Harvard Law School > Berkman Center > Open Education > Cyberprivacy > Self-Help > Cryptography > Individuals vs. Marketeers >

PRIVACY IN CYBERSPACE

Another Way to Look at the Encryption Policy Debate: Individuals vs. Marketeers

The January 12, 2000 decision made by the Clinton administration to liberalize encryption laws was hailed as a victory by privacy and civil liberty interest groups as well as by the U.S. computer industry.[78] ACP Co-Chairman, Jack Quinn, praised the decision, stating that:

ACP is extremely gratified by the new encryption regulations. They are more in step with the economic realities of the Information Age, while protecting our nation’s vital security and law enforcement needs. And, they strike a balance between security and America’s commercial interests.[79]

According to both the ACLU and the ACP, the leading opponents of the government-proposed key recovery system, having strong, unfettered encryption would allow individuals to protect themselves: 1) against computer crimes committed by other individuals; and 2) against government’s invasion of their privacy. Classified in general terms, the ACLU and ACP believe that a policy that promotes strong, unfettered encryption will help protect individuals vis-à-vis other individuals as well help protect individuals vis-à-vis the state. Most, if not all, of the encryption debate has revolved around these two power relationships. The debates, however, have not addressed a third relationship that encryption will affect. This relationship concerns the power dynamic between the individuals as consumers and online vendors (henceforth referred to as marketeers). How would a policy that promotes strong, unfettered encryption affect the relationship between individual consumers and marketeers?

According to Stanford Law School Professor, Lawrence Lessig, “encryption technologies are the most important technological breakthrough in the last one thousand years.”[80] Although Lessig himself concedes that his statement may be a “slight exaggeration,”[81] his assertion may not be too far off base. Encryption, as you now know, can be used to encode data in such a way that it is very difficult or impossible to decrypt by unauthorized people. Encryption thus enables a person to control data in certain way -- i.e., by restricting who can access and read his message.[82] Controlling who can access and read an electronic communication is but one way that encryption can be used as a means to control data. With encryption, a person can control precisely what the recipient can read, how long the recipient has to read the message, and whether or not the recipient can store the message for future use. Such control can be applied to files and programs other than just documents or text files (i.e., sound files, graphics, digital videos, and application programs). Furthermore, encryption can be used in a way that will enable the sender of the encrypted information to monitor and track the use of that information. Through this monitoring and tracking, the sender may be able to easily gather personal information about the recipient or his habits without the recipient’s knowledge that he is being tracked. With almost every facet of the economy becoming more computerized, with our society truly becoming a digital society, the control over data that encryption provides is an incredible power. Viewed in this way, perhaps Lessig’s statement is not as much of an exaggeration as it may seem at first glance.

One group that would benefit from encryption is marketeers. Marketeers, such as Amazon.com, can profit in three principle ways. First and most obviously, they make money by selling the products that they advertise on their website. For Amazon.com, that would mean selling their books to Internet users who shop online. Second, marketeers make money through advertisements posted on their website. If you visit Amazon.com or any other online vendor, you are likely to see numerous advertisements that promote merchandise and services of other companies. Those other companies, naturally, pay websites like Amazon.com for that website space, in much the same way that a company would pay a newspaper for publishing their advertisement. Third, and most relevant to encryption, marketeers can make money by selling information that they collect about their website users to other companies. Alternatively (and now more frequently), sites like Amazon or Yahoo can mine the information they collect and market their databases to third parties while keeping control of the information.[83] How does this work? Keep in mind that in the digital age (and the Internet, in particular), one of the most valuable assets is information. Amazon.com can thus sell the information that they gather about their customers to other companies or data marketing firms who want this information just as they would sell any other commodity or asset.[84] Most of the information that Amazon.com and other online vendors gather about their members are obtained during a person’s very first visit to their website. New users to a website such as Amazon.com are required to fill out an informational survey in order to become a member to the site. Because membership is required to make purchases, anyone who wants to use Amazon.com to buy books (or any other product) must provide the requested information.

The information that Amazon.com requires to become a member of their website may seem harmless--name, mailing address, email address, age (or age range), gender, hobbies/interests, and occupation. To many companies and data marketing firms, however, this information is very valuable, particularly when linked to a user’s reading habits.[85] Borrowing Amazon’s database would grant a marketeer access to enormous interior information about a customer. With access to such a database, it would be very easy for you, as (e.g.) Sports Illustrated magazine’s chief of advertising, to market to the 20-25 males sports fanatics who have read reviews of at least five sports related books, and who also read about wine and law. And by gathering many marketeer databases, you would be able to profile large numbers of people who fit that demographic. The ability to target your advertising to that demographic would thus be realistic.

Access to marketeers’ member databases is very valuable to all sorts of companies who want to target their advertising campaigns. As a result, marketeers can generate significant fees by selling marketing information from their databases to other companies. And furthermore, the more information that marketeers can extract and gather from its customers, the more information they can sell to companies who want to buy access to their databases. Therefore, marketeers are constantly looking for ways that they can accumulate more information about their customers’ behavior and preferences.

Encryption provides a structural mechanism by which marketeers can extract ever more detailed information about their customers. Larry Lessig demonstrates how encryption can be utilized not only to restrict access but also to monitor and control usage. Recall that in general, encryption is a mechanism by which a person who sends data can control that data.[86] One of the controls encryption allows is monitoring and tracking of data, including downloaded data.[87] Therefore, the sender can encrypt a piece of information in such a way that he can monitor and track how the recipient uses the information, even to determine the time of day downloaded data might be read or utilized. In the Internet context, encryption enables control of information that would have been unthinkable in an earlier era. It is at least theoretically possible for every bit of downloaded data to carry markers that allow the “seller” of the information to control what information is viewed by what persons, for what period of time, in what context. If the encryption key is housed in an interlinked environment, it is a simple matter for the description of the actual use then to be sent back to the originator. Encryption would enable marketeers such as Amazon.com to encrypt all the information on their website and in downloaded data (such as e-books) in a way that would enable it to gather all sorts of information about members’ online and offline reading habits.

Whereas marketeers who sell database information and the companies that purchase this information stand to benefit from unregulated encryption, individual consumers who use Amazon.com or other marketeers’ websites stand to lose via invasion of their privacy rights. The privacy concerns raised by the spector of an Amazon.com tracking every mouseclick on its website pales in comparison to the encryption-driven potential of monitoring all information that someone reads. Such use of encryption would seem to raise the same privacy concerns that the ACLU and ACP addressed with respect to the government having a “back door” key to all encrypted information. Isn’t the concept of having a “Big Brother” marketeer just as frightening in terms of privacy concerns as having a “Big Brother” government?

If the privacy concern has still not been made clear, consider another example. Suppose that you decide to spend an afternoon at a library or bookstore, perhaps to buy a book, but mainly just to browse and leaf through various books and magazines. Now consider that instead of being able to freely move about the library or bookstore and look at any book without others knowing it, the librarian or store owner follows you around with pen and paper, writing down the title and author of every book that you look at. If you stop for a moment to peruse pages 3, 6-9, 41, and 101-115, the owner keeps track of the pages as well as the amount of time spent on each page. Furthermore, consider that the librarian or bookstore owner takes down your name and email address and markets the list of books that you looked at to various companies and data marketing firms, who subsequently inundate you with advertisements to purchase their products. How would you feel? Not only would you feel a bit annoyed at the inconvenience of receiving unsolicited advertisements, but you might also believe that this whole scheme violates your fundamental privacy rights. This is exactly the situation that strong, unfettered encryption has the potential create in the context of marketeers and online consumers.

The ACLU and ACP have advocated strongly for unfettered encryption, arguing that it will lead to greater protection of individual privacy. But is unregulated encryption a panacea for privacy concerns? It may be true that unregulated encryption protects individuals’ privacy interests vis-à-vis other individuals, as well as their privacy interests vis-à-vis the state. However, as discussed above, a regime with unregulated encryption may actually be a cause for a greater invasion of individuals’ privacy -- vis-à-vis marketeers and companies that purchase information databases from marketeers.

Despite the Clinton administration’s decision to liberalize encryption restrictions,[88] debates will continue over whether or not encryption should be regulated and how much it should be regulated. As concerns for individual privacy are weighed during these debates, we think that one of the important issues that should be considered is the effect that unrestricted encryption could have on the individual consumer’s privacy interests vis-à-vis marketeers. Viewed from this perspective, it is possible that the arguments associated with privacy concerns are not as clear and one-sided as the ACLU and ACP make it out to be.

We do not offer this viewpoint as a means to rebut the ACLU and ACP’s argument and to advocate on behalf of the government’s position. Instead, we mean to present a viewpoint that deserves to be considered when policymakers sit down and debate the merits of having restrictions on encryption. Only with an understanding of the full impact of encryption technology can a meaningful policy on encryption restrictions be formulated.