Beyond Lessig's Code for Internet Privacy: Cyberspace Filters, Privacy Control and Fair Information Practices

Abstract

In Code, the most influential book yet written about law and cyberspace, Lawrence Lessig makes an intriguing proposal for shaping privacy on the Internet: (1) the legal assignment to every individual of a property interest in her own personal information, and (2) the employment of software transmission protocols, such as P3P, to permit the individual to structure her access to Web sites. In Beyond Lessig's Code for Internet Privacy: Cyberspace Filters, Privacy Control, and Fair Information Practices, 2000 Wisc. L. Rev. 743, I respond to this approach with a number of criticisms and a competing proposal. My initial criticism of Lessig's proposal for privacy concerns how it contradicts his stand against PICs, a software transmission protocol for filtering Internet content reminiscent of P3P. Once we place privacy in a social context, moreover, P3P seems far less attractive an option. In place of Lessig's underlying paradigm, which seeks to increase personal control of data. I develop a concept of constitutive privacy. In my view, information privacy is a constitutive value that safeguards participation and association in a free society. Rather than simply seeking to allow more and more individual control of personal data, we should view the normative function of information privacy as inhering in its relation to participatory democracy and individual self-determination. A privacy market can play a role in helping information privacy fulfill this constitutive function. Yet, Lessig's propertization of privacy raises a further set of difficulties. In my view, propertization a la Lessig will only heighten flaws in the current market for personal data. This consequence follows from numerous shortcomings in this market and structural difficulties that indicate the unlikelihood of a self-correction in it. Moreover, in revisiting Calabresi and Melamed's work regarding the comparative merits of property and liability regimes, I find that a mixed regime is to be preferred for Internet privacy over Lessig's property regime. Part III of this Article turns from criticism to prescription and develops the mixture of property and liability rules necessary for establishment of information privacy standards in cyberspace. It proposes recourse to Fair Information Practices (FIPs) to establish rules for the fair treatment of personal data on the Internet. Yet, FIPs are not without potential shortcomings if structured only as command-and-control rules. My suggestion therefore is that an American Internet privacy law consisting of FIPs should include both mandatory and default elements.