Like most Americans, I have concerns about how companies like Google, Amazon, and Facebook handle data about their users. While I expect companies to use this data their own benefit, their actions should not cause me undue harm. Companies should honor the commitments they make in their privacy policies. They should be fairly transparent about their data practices, and they should guard against user data being pilfered for malign purposes. But for these concerns, use and abuse is a better distinction than privacy and disclosure.
The notion of privacy, as Benjamin Wittes and Wells C. Bennett said, is “something of an intellectual rabbit hole.” It is “so contested and ill-defined that it often offers little guidance” on the uses and abuses of personal information. So, Wittes and Bennett suggest the alternative notion of “databuse.”
The Constitution, as they said, “made no mention of privacy.”
The Constitution did not have to, because in the founding era, it was exceedingly difficult to invade privacy interests without also trespassing against personal property or impinging upon an individual’s freedom of conscience or right to keep mum—areas well covered already by the First, Third, Fourth, and Fifth Amendments. This arrangement did not stand up over time, however, given technological advances. Because of those, notions of privacy started to decouple from property and other rights, first in our minds and ultimately in our law. We created privacy because technology left previous doctrines unable to describe the intrusions on our seclusion that we were feeling.
Ironically, today it is privacy itself that no longer adequately describes the violations people experience with respect to large caches of personal data held by others—and it describes those violations less and less well as time goes on. Much of the material that makes up these datasets, after all, involves records of events that take place in public, not in private. Much of this data is sensitive only in aggregation; it is often trivial in and of itself—and we consequently think little of giving it, or the rights to use it, away. As a legal matter, this sort of data by its nature involves material we have disclosed to others in exchange for some benefit, and it thus generally lies outside of the protections of the Fourth Amendment—which does not cover the actions of non-governmental parties. What’s more, we often give this information away with the understanding, implicit or explicit, that it will be aggregated and mined for what it might say about us. It takes a feat of intellectual jujitsu to construct a cognizable and actionable set of privacy interests out of the amalgamation of public activities in which one has engaged knowingly, and which involved trades with strangers in exchange for benefits. The term privacy has become something of a crutch, a description of many different values of quite different weights that neither accurately nor usefully depicts the harms we fear.
Hence the need for a new conceptual frame:
Think of databuse as that core of the privacy spectrum that is most modest in nature. Databuse is different from broader visions of privacy in that it does not presume as a starting point the non-disclosure, non-use, even quarantining from human eyes of data we have willingly transacted in exchange for services. It does not pretend that the companies to which we entrust our data should take it from us with no ambitions to use it for their own gain—or that there is something disreputable or inappropriate about their doing so. It does not begin with the assumption that there is some platonic ideal of seclusion that a company is bound to honor on our behalf, even if we don’t want it or even if we prefer to have our data used to market us products we might want to buy. It does not assume we feel violated by the knowledge that others may have of our lives—particularly if others are machines and using that information to provide us services and conveniences we happen to want. It does not assume we want our fitness monitors to shield the number of steps we take from our friends or from people we have never met; it instead treats the dissemination of such data—in whole or in part—as an option we might or might not want to choose.
Rather, databuse asks only for protection against unwarranted harms associated with entrusting our data to large entities in exchange for services from them. It asks that the costs of our engagement with these companies not be a total loss of control of the bits and pieces of transactional, communications, and locational data that make up the fabric of our day-to-day lives. It asks, in short, that the companies be reasonable and honest custodians—trustees—of the material we have put in their hands. It acknowledges that they will use it for their own purposes. It asks only that those purposes do not conflict with our own purposes or come at our expense.
Wittes brought the same candor and clarity to debates about the National Security Agency. Most of his commentary can be found on the Lawfare blog, in posts like this one and this one. The best statement of his position was the essay “Legal Safeguards, Not Disarmament.”