For policymakers, litigants, and commentators seeking to address the threats digital technology poses for privacy, electronic surveillance law remains a weapon of choice. The debate over how best to respond to the spyware problem provides only the most recent illustration of that fact. Although there is much controversy over how to define spyware, that label encompasses at least some software that monitors a computer user's electronic communications. Federal surveillance statutes thus present an intuitive fit for responding to the regulatory challenges of spyware, because those statutes bar the unauthorized acquisition of electronic communications and related data in some circumstances. Indeed, those who argue that no new federal legislation is needed to address the spyware problem rely in part on the opportunities for criminal prosecution and civil suits under surveillance statutes and related doctrines. As the debate on the need for new federal legislation proceeds, however, there is good reason to question whether federal electronic surveillance statutes can successfully combat anything but the most extreme forms of spyware. Electronic surveillance law does not apply by any reasonable construction to many forms of spyware. Moreover, the overall record on application of surveillance law statutes to a variety of digital-age problems is in fact quite mixed. Courts have reached privacy-protective outcomes on very bad facts, but have also let seemingly problematic practices pass unsanctioned. The difficulty with efforts to apply surveillance law statutes to new privacy problems is that our federal electronic surveillance statutes are emphatically not general data privacy statutes. Unfortunately, efforts to treat them as such have produced a body of confused - even incoherent - case law. That case law, moreover, tends to make many impediments to application of surveillance law seem technical rather than structural or conceptual. To that extent, it diverts attention from important policy questions, including whether Congress should consider legislative solutions tailored to specific privacy threats (such as spyware), or whether broader data privacy statutes are necessary or appropriate. This Article uses the difficulties of applying electronic surveillance law statutes to spyware to illustrate the broader limits of surveillance law. Current case law suggests that electronic surveillance statutes are likely to constrain only the most egregious forms of spyware, and there may even be some difficulties in surveillance law performing that limited task. Efforts to use surveillance law to push for more privacy-sensitive industry practices are likely to fail altogether. My predictive judgments may be controversial, partly because surveillance law is sufficiently unstable that there is room for courts to adopt approaches that are more privacy-protective. I thus consider whether courts should use surveillance law to respond more aggressively to privacy challenges such as spyware. Drawing upon case law from other contexts, I show that there is good reason to be wary of using surveillance law as a vehicle for addressing various information privacy problems. Indeed, if electronic surveillance cases were to more plainly expose the limits of surveillance law, they would generate a more fruitful legislative debate about the propriety of true data privacy legislation, whether broadly or narrowly conceived.
Read full abstract