® InfoJur.ccj.ufsc.br

Recommendations for the Evolution of Cyberlaw

Ellen M. Kirsh, David W. Phillips, Donna E. McIntyre

Abstract

This article focuses on the privacy implications arising from an increasing reliance on digital networks for communication, commerce, education and entertainment. Greater access to the maze of information and services will create needs for customized services and tools to guide users through the information anarchy and channel products of interest to consumers. Yet these trends raise concerns about what usage data will be collected and how such data will be stored, used and disclosed to others.

While there have been calls from privacy advocates in the U.S. to adopt the European model and create new privacy laws and federal agencies to govern data use practices, this approach conflicts with not only traditional U.S. legal privacy paradigms, but also with current U.S. public opinion. The global market for interactive services, the U.S. public’s growing concern for their privacy in cyberspace and reluctance to rely on government intervention with respect to personal privacy matters all support initial reliance on market forces and the industry-regulatory model. For U.S. providers of interactive services to remain competitive in the United States and operate in global markets, they must establish and maintain their subscribers’ trust with respect to individual privacy. Consumers will penalize providers who fail to proactively disclose their data collection practices and privacy safeguards.

 Introduction

[ 1 ]
The increased use of digital networks and advances in database technology are transforming the types of information available about individuals[ 2 ] and the manner by which businesses, including interactive service providers [ 3 ] and online merchants, can collect, process and use such information. Although personal information was available prior to the widespread use of computers, it was not easily collected, processed or distributed [ 4 ]. Nevertheless, information about individuals has been used for many years by a variety of businesses, such as department stores, credit card companies, and catalog merchants, to market to potential customers, retain existing ones and meet the growing demand for goods and services sold through direct marketing channels.

To make the online experience easier and more personalized for users and to facilitate interactive commerce and advertising, interactive service providers need to collect and use certain individual information. The responsible and fair use of such information will make online services and the Internet a more compelling and affordable medium. However, failure to adequately inform users about data policies and implement strong privacy protections risks alienating a public who fears that computer networks will be used to undermine our individual privacy and autonomy [ 5 ].

Whether this fear is justified by a fundamentally different and greater threat to privacy posed by the use of digital networks, or is attributable more to the public’s unfamiliarity with and distrust of technology [ 6 ], the interactive service industry must address the underlying privacy concerns. In particular, the industry must earn and keep its customers’ trust that their personal privacy will be vigorously protected. The industry must assure the public that their data practices will not produce an Orwellian world in which intimate details of our personal lives are tracked and traded without individual knowledge or consent.

Failure to address the public’s privacy concern could be perilous. Fear about children’s access to pornography on the Internet led to Congress’ misguided passage of the Communications Decency Act, which failed to account for the unique qualities of the interactive medium and which a federal court recently struck down as unconstitutionally abridging free speech [ 7 ]. Mindful of that experience, the industry must ensure that the privacy debate not be commandeered by demagogues and devolve into irrational conjecture which plays upon the public’s fear of technology and change.

Defining personal privacy in our digital age is a complex task which requires that we choose between strong competing interests. The challenge is made more difficult by those who invoke Big-Brother imagery or a one-dimensional approach that fails to weigh other important policy issues such as free speech, intellectual property and personal accountability. The complexity of perspectives involved in the privacy debate is illustrated by the current controversy over the widespread use of encryption, the public’s split over "anonymous" use of digital networks, and the mixed calls for government regulation of industry data practices or reliance on a pure self-regulatory model.

Any review of the data and privacy practices of the interactive service industry should be consistent with the scrutiny accorded to other industries’ data and privacy practices. Any regulation of data practices in cyberspace should account for the benefits that will inure to consumers from the responsible use of personal information and the unique and personally empowering qualities of this medium.

This Article proposes that consumers’ expectation of privacy on digital networks, as well as the global reach of the interactive service industry, will create the critical market-based demand for widespread industry adoption of robust privacy protections. Although Americans are acutely sensitive about their privacy in cyberspace, they are also reluctant to empower government to protect their privacy [ ]. The public’s apparent preference for private sector options for privacy safeguards offers individual interactive service providers an opportunity to address consumers’ privacy concerns as a competitive feature of their services. Consumer demand should lead providers to advertise their privacy protections in an effort to garner greater market share over competitors who fail to offer similar protections.

Collection and Use of Personal Information

Technological Advances: Marketing Opportunities and Privacy Risks

Advances in database technology, marketing technology, and the sudden growth and capabilities of digital networks are creating new opportunities for direct marketers and raising new privacy issues. Technological advances and increasing use of digital networks provide marketers with increasing amounts of information with which to target their customer base and contact potential customers more efficiently. While the technological advances raise privacy concerns that are not limited to the use of digital networks (e.g., scanners allowing easy collection of data on grocery purchases) [ 9 ], the public’s increasing reliance on digital networks has focused particular attention on data collection practices and privacy issues in cyberspace [ 10 ].

1. Data Collection and Digital Networks

Public use of computer mediated communication to inform, educate, entertain and shop is proliferating [ 11 ]. Each new use generates data revealing detailed information about our personal lives -- our user preferences and purchasing habits -- as well as data concerning those with whom we speak and associate. Interactive service providers, such as America Online, CompuServe, and the Microsoft Network, could potentially gain access to vast amounts of information that were previously available only in piecemeal form to separate entities such as banks, credit card companies, department stores, catalogue companies, telephone providers and the post office.

Users are particularly sensitive about records of their online activities such as visiting "chat groups," posting to interactive discussion forums, or visiting Web sites which may leave "mouse-droppings" or specific usage data [ 12 ]. Interactive service providers may collect and store both individual and aggregated information. Individual information (sometimes referred to as personal information) means data or records relating to an identifiable individual’s use of an interactive service, such as information that John Doe (or an account registered to Mr. Doe) entered a specific online area or forum at a certain time or purchased a particular product online [ 13 ]. Collection of usage information revealing an individual’s online behavior is particularly sensitive because it could be suggestive of intimate personal information, such as a subscriber’s sexual preferences, health concerns or other confidential matters [ 14 ].

Aggregate information, on the other hand, describes usage patterns, habits and demographics of users of online services as a group in a form that does not identify any individual or individual account. An example of aggregate information would be a report that out of 100 accounts that entered into the BusinessWeek online area, 25 of those were males between the ages of 45-54 who entered directly from the main "welcome" screen and are heavy users of investment forums.

2. Legitimate Needs for Information

While interactive service providers must address subscribers’ privacy concerns by disclosing data collection practices and implementing privacy safeguards, they need to provide their independent content providers, advertisers, merchants and other partners with aggregate information for editorial, programming, and demographic analysis. In fact, the lack of adequate demographic and behavioral information regarding users who visit sites creates a serious impediment to attracting significant advertising revenues and to the development of interactive commerce. This information is also necessary to provide subscribers the content and services in which they are interested. For example, a national magazine publisher who manages an online area needs the usage and demographic patterns of subscribers who enter its area to better tailor the interactive services offered to these subscribers. Such data would enable advertisers and merchants to target their marketing efforts at interested customers.

More importantly, the customized experience which providers can soon offer to individual users by gathering customer preference data will help ease the interactive services into an era of true utility. Many still regard the Internet and online interactive services as little more than a faddish entertainment medium for the masses [ 15 ]. It often seems as if the medium only offers utilitarian value to sophisticated users skilled in complex computer mediated research. The typical user often feels confronted with too many informational offerings making the medium overly complex and of limited utility. As James Fallows, Washington editor of the Atlantic Monthly, wrote in a recent article, "[t]he great problem of the information age is that there's too much information. The easier it becomes to store any kind of data on a computer or to dump material onto the Internet, the harder it can be to find what you are looking for."[ 16 ]

In the near future, information service providers increasingly will be able to customize each subscriber’s computer screen interface and online options to address special user preferences and personal interests. The development of increasingly intelligent virtual editors -- editorial avatars -- will enable users transparently, and perhaps unconsciously, to direct their information input along the lines of their personal needs and interests [ 17 ]. As the difficult job of teaching machines to parse natural language comes closer to fruition, such avatars may combine with simple user requests to provide instant access to relevant information [ 18 ].

Interfaces automatically and intelligently customized to an individual user’s preferences, as derived from her online activities, will present the user with information she might want or need before she even realizes it exists. Far from limiting choices, such software has the potential to individualize the utility of the medium, while continuously updating the user’s interest profile.

Interactive service providers, like any other customer service business, have legitimate business needs for gathering and analyzing customer data. Their customers need and derive benefits from this analysis. Prohibiting companies from utilizing such information would deny efficient data management to those individuals who welcome the responsible use of personalized and targeted information to serve their special needs. Many users would embrace tools that chart a course through the maze of information options and tailor their online experience to areas of personal interest. Indeed, individuals might appreciate the convenience of dealing with merchants who can access their purchasing history. In short, the responsible and fair use of online information will make this a better medium: easier to use, more personalized, and more affordable for consumers.

The Public’s Privacy Concerns

1. Public Surveys

Recent surveys show that the American public is acutely concerned about their privacy while using electronic networks [ 19 ]. In a 1994 survey by Louis Harris & Associates and Dr. Alan Westin, 82% of those interviewed expressed their concern about threats to their personal privacy [ 20 ]. The Harris Survey also found that 51% of the people polled are concerned about having a subscriber profile created about their viewing and purchasing patterns online [ 21 ].

Despite this apprehension, many people appear interested in receiving customized services. In the Harris survey, 52% of those surveyed were interested in receiving information and advertising tailored to their particular interests [ 22 ]. More importantly, a large majority of the survey participants -- 73% -- preferred voluntary industry-wide protections of their personal information rather than government regulation.[ 23 ]

Despite this high interest in receiving personalized information, the Harris Survey indicates that people will demand that their service providers clearly disclose what usage data they are collecting and for what purpose [ 24 ]. Of those individuals surveyed, 77% stated they would like advance notice before use of their profiles and would like to be informed as to how their profile is being used [ 25 ].

2. Public Outcry

In addition to this survey information, there are several poignant illustrations of the public’s sensitivity to the use of personal information for commercial purposes. In 1991, Lotus Development Corporation and Equifax joined to manufacture and sell Lotus Marketplace: Households [ 26 ]. Using information supplied by Equifax, one of the country’s largest credit bureaus, Lotus compiled data on the purchasing patterns of 120 million consumers for marketing on CD-ROM [ 27 ]. This would have made detailed marketing information about individuals available to anyone with a personal computer equipped with a CD-ROM drive [ 28 ].

Opposition to the product prevented its release [ 29 ]. Larry Seiler, a computer consultant, organized this opposition by way of a letter sent to Lotus citing his privacy concerns about the product. After Mr. Seiler distributed this letter on an electronic mail ("e-mail") system, readers sent some 30,000 angry letters of protest to Lotus and Equifax [ 30 ]. As a result of this overwhelming public outcry, Lotus and Equifax never released the product [ 31 ].

Consumers have reacted strongly to the selling of e-mail addresses compiled from individual activity in Usenet newsgroups, visits to World Wide Web sites, and visits to chat rooms on the Internet. For example, the Marketry company planned to rent an "E-mail Internet Interest Selector List" to direct marketers [ 32 ]. Marketry did not compile the list itself. Instead, the list was compiled by a company that maintains sites for other companies with a presence on the Web [ 33 ]. The creator of the list, however, had not implemented any privacy protections for Internet users, such as notice of the collection and use of e-mail addresses or opt-out procedures enabling individuals to have their e-mail address removed from the list [ 34 ].

The announced plan to sell e-mail addresses was met by criticism from the media, privacy advocacy groups such as the Electronic Privacy Information Center ("EPIC"), and consumers [ 35 ]. Even the Direct Marketing Association ("DMA") expressed concern [ 36 ]. Patricia Faley, DMA vice president of consumer affairs, said "the availability of the Marketry list probably signifies the need for an e-mail suppression file, much like the one that trade association created for consumers who do not want to receive unsolicited direct mail or telemarketing calls." [ 37 ]. Faced with such criticism, the company announced it would not act as the manager of the e-mail address list.[ 38 ]

These illustrations show the need to establish and maintain the trust of subscribers concerning the collection and use of personal data, and the public’s frustration and reaction to use of their personal information without their knowledge, consent, and involvement [ 39 ].

Protection of Privacy

While rapid technological developments have affected our personal privacy, our legal framework to address privacy issues has evolved slowly. There is currently no umbrella privacy law in the United States applicable to the collection and dissemination of personal information by private entities (including interactive service providers) [ 40 ]. Instead, private sector data practices have been subject to government regulation only in specific industries such as cable television, video rentals, or the use of credit data. The Clinton Administration has issued two reports discussing how to protect personal privacy over digital networks. These reports have emphasized the value of industry self-regulatory efforts and individually empowering users to protect their privacy through notice, choice and technology.

Many privacy experts believe that personally empowering technologies can offer users better privacy protection than new government privacy initiatives and enforcement efforts. For example, experienced Internet users already employ several methods to protect personal privacy such as encryption and anonymous remailers [ 41 ]. In addition, new technology developments may offer users the opportunity to prevent the collection of much information about their online "surfing," research, or browsing habits [ 42 ]. Current software designed to filter access and provide parental control can be modified so that users can configure their web browsers to leave only anonymous "mouse droppings" and block access to web sites that do not expressly offer strong privacy disclosure policies [ 43 ]. In fact, the identities of users who are accessing the World Wide Web through online services are currently made anonymous because they access the Web through proxy servers which strip the identity of individual users.

Additionally, as explained above, the sheer force of public outrage will likely lead to stronger privacy safeguards as interactive service providers increasingly compete based on the strength of the privacy policies and practices. Also, industry organizations such as the Interactive Services Association ("ISA") and the Direct Marketing Association ("DMA"), as well as other federal agencies such as the National Telecommunications and Information Administration ("NTIA"), increase the pressure on companies to adopt strong privacy measures by highlighting privacy issues for the public and focusing attention on individual company policies and practices. [ 44 ]

CURRENT LAW

1. U.S. FEDERAL LEGISLATION

The privacy laws in the United States have been adopted in a piecemeal fashion to govern data collection, use and dissemination "depending on how it is acquired, by whom, and how it will be used."[ 45 ]. The most comprehensive privacy protection legislation is The Privacy Act of 1974 (the "Privacy Act")[ 46 ] which regulates the collection and disclosure of personal information by government agencies.[ 47 ]. The protections of the Privacy Act, however, have been weakened by overly-broad interpretations of exceptions to the Act. Specifically, the Privacy Act permits disclosure of records for "routine uses compatible with the purposes for which the records were collected."[ 48 ]. For example, the U.S. Postal Service has interpreted this provision to enable it to sell personal information about changes of address to third parties for marketing purposes.[ 49 ]

The Privacy Act also has been criticized because there is no governing body to enforce the privacy protection regulations pertaining to government agencies.[ 50 ]. Such a body was originally proposed but never implemented [ 51 ]. A bill is currently pending in Congress that would create a national privacy commission with authority to oversee enforcement of the Privacy Act. [ 52 ]

The regulation of industry-specific privacy and data practices includes the following: (i) the Fair Credit Reporting Act of 1970 [ 53 ], which prohibits consumer credit reporting agencies from disclosing personal data except in certain circumstances [ 54 ], (ii) the Cable Communications Policy Act of 1984 [ 55 ], which, inter alia, requires cable operators to obtain written consent from their subscribers before disclosing personal information, (iii) the Right to Financial Privacy Act of 1978 [ 56 ], which requires financial institutions to provide their customers with notice before any records are disclosed to government agencies, (iv) the Video Privacy Act of 1988 [ 57 ], which prohibits disclosure of certain customer rental information held by videotape rental services, and (v) the Telephone Consumer Protection Act of 1991 [ 58 ], which requires telemarketers to maintain a "do not call" database from individuals who request to be removed from calling lists.

The only privacy statute which applies directly to online services is the Electronic Communications Privacy Act ("ECPA") [ 59 ]. ECPA protects against the unauthorized surveillance of private electronic messages or release to third parties of the content of those messages and restricts the government’s right to access customer records of interactive service providers [ 60 ]. Although ECPA establishes important protections for private electronic messages and customer records, it does not directly govern the use or disclosure of individual information for marketing purposes. However, one possible, but as yet untested, interpretation of ECPA is that the statute’s broad definitions of the terms "contents" and "electronic communication" might be construed to prohibit providers from disclosing to third parties very specific individual usage information which identified "the substance, purport, or meaning of that communication." [ 61 ]. However, there is no indication of any legislative intent to interpret ECPA so broadly as to prohibit the disclosure to private parties of specific usage or transactional data. [ 62 ]

Privacy advocates claim that the existing statutory schemes protecting privacy are undermined by "exceptions that gut the protection."[ 63 ]. As explained by Ellen Alderman and Caroline Kennedy in their book, The Right to Privacy,

Perhaps the biggest problem with the statutory scheme is that there is no overall privacy policy behind it. As even a partial list of privacy laws indicates, they address a hodgepodge of individual concerns. The federal statutory scheme most resembles a jigsaw puzzle in which the pieces do not fit. That is because the scheme was put together backwards. Rather than coming up with an overall picture and then breaking it up into smaller pieces that mesh together, Congress has been sporadically creating individual pieces of legislation that not only do not mesh neatly but also leave gaping holes [ 64 ].

While the U.S. approach to privacy might be viewed as a series of piecemeal laws with no coherent theme towards personal privacy, this privacy framework in part reflects the unique historical perspective in which the U.S. government, not private parties, has been viewed as posing the most fundamental threat to individual privacy and liberty. For this reason, the U.S. has much stronger protections (e.g., the Electronic Communications Privacy Act) preventing government access to private electronic communications and records than many European nations. Viewed in this light, it is easier to understand the rationale underlying the current patchwork of privacy laws and historical resistance to establishing a federal watchdog agency.

2. U.S. Case Law

U.S. courts, on occasion, have examined the issue as to whether the control of personal information by individuals is a fundamental right protected by the Fourteenth Amendment of the Constitution. However, these cases have focused on government acts, not private actors. In Paul v. Davis, the Supreme Court held that individual control of personal information was not a fundamental right protected by the Fourteenth Amendment [ 65 ]. Rather, the Paul court held that fundamental privacy rights encompass only those relating to marriage, procreation, contraception, family relationships, child-rearing and education. [ 66 ]

In subsequent cases, courts have been equally reluctant to create an individual right to informational privacy [ 67 ]. For example, in Nixon v. Administrator of General Services [ 68 ], the Supreme Court held that the President’s interest in the informational privacy of his official records was outweighed by a public interest in the documents. In cases where the Supreme Court has found informational privacy is outweighed by the public’s interest, there was an express grant of statutory protection. One example includes Rowan v. U.S. Post Office Dept., 397 U.S. 728 (1970), where the Court decided in favor of an individual’s right to removal -- at the consumer’s request -- of consumers’ names from mailing lists of pandering advertisements selling sexually provocative materials. This statute was limited in its scope to removal of names only from mailing lists for materials of a sexual or erotic nature.

Individuals have also brought actions based in tort, property, and contract against private entities in state courts. In actions based in tort, state courts have been reluctant to find the user of the information liable because of the individual’s inability to prove injury from the disclosure of information [ 69 ].

Although courts have not recognized a property interest in personal information, they may face an increasing number of claims that personal information is property. For example, a resident of Virginia recently asserted a property interest in his name and/or likeness [ 70 ]. This is a novel argument because typically this common law right is asserted by a celebrity whose name or likeness has potential commercial value [ 71 ]. In Avrahami v. U.S. News & World Report, Inc., the plaintiff, a non-celebrity, asserted that the defendant violated a particular provision of Virginia law regarding the unauthorized use of the name or picture of any person [ 72 ]. That provision, Section 8.01-40 of the Code of Virginia, of 1950, states that a person may bring suit and claim damages against "any person, firm or corporation" using an individual’s "name, portrait or picture" for advertising or trade purposes without that person’s written consent. [ 73 ]

The plaintiff, Avrahami, alleged that the defendant, U.S. News & World Report, "willfully used his property (i.e., name and/or likeness) without his consent" and thus, appropriated his property [ 74 ]. In this case, U.S. News & World Report had rented Avrahami’s name from the Smithsonian magazine as part of a subscriber list without his knowledge or consent. [ 75 ]

This case is unique. While the plaintiff sued under state privacy rights, his claims focused on the violation of his property -- rather than privacy -- rights [ 76 ]. Since the case raised some novel claims, it is unfortunate that the court ruled that it did not have jurisdiction [ 77 ]. If, on appeal, this case or others like it recognize that such individual information is property, marketers who want to use such information would have to purchase such information from the individual [ 78 ]. Such a result would constitute a major departure from existing case law and a fundamental paradigm shift in the concept of personal privacy under U.S. law.

3. European Privacy Law

In contrast to the United States’ piecemeal, ad-hoc legislative approach to privacy and data protection, European nations have enacted comprehensive privacy and data protection regulatory frameworks. A brief examination of the recently enacted EU Data Protection Directive demonstrates the different perspective Europeans bring to protecting their citizens’ privacy as they adopt the use of global digital networks.

The Council of the European Union approved the EU Data Protection Directive [ 79 ] on July 20, 1995 [ 80 ]. This directive applies to Member States of the European Union (including the U.K., France, Germany, Italy, and Benelux countries) and directs that they "shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data." [ 81 ]. The EU Data Protection Directive requires Member States to enact laws within three years which impose strict obligations limiting the processing of personal data [ 82 ], requiring prior notification to the data subject, permitting the data subject to access and change personal data, and giving the data subject the right to object to processing of personal data and the right to notify supervisory authorities of suspected violations.

The EU Data Protection Directive expressly sets forth the only reasons for which personal data may be processed. These include:

(a) the data subject has given his consent unambiguously;
(b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection under Article 1(1). [ 83 ]

In addition to limiting the situations in which personal data may be processed, the EU Data Protection Directive requires the following notification:

(a) the identity of the data controller and his representative, if any;
(b) the purpose of the processing of personal information;
(c) any other recipients of the data;
(d) whether replies to the questions are obligatory or voluntary;
(e) the possible consequences of the failure to reply to any questions asked by the controller; and
(f) the existence of the right of access to and the right to rectify the data concerning the individual. [ 84 ]

Article 12 of the Directive also provides that Member States "shall guarantee for every data subject the right to obtain from the controller the following: (a) confirmation of processing of data, the purposes of collection and the categories concerned; (b) the correction of data; and (c) notification to third parties of any corrections requested by the data subject to the information collected." [ 85 ]

In addition, the Directive requires all collectors to register with the supervisory authority of each Member State before processing information on data subjects located therein [ 86 ]. Once collectors of information have registered with a supervisory authority, they must make extensive disclosures to the supervisory authority concerning their use of personal information [ 87 ]. This supervisory authority has the power to monitor compliance with the Directive within the Member State’s territory.[ 88 ]

Finally, the EU Data Protection Directive requires that "no data be exported to a country with laws that do not give an ‘adequate level of protection’ for data collection."[ 89 ] However, there is an exception to this requirement when the transfer of data is "necessary for the performance of a contract between the data subject and the controller" and the data subject has been informed of this [ 90 ]. To invoke this exception, the data subject must be informed in all instances that the country receiving the export does not provide "an adequate level of protection."[ 91 ]

Western Europe’s extensive privacy protections provide a contrast to the U.S. approach. The United States only regulates the privacy and data practices of particular industries and relies on market demands, public pressure, and industry self-regulation to afford privacy protection. However, since U.S.-based interactive service providers do business on a global network, they will have to comply with the European Union’s Directive at least for their European Community [EC] subscribers. The cost of administering globally different data protection policies, and the possibility that non-European customers could perceive that they are receiving a lesser degree of privacy protection than European customers, will lead some U.S. service providers to adopt a global privacy policy that complies with the EC Directive.

Existing Privacy Principles, Policies and Guidelines

Two Clinton Administration reports on privacy, industry guidelines and individual company privacy policies mark recent initiatives to invoke self-regulatory principles applicable to the collection and use of personal data. These principles focus on customer notice, choice and self-empowerment technologies (e.g. privacy pics) to protect user privacy. The Administration’s Federal Trade Commission has indicated it may use existing consumer protection laws to prevent any false or misleading practices relating to the collection, use and disclosure of personal information on interactive networks.
1. NII Principles

The Privacy Working Group of the Information Infrastructure Task Force (“IITF”) has issued principles (the "IITF Principles") for acquiring and disclosing individual information over digital networks [ 92 ]. The IITF Principles recognize that the development of the National Information Infrastructure ("NII") will result in the increased accumulation and utilization of individual information -- thus creating a potential for an increased threat to privacy.

The IITF developed three types of principles to guide participants in the information environment: (i) General Principles for all NII participants; (ii) Principles for Users of Personal Information; and (iii) Principles for Individuals Who Provide Personal Information.[ 93 ]

Under the General Principles, three fundamental guidelines apply to all participants: (a) personal information should be acquired, disclosed and used only in ways that respect an individual’s privacy; (b) personal information should not be improperly altered or destroyed; (c) personal information should be accurate, timely, complete, and relevant for the purpose for which it is provided and used.[ 94 ]

The Principles for Users of Personal Information are particularly pertinent to interactive service providers as users of information. These principles address acquisition, notice to individuals, protection, fairness, and education of individuals [ 95 ]. The notice principles are designed to require information users who obtain information directly from individuals to provide those individuals with adequate, relevant information about: (a) the reasons for data collection; (b) the expected use of the information; (c) the steps that will be taken to protect the confidentiality, integrity and quality of the data; (d) the consequences of providing or withholding information from the collector of the data; and (e) any rights of redress.[ 96 ]

With respect to the principle of consent [ 97 ], the IITF recommends that express (opt-in) or implicit (opt-out) consent be given depending on the use of the information. The more sensitive the use, the greater the need for explicit consent [ 98 ]. The IITF Principles recognize that there may be certain circumstances in which a compelling public interest may justify use of personal information beyond the individual’s understanding of how the information will be used. The use of personal information in a law enforcement investigation provides an example in which the suspect’s consent would be unlikely and any request by law enforcement personnel for such consent would be counterproductive to the investigation.[ 99 ]

The Principles for Individuals Who Provide Personal Information apply to the individual about whom information is being collected. These principles focus on individual awareness, empowerment and redress [ 100 ]. They are markedly different from the EU Data Protection Directive, in that these principles place an affirmative duty on consumers, whereas the EU Data Protection Directive places a heavy burden on the collector and user of personal information. The IITF Principles encourage individuals to become involved and take responsibility for controlling the collection and use of personal information. This approach appears consistent with the actual technology which is being developed for the Internet and with the U.S. historical perspective which tends to view the government not as a protector, but as a potential intruder upon individual privacy and freedom.
2. NTIA’s Framework

In its "white paper," Privacy and the NII, Safeguarding Telecommunications-Related Personal Information, the National Telecommunications and Information Industry Administration ("NTIA") released guidelines applicable to the use of personal information [ 101 ]. The goal of the NTIA is to create uniformity by self-regulation among telecommunications providers concerning their collection and disclosure of personal information. The proposed framework developed by NTIA is similar to the IITF’s Principles but is targeted to the telecommunications industry and particularly to online service providers.

The proposal has two fundamental elements: provider notice and customer consent [ 102 ]. The NTIA white paper advises interactive service providers to give the following information to each individual prior to any unrelated or ancillary use of specific personal information: (1) reasons for collection; (2) expected uses; and (3) the steps that will be taken to protect confidentiality, integrity, and quality.[ 103 ]

This notice should be "conspicuous and in plain language."[ 104 ] In addition, the interactive service provider should obtain consent from its customer before using any personal information. Whether this consent is to be explicit (through opt-in procedures) or implicit (through opt-out procedures) is to be determined by the type of information being collected [ 105 ]. This is the same flexible determination for consent contained in the IITF Principles. As do the IITF Principles, the NTIA recommends consumer education to allow empowerment and understanding by consumers [ 106 ]. The report similarly rejects a privacy approach on the European model, as well as the need to create a centralized governmental privacy agency.
3. Industry Guidelines

The direct marketing industry grew explosively in the 1980s, such that marketing information on particular services and products to individuals has become a $183 billion-a-year business in the United States alone [ 107 ]. Many companies, such as American Express and Equifax, have access to enormous amounts of personal data, which they collect and use for their own benefit and sell to others for marketing purposes. In fact, the average individual is on approximately one hundred mailing lists [ 108 ]. Transaction-generated information is recorded during everyday actions, including shopping at the grocery store, calling an 800 number, or using a major credit card.[ 109 ]

As a means to address privacy concerns which have (not surprisingly) developed as a result of the explosive growth of the direct marketing industry, the Direct Marketing Association has provided consumers the opportunity to remove their names from direct marketers’ mailing lists [ 110 ], and to receive annual updates on how personal data is being utilized [ 111 ]. However, reports indicate that only a relatively small number of consumers have taken the initiative to opt-out of these marketing mailing lists [ 112 ]. The small number of opt-outs may be attributed to several factors, including the public’s low awareness of the mailing list process, cumbersome opt-out procedures, or simply lack of interest.

The Interactive Services Association has developed Guidelines for Online Services, The Renting of Subscriber Mailing Lists ("Guidelines"), which are similar to those adopted by the Direct Marketing Association [ 113 ]. The Guidelines acknowledge the importance of establishing trust with the consumer by providing protections for personal information [ 114 ]. These Guidelines demonstrate the ability of the online industry to organize and regulate itself. The Guidelines call for active notice to online subscribers before making any mailing lists available [ 115 ]. Active notice is defined as "the process of notifying subscribers of mail list practices in a direct format that requires no action to view and requires action to delete or bypass."[ 116 ] Other recommended procedures include: (i) providing the subscribers the option to have their names removed from mailing lists; (ii) releasing names to companies or organizations that are marketing only legitimate products or services; (iii) monitoring mailing list purchasers for abuse; and (iv) investigation and affirmative action as appropriate and necessary against any known intentional misuse of mailing lists [ 117 ]. These Guidelines also provide that "material released to third parties will only include the subscribers’ names and addresses, characteriz[ing] a subscriber only according to broad usage patterns and . . . not includ[ing] any individual session activities."[ 118 ]

In conjunction with a two-day workshop on online privacy issues organized by the Federal Trade Commission, the ISA and DMA recently released several draft principles and guidelines applicable to the collection and use of individual information, unsolicited marketing email, and marketing to children. The ISA characterized its draft proposals as a "first step" which it hoped would "encourage a dialogue among Internet users, business, government regulators and legislators and we will continue to refine these ideas and try to build a consensus around them."[ 119 ] The guidelines provide for notice and opt-out procedures that would inform consumers about the types of information collected and how it is used and provide consumers with an option to limit marketing communications. In its guidelines for unsolicited marketing e-mail [ 120 ], the ISA suggests a convention for flagging messages that would allow consumers to screen their incoming mail and require marketers to provide notice to consumers that they are collecting individual information and an easy opt-out mechanism so that consumers can protect themselves against unwanted commercial solicitations.

Although these principles still exist in draft form only, they mark an important step in the industry’s attempt to address consumers’ privacy concerns and limit online marketing activities. A key to any successful self-regulatory regime is supporting guidelines with actions that penalize bad actors and ensure that responsible companies are rewarded for their vigilant compliance efforts. Therefore, any industry self-regulatory effort should consider supplementing guidelines with enforcement actions and education outreach to the public and industry.
4. Company Privacy Policies

All the major online providers have, on their own initiative, developed privacy policies relating to their members’ personal information. The Center for Democracy and Technology recently launched a privacy web site which examined the privacy and data policies of the four largest consumer online services: America Online, Compuserve, Microsoft Network, and Prodigy [ 121 ]. The CDT initially chose to examine the major online providers in part because web site providers do not commonly release policies covering the collection and use of personal information. The CDT’s privacy chart and related information are intended to heighten consumers’ awareness of privacy issues encountered online. The chart will also likely intensify competition among online providers to issue policies that provide greater privacy protections relative to their competitors. If consumers actually manifest their expressed concern for online privacy, they will consider the strength of the providers’ privacy protections in evaluating which service to use.

America Online has recently issued a comprehensive privacy policy informing its members about the collection, storage, use and disclosure of individual information. America Online’s privacy policy divides individual information into three categories: member identity information (e.g. name, address, screen name); navigational and transactional information (e.g. online areas visited, online purchases); and private communications content (e.g. private e-mail and real-time private electronic communications such as "instant messages" and "private chat-room" conversations). Under the policy, America Online "will not disclose any Individual Information except in limited circumstances as specifically provided" in the policy (e.g., to comply with applicable law or valid legal process). While America Online reserves the right to rent its mailing lists, such mailing lists do not include any individual navigational or transactional information, and members may opt out of the mailing lists at any time through a simple and accessible online mechanism.[ 122 ]

CompuServe’s privacy policy focuses on the privacy of e-mail and the use of mailing lists. CompuServe allows subscribers to opt out of the use of personal information for mailing lists before and during the sign-up process. [ 123 ]

Prodigy also notifies its subscribers of its information policies. The Prodigy Service Member Agreement notifies subscribers of Prodigy’s practices and policies regarding subscriber information. Subscribers must accept this practice as a condition of their membership. Prodigy also allows its subscribers to update their personal information or supplement existing information.

Microsoft Network ("MSN") has developed a detailed policy concerning the use of personal information [ 124 ]. The "Member Agreement" between Microsoft Online Services Partnership ("MSP"), which operates the online service, and Members allows "MSP to provide locator information, which includes name, e-mail address, and physical address, to Microsoft Corporation so that Microsoft may notify Members directly of special offers and communications regarding Microsoft products."[ 125 ] This same information is not given to Independent Content Providers ("ICPs") which maintain content areas on MSN. Instead, ICPs are prohibited from using any locator information for direct marketing purposes [ 126 ]. MSP may, at its discretion, provide limited individual information to an ICP for special offers or communications [ 127 ]. Moreover, the ICP is required to obtain permission from the subscriber before the member is placed on the ICP’s "listserve or equivalent means for compiling an online mailing list."[ 128 ] However, permission is not required for MSP to collect and disclose personal member information to the Microsoft Corporation. Although MSN members are allowed to opt out of marketing solicitations from the Microsoft Corporation, ICPs, and online merchants [ 129 ], members cannot opt out of marketing communications by MSP. Microsoft’s imposition of special limitations on marketing activities by its ICPs has been both praised and criticised. Some privacy advocates have commented that Microsoft’s data policy provides its members stronger protection against the marketing activities of its independent content providers and merchants. On the other hand, critics have alleged that the policy is being employed by Microsoft to give it an unfair advantage over its own vendors.[ 130 ]

Conclusion

While the advent of the digital age presents unprecedented opportunities for individuals, it also poses new challenges to individual autonomy and privacy. Interactive service providers must address the complex privacy and data use issues posed by the rapid expansion of digital networks into the daily fabric of our lives. Although Big Brother images are too often invoked, users’ anxiety that personal information will be collected and traded without their control is very real. As a new and rapidly emerging industry, interactive service providers must develop and retain users’ trust that their personal privacy will be taken seriously and protected vigorously. Only by taking the initiative will the industry ensure that the privacy debate does not devolve into inflammatory rhetoric which might produce regulation of online communication which ignores the unique qualities of this medium. Interactive services have the potential to develop into the most individually empowering and democratic medium the world has ever seen. The responsible use of information by interactive service providers can make using digital networks easier, more personalized and more affordable. The industry, consumers, and the public must take steps to fulfill this potential, thus empowering individuals to communicate and gain knowledge and enhancing the contributions of interactive service providers to the global networked community.

Footnotes

  1. Ellen Kirsh is Vice President, Secretary, and General Counsel of America Online Inc. (“AOL”); David Phillips is Associate General Counsel of AOL; and Donna McIntyre served as a law clerk at AOL and is a law student at the American University. The authors appreciate the editorial contributions of several individuals in the AOL legal department, in particular Alan Lewine, Rhonda McClendon, and Glynna Parde. This article expresses the views of the authors in their personal capacity and does not reflect the views, positions, or policies of AOL or its affiliates.
  2. Individual information (sometimes referred to as personal information) that may be collected by interactive service providers falls into two broad categories: subscriber identity information and navigational and transaction information. Subscriber identity information includes such information as the subscriber’s name, address, and telephone numbers and general payment information. Navigational information, sometimes referred to as “mousedroppings” or “click-stream” information, includes information about online areas visited by a subscriber, and the products or services purchased online by the subscriber. See infra, text accompanying notes 14-17.
  3. The term “interactive service providers” is used broadly herein to refer to online providers (e.g., America Online and CompuServe), Internet service providers (e.g., either “browser” or “access” firms such as Netscape or Netcom respectively), and independent content providers (e.g., New York Times, MTV) who distribute their content either through online services or the World Wide Web protocols of the Internet (the “Web”).
  4. ELLEN ALDERMAN & CAROLINE KENNEDY, THE RIGHT TO PRIVACY 323 (1995) (noting that “[b]efore computers, personal information about us was out there in the world, but it was relatively secure because a system based on pieces of paper is so unwieldy”).
  5. As noted by the National Telecommunications and Information Administration (“NTIA”), “privacy” has many different meanings depending on the context. NATIONAL TELECOMMUNICATIONS AND INFORMATION ADMINISTRATION, U.S. DEP’T OF COMMERCE, PRIVACY AND THE NII: SAFEGUARDING PERSONAL INFORMATION 4 (1995) (electronic version) [hereinafter PRIVACY AND THE NII]. Some privacy concerns of the general public are protection from illegal search and seizures by the government which is protected by the Fourth Amendment; privacy in private property; privacy in one’s name and image, which is also referred to as the right of publicity; privacy in one’s affairs; privacy in not having embarrassing facts disclosed; the privacy of private citizens compared to public officials and public figures [generally applicable in libel and defamation cases]; privacy in medical and or health information; and the privacy of familial and sexual affairs. See PRIVACY AND THE NII, supra at 2 n.9. For purposes of interactive service providers, individuals are concerned with informational privacy.
  6. ALDERMAN & KENNEDY, supra note 4, at 326.
  7. American Civil Liberties Union v. Reno, Civ. No. 96-963 (E.D.Pa. opinion on motion for preliminary injunction filed June 11, 1996) (as of this writing, June 17, 1996, the Department of Justice is expected to, but has not yet, filed a petition for certiorari before the Supreme Court).
  8. See infra text accompanying notes 21 - 27 (discussing recent consumer polls showing that privacy over the information highway is a mainstream concern and that the U.S. public is acutely concerned about its privacy while using electronic networks. At the same time, those polls show that the public senses the irony of empowering government as the individual privacy watchdog and is skeptical of introducing government regulation of the private uses of data.).
  9. ALDERMAN & KENNEDY, supra note 4, at 324 (stating that “[p]oint-of-sale scanning at your grocery store can create a data profile revealing your taste in everything from soft drinks to supermarket tabloids”).
  10. Id. at 323 (stating that “the device that has outstripped all other threats to privacy is the computer”).
  11. PRIVACY AND THE NII, supra note 5, at Executive Summary.
  12. “Mouse-droppings” are “a user’s mouse-click patterns and trails over the Internet.” PRIVACY AND THE NII, supra note 4, at 3n.14.
  13. See supra note 2 regarding types of individual information potentially available to interactive service providers.
  14. In addition, users are concerned about the privacy of their electronic mail communications. While the privacy of electronic mail communications is protected by federal legislation, information about online behavior is not expressly regulated. See infra accompanying notes 60 to 62 discussing the Electronic Communications Privacy Act (ECPA, 18 U.S.C. § 2510 et seq. (1988)). This Article does not address the privacy of the content of communications.
  15. See Richard Leiby, Farewell, Web Heads, WASHINGTON POST, JUNE 9, 1996, at C1. (commenting on low percentage of worthwhile online content. “[T]he Internet is little more than a glorified post office, copying machine and water cooler. . . . So far, much of the Web’s offerings merely duplicate the crass commercialism and self-indulgent dross available in other mass media.” Leiby nonetheless concedes the practical potential of the medium to “students, researchers, and hobbyists.”).
  16. James Fallows, Navigating the Galaxies, THE ATLANTIC MONTHLY, April, 1996 available at http://www.theAtlantic.com/atlantic/issues/96apr/computer/computer.htm.
  17. See AUTONOMOUS AGENTS PROJECT at the Massachusetts Institute of Technology (MIT) Media Lab, available online at http://lcs.www.media.mit.edu:80/groups/agents/research.html; see also, for information on Internet agents in current use, WORLD WIDE WEB ROBOTS, WANDERERS, AND SPIDERS, available online at http://info.webcrawler.com/mak/projects/robots/robots.html.
  18. See the Visible Language Workshop at MIT’s media Lab, available online at http://vlw.www.media.mit.edu/groups/vlw/; see also the Design Interactions Paradigms Project at the MIT Media Lab, available online at http://design-paradigms.www.media.mit.edu/projects/design-paradigms/.
  19. See PRIVACY AND THE NII, supra note 5, at 4 (describing a survey of members of the U.S. Chamber of Commerce and a survey by the Privacy Rights Clearinghouse).
  20. LOUIS HARRIS & ASSOCIATES & ALAN F. WESTIN, REPORTS FROM AND COMMENTARIES ON A NATIONAL SURVEY OF “CONSUMERS, INTERACTIVE SERVICES, AND PRIVACY,” reprinted in FIFTH CONFERENCE ON COMPUTERS, FREEDOM & PRIVACY, PRIVACY OF CONSUMER TRANSACTION RECORDS IN FUTURE HOME INTERACTIVE SERVICES: WHAT THE PUBLIC SAYS--WHAT THE PUBLIC WANTS 41 (March 1995) (on file with the authors) [hereinafter HARRIS SURVEY].
  21. HARRIS SURVEY, supra note 20, at 39.
  22. Id.
  23. Id.
  24. Id.
  25. Id.
  26. ANNE WELLS BRANSCOMB, WHO OWNS INFORMATION? FROM PRIVACY TO PUBLIC ACCESS 17 [BASIC BOOKS 1994]; see also ALDERMAN & KENNEDY, supra note 4, at 328-29.
  27. Id.
  28. ALDERMAN & KENNEDY, supra note 4, at 328-29.
  29. BRANSCOMB, supra note 26 at 17.
  30. Id.
  31. Id.
  32. Privacy Success-Marketry Drops Plan to Sell Net Data, EPIC Alert (Electronic Privacy Information Center, Washington D.C.) Oct. 23, 1995 v. 2.12 at 6. [Available at EPIC World Wide Web Site - url: http://epic.org/alert/EPIC Alert 2.12 text]
  33. Id.
  34. Id. In the Marketry matter, an angry Internet user solicited other users to express their opposition to Marketry’s distribution of the e-mail addresses, by sending e-mail to the company. Inside Lines, users.plenty.mad, Computerworld, Oct. 23, 1995, at 144. This illustrates how easy it is for individuals to communicate their dissent and amass other users’ statements of opposition.
  35. John Schwartz, When Direct Mail Meets E-Mail, Privacy Issue Is Not Fully Addressed, WASH. POST, Oct. 9, 1995, at F19; Inside Lines at 144; Larry Jaffee, First Large E-mail List Offered Has 250,000 ‘Net User Addresses: Controversy already swirling around Bellevue, WA company’s file, DM News, Oct. 16, 1995, at 1.
  36. Larry Jaffee, supra note 35, at 1.
  37. Id.
  38. Controlling unsolicited advertising through e-mail, often referred to on the Internet as “spamming,” has become a growing problem for the interactive service industry of late. Most online services prohibit mass e-mail solicitations as well as the harvesting of member screen names from public areas of their service. MCI Telecommunications Corporation recently released a comprehensive policy on spamming, which it defines in part to be the sending of “unsolicited mass e-mailings to more than twenty-five e-mail users, if such unsolicited e-mailings provoke complaints from the recipients” MCI Telecommunications Corporation and Affiliates Policy on Spamming at 1. The ISA and DMA are in the process of drafting principles for unsolicited marketing e-mail which would establish guidelines employing notice and opt-out concepts and a convention for flagging marketing messages to enable consumers to screen such solicitations.
  39. For an extensive analysis of trust and confidence in networks generally, see Joel R. Reidenberg & Francoise Garnet-Pol, The Fundamental Role of Privacy and Confidence in the Network, 30 WAKE FOREST L. REV. 105 (Spring 1995).
  40. PRIVACY AND THE NII, supra note 5, at 6; see also ALDERMAN & KENNEDY, supra note 4, at 326-27 (noting that “there is simply no comprehensive body of law established to deal with all of the privacy concerns arising in the digital age”).
  41. Id. (defining encryption as “a method of scrambling computerized information so that it appears to be gibberish to anyone who does not know the code”). However, the practical use of encryption in the United States on the globally accessible Internet is hampered by current U.S. export control laws which govern the “export” of encryption software.
  42. System operators are able to gather a wide array of information about the people that visit their sites, including the files, pictures, or other information the visitor found most interesting (and what she ignored), by noting how long the visitor examined a particular page, image or file, the previous and the next site visited. Web servers must collect this kind of transactional information in order to allow the system operator to perform necessary system maintenance, auditing, and other essential system functions. However, when correlated with other sources of readily available personal information, such as phone books, marketing databases, and voter registration lists, etc., a detailed profile of an individual’s online activities can be created without her knowledge or consent. For a demonstration of how the process works, see the PRIVACY DEMONSTRATION at the web site of the CENTER FOR DEMOCRACY AND TECHNOLOGY at http://www.13x.com/cgi-bin/cdt/snoop.pl.
  43. Current software, and other programs under development have begun to address the issue of user privacy while browsing the Web. For example, one Internet Service Provider, Community Connexion, recently developed and released for free use and distribution, a product called the Anonymizer which allows individuals to surf the Internet without revealing transactional data to the Web sites they visit. This piece of software can strip away many of the mouse droppings which would otherwise be left behind in a web surfer’s wake. See http://www.anonymizer.com.

  44. Participants in a recent FEDERAL TRADE COMMISSION WORKSHOP ON CONSUMER PRIVACY ON THE GLOBAL INFORMATION INFRASTRUCTURE attended by the authors, expressed expectations of more sophisticated add-ons available soon for software such as the Platform for Internet Content Selections (PICS). PICS has been developed as a values-neutral platform to enable parents to exercise control over children's access to inappropriate material. Workshop participants discussed the development of applications on this kind of software platform that would maximize individual control over information by allowing individuals to set their “privacy preferences” in such a way that their browser would not enter a website which did not offer the desired privacy standards.
  45. The DMA and ISA have recently released draft guidelines on privacy, electronic solicitations, and child marketing.
  46. PRIVACY AND THE NII, supra note 5, at 6; see also ALDERMAN & KENNEDY, supra note 4, at 326-27.
  47. 5 U.S.C. § 552a (1988).
  48. Id.; see also Joshua D. Blackman, A Proposal for Federal Legislation Protecting Informational Privacy Across the Private Sector, 9 Santa Clara Computer & High Tech. L.J. 431, 438 (1993).
  49. Id. at 438; 5 U.S.C. § 552a(b)(3) (1988).
  50. See Branscomb, supra note 26, at 9-10; see also Current Legislation Pending in U.S. House of Representatives to prevent the U.S. Postal Service from disclosing the names and addresses of any postal patrons or other persons, except under certain conditions; Postal Privacy Act of 1995, H.R. 434, 104th Cong., 1st Sess. (1995).
  51. Blackman, supra note 47, at 138.
  52. Id.
  53. H.R. 184, 104th. Cong. 1st Sess. (1995).
  54. 15 U.S.C. § 1681 (1988).
  55. Id. §§ 1681-1681t.
  56. 47 U.S.C. § 521 (1988).
  57. 12 U.S.C. § 3401 (1988).
  58. 18 U.S.C. § 2710 (1988).
  59. Pub. L. No. 102-243 and Pub. L. No. 102-556 (codified in scattered sections of 47 U.S.C.). See Reidenberg, supra note 38, at 115.
  60. 18 U.S.C. §§ 2510-2521 (1988).
  61. Id.
  62. 18 U.S.C. Section 2510 (8) (1988)
  63. While the disclosure of transaction data to private entities is unclear under ECPA, after Congress amended ECPA with the passage of the Digital Telephony Act disclosure of such data to law enforcement is clearly prohibited unless the government obtains a probable cause search warrant. See 18 U.S.C. Section 2703.
  64. ALDERMAN & KENNEDY, supra note 4, at 330.
  65. Id. at 330-31.
  66. 424 U.S. 693, 712 (1976); Blackman, supra note 38, at 433.
  67. Paul, 424 U.S. at 712.
  68. For a detailed analysis, see Blackman, supra note 38, at 433.
  69. 433 U.S. 425 (1970).
  70. See Blackman, supra note 38, at 43
  71. Avrahami v. U.S. News & World Report, Inc., No. 95-7479 (Arlington County Gen. Dist. Ct. filed Oct. 1995).
  72. Electronic Privacy Information Center, Who Owns Personal Information? Anatomy of a Privacy Case (available on the Internet at http://www.epic.org/privacy/junk-mail/)
  73. VA. CODE ANN. § 8.01-40 (Michie 19__).
  74. EPIC Junk Mail-The Law, Who Owns Personal Information? Anatomy of a Privacy Case (EPIC Oct. 1995) (available on World Wide Web at url:http://epic.org/junk mail/law) [hereinafter EPIC Junk Mail]. This statute was enacted in response to a law review article, written over a hundred years ago, by Samuel D. Warren and Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890), wherein the authors argued that the law should allow a person to control the use of his or her name or likeness. Id.
  75. Avrahami, No. 95-7579.
  76. Id.
  77. Junk-Mail Hater Seeks Profits from Sale of His Name, WALL STREET J., Oct. 13, 1995.
  78. EPIC, Avrahami-US News Trial Delayed Again (available at http://www.epic.org/privacy/junk.mail).
  79. ALDERMAN & KENNEDY, supra note 4, at 329 (recognizing that “another view is that not only should we be compensated for use of our personal information, but such information should be considered our property. . . . This more extreme proposal is unlikely to take effect in the near future, however, as it runs counter to the free flow of information so essential to our democracy. The idea that one can “own” a name or other basic identifying information raises serious First Amendment concerns”).
  80. The formal name of the EU Data Protection Directive is the European Directive On the Protection of Individuals With Regard to the Processing of Personal Data and On the Free Movement of Such Data.
  81. The European Parliament and the Council of the European Union, Directive of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (Directive 95, 12003/4/94 REV 4) (Brussels 1995) [hereinafter EU Data Protection Directive].
  82. EU Data Protection Directive, supra note 83, at Art. 1. “Personal data” is defined to include “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
  83. Id. at Art. 6(b).
  84. Id. at Art. 7(a).
  85. Id. at Art. 10.
  86. Id. at Art. 12.
  87. Id. at Art. 18 and 28.
  88. Id. at Art. 19.
  89. Id. at Art. 28.
  90. Id. at Art. 26, 28.
  91. Id.
  92. Id.
  93. Information Infrastructure Task Force, Privacy Working Group, Privacy and the National Information Infrastructure, Principles for Providing and Using Personal Information (June 1995) [hereinafter IITF Principles].
  94. Id.
  95. Id. at 5.
  96. Id. at 6-9.
  97. Id. at 6.
  98. Id. at 8.
  99. Id.
  100. Id.
  101. Id. at 10.
  102. Nat’l Telecommunications and Information Administration, U.S. Dept. of Commerce (October 1995).
  103. Id. at Executive Summary.
  104. Id. at 21.
  105. Id.
  106. Id. at 25.
  107. Id. at 26.
  108. BRANSCOMB, supra note 26, at 11.
  109. Id.
  110. Id.
  111. See Direct Marketing Association, Direct Marketing Association Guidelines for Mailing List Practices; Direct Marketing Association Guidelines for Personal Information Protection; Direct Marketing Guidelines for Ethical Business Practice.
  112. See BRANSCOMB, supra note 26, at 22-24.
  113. Id. at 15.
  114. Interactive Services Association (June 1995).
  115. Id. at 2.
  116. Id.
  117. Id. at 4.
  118. Id.
  119. Id. at 3.
  120. Press Release of the Interactive Service Association, June 4, 1996, “Interactive Services Association Issues Positions on Privacy and Online Marketing.”
  121. Unsolicited commercial marketing e-mail is sometimes referred to as “spam,” and the process of mass postings of such solicitations is correspondingly known as “spamming.”
  122. Center for Democracy and Technology Privacy Policy Chart, http://www.cdt.org/privacy/.
  123. In addition, America Online has a Terms of Service Agreement which new members agree to during the sign-up process. This agreement details under what conditions private conversations may be monitored and under what circumstances a member’s identity will be disclosed to third parties. See America Online Terms of Service (TOS) agreement.
  124. PRIVACY AND THE NII, supra note 5, at 18 n.76.
  125. Microsoft Network, Statement of Principles on Gathering, Processing, Using and Storing Member Information (April 1995) (on file with the author).
  126. Microsoft Network, Member Agreement, par. 1.3 (April 25, 1995) (on file with author).
  127. Id.
  128. Id.
  129. Microsoft Network, Statement of Principles at par. 4.a.
  130. Id. at par. 1.4.
  131. See Don Clark, Microsoft’s On-line Service to Withhold Subscriber Names From Its Own Vendors, Wall St. J. 2 (June 21, 1995). See also, Jill Gambon and Mary Thyfault, Microsoft Network Probed, Company to withhold customer information, Information Week 22 (July 3, 1995).

About the Authors

     Ellen Kirsh is Vice President, General Counsel and Secretary of America Online, Inc. She joined AOL in October 1993, and founded the Company's legal department. She is responsible for management of the legal affairs and public policy for AOL and its subsidiaries. Ellen is Director of the Washington Metropolitan Area Corporate Counsel Association, Director of the District of Columbia Computer Law Forum and Director of the Computer Law Association. She is co-chair of the American Bar Association's Subcommittee on Software Contracting and Technology Licensing and recently became Vice Chair of the ABA's Committee on Domestic Telecommunications and Information Services. Ms. Kirsh also serves on the Sidwell Friends School's Development Counsel. She earned a J.D. (with Honors) from Rutgers University (1975), an M.A. from the University of Pennsylvania (1972), and a B.A. from Boston University (1970). She is a member of the New Jersey and Maryland Bars.

     David W. Phillips is Associate General Counsel of America Online, Inc. David joined AOL's legal department in July of 1994 as AOL's second lawyer. He has a background in technology law and international trade and is principally responsible at AOL for content licensing, online conduct, and electronic privacy matters. Previously, David practiced with the Washington DC law firms of Hogan and Hartson and Cameron & Hornbostel and served as Vice President and General Counsel of ComTech World Trading Corporation, in Reston Virginia. David is Co-Chair of the American Bar Association's new Subcommittee on Interactive Services (Committee on the Law of Commerce on Cyberspace, Business Law Section). He has lectured frequently on the rights and responsibilities of on-line providers and electronic communities. David earned a J.D. from University of Chicago Law School (1988), and a B.A. from Pomona College in California. He is a member of the District of Columbia and Maryland bars.

     Donna McIntyre is a law clerk at America Online, Inc. She is a J.D. candidate for the Class of 1997 at the Washington College of Law of the American University in Washington, D.C. She is the recipient of a New England Scholar Award for academic achievement and an American Jurisprudence Award for legal research. She is a member of the American Bar Association, Student Division.