Prof. Doug Lichtman, UCLA School of Law
March 11, 2013
I had the chance last month to participate in a public discussion about Facebook and, in particular, Facebook’s privacy policies. I am not a privacy expert by any means. And I barely use my Facebook account. But, in preparing for the event, I found myself deeply puzzled by privacy law in general, and the role for law in particular.
Start with the high-level question of why the law protects privacy. Modern privacy law is puzzling in that it restricts the disclosure of private facts related to personal finances, sexual orientation, medical conditions, and the like, even in instances where public revelation might serve social interests. Imagine, for example, if information about sexual promiscuity and sexual orientation could be acquired and disseminated without fear of legal liability. The former would do much to protect unsuspecting partners from the dangers of STDs, while the latter might significantly destigmatize what are still today controversial closet preferences. Yet the law protects these facts. Why?
My theory is that privacy law protects this information because, in the absence of legal protection, individuals would protect it anyway, and they would do so in ways that are more wasteful still. Patients would withhold vital information about their sexual history from doctors; adults discussing personal matters would speak in tongues; and lovers interrupted in the privacy of their homes would on occasion resort to violence. Privacy law might thus be best explained as a way to obviate what would otherwise be effective but costly self-help measures. The law protects you, in short, because otherwise you would spend even more protecting yourself.
Avoiding the costs associated with self-help is actually a common justification for formal legal intervention. A few years ago, for instance, Major League Baseball’s Chicago Cubs were involved in a dispute with several firms that owned rooftop properties overlooking the Cubs’ home stadium, Wrigley Field. At issue were what were in essence unauthorized stadium skyboxes – complete with plush seats, fancy catering, and full service bars – built on those nearby rooftops and to which tickets were sold to watch Cubs baseball. The Cubs understandably thought this practice unfair; rooftop seats compete with stadium seats and yet the rooftop owners were contributing nothing toward team salaries or stadium upkeep. Thus, the Cubs engaged in a little self-help: The team installed a large canvas windscreen that just so happened to block the view from several rooftop properties. The rooftop owners in response made plans to raise their rooftop seats higher; by the time a court began hearing the merits of the dispute, rumor had it that the Cubs were planning to construct a giant inflatable that would have randomly obscured even elevated rooftop views. Stopping this “arms race” was one of the core reasons that a court ultimately intervened. Self-help here was in each party’s short-term private interest but was in the aggregate wasting resources and worsening the baseball experience both within the stadium and above it.
If all that is right – that is, if the right way to think about privacy law is to focus on the ways it reduces the need for costly self help – then exactly what should the law demand from a service provider like Facebook? Obviously, one demand should be that Facebook clearly disclose its privacy policies such that individuals can easily evaluate and ideally be at peace with them. Another demand should be that Facebook live up to whatever it promises. If Facebook were allowed to fall short, after all, individuals would not be willing to rely on Facebook’s protections, and they would instead engage in self help like that described above.
But what more? For instance, should there be rules about how often Facebook changes its privacy options and settings, given that change often leads to confusion, and fear of confusion would lead to a protective self-help response? Should there be rules about how Facebook’s defaults are set, such that technologically unsophisticated users would know that they automatically enjoy the highest privacy settings and thus do not need to protect themselves from their own technical incompetence? And how would rules like these be defined and enforced, given that privacy is not some stand-alone feature for a site like Facebook but is instead deeply interwoven into the site, its structure, and its offerings?
I must admit that I do not myself yet have answers to these questions. But I am intrigued by the idea of evaluating privacy law from this perspective. Sure, privacy law might do more than simply reduce the costs of self-help protections. It might be an affirmative effort to keep certain information out of public view, for instance, even if individuals would not or could not maintain confidentiality on their own. But, to the extent that privacy law really is about the costs of self help, how would that translate into specific rules and regulations? And how should we evaluate modern privacy law along this dimension?