Privacy as a right or as a commodity in the online world: the

limits of regulatory reform and selfregulation

Diana Walsh1 James M. Parisi2 Katia Passerini1

Springer Science+Business Media New York 2015

Abstract The increased use of the internet and information technology to enable
online transactions, distribute information and customer reviews through ecommerce
and social networking sites, online advertising, and data mining is both creating
efficiencies and challenging our privacy. This paper highlights the growing fear that
current federal and state laws in the United States are not adequate to protect the
privacy of the data collected while we process electronic transactions or browse the
internet for information. The notion of efficiency and cost-benefit are used to justify
a certain level of privacy loss, thus treating privacy as a commodity to be transacted
rather than a right to be defended. To address developing concerns about personal
privacy invasions, we discuss the role and limits that both government regulation and
self-regulation play in protecting our privacy.

Keywords Privacy Efficiency Regulations Federal statutes Case laws

Freedom of Information Act

& Katia Passerini

pkatia@njit.edu

Diana Walsh
walsh@njit.edu
James M. Parisi jparisi@murphymckeonlaw.com

1
School of Management, New Jersey Institute of Technology, Newark, NJ 07109, USA
2
Law Offices of Murphy McKeon, P.C., Riverdale, NJ 07547, USA

123
 D. Walsh et al.

1 Introduction

As early as 1966, William O. Douglas, Associate Justice of the United States Supreme
Court in his dissent in Osborn versus United States, stated: We are rapidly entering
the age of no privacy, where everyone is open to surveillance at all times; where there
are no secrets from government an alarming trend whereby the privacy and dignity
of our citizens is being whittled away by sometimes imperceptible steps. Taken
individually, each step may be of little consequence. But when viewed as a whole,
there begins to emerge a society quite unlike any we have seena society in which
government may intrude into the secret regions of mans life at will [1].
Scott McNealy, CEO of Sun Microsystems was quoted as saying that You
already have zero privacyget over it [2]. Privacy seems to be one of todays
pivotal concepts, but it lacks a clear definition. More specifically, while privacy
studies and definitions abound (for a comprehensive review see [3]), it is evident that
we do not fully understand how to generalize it in a universal definition or how to
limit its boundaries. When national security is in the picture, the concept of privacy
has minimal boundaries.
Thispaperreviewscurrent examplesofthedirectionthatUScommonorcaselawis
taking in protecting privacy and its governance in a technological, internet-based
society. As an introduction, we focus on a general concept of efficiency. Efficiency
is often used to justify the advantages of technology, especially when it seems
disruptive, such as online personalized advertising and location-based marketing. The
thesis is that the value society attributes to efficiency is so strong that only another
stronger value, privacy, may be able to impede its pervasive growth into all phases of
public and private life. In this value-based view [4], our assertion is that privacy
becomes the compass by which we may limit infringement of personal space and
create boundaries to the fundamental need to be left alone [5].

2 The quest for efficiency

The pursuit of efficiency (accomplishing more for less) is an inevitable goal. It

describes the ability to produce an intended outcome with a minimum input ( capital,
labor, or other resources) [6]. While the notion of efficiency has varying meanings in
different disciplines [7], it is generally viewed as a positive construct. In economic
terms, efficiency enables accomplishing more with less, increases productivity and
generally improves societal welfare [8, 9].
In a technology-supported society, such a quest for efficiency is frequently
rewarded because it leads to higher results and faster outcomes. For example,
location-aware advertising presents opportunities to save time in searching for goods
and products. An online personalized profile enables merchants to push special offers
based on users location or stored preferences [10, 11].

123
Privacy as a right or as a commodity in the online world

The focus on efficiency permeates and improves many industries [12]. Energy
efficient processes to control heating and lighting systems are now said to be creating
more megawatt monetary savings than the current oil and gas boom.
David Unger states that the megawatts saved might total as much as the Saudi Arabian
oil reserve [13]. Funded by Google, Lawrence Berkeley National Laboratory
investigated the energy impact of cloud computing. This research indicates that
moving all office workers in the United States to the cloud could reduce the energy
used by information technology by up to 87 % [14]. There is a major societal benefit
of many efficiency seeking processes across several sectors.
The extension of the efficiency paradigm from systems to human efficiency is also
pervasive. Software is available that facilitates email, scheduling, memos, document
workflow, collaborative efforts, and project management. These systems increase
employees productivity and enable managing interactions in todays workplaces.
Nevertheless, the drawback of using such efficiency improving systems is that much
of the new technology, especially when sourced and accessed through cloud software,
enables monitoring all interactions. With the addition of locationbased technologies
on smart phones, the monitoring opportunities increase. Therefore, while efficiency
is achieved, the possibilities for intrusion on personal space are accelerated. In a few
words, efficiency goals may be directly in contrast with other important goals, such
as protecting individual privacy.
In general, if the remote monitoring and control is benevolent, and privacy is
valued or respected, efficiency is not seen negatively by employees. Users gladly give
up privacy for efficiency. In electronic transactions, this is known as the privacy
paradox whereby users sacrifice (both knowingly and unknowingly) individual
privacy by disclosing personal information if they obtain a specific return, such as a
monetary saving or customized services [1517].
The concern is that once efficiency is accepted as a fundamental goal, it makes all
of its extensions seem logical and changes the attitude towards aspects of workplace,
consumer, and even private, life. Using the example of the workplace, managers could
(and possibly covertly do) aggregate data from social networking sites to hire and fire
efficiently or to replace any less than optimal employee based on information not
directly tied to workplace needs and expectations.
As another extension, if a congenial and friendly workplace was deemed as more
efficient, information disclosure and data collection could include employees
feelings, friendships, romantic attachments, gripes, etc. Understanding employees
private lives, through various technological tools, becomes important in the same way
as health issues and possible personal habits and love lives, as they are all factors that
may affect productivity. In this context, the quest for efficiency can lead to a number
of disruptions, many of which are weakly protected by the current legislative system.
Recent North American tort law cases concluded that employers have the right to
access information stored in employees personal mailboxes, when information is
being exchanged while at work, regardless of the use of a personal email account [18].
While the decision referred to a possible wrong-doing on the part of the employee
who transferred confidential company data to a prospective new employer, a similar

123
 D. Walsh et al.

decision was upheld in another dispute whereby the employer had reviewed emails
sent from a personal account without permission [19]. These cases confirm that
reasonable expectations of privacy are mitigated by company needs for self-
preservation. And the Courts have agreed with this limitation, sometimes siding on
the side of companys needs more than on the protection of individuals privacy.

3 Efficiency shortcomings in high tech environments

With the development of online technologies, a notion of efficiency characterized as

obtaining more for less may lead to shortcomings. For example, in online and
transactional contexts, aggregating more customers data enables increased analytical
possibilities but also creates new issues. The initial goal of targeting a set of
customers information, voters, or unique groups of people, is superseded when data
collected for one purpose can be recombined and aggregated for other secondary
purposes [20].
Recently, this has been most vividly seen in national security examples. The
National Security Agency (NSA)s recording of everybodys phone calls, no matter
their high or low position in a hierarchy, has been condemned by the US Congress
[21]. With the development of facial recognition systems [22] the additional
opportunities for profiling abound. In New York City, it was discovered that police
monitoring of Muslim groups was common, although no terrorist links were known
[22]. In this case, the just-in-case watch everything more data is better
interpretation of efficiency breaches the boundaries of individual privacy.
A controversial area is the transition from statistical targeting of customers or
voters to data mining. Targeting is not a new idea. In the early 1970s, Claritas
Corporation had developed a model for geo-demographic targeting providing the
where and who for particular sub-samples of the population. Claritas locates
the optimum (lowest risk) small geographic areas where people who are most likely
to respond to the message liveThe who part of the plan is determined when data
showing certain outcomes such as the purchase of a magazine or product, the donation
of a contribution, or the stated preference for a political candidate are correlated with
the demographic characteristics of the buyers, donors or voters neighborhood (p.
107) [23].
This was a breakthrough at the time, and still provides a basic model for targeting
political or commercial outreach. Using it as the initial standard, if we now add the
capabilities opened by big data and online and mobile data collection, the risk is to
transform the definition of efficiency into an endlessly more, just in case rather
than a proven tight statistical targeting model [16].
A kind of irrational exuberance (as the economists call it) seems to have taken hold
during the transition from targeting to data mining. The second-largest company in
this field, Acxiom, has 23,000 computer servers that process more than 50 trillion
data transactions per year It claims to have records on hundreds of millions of

123
Privacy as a right or as a commodity in the online world

Americans, including 1.1 billion browser cookies, 200 million mobile profiles, and
anaverageof1500piecesofdataperconsumer.TheCEO,ScottHowe,says,Our
digital reach will soon approach nearly every Internet user in the US [24].
Eventually, the data collected is modeled and statistical correlations are identified.
One miner had 3000 data categories for nearly every American consumer. While
this data may be used simply to determine the products and services offered to a
person, the conclusions can be mistaken. Consumers are placed in social and
demographic groups for marketing purposes with labels like
financially challenged, diabetes interest and smoker in household [25].
These typologies are statistically constructed and, in some cases, the correlation
may simply be spurious. These groups are created to be appealing to the customers of
the company mining the data. One social danger of this categorization is
unintended profiling, that is the creation of categories that attract prejudices,
whether social or economic, without proven foundation. While studies on ecommerce
show that users have different level of tolerance for profiling and generally pay
attention to their privacy (from profiling averse to marginally concerned), under the
right circumstances customers would freely reveal personal information if the online
exchange is entertaining or offers significant returns [26].
Another shortcoming within the concept of efficiency in data collection and mining
is that its apparent ease inflates the notion that anything can be measured.
Overconfidence may stem from success in business and medical management
monitoring systems [24]. What isnt measured, cannot be managed seems a basic
tenet of this movement. But the opposite is not necessarily true, what is measured
often is not necessarily fundamental to efficiency, but is used because it is measurable.
Overreliance on measurement algorithms may create new areas of inefficiency if the
data aggregated is not fully understood [27].
The concern in this context is that it is difficult to reduce the risk of unwanted
intrusions unless we identify a philosophical, economic, or social value stronger than
the value the modern world attributes to efficiency. In the remainder of the paper, we
debate whether privacy, the right to be left alone, is the right social construct that can
limit, or offer boundaries, to the quest for efficiency and whether, in the United States,
we are in a position to better enforce privacy protection, legally or otherwise.

4 Privacy and the internet

No matter how innovative, rational, or disruptive a technology is, it operates within

social values that define and interpret it. The internet is propelled by the value of
efficiency, or fast access to the worlds information at ones own fingertips [28], and
limited by the changing values surrounding privacy violations. These values are the
context for any examination of how privacy and the internet will interact in the future.
Privacy is the most relevant traditional social value that will impact the future of
the internet, and yet it cannot be defined in advance. Lepores axiom states that the

123
 D. Walsh et al.

defense of privacy follows, and never precedes, the emergence of new technologies
for the exposure of secrets. In other words, the case for privacy always comes too
late [29]. Or, we do not know what privacy is until it is intruded upon. Therefore, in
order to predict or understand the future of privacy on the internet, we must first grasp
that no single and encompassing solution is possible as the definition of privacy is
highly affected by its context [30].
Several scholars have attempted to find a comprehensive definition of privacy
varying from value-based definitions (like the one adopted by the authors herein) to
a cognate-based conceptualization which recognizes the individuals mind,
perceptions, and cognition in lieu of an absolute norm or value [3].
In the value-based definition, privacy emerges as the right to develop as
autonomous selves, which is then guaranteed by a legal system [31], or as a
commodity, which means that users assign a certain value to it that can be traded-off
or attenuated by cost-benefit calculations of individuals (self-interest) or society
(public interest) [32]. These definitions chart the interventions that can be taken for
privacy protection, later discussed in the paper in the context of government
regulation and/or self-regulation [15].
Privacy has been also defined as the state of being apart from others and of
limited access to a person or a persons information. This definition focuses the
attention on control of information to be disclosed and protection of sub-states such
as: anonymity, solitude, reserve and intimacy [3].
Other attempts at identifying a universal privacy definition in online internet
transactions have emerged from theories of justice. Such theories describe personal
information trade-offs as influenced by perceptions of fairness of exchanges. If
information collection is identified as a natural result of the exchange (a consumer
and a seller transaction), and such exchange is compensated by a suitable product or
price, the principles of distributive and procedural justice apply and help define
privacy expectations. Figure 1 shows key characteristics of a sample online exchange
with the flow of information from consumers to/from marketers to complete
product/services purchases, participate in online social networking or gather
information.
In this model, privacy is still seen as a commodity and consumers focus on the
fairness of the exchange to assess whether the information they provide is balanced
by the service that they receive (distributive justice). In a few words, if the
information flows on the left side and the right side of Fig. 1 are equitable and a
balance exists, perceptions of a privacy breach will be lower. If procedures to

MARKETER-
EXCHANGE CONSUMER EXCHANGE

123
Privacy as a right or as a commodity in the online world

INTERACTION

Personal Website Informaon

Informaon (informaonal ) collected

Product / service Product / service

needed provided
Ecommerce site
(transaconal )
Online
Online Friends
Financial payment soware
Consumer access informaon Marketer
designers,
soware
providers
Networking site
(collaboraon )
Networking and Group markeng /
social group discounts

Communicaon
Communicaon Email exchange
plaorm

Fig. 1 Sample exchange of consumer-marketer information. Adapted from [33]

guarantee this balance are in place (procedural justice), consumers privacy concerns
will be reduced [4, 33].
Regardless ofthe overarching principles trying to encapsulate privacy, this concept
willbere-definedasthetechnologychanges,andacasebycasedevelopmentisallthat can
be expected. Legal responses to the new privacy invasions will be drawn out and
difficult. When a new technology develops, as in facial recognition, drones, phone
global positioning system (GPS) monitoring and other tracking devices, regulatory
agencies often wait for the developing industry to formulate possible uses and
marketdriven self-regulation, and the industry waits to see the government policy
before taking action, a stalemate that eventually is solved by lawsuits and case law.
To exacerbate this difficulty, there exist the conflict between the search for privacy
and the need for social integration and self-promotion, which is growing
exponentially with the use of social media. The development of a self-promoting
society is an example. The new emphasis on expanded disclosure of self, especially
among the young, inhibits attention to privacy protection [34].
When entering the word self-promotion in Google, about 65,900,000 items are
offered for examination. Many ads for helping individuals job-success appear, but
also many avenues for personal promotion in social media [35]. The phenomenon of
the selfie and its continuous exchange on social media is changing the notion of
privacy protection. Selfies have changed aspects of social interaction, body
language, self-awareness, privacy, and humor, altering temporality, irony, and public
behavior. It has become a new visual genrea type of self-portraiture formally
distinct from all others in history. Selfies have their own structural autonomy [36].
In this self-promoting focus, individuals see their privacy as a commodity that can be
traded in exchange for access to specific advantages. Treating privacy as a commodity
makes it a disposable good rather than a universal right.

123
 D. Walsh et al.

5 Privacy regulation approaches

Approaches that attempt to deal with the surmounting privacy concerns of internet
users [37] have been dealt with a wide range of responses. These responses generally
include a focus on government regulatory intervention or a focus on self-regulation
by the users or by the companies participating in the information exchange.
In 2004, Yale law professor James Whitman made a distinction between
conceptions of privacy in the United States and Europe [2]. Privacy in the United
States is the right to freedom from intrusions by the media or the government,
especially in ones own home. In contrast to the United States perspective is the
European notion of the right to oblivion or the right to be forgiven [38]. For
example, in 2011, two German citizens who had committed murder and served their
prison sentences sued Wikipedia to drop the entry about their crime [39]. In May
2014, the European High Courts ruling supporting the right to oblivion, to be
forgotten, highlights the complexity of trying to agree or enforce an overall definition
of privacy as an unalienable right.
In the European Union, all member states are required to protect the fundamental
right to privacy and restrict data movement across countries (Directive 95/46/EC of
the European Parliament). Even within Europe, though, which of the 28 countries
values will be uppermost, and which country will get to administer the rules that will
make a difference in privacy protection? Finally, how will the EU enforce the ban on
data leaving to other countries? While regulations exist, the capabilities to enforce
such regulations or prevent data leaks may be limited.
The aforementioned ruling that links that are disagreeable, even if true, should be
eliminated from search engines is unlikely to be upheld in the US, with its First
Amendment value on free speech. The real complexity can only be appreciated when
we realize that nothing much will happen. All the articles that will be delinked will
still be available on the original websites or in newspaper morgues. Anyone could
hire a private investigator to do a character check on the internet, similar to what
is done with credit checks. Erasing links to information from Google would do
relatively littletechnologicallyif they have already been archived in other
websites. Privacy protection may need to be much more than a technical fix needing
adequate policies and enforcement mechanisms [29].
In the US, the main approach is not necessarily that of creating overarching
Government regulations like in Europe. Privacy protection is focused on narrow and
specific categories of sensitive data (health care, childrens data, etc.) such as data
held by financial institutions. Beyond these categories of protected data, the approach
is that of relying on self-regulation by establishing privacy standards. For example,
in 1999 the Federal Trade Commission (FTC) developed guidelines for fair
information practices [31], which require companies (sellers or third-party privacy
certification providers such as Trust_e and BBBOnline) to establish privacy practices
that include:

123
Privacy as a right or as a commodity in the online world

(1) Notice/awareness (disclosure of how information will be used);

(2) Choice/consent (consent by opting in and out of providing information in
return for benefits);
(3) Access/participation (enable users to check accuracy when data is combined
from various sources);
(4) Integrity/security (protection from theft or tampering);
(5) Enforcement/redress (credible means of assuring only expected or agreed uses
of data).

While standards-based self-regulation built on the FTC principles enables the free
operation of market forces (demand and supply based on fair information protection
practices [40]), studies have shown that neither legislative intervention nor self-
regulation policies may per se be sufficient [20]. Bowie and Jamal, for example,
carefully compared enforcement across US and EU (notably US and UK) and found
that the mere existence of the EU directive did not guarantee higher data protection
in the UK. In the same study, they also identified shortcomings in the self-regulated
third-party privacy seals certification companies, thus advocating for enforcement
mechanisms (i.e., remove the privacy seal from previously certified web sites) [31].
An overview of the insufficiency of the regulatory framework in the US is
presented in the next pages. The discussion is followed by the recognition that
selfregulation also has its limits, as advocated by consumer activists and exacerbated
by users disconnection between stated privacy preferences (generally high) and
actual behaviors (low attention to personal privacy) [26]. Each possible approach,
government or self-regulation based, has its own limits.

6 Evolution and limits of privacy laws in the US

In 1890, in The Right to Privacy, Warren and Brandeis argued that there exists a
legal right to be left alonea right that had never been defined before. Their essay
lies at the heart of every legal decision that has been made about privacy ever since.
In a precursor to our current concern with technology, the case argued that modernity
had changed the nature of the publicity that earlier generations valued. Publicity had
become intrusive. Making public the deliberations of Congress was a public good;
making public the names of mourners at Mrs. Warrens mothers funeral was not.
The same distinction informed the debate that resulted, in the eighteen-eighties and
nineties, in the adoption of the secret ballot. Citizens votes are private; legislative
votes are public [1].
Since that early formulation, newer privacy laws can be separated into two
categories: (1) laws protecting from intrusion by individuals, organizations, or
corporations, and (2) protections from government intrusions. This issue has been
debated for decades and the subject matter can be overwhelming. This section can

123
 D. Walsh et al.

only provide a brief introduction with the main focus on understanding the privacy
laws arising out of a variety of online activities.
The question becomes whether or not the existing US privacy laws adequately
protect the growing access to private information.
The word privacy cannot be found anywhere in the US Constitution or the Bill
of Rights. However, through the years, the Courts have developed case law that has
created an implicit right of privacy within the Constitution. As the Constitution was
drafted before the age of the internet and the information technology boom, the
drafters could not have possibly contemplated what new technologies would bring.
The judicial branch of the government is assigned the task of interpreting laws,
including the Constitution and the Amendments of the Bill of Rights, in the new
contexts provided by social and technological change.
The traditional law that most believe protects peoples lives from the government,
would be the Fourth Amendment. It states: The right of the people to be secure in
their persons, houses, papers, and effects, against unreasonable searches and seizures,
shall not be violated. The Fourth Amendment has been extended by legislation and
case law to protect, to some extent, individuals and even private corporations from
government searches. However, this protection only inhibits the government from
invading individuals privacy and does not restrain invasion by private companies
and/or other individuals.
In 1965, the Court first recognized an individuals right to privacy under the
Constitution. In Griswold versus Connecticut, the Supreme Court of the United States
found a right of privacy implicit within the First, Third, Fourth, Fifth, and Ninth
Amendments [41]. This was the first time that the Court expressly stated that the
Constitution protects a right of privacy. The Court stated, the right of privacy which
presses for recognition here is a legitimate one [41] (p. 485). In that case, the Court
found a right to privacy in a marital relationship by holding that a law forbidding the
use of contraceptives was unconstitutional (pp. 485486). In that regard, the Court
said that the very idea of allowing police to search the sacred precincts of marital
bedrooms for telltale signs of the use of contraceptivesis repulsive to the notions of
privacy surrounding the marriage relationship [41].
Most Courts since Griswold have implicitly found privacy rights in the
Constitution built upon the principles the Supreme Court engrained in its Griswold
holding. The case is an example of the main point in this paper: it takes a stronger
social value, or a conflict of values, to attain privacy protection. Marital freedom, in
this case prevailed over the right of government to enforce another value-based view.
This reinforces our initial assertion that stronger values can reduce the focus on the
value of efficiency.
However, the right of privacy from the government is not an absolute right. The
Supreme Court in Katz versus US [42] stated the standard by which private
information is protected by the Fourth Amendment, and what is not. In Katz, the
defendant was charged with transmitting wagering information via telephone, in
violation of a federal statute. When FBI agents overheard the defendants telephone

123
Privacy as a right or as a commodity in the online world

conversations from the outside public telephone booth from which he was placing his
calls, the agents then attached an electronic listening and recording device to the
booth. At the trial, the government introduced the defendants recorded telephone
conversations as evidence and found the defendant guilty based on these
conversations. On appeal, the Supreme Court held that the use of these recorded
conversations violated the privacy upon which the defendant justifiably relied while
using the telephone booth.
Most important for this paper, the Supreme Court stated: What a person
knowingly exposes to the public, even in his own home or office, is not a subject of
Fourth Amendment protection. But what he seeks to preserve as private, even in an
area accessible to the public, may be constitutionally protected [42] (p. 351). It was
from the Katz case where the reasonable expectation of privacy standard was
derived.
In addition to the definitions of privacy created by the Courts, governments
administrative agencies have promulgated regulations that protect the right of
privacy, and Congress and State legislatures have enacted statutes to protect privacy.
Space is limited, but a listing will show their wide range and complexity. The main
federal statutes in regards to protection of online privacy are listed below.
The statutes in italics are further discussed in the manuscript [43]:

Freedom of Information Act(FOIA) (1966)

Fair Credit Reporting Act (FCRA) (1970)
Privacy Act (1974)
Family Educational Rights and Privacy Act (1974)
Electronic Communications Privacy Act (ECPA) (1986)
Video Privacy Protection Act (VPPA) (1988)
Drivers Privacy Protection Act (DPPA) (1994)
Health Insurance Portability and Accountability Act (HIPPA) (1996)
Childrens Online Privacy Protection Act (COPPA) (1998)
GrammLeachBliley Act (GLBA) (1999)
Fair and Accurate Credit Transaction Act (FACTA) (2003)
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-
SPAM) (2003)
Federal Trade Commission ActFTC Act (1914)Incorporating U.S. SAFE
WEB Act amendments of 2006

The Freedom of Information Act, enacted in 1966, gives citizens the right to access
information (documents and materials) created and held by federal agencies.
Essentially it gives the public access to information collected or used by government
[44].

123
 D. Walsh et al.

The Privacy Act of 1974 is the first federal statute that expressly protected an
individuals privacy. This Act regulates the collection, maintenance, use, and
dissemination of information about individuals by federal agencies. However, this
Act only applies to federal agencies, not to state governments, or private entities, or
individuals [45].
While the Constitution does not expressly mention privacy, there are ten states
that currently have an expressed right of privacy in their constitutions ( Alaska,
Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina,
and Washington) (p. 183) [43].

7 Limits of legal privacy protection by private entities

As mentioned, the Constitution, as well as the case law that interprets it, only protects
a persons privacy from the government, not from private individuals and
corporations. However, in the private sphere, federal statutes, state statutes, and
common law, all protect a persons privacy. In fact, common law has carved out a tort
referred to as invasion of privacy in order to protect an individuals privacy from
parties other than the government itself. Some statutes that serve this purpose include
the Electronic Communications Privacy Act, the CAN-SPAM Act, and the FTC Act.
The Electronic Communications Privacy Act, which was enacted in 1986, is a
federal law that grants people privacy protections from both the government and
private parties. This Act protects peoples wire, oral, and electronic communications
from unlawful wiretapping, eavesdropping, and other forms of unauthorized access
and disclosure by private businesses, law enforcement, and other government
officials. Under this Act, any person, including businesses and law enforcement
agents, cannot unlawfully and intentionally intercept the contents of telephone and
other electronic communications nor can they gain unauthorized access to the
contents of electronic communications in electronic storage. Included within these
protections are live telephone calls, voice mail messages, email messages, text
messages, and instant messages. Violation of this can lead to being convicted of a
federal crime and also civil liability (p. 196) [43].
There are many different contexts where online privacy issues arise. For example,
Google and other search engines collect and store the information or words that
people use in their search queries. As data collection on internet sites continues to
grow rapidly, the current regulations and protections regarding its use and
dissemination become insufficient.

7.1 Self-regulation (corporate privacy policies)

If regulations are lacking, or as an alternative to them, society and businesses have

relied on self-regulation with little or no government involvement [46] to protect
individuals personal information through their own privacy policy. Almost all

123
Privacy as a right or as a commodity in the online world

websites enact their own privacy policy, which outlines the level of protection they
provide for the user/customers information and the user/customers privacy. As a
type of agreement between the company and the user, the company is held to the
terms of its own policy, and may or may not be liable for breach of (privacy) contract.
Many cases emerged where entities have been sued for failure to adhere to their
own privacy policies. Typically, these cases arise as breach of contract actions. In
Young versus Facebook, Inc. [47], the Court held that while Facebooks privacy
policy places restrictions on users behavior, it does not create any affirmative legal
obligation on Facebook, and thus, there was no breach of contract. On the other hand,
in FenF LLC versus Healio Health, Inc. [48], the Court held that requiring the transfer
of the defendants customer information would violate the terms of a privacy policy
in which the defendant was precluded from sharing customer information with third
parties (p. 9) [48]. While individuals might not prevail against entities for breach of
privacy principles, this does not mean that the entity will be clear from liability.
The FTC has brought enforcement actions against companies for failing to adhere
to their own privacy policies and for false and deceptive statements made in these
policies [43]. Although such enforcement actions may not directly benefit individuals,
they indirectly give an incentive to create reasonable privacy policies and to adhere
to them.
Even if self-regulation exists, users behaviors may limit its effectiveness.
Regretfully, most users seldom read a websites privacy policy before using it. In
addition, these policies can be long, confusing, and filled with legal terms. Almost all
privacy policies contain a provision which allows unilateral modification of the
policy, at any time. Currently, federal and state statutes regarding online privacy
policies are lacking, but lobbying efforts are undergoing in Congress to enact such
laws (p. 210) [43].

8 Limits of legal privacy protection in social networking, advertising and

mining

Privacy issues increase exponentially with social networking because of the pictures,
videos, and other personal information that users post on such sites. What level of
protection does the law provide for the use and dissemination of this information?
The answer is very little to none. In United States versus Miller [49] , the United
States Supreme Court held that under the Fourth Amendment, an individual has no
reasonable expectation of privacy of information that is voluntarily disclosed to a
third party. Although decided in 1976, this case has been applied in many social
networking cases.
In Miller, the Court stated that even if the information is revealed to the third party
to be used only for a limited purpose, with the confidence placed in the third party
that it will not be betrayed, the assumption of privacy does not hold. In essence, if a
person uploads a photograph, video, or any other personal information to a social
networking site, that person relinquishes any reasonable expectation of privacy. [49].

123
 D. Walsh et al.

In Courtright versus Madigan [50], the Court cited the Miller case when it held that
the plaintiff had no reasonable expectation of privacy for the information contained
in his MySpace.com account to remain private. There is no prohibition on prospective
employers from accessing that information for a background check. There is also no
prohibition that such information be used as evidence in a legal proceeding, including
in a criminal proceeding.
At this point in time, the protections from the use and dissemination of a persons
information posted on a social media website are extremely limited compared to the
scope and extent of data gathering in these sites. However, the legislature is steering
towards some form of regulation. In fact, in 2011, the Commercial Privacy Bill of
Rights Act, also known as Do Not Track Me Online Act, was introduced to Congress.
This Act imposes rules on companies who gather personal data about their users,
including offering people access to data about them or the ability to block that
information from being used or distributed. Although this bill has not yet been enacted
into actual law, it is a step in the direction of regulation of the right to privacy in
regards to social media websites [51].
Search queries on a social networking site can contain personal information or
information that users may not want to disclose (for example, information on who
looked at ones own profile in LinkedIn is available for a fee). In fact, search queries
have been used as evidence in criminal proceedings. In United States versus Schuster
[52], the defendant was convicted of intentionally accessing and recklessly causing
damage to a protected computer in violation of a federal statute. In its decision, the
Court used the defendants search queries as evidence of the defendants culpable
conduct.

8.1 Internet advertising

Internet advertising has become one of the most useful forms of advertising because
of the ability to reach the target market by using online personal information. Some
limited privacy protections from targeted advertising in the forms of federal and state
laws exist. Two of the most important of these federal laws, discussed earlier, include
the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
(CAN-SPAM Act) and the FTC Act. The CAN-SPAM Act provides for protection
and regulation of unsolicited commercial emails, also known as spam email. This Act
provides for both criminal and civil liability against parties that do not adhere to the
restrictions placed on spam email by the Act [43]. Much of the regulation in this Act
is designed to prevent deception and harassment as a result of spam email, by
requiring certain information to be clearly stated in such emails.
The Federal Trade Commission Act prohibits unfair or deceptive conduct in
advertising, including internet advertising. This Act requires that advertisers be
truthful and prevent misleading consumers. As a result of these two laws, companies
that use online advertising must ensure that they adhere to the regulations in regards

123
Privacy as a right or as a commodity in the online world

to unfair and deceptive advertising which are contained in the CAN-SPAM Act and
the FTC Act [53].

8.2 Data mining

Data mining has also become a serious issue for online privacy concerns. Online data
mining entails a vast search for online personal information to form a database and
profile of users who have their personal information online [54]. The government
uses data mining in its administration of programs, such as Medicare, and to
investigate potential terrorism. The newly aggregated data can then be used by data
brokers, which are entities that collect, buy, and sell personal information. They may
get their information from various sources, and sell their information to private
entities and even the government. One such data broker is LexisNexis [43]. This
practice presents several Constitutional issues as it essentially allows the government
to monitor individuals based on their personal information online.
As seen above in the Miller case, individuals have no reasonable expectation of
privacyininformationthattheydisclosetothirdparties.Therefore,asthisinformation is
bought, collected and sold to and from commercial entities, the individuals have very
little protection from its secondary use and dissemination (p. 214) [43].

9 Conclusions

Are the current online privacy protections in the United States adequate? As seen in
the Miller case and other cases reviewed, individuals do not have a universal
expectation of privacy protection, especially when the information is voluntarily
released to a third party.
Regulation on internet transactions will be an intensifying controversial issue as
ecommerce continues to grow. By reviewing the two main concepts that drive this
controversy (the value of efficiency and the value of privacy) and the current legal
framework,we can predict future actions in thisarea such as the need to accelerate and
tie legislative interventions to technological evolution. Efficiency is a central value in
Western society and a reasonable goal for social and economic development, but how
it is defined and valued may lead to unintended consequences. The intrusions that are
already recognized as privacy invasions in law provide clearer clues to what will
become the next controversies, many of which are tied to data re-aggregation in data
mining and online comprehensive click collections. How quickly and distinctly
will it be possible to profile individuals search information on web sites? Should the
information gathered to complete a transaction be reused elsewhere?
As discussed in this paper, much of the private information on the internet is not
protected. Privacy rules may not be sufficiently enforced against companies,
protection of information found on social media platforms is highly unregulated, and

123
 D. Walsh et al.

the same occurs with search queries. In addition, data mining and targeted advertising
are increasing activities that lack adequate regulation.

Should Congress move towards stronger protection of an individuals right to

privacy regarding personal online information or should we rely on
selfregulation?

One argument in favor of self-regulation is that private entities have the incentive
to create strong self-imposed privacy protections of their users online information
because of market competition and the negative publicity that would follow security
breaches. These companies have the incentive to keep users satisfied with their level
of privacy
protectioninordertoavoidchurntowardsacompetitorsservices.Argumentsagainstselfre
gulation state thatcompaniescontinueto shield themselvesfrom liabilityin their online
information access policies by creating opt-in/opt-out clauses that push data release.
A user of online services may need to accept burdensome clauses if s/he wishes to
access services provided by a transactional site. In addition, and regardless of a
companys adequate actions, studies show that users pay limited attention to policies
and these policies can be unilaterally changed [31].
Nevertheless, there is a cogent argument in favor of self-regulation. It suggests that
legislative intervention (regulation) will be inadequate, and this assertion is not based
on an esoteric idea of flaws in the system or in the characters of producers, but on the
inherent unpredictability of developments. This analysis reinforces Lepores axiom
[1] that privacy will always be a developing concept and definitions of its invasion
even more unpredictable.
The international debate between the EUs centralized emphasis on the right to be
forgotten and the USs concern for freedom of speech brings new perspectives on
cross-national regulation but confirms some of the challenges. Studies on the
effectiveness of European tighter regulations show that enforcement is still
inadequate. The profiles of sub-populations whose data is being collectedvoters,
patients, fans, persons of interest to national security or law enforcement, as well as
online customersare so diverse that any regulation will be, at the very least, not
comprehensive enough. Adding the data-mining of cell-phones, emails, audio files,
and social media postings, as well as other records, increases the possibilities for
infringement when enforcement may be limited at best.
A popular business book, Targeted [55], discusses new data aggregation in online
advertising, and live auctioning of advertising based on dynamic user preferences.
Media companies are monetizing the actual online interactions and clicks,
aggregating all sorts of dynamic data. The field changes too fast to predict the next
invention and to be able to regulate effectively. The dissemination of new advertising
techniques and personalization methods will likely lead to the invention of new
efficiencies that may require further re-examination.
Therefore, also self-regulation may not be the best avenue as monetization
opportunities endanger privacy [15]. The more for less, or more and moreno matter
the cost when national security is concerneddrive the collection of often irrelevant,

123
Privacy as a right or as a commodity in the online world

but intrusive data. Furthermore, todays development of the selfpromoting society

seems to drive people to expose formerly private items to friends. Such items may be
used in unintended ways by future employers or other observers.
The debate is ongoing because the existing US privacy laws are not able to ensure
conformity. The existing laws follow new technologies as they develop and each
development is debated. Possibly, the only non-debatable item is that the assumption
of privacy is no longer valid. As Scott McNealy, CEO of Sun Microsystems said,
get over it [2], privacy as we knew it, or thought we knew it, is gone. Each
individual must be attentive and intentionally safeguard personal information when
undertaking any transaction on the internet.

References

1. Lepore, J. (2013, June). Privacy in an age of publicity. http://www.newyorker.com/reporting/2013/

06/24/130624fa_fact_lepore?currentPage=all. Accessed 15 Mar 2015.
2. Halbert, T., & Ingulli, E. (2014). Law and ethics in the business environment (Legal Studies in
Business). Stamford: Cengage Learning.
3. Smith, H. J., Dinev, T., & Xu, H. (2011). Information privacy research: An interdisciplinary review.
MIS Quarterly, 35(4), 9891016.
4. Culnan, M. J., & Bies, R. J. (2003). Consumer privacy: Balancing economic and justice considerations.
Journal of Social Issues, 59(2), 323342.
5. Li, Y. (2012). Theories in online information privacy research: A critical review and an integrated
framework. Decision Support Systems, 54(1), 471481.
6. Arrow, K. J., Chenery, H. B., Minhas, B. S., & Solow, R. M. (1961). Capital-labor substitution and
economic efficiency. The Review of Economics and Statistics, 43, 225250.
7. Harold, O. (1993). The measurement of productive efficiency: Techniques and applications
Techniques and applications. Oxford: Oxford University Press.
8. Arrow, K. J. (1973). Social responsibility and economic efficiency. Public Policy, 21(3), 303317.
9. Westin, A. F. (2003). Social and political dimensions of privacy. Journal of Social Issues, 59(2) , 431
453.
10. Sheng, H., Nah, F. F.-H., & Siau, K. (2008). An experimental study on ubiquitous commerce adoption:
Impact of personalization and privacy concerns. Journal of the Association for Information Systems,
9(6), 15.
11. Xu, H., Luo, X. R., Carroll, J. M., & Rosson, M. B. (2011). The personalization privacy paradox: An
exploratory study of decision making process for location-aware marketing. Decision Support
Systems, 51(1), 4252.
12. Page, T. (2013). Conservation and economic efficiency: An approach to materials policy. London:
Routledge.
13. Unger, D. J. (2013, October). Energy efficiency: How the internet can lower your electric bill. http://
www.csmonitor.com/Environment/2013/1006/Energy-efficiency-How-the-Internet-can-lower-
yourelectric-bill/(page)/2. Accessed 15 Mar 2015.
14. Unknown. (2014). How green is the internet?
https://www.google.com/green/efficiency/industrycollaboration/. Accessed 15 Mar 2015.
15. Taylor, D. G., Davis, D. F., & Jillapalli, R. (2009). Privacy concern and online personalization: The
moderating effects of information control and compensation. Electronic Commerce Research, 9(3) ,
203223.

123
 D. Walsh et al.

16. Earp, J. B., & Baumer, D. (2003). Innovative web use to learn about consumer behavior and online
privacy. Communications of the ACM, 46(4), 8183.
17. Taddicken, M. (2014). The Privacy Paradox in the social web: the impact of privacy concerns,
individual characteristics, and the perceived social relevance on different forms of self-disclosure.
Journal of Computer-Mediated Communication, 19(2), 248273.
18. Case. (2012). Pneus Touchette Distribution inc. c. Pneus Chartrand inc. - 2012 QCCS 3241 (CanLII)
Quebec, Canada. http://www.canlii.org/fr/qc/qccs/doc/2012/2012qccs3241/2012qccs3241.html.
Accessed 1 Mar 2015.
19. Case. (2012). Images Turbo inc. c. Marquis - 2012 QCCS 4386 - Quebec, Canada. http://www.canlii.
org/fr/qc/qccs/doc/2012/2012qccs4386/2012qccs4386.pdf. Accessed 1 Mar 2015.
20. Ren, Y., Cheng, F., Peng, Z., Huang, X., & Song, W. (2011). A privacy policy conflict detection
method for multi-owner privacy data protection. Electronic Commerce Research, 11(1), 103121.
doi:10.1007/s10660-010-9067-8.
21. Landau, S. (2013). Making sense from Snowden. IEEE Security & Privacy Magazine, 4, 5463.
22. MPR. (2013). Conflict between privacy rights and security is nothing new. http://www.mprnews.org/
story/2013/06/18/daily-circuit-government-surveillance. Accessed 15 Mar 2015.
23. Robbin, J. E. (1980). Geodemographics: The new magic. Campaigns and Elections, 1(1), 106125.
24. Marwick, A. E. (2014, January). How your data are being deeply mined. http://www.nybooks.com/
articles/archives/2014/jan/09/how-your-data-are-being-deeply-mined/. Accessed 15 Mar 2015.
25. Lohr, S. (2014, May). New curbs sought on the personal data industry. http://www.nytimes.com/
2014/05/28/technology/ftc-urges-legislation-to-shed-more-light-on-data-collection.html?hpw&rref=
busines&_r=0. Accessed 15 Mar 2015.
26. Berendt, B., Gunther, O., & Spiekermann, S. (2005). Privacy in e-commerce: Stated preferences vs.
actual behavior. Communications of the ACM, 48(4), 101106.
27. Henderson, S. C., & Snyder, C. A. (1999). Personal information privacy: Implications for MIS
managers. Information & Management, 36(4), 213220.
28. Kleinberg, J. (2006). The world at your fingertips. Nature, 440(7082), 279280.
29. Miller, C. C. (2014, May). Its not as simple as asking to Be Forgotten by google. http://www.
nytimes.com/2014/05/27/upshot/its-not-as-simple-as-asking-to-be-forgotten-by-google.html?hpw&
rref=&_r=1. Accessed 15 Mar 2015.
30. Antoniou, G., & Batten, L. (2011). E-commerce: Protecting purchaser privacy to enforce trust.
Electronic Commerce Research, 11(4), 421456. doi:10.1007/s10660-011-9083-3.
31. Bowie, N. E., & Jamal, K. (2006). Privacy rights on the internet: self-regulation or government
regulation? Business Ethics Quarterly, 16, 323342.
32. Hahn, R. W., & Layne-Farrar, A. (2002). The benefits and costs of online privacy legislation.
Administrative Law Review, 54, 85171.
33. Ashworth, L., & Free, C. (2006). Marketing dataveillance and digital privacy: Using theories of justice
to understand consumers online privacy concerns. Journal of Business Ethics, 67(2) , 107123.
34. Dwyer, C., Hiltz, S., & Passerini, K. (2007). Trust and privacy concern within social networking sites:
A comparison of Facebook and MySpace: Proceedings of AMCIS 2007 (p. 339).
35. Raji, F., Miri, A., Jazi, M. D., & Malek, B. (2011). Online social network with flexible and dynamic
privacy policies: CSI International Symposium on Computer Science and Software Engineering
(CSSE), 2011 (pp. 135142). IEEE.
36. Saltz, J. (2014, January). Art at arms length: A history of the selfie. http://www.vulture.com/2014/01/
history-of-the-selfie.html. Accessed 15 Mar 2015.
37. Palmer, D. E. (2005). Pop-ups, cookies, and spam: Toward a deeper analysis of the ethical significance
of Internet marketing practices. Journal of Business Ethics, 58(13), 271280.
38. Kakutani, M. (2014, May). Snowdens story, behind the scenes. http://www.nytimes.com/2014/05/13/
books/no-place-to-hide-by-glenn-greenwald.html?_r=1. Accessed 15 Mar 2015.
39. Whitman, J. Q. (2004). The two western cultures of privacy: Dignity versus liberty. Yale Law Journal,
113(6), 11511221.

123
Privacy as a right or as a commodity in the online world

40. Preibusch, S., Kubler, D., & Beresford, A. R. (2013). Price versus privacy: An experiment into the
competitive advantage of collecting less personal information. Electronic Commerce Research, 13(4),
423455. doi:10.1007/s10660-013-9130-3. Accessed 15 Mar 2015.
41. Case. (1965). Griswold versus Connecticut, 381 U.S. 479 - US Supreme Court. http://laws.findlaw.
com/us/381/479.html.
42. Case. (1967). Katz versus US, 389 U.S. 347 - US Supreme Court. https://supreme.justia.com/cases/
federal/us/389/347/case.html. Accessed 15 Mar 2015.
43. Craig, B. (2013). Cyberlaw: The law of the internet and information technology. Prentice Hall: Pearson
Education Inc.
44. DOJ. (1966). What is FOIA. http://www.foia.gov/about.html. Accessed 15 Mar 2015.
45. Schultz, B. S. (1999). Electronic money, internet commerce, and the right to financial privacy: A call
for new federal guidelines. University of Cincinnati Law Review 67, 779, 791792.
46. Hirsh, D. D. (2011). The law and policy of online privacy: Regulation, self-regulation, or coregulation.
The Seattle University Law Review, 439, 457458.
47. Case. (2010). Young versus Facebook, Inc - U.S. Dist. - (N.D.Cal. Oct. 25, 2010). https://scholar.
google.com/scholar_case?case=14196698777849520612&q=Young?v.?Facebook&hl=en&as_sdt=
2,5&as_ylo=2011. Accessed 15 Mar 2015.
48. Case. (2010). FenF, LLC versus Healio Health, Inc. - U.S. Dist. https://scholar.google.com/scholar_
case?case=9276471333322576008&q=FenF,?LLC?v.?Healio?Health,?Inc&hl=en&as_sdt=6,33&
as_vis=1. Accessed 15 Mar 2015.
49. Case. (1976). United States versus Miller - 425 U.S. 435, 443 - US Supreme Court. http://caselaw.lp.
findlaw.com/scripts/getcase.pl?court=US&vol=425&invol=435. Accessed 15 Mar 2015.
50. Case. (2010). Courtright versus Madigan - Civil No. 09-CV-208-JPG WL 3713654 (S.D.Ill. Nov. 4 ,
2009). https://scholar.google.com/scholar_case?case=7495388096977244675&q=Courtright?v.
?Madigan&hl=en&as_sdt=6,33&as_vis=1. Accessed 15 Mar 2015.
51. Kang, C. (2011, April). Kerry, McCain offer bill to protect web users privacy rights, p. 203.
52. Case. (2006). United States versus Schuster - 467 F.3d 614, 616 (7th Cir. 2006). https://casetext.com/
case/us-v-schuster-4. Accessed 15 Mar 2015.
53. BCP. (2009). The CAN-SPAM act: A compliance guide for business - the federal trade commission.
http://business.ftc.gov/documents/bus61-can-spam-act-compliance-guide-business/. Accessed 15 Mar
2015.
54. Cate, F. H. (2008). Government data mining: The need for a legal framework. Harvard Civil
RightsCivil Liberties Law Review (CR-CL), 43, 435438.
55. Smith, M. (2014). Targeted: How technology is revolutionizing advertising and the way companies
reach consumers. New York: AMACOM Div American Mgmt Assn.

Diana Walsh M.A., J.D. (NJ Bar). Graduated from Seton Hall University School of Law of New Jersey in
1989 with a Doctor Degree in Justice. Earned a Bachelor and Masters degrees in Sociology and
Psychology at William Patterson University, Magna Cum Laude in 1987. A faculty member at New Jersey
Institute of Technology Ms. Walsh teaches Legal & Ethical Issues, Internet Law and Policy Issues, and
Business Law. Ms. Walsh has received Excellence in Teaching Awards from the School of Management.
Admitted to the New Jersey Bar and to the U.S. District Court of New Jersey in 1989. As a certified
mediator, Ms. Walsh has been appointed by the Superior Court of New Jersey to act as an attorney in
guardianship cases, and taught various seminars on Construction Contract Law for the Regional Alliance
of the Port Authority of New Jersey. Ms. Walsh is a member of the firm of Murphy McKeon, P.C. Her
activities at the law firm are primarily focused on Computer and Internet laws, general commercial and
real estate matters, ethics and professional responsibility, as well as intellectual property. Ms. Walsh is an
active member of the New Jersey Bar.

James M. Parisi J.D. (NJ and NY Bar). Graduated from New York Law School in 2011 with a Juris

123
 D. Walsh et al.

Doctor, with studies focused on intellectual property law, specifically copyright and trademark law. Earned
a Bachelor of Science degree in Finance from the Robert H. Smith School of Business at the University of
Maryland, College Park in 2008. Admitted to the New Jersey Bar and to the U.S. District Court of New
Jersey in November of 2011. Admitted to the New York Bar in January of 2012. Mr. Parisi was hired out
of law school as a legal associate of the law firm Murphy McKeon, P.C., located in Riverdale, New Jersey,
in August of 2011, and is currently still at the same firm. Mr. Parisi performs a variety of legal work at
Murphy McKeon, P.C., including, but not limited to, matters involving municipal law, corporate law,
intellectual property law, real estate law, landlord tenant law, and personal injury/insurance defense. Mr.
Parisi is still currently an active member of both the New Jersey and New York Bar.

Katia Passerini is Professor and the Hurlburt Chair of Management Information Systems (20062015) at
the School of Management of the New Jersey Institute of Technology, where she teaches courses in MIS,
knowledge management, and IT strategy. She also serves as the Dean of the Albert Dorman Honors
College at NJIT. Dr. Passerini has been published in several refereed journals and proceedings. She also
co-authored a book on Information Technology for Small Business (Springer 2012). Her professional
background includes multi-industry projects at Booz Allen Hamilton (now part of
PricewaterhouseCoopers) and the World Bank where she focused on information technology projects in
Europe, North America and the South Pacific. Dr. Passerini holds degrees in political science (LUISS
University, Italy), economics (University of Rome IITor Vergata, Italy), MBA and PhD degrees from
The George Washington University, and a certificate in business project management from New York
University.

123