participate in an online reality that is optimized to increase their revelation of personal data.

This article attempts to actuate a market for bank safety by comparing identity theft victim data with government statistics used to measure the relative size of financial institutions. It envisions a future when this market incentivizes financial services firms to explicitly compete to reduce the likelihood that customers will become victims of identity theft or other frauds. In a world of competition in bank safety, consumers who put a premium on avoiding fraud could reward the most proficient firms with their loyalty.

This article concludes that the available data, while weakened by several methodological concerns, do show that certain banks, large and small, have different identity theft footprints. Other discoveries were made as well. First, if present trends continue, there will be a substantial upswing in identity theft complaints to the Federal Trade Commission in 2008. Second, over a three-year period, a small group of companies accounted for almost 50 percent of identity theft incidents. Focusing interventions on this small group of companies could have a profound effect on incidence of identity theft. Finally, non-banking institutions, such as telecommunications companies, have an enormous identity theft footprint; in our highly dependent credit markets, impostors may be using these companies as stepping stones for attacks against banks.

This survey finds that Americans want openness with marketers. If marketers want to continue to use various forms of behavioral targeting in their interactions with Americans, they must work with policymakers to open up the process so that individuals can learn exactly how their information is being collected and used, and then exercise control over their data. We offer specific proposals in this direction. An overarching one is for marketers to implement a regime of information respect toward the public rather than to treat them as objects from which they can take information in order to optimally persuade them.

If we move from the past of tax law to the present, tax law looks much like other privacy statutes. The Tax Reform Act of 1976 removed the authority of the President to make rules for release of tax information. Its Section 6103 established a general rule of confidentiality with Congress to set exceptions through this rule by statute. A flood of disclosure exceptions have been enacted since 1976 with requirements based on how difficult Congress thinks it should be for a given party to obtain the tax information for a specific purpose. Disclosure of tax information is now permitted for the purposes such as civil litigation, criminal litigation, child support obligations, and terrorism prevention.

Regarding predictions about the future, it is likely that tax privacy as regulated under the Tax Code will be both less and more important in the future. It will be less important because of broad governmental and public access to financial and other information of the kind that taxpayers file. At the same time, one aspect of tax privacy will be more important than before. Threats of data breaches and data leaks make tax return security more significant. For one thing, the IRS increasingly collects tax return information through e-filing. Increasingly, tax returns may also be prepared by U.S. firms that outsource work internationally and send tax information around the globe electronically. Tax preparation software is subject to hacks and virus attacks.

Both of these predictions suggest a final point. If we return to the policy arguments for and against tax privacy, there has been a shared assumption of a special status, an exceptional status for tax information. Yet, today, the same information found in tax returns is accessible through other legal statutes. Moreover, tax information in the electronic age is subject to the same vagaries of data security as other data. One can therefore predict that the privacy of tax information will not only be both more and less important in the future. It will also increasingly be subject to the same kind of forces, legal and otherwise, as other personal information.

A gulf exists between California consumers' understanding of online rules and common business practices. For instance, Californians who shop online believe that privacy policies prohibit third-party information sharing. A majority of Californians believes that privacy policies create the right to require a website to delete personal information upon request, a general right to sue for damages, a right to be informed of security breaches, a right to assistance if identity theft occurs, and a right to access and correct data.

These findings show that California consumers overvalue the mere fact that a website has a privacy policy, and assume that websites carrying the label have strong, default rules to protect personal data. In a way, consumers interpret "privacy policy" as a quality seal that denotes adherence to some set of standards. Website operators have little incentive to correct this misperception, thus limiting the ability of the market to produce outcomes consistent with consumers' expectations. Drawing upon earlier work, we conclude that because the term "privacy policy" has taken on a specific meaning in the minds of consumers, its use should be limited to contexts where businesses provide a set of protections that meet consumers' expectations.

In 2007, fraud events where the victim could identify the institution associated with the incident, were concentrated among a relatively small number of companies. Just ten companies accounted for 30% of events. Verizon was identified by victims more than any other company as being targeted by impostors to commit fraud. AFNI, a collections agency, was next in total number of events. Bank of America improved dramatically over its 2006 numbers, while ING Bank and American Express remained top performers among large institutions.

Studies have shown that most consumers oppose the sale of personal information. Unfortunately, most consumers are under the misimpression that a company with a "privacy policy" is barred from selling data. To learn more about information selling, the authors, using a California privacy law, made requests to 86 companies for a disclosure of information sharing practices. The results show that while many companies have voluntarily adopted a policy of not sharing personal information with third parties, many still operate under an opt-out model that is inconsistent with consumer expectations, and others simply did not respond to the request. Based on these results, the authors propose several public policy approaches to bringing business practices in information sharing in line with consumer expectations.

Professor Alan Westin has pioneered a popular "segmentation" to describe Americans as fitting into one of three subgroups concerning privacy: privacy "fundamentalists" (high concern for privacy), "pragmatists" (mid-level concern), and the "unconcerned" (low or no privacy concern). When compared with these segments, Californians are more likely to be privacy pragmatists or fundamentalists, and less likely to be unconcerned about privacy. Fundamentalists were much more likely to be correct in their views of privacy rules. In light of this finding, we question Westin's conclusion that privacy pragmatists are well served by self-regulatory and opt-out approaches, as we found this subgroup of consumers is likely to misunderstand default rules in the marketplace.

And finally, the worst identification and tracking policies from the online world are finding their way into the offline world. In other words, online self-regulatory approaches have encouraged a more invasive web environment, and have dragged down the practices of ordinary, offline retailers. This paper argues that the FTC and Congress should reevaluate their commitment to market approaches, and empower consumers with privacy law that incorporates Fair Information Practices.

CDBs make available a wide variety of personal information, from arrest and court records to notice that a suspect has opened a private mailbox. Access to private sector databases has significantly altered the balance of power between law enforcement and the individual. This new power has been made possible by the confluence of fast network connections; the availability of public records, both electronic and paper, that are rich with personal information; a regulatory environment that has turned a blind eye to private sector collection of personal information for marketing and other purposes; and the alacrity of companies that have become very profitable from selling personal data to the government.

This article summarizes the findings of three years of research into the relationship between CDBs and the federal government. The federal Freedom of Information Act was employed to obtain over 1,500 documents from nine federal agencies concerning ChoicePoint and other CDBs. Findings are presented from the requests, and concerns are raised regarding law enforcement access to personal information.

The documents led to six major findings. First, the documents show that law enforcement can quickly obtain a broad array of personal information about individuals. Second, although broad requests for documents were filed, there was almost no evidence of controls to prevent agency employees from misusing the databases. It appears as though auditing employee use of the databases is either impossible or simply not done. Third, the database companies are extremely solicitous to the government and actually design the databases for law enforcement use. Fourth, ChoicePoint expanded significantly in 2000 by starting to acquire and sell personal information of non-citizens. That discovery has led to strong international dissent. Fifth, many of the contracts with CDBs are sole-sourced, meaning the contracts are not open to competitive bidding. Sixth, the FBI has a secret, sole-source contract with ChoicePoint to develop an information service prototype.

Based on these documents, the author concludes that the Privacy Act should apply to CDBs. The Privacy Act of 1974 establishes a comprehensive set of Fair Information Practices for government collection of personal information, but does not substantially affect the data practices of these private companies. Because of this lack of coverage, government entities have performed an end-run around the protections of the Privacy Act by allowing the private sector to amass troves of personal information that the government would ordinarily not be allowed to collect. Essentially, commercial data brokers are big brother's little helpers - private sector companies that have escrowed personal information that is customized for law enforcement and other government agencies.

The author also concludes that public policy makers should not draw distinctions between commercial and government collection of personal information. Libertarians and conservatives have employed persuasive arguments to stave off privacy regulation that affects the commercial sector. They have argued that government collection, use, and disclosure of information presents more risk than commercial collection because the government has the power to arrest, imprison, and even to execute citizens. But this article shows that this distinction between the risks of government and commercial privacy risk is no longer tenable. Commercial actors provide personal information to the government in a number of contexts, and often with astonishing alacrity.

Finally, policymakers should revisit policies surrounding access to public records. Much of the personal information made available to law enforcement originates from public records. In a variety of contexts, the government compels individuals to reveal their personal information, and then pours it into the public record for anyone to use for any purpose. The private sector has collected the information, repackaged it, and brought it back to the government full circle. While public records are supposed to provide a window for a citizen to check abusive government activities, increasingly, they are used to leverage more control for powerful institutions against the common man.

This Article begins by examining governmental data mining. In Part II, this Article reviews widely held views about the necessary safeguards for the use of data mining. In Part III, this Article considers dataveillance by private corporations and how they have compiled rich collections of information gathered online in the absence of a robust legal framework that might help preserve online privacy.

This Article then discusses some of the techniques that individuals can employ to mask their online activity as well as existing and emerging technological approaches to preventing the private sector or government from linking their personal information and tracing their activities. This Article concludes by briefly considering three topics: (1) whether and how to regulate the potential impact of identity management systems on counterterrorism efforts; (2) the requirements of transparency and understanding of the underlying models used in either data mining or identity management systems as a necessary prelude to the creation of rules on appropriate access and use; and (3) the need for research in several further areas.

The author hypothesizes that if lending institutions reported limited information about identity theft, it would reveal that identity theft is both more prevalent and economically damaging than currently acknowledged, in part because of the rise of synthetic identity theft, a form that cannot be measured by victim surveys because they are unaware of the crime. Furthermore, the disclosure requirement would birth an anti-identity theft market, and the prevalence and severity of the crime would decrease dramatically as institutions compete to offer the safest financial products to consumers.

Such rational inquiry about telecommunications surveillance is, however, largely precluded by the haphazard and incomplete information that the government collects about it. This Article evaluates the main parts of telecommunications surveillance law and the statistics about their use. The critical statutory regulations are (1) the Wiretap Act, (2) the Pen Register Act, (3) the Stored Communications Act, and, for foreign intelligence, (4) the Foreign Intelligence Surveillance Act, and (5) the different provisions for National Security Letters (NSLs).

Other parts of the surveillance landscape represent an even greater expanse of blank spaces on the legal map. There are a number of "semi-known unknowns" (to coin a phrase); these are kinds of telecommunications surveillance about which only limited public information exists - this surveillance also occurs outside a detailed legal framework.

This Article concludes with the development of the concept of "privacy theater." Currently, the value of the collection of telecommunications statistics is largely ritualistic. It serves to create a myth of oversight. This Article proposes that we go beyond myth and re-dedicate ourselves to the task of creating a telecommunications surveillance law that minimizes the impact of surveillance on civil liberties and maximizes its effectiveness for law enforcement.

In this paper, we ask why. We first explore why both process requirements and traditional means of political oversight are often weak tools for ensuring that policy reflects privacy commitments. We then consider what factors might, by contrast, promote agency consideration of privacy concerns.

Specifically, we compare decisions by two federal agencies - the Department of State and the Department of Homeland Security - to use RFID technology, which allows a wireless-access data chip to be attached to or inserted into a product, animal, or person. These two cases suggest the importance of internal agency structure, culture, and personnel, as well as alternative forms of external oversight, interest group engagement, and professional expertise, as important mechanisms for ensuring bureaucratic accountability to the secondary privacy mandate imposed by Congress.

The analysis speaks to debates in both public administration and privacy protection. It implicates disputes over the efficacy of external controls on bureaucracy, and the less-developed literature on opening the black box of administrative decisionmaking. It further offers insight into pre-conditions necessary to advance privacy commitments in the face of social and bureaucratic pressure to manage risk by collecting information about individuals. Finally, it offers specific proposals for policy reform intended to promote agency accountability to privacy goals.

This Review's Part II looks at two additional aspects of Heymann's vision of future uses of intelligence to thwart terrorism. In Part II.A., we describes the contours of data mining, a technique of intelligence analysis that Heymann advocates. Although Heymann notes that data mining is likely to have an adverse effect on privacy, he does not develop detailed safeguards in response. A Pentagon blue ribbon panel, the Technology and Privacy Advisory Committee (TAPAC), has, however, developed a recommended framework for governmental use of data mining techniques, and we assess the TAPAC recommendations. Finally, in this Review's Part II.B., we turn to an important policy discussion related to data mining: how can the USIC better disseminate intelligence within a proposed new intelligence network? We sketch the proposed form of the new intelligence network and analyze four important legal and policy questions that it raises.

The Deck is drawn upon my experience as a lawyer working on consumer protection in Washington, DC. Where possible, I have provided specific examples of denialism, but in many cases, these arguments are used only in closed negotiations. Some who read them find the examples humorous, while others find it troubling. But all who read the Washington Post will recognize these tactics; they are ubiquitous and quite effective.

This taxonomy provides a roadmap for consumer advocates to understand the resistance they will face with almost any form of consumer reform. I hope to expand it to include retorts to each argument in the future.

In the aftermath of the ChoicePoint debacle and other major information security breaches, both of us have been asked by Congressional legislative staffers, state legislative policymakers, journalists, academics, and others about what specifically should be done to better regulate information privacy. In response to these questions, we believe that it is imperative to have a discussion of concrete legislative solutions to privacy problems.

What appears below is our attempt at such an endeavor. Privacy experts have long suggested that information collection be consistent with Fair Information Practices. This Model Regime incorporates many of those practices and applies them specifically to the context of commercial data brokers such as ChoicePoint. We hope that this will provide useful guidance to legislators and policymakers in crafting laws and regulations. We also intend this to be a work-in-progress in which we collaborate with others. We have welcomed input from other academics, policymakers, journalists, and experts as well as from the industries and businesses that will be subject to the regulations we propose. We have incorporated criticisms and constructive suggestions, and we will continue to update this Model Regime to include the comments we find most helpful and illuminating.

Notice, Consent, Control, and Access

1. Universal Notice
2. Meaningful Informed Consent
3. One-Step Exercise of Rights
4. Individual Credit Management
5. Access to and Accuracy of Personal Information

Security of Personal Information

6. Secure Identification
7. Disclosure of Security Breaches

Business Access to and Use of Personal Information

8. Social Security Number Use Limitation
9. Access and Use Restrictions for Public Records
10. Curbing Excessive Uses of Background Checks
11. Private Investigators

Government Access to and Use of Personal Data

12. Limiting Government Access to Business and Financial Records
13. Government Data Mining
14. Control of Government Maintenance of Personal Information

Privacy Innovation and Enforcement

15. Preserving the Innovative Role of the States
16. Effective Enforcement of Privacy Rights

This article proposes a fix to address lax credit granting practices. It takes the form of a change in the default state of credit reports from their current liquid state to a frozen one. That is, our current credit system allows our personal information to flow like water to almost anyone who requests it. Once credit information is released, credit grantors who are operating in an extremely competitive market, race to issue new accounts. This makes it simple for impostors to commit identity theft by obtaining new credit accounts.

Under the proposed system, credit reports would be sealed or frozen, available only when the individual thaws her file, and specifies to whom, when, or in what contexts it should be released. Creditors will not extend tradelines without a credit report, and thus under a frozen credit report system, impostors would have great difficulty in obtaining new accounts. A simple barrier to obtaining a credit report will provide a shield for all individuals against most identity thieves.

This article is a short book chapter in a forthcoming book to be published by Stanford University Press of papers presented at a March 2004 symposium on privacy and security at Stanford Law School.

What appears below is our attempt at such an endeavor. Privacy experts have long suggested that information collection be consistent with Fair Information Practices. This Model Regime incorporates many of those practices and applies them specifically to the context of commercial data brokers such as Choicepoint. We hope that this will provide useful guidance to legislators and policymakers in crafting laws and regulations. We also intend this to be a work-in-progress in which we collaborate with others. We welcome input from other academics, policymakers, journalists, and experts as well as from the industries and businesses that will be subject to the regulations we propose. We invite criticisms and constructive suggestions, and we will update this Model Regime to incorporate the comments we find most helpful and illuminating. We also aim to discuss some of the comments we receive in a commentary section. To the extent to which we incorporate suggestions and commentary, and if those making suggestions want to be identified, we will graciously acknowledge those assisting in our endeavor.

Notice, Consent, Control, and Access

1. Universal Notice
2. Meaningful Informed Consent
3. One-Step Exercise of Rights
4. Individual Credit Management
5. Access to and Accuracy of Personal Information

Security of Personal Information

6. Secure Identification
7. Disclosure of Security Breaches

Business Access to and Use of Personal Information

8. Social Security Number Use Limitation
9. Access and Use Restrictions for Public Records
10. Curbing Excessive Uses of Background Checks
11. Private Investigators

Government Access to and Use of Personal Data

12. Limiting Government Access to Business and Financial Records
13. Government Data Mining
14. Control of Government Maintenance of Personal Information

Privacy Innovation and Enforcement

15. Preserving the Innovative Role of the States
16. Effective Enforcement of Privacy Rights

This Review begins by examining Gilliom's methodology and findings. It credits the insights of his look at the inner world of welfare recipients, but finds that he appears to ignore the need for income limits on aid recipients and the concomitant need for at least some personal information to enforce these limits. It also criticizes his failure to explore an interaction of an "ethics of care" among welfare recipients with possible use of retooled privacy rights or interests. In the second part of this Review, we consider the extent to which theoretical work inside and outside of the legal academy points to a new privacy and discuss how Gilliom's empirical research provides support for that scholarship. We will also evaluate the extent to which the new privacy, centered on FIPs, can prevent the threats to personal autonomy so poignantly identified by Gilliom.

This Article also examines the statutory law that governs telecommunications surveillance in Germany and the U.S. It evaluates six categories: (1) legal protection for telecommunications information; (2) legal protection for connection data; (3) legal protection for stored data; (4) legal requirements for data retention or data erasure; (5) legal protection for contents of telecommunications; and (6) the nature of available remedies. In a final section, this Article examines three possible "X factors," beyond the surveillance regulations expressed in legal regulations, that may affect law enforcement behavior in carrying out telecommunications surveillance in the two countries.

Also much disputed is the constitutionality of database protection legislation proposed in Congress akin to the new intellectual property regime created in the EU that confers on publishers an exclusive right to control extraction and reuse of data from databases. The Court in Feist insisted that the U.S. Constitution required a creativity-based standard for copyright (and presumably for copyright-like) protection of databases. While the Supreme Court did not accept the extension of the principles of Feist for which Eldred argued, it did not abjure Feist. Hence, EU-style database protection may be unconstitutional. Eldred also suggests that higher First Amendment scrutiny may be required when assessing changes to the traditional contours of intellectual property law, such as EU-style database protection and the DMCA anti-circumvention rules, calling into question the Second Circuit's decision in Universal City Studios v. Corley. Even if such laws can surmount facial challenges to their constitutionality, the article gives examples of "as applied" challenges likely to be successful.

In this Article's final section, we explore ways in which to make the GLB Act's mandatory rules more flexible, and we propose possible revisions to the existing "notice and opt-out" default in the GLB Act. Finally, we revisit the GLB Act's opt-out requirement. We propose to improve upon this requirement by using social science research concerning the power of "frames." We also discuss the possible merits of a shift to an opt-in requirement.

A privacy market can play a role in helping information privacy fulfill this constitutive function. Yet, Lessig's propertization of privacy raises a further set of difficulties. In my view, propertization a la Lessig will only heighten flaws in the current market for personal data. This consequence follows from numerous shortcomings in this market and structural difficulties that indicate the unlikelihood of a self-correction in it. Moreover, in revisiting Calabresi and Melamed's work regarding the comparative merits of property and liability regimes, I find that a mixed regime is to be preferred for Internet privacy over Lessig's property regime.

Part III of this Article turns from criticism to prescription and develops the mixture of property and liability rules necessary for establishment of information privacy standards in cyberspace. It proposes recourse to Fair Information Practices (FIPs) to establish rules for the fair treatment of personal data on the Internet. Yet, FIPs are not without potential shortcomings if structured only as command-and-control rules. My suggestion therefore is that an American Internet privacy law consisting of FIPs should include both mandatory and default elements.

Finally, Internet Privacy and the State in its Part III examines how the State can improve the functioning of a privacy market and play a positive role in the development of privacy norms. Regarding the privacy market, the State's first two steps should be to: (1) discourage a default of maximum information disclosure, and (2) encourage a market for privacy-enhancing technology. To overcome more general failings in privacy market efficiency, the State should also: (3) reduce information asymmetries, and (4) seek ways to overcome collective action problems. Regarding privacy norms, the State should: (1) encourage norm circumvention by facilitating attempts to bargain around objectionable norms, (2) provide incentives to groups to modify certain kinds of behavior, and (3) help construct positive bandwagon effects.

This Article advocates a legislative enactment of the four fair information practices. This legal expression of privacy norms is the best first step in promoting democratic deliberation and individual self-determination in cyberspace. It will further the attainment of cyberspace's potential as a new realm for collaboration in political and personal activities. Enactment of such a federal law would be a decisive move to shape technology so it will further--and not harm--democratic self-governance.