Database Nation by Simson Garfinkel

As an experiment, make a list of the data trails that you leave behind on a daily basis. Did you buy lunch with a credit card? Write that down. Did you buy lunch with cash, but visit the automatic teller machine (ATM) beforehand? If so, then that withdrawal makes up your data shadow as well. Every long distance phone call, any time you leave a message inside a voice mailbox, and every web page you access on the Internet—all of these are part of your comprehensive data profile.

You are more likely to leave records if you live in a city, if you pay for things with credit cards, and if your work requires that you use a telephone or a computer. You will leave fewer records if you live in the country or if you are not affluent. This is really no surprise: detailed records are what makes the modern economy possible.

What is surprising, though, is the amount of collateral information that these records reveal. Withdraw cash from an ATM, and a computer records not just how much money you took out, but the fact that you were physically located at a particular place and time. Make a telephone call to somebody who has Caller ID, and a little box records not just your phone number (and possibly your name), but also the exact time that you placed your call. Browse the Internet, and the web server on the other side of your computer’s screen doesn’t just record every page that you download—it also records the speed of your computer’s modem, the kind of web browser you are using, and even your geographical location.

There’s nothing terribly new here, either. In 1986, John Diebold wrote about a bank that seven years earlier

An article about the incident that appeared in the Knight News Service observed: “there’s a bank someplace in America that knows which of its customers paid a hooker last night.”^[2] (Diebold, one of America’s computer pioneers in the 1960s and 1970s, had been an advocate of the proposed National Data Center. But by 1986, he had come to believe that building the Data Center would have been a tremendous mistake, because it would have concentrated too much information in one place.)

I call records such as banks’ ATM archives hot files . They are juicy, they reveal unexpected information, and they exist largely outside the scope of most people’s understanding.

Over the past 15 years, we’ve seen a growing use of hot files. One of the earliest cases that I remember occurred in the 1980s, when investigators for the U.S. Drug Enforcement Agency started scanning through the records of lawn-and-garden stores and correlating the information with data dumps from electric companies. The DEA project was called Operation Green Merchant; by 1993, the DEA, together with state and local authorities, had seized nearly 4,000 growing operations, arrested more than 1,500 violators, and frozen millions of dollars in illicitly acquired profits and assets.^[3] Critics charged that the program was a dragnet that caught both the innocent and the guilty. The investigators were searching out people who were clandestinely raising marijuana in their basements. While the agents did find some pot farmers, they also raided quite a few innocent gardeners—including one who lived next to an editor at the New York Times. The Times eventually wrote an editorial, but it didn’t stop the DEA’s practices.

Americans got another dose of hot file surprise in the fall of 1987, when President Ronald Reagan nominated Judge Robert Bork to the Supreme Court of the United States. Bork’s nomination was fiercely opposed by women’s groups, who said that the judge had a history of ruling against women’s issues; they feared that Bork would be the deciding vote to help the Court overturn a woman’s right to an abortion. Looking for dirt, a journalist from Washington, D.C.’s liberal City Paper visited a video rental store in Bork’s neighborhood and obtained a printout from the store’s computer of every movie that Bork had ever rented there. The journalist had hoped that Bork would be renting pornographic films. As it turned out, Bork’s tastes in video veered towards mild fare: the 146 videos listed on the printout were mostly Disney movies and Hitchcock films.

Nevertheless, Bork’s reputation was still somewhat damaged. Some accounts of the Bork story that have been published and many off-handed remarks at cocktail parties often omit the fact that the journalist came up empty in the search for pornography. Instead, these accounts erroneously give the impression that Bork was a fan of porn, or at least allow the reader to draw that conclusion.

The problem with hot files, then, is that they are too hot: on the one hand, they reveal information about us that many people think a dignified society keeps private; on the other hand, they are easily misinterpreted. And it turns out that these records are also easily faked: if the clerk at the video rental store had wanted to do so, that person could easily have added a few dozen porno flicks to the record, and nobody could have proved that the record had been faked.

As computerized record-keeping systems become more prevalent in our society, we are likely to see more and more cases in which the raw data collected by these systems for one purpose is used for another. Indeed, advancing technology makes such releases all the more likely. In the past, computer systems simply could not store all of the information that they could collect: it was necessary to design systems so that they would periodically discard data when it was no longer needed. But today, with the dramatic developments in data storage technology, it’s easy to store information for months or years after it is no longer needed. As a result, computers are now retaining an increasingly more complete record of our lives—as they did with Judge Bork’s video rental records. Ask yourself this: what business did the video rental store have keeping a list of the movies that Bork had rented, after the movies had been returned?

This sea of records is creating a new standard of accountability for our society. Instead of relying on trust or giving people the benefit of the doubt, we can now simply check the record and see who was right and who was wrong. The ready availability of personal information also makes things easier for crooks, stalkers, blackmail artists, con men, and others who are up to no good. One of the most dramatic cases was the murder of actress Rebecca Schaeffer in 1989. Schaeffer had gone to great lengths to protect her privacy. But a 19-year-old crazed fan, who allegedly wanted to meet her, hired a private investigator to find out her home address. The investigator went to California’s Department of Motor Vehicles, which at the time made vehicle registration information available to anyone who wanted it, since the information was part of the public record. The fan then went to Schaeffer’s house, waited for four hours, and shot her once in the chest when she opened her front door.^[4]

Another insidious problem with this data sea is something I call false data syndrome . Because much of the information in the data sea is correct, we are predisposed to believe that it is all correct—a dangerous assumption that is all too easy to make. The purveyors of the information themselves often encourage this kind of sloppy thinking by failing to acknowledge the shortcomings of their systems.

For example, in 1997, the telephone company NYNEX (now part of Bell Atlantic) launched an aggressive campaign to sell the new Caller ID service to its subscribers. With the headline “See Who’s Calling Before You Pick Up the Phone,” the advertisement read:

Clearly, NYNEX was confusing human identities with telephone numbers. Caller ID doesn’t show the telephone number that belongs to the person who is making the call—it shows the number of the telephone from which the call is being placed. So-called “enhanced” Caller ID services that display a name and number don’t really display the caller’s name—they display the name of the person who is listed in the telephone book. If I make an obscene call from your house during a party, or if I use your telephone to make a threat on the life of the president of the United States (a federal crime), Caller ID will say that you are the culprit—not me.

Nobody set out to build a society in which the most minute details of everyday life are permanently recorded for posterity. But this is the future that we are marching towards, thanks to a variety of social, economic, and technological factors.

Humans are born collectors. Psychologically, it’s much easier to hold on to something than to throw it away. This is all the more true for data. Nobody really feels comfortable erasing business correspondence or destroying old records—you never know when something might be useful. Advancing technology is making it possible to realize our collective dream of never throwing anything away—or at least never throwing away a piece of information.

The first computer that I bought in 1978 stored information on cassette tapes. I could fit 200 kilobytes on a 30-minute cassette, if I was lucky. The computer that I use today has an internal hard disk that can store 6 gigabytes of information—a 30,000-fold increase in just two decades. And this story is hardly unique: all over the world, businesses, governments, and individuals have seen similar improvements in their ability to store data. As a civilization, we’ve used this newfound ability to store more and more minute details of everyday existence. We are building the world’s datasphere: a body of information that describes the Earth and our actions upon it.

Building the world’s datasphere is a three-step process—one that we’ve been blindly following without considering its ramifications for the future of privacy. First, industrialized society creates new opportunities for data collection. Next, we dramatically increase the ease of automatically capturing information into a computer. The final step is to arrange this information into a large-scale database so it can be easily retrieved at a moment’s notice.

Once the day-to-day events of our lives are systematically captured in a machine-readable format, this information takes on a life of its own. It finds new uses. It becomes indispensable in business operations. And it often flows from computer to computer, from business to business, and between industry and government. If we don’t step back and stop the collection and release of this data, we’ll soon have a world in which every moment and every action is permanently “on the record.”

Step 2: Make Data machine-readable

Automatic data collection is the second big step needed to create the datasphere. Automated systems read a piece of information and feed it directly into a computer, without human intervention. Although automated systems can be expensive to set up, once they are operational, they dramatically lower the cost of data collection, making it possible to create huge data sets and to keep them up to date. As a result, when a few major players in an industry start to adopt an automated system, the entire industry quickly follows.

The U.S. banking industry was one of the first major segments of our economy to adopt machine-readable codes. In 1963, a few banks started printing checks using special magnetic ink, so that computers could automatically read the nine-digit bank routing numbers, account numbers, and check numbers stamped across each check’s bottom. It was a good idea: by 1969, 90% of the checks in the United States were printed with the shiny black numbers, greatly decreasing the time

Intel’s Psn

A tracking number that has had a very rough start is the Processor Serial Number (PSN) that Intel introduced with its Pentium III microprocessor. Intel originally designed the serial number in the Pentium III microprocessor to help the company detect “over-clocking” of CPUs (i.e., when a 500 MHz chip is sold as a 600 MHz chip) and to help large companies track computers as they move around through an organization. When upper management found out about the feature, the PSN was given an “e-commerce” spin—Intel suggested that web sites could use special software to read the PSN of their customers’ computers over the Internet.

When Intel announced the PSN in January 1999, the company decided to emphasize the “e-commerce” feature, rather than the asset-tracking capability. Within a week, several consumer groups organized a boycott against the microprocessor, saying that the more likely use of the PSN would be to silently track Internet users as they click through web sites. Meanwhile, cryptography expert Bruce Schneier published a scathing article in which he attacked the PSN because it was a number that could not be obtained in a secure fashion. He wrote:

If a remote Web site queries a processor ID, it has no way of knowing whether the number it gets back is a real ID or a forged ID. Likewise, if a piece of software queries its processor’s ID, it has no way of knowing whether the number it gets back is the real ID or whether a patch in the operating system trapped the call and responded with a fake ID. Because Intel didn’t bother creating a secure way to query the ID, it will be easy to break the security.^[7]

required to process them.^[8] In the 1970s, the banking industry started adding magnetic strips to credit cards so the little pieces of plastic could be swiped through a reader. Before then, the numbers had to be manually entered into a computer after they were transferred to a credit card slip using a piece of carbon paper and a roller.

Other industries have been slower to adopt machine-readable systems. It wasn’t until the mid-1990s that General Motors started supplementing the original VIN plates with machine-readable bar codes. Unlike the old VIN, which could only be read up close by a human, the new bar code can be read from more than 20 feet away using a high-speed laser scanner. Once in place, the bar code VIN quickly gained adherents. One company that jumped on the bandwagon was the car rental agency Avis, which now uses laser scanners to automatically track cars as they are returned at the company’s drop-off locations. In the coming years, these machine-readable VINs will increasingly be a part of most drivers’ lives. For example, urban garages might use the bar codes to automatically open gates for their monthly patrons. Other

Figure 4-1. License Plate Reader

Electronic tags aren’t the only way to track a vehicle on the open road. The U.S. Customs Service has deployed license plate readers at many border crossings between the U.S. and Canada. These systems use a high-resolution video camera to locate and capture the image of a car’s license plate in just milliseconds. From that image, the Perceptics license plate reader can determine both the plate’s number and the issuing state or province. Says the company, “With our License Plate Reader, every highway is an open book.” [Photos courtesy Perceptics]

companies have developed computerized vision systems that can read the license plate of a stopped or moving car, creating another system for automatically identifying automobiles at a distance.

Moving away from magnetic and optical systems, the newest machine-readable tags are scanned using radio waves. The technology, called RFID (short for Radio Frequency Identification Device), consists of two parts: a tiny silicon chip with a small radio antenna, called the tag, and a gun-shaped reader. Each chip is manufactured with a unique code. Point the reader at the chip, and the chip’s code appears on the reader’s display. The code is also sent to an attached computer.

Figure 4-2. Radio Frequency Identification Devices

Radio Frequency Identification Device (RFID) systems make it possible to embed a computer-readable serial number in an automobile, a gas cylinder, a pet, or even a human being. The system is based on an electronic tag that is stimulated using a low-energy radio signal. Once energized, the tag transmits its serial number. RFID tags are made by many different manufacturers; some RFID tags can be read from a distance of several feet. RIFD systems have been used for ski tags, employee badges, and tracking animals. A similar technology is used in most highway automatic toll collection systems. Since these systems are silent and passive, they can be read without the knowledge (or the consent) of the person carrying the radio tag.

Like other identification systems, RFID systems don’t actually identify a car, a pet, or a person: they simply identify the tag. And since no cryptography is employed by today’s RFID systems, an RFID identification response can be eavesdropped, falsified, or otherwise forged. The tags can also be read without the owner’s knowledge. Since today’s tags have no memory, there is no way to determine how many times a tag has been read, only by whom. Neither the producers nor the users of these systems seem to be concerned with the shortcomings of the security that these systems provide. [Photos courtesy Trovan]

The chips have no moving parts, no batteries to wear out, and an indefinite lifetime.

When you point an RFID reader at a transponder and pull the trigger, the gun fires a burst of radio frequency energy in the direction of the chip. The transponder’s antenna picks up this energy and converts it into an electric current, which powers both the transponder’s microchip and its tiny on-board radio transmitter. The transponder then sends back the chip’s unique code (today’s chips use a 64-bit code) on another radio frequency.

Several companies make RFID systems. One of the largest is Trovan, based in the United Kingdom. Trovan’s largest device is about the size of a quarter and can be read from two feet away; the smallest is the size of a grain of rice. Readable from 18 inches, the tiny tag is designed to be sewn into the lining of clothing for inventory tracking. Trovan also makes a special implantable tag which comes in a presterilized, ready-to-use disposable syringe; it can be tucked under the skin of an animal in less than 20 seconds.^[9]

In England, Yamaha dealers are using Trovan to help fight motorcycle theft. For U.K.$65 (about U.S.$100), you can have Trovan chips implanted into your bike’s frame, wheels, tank, and seat. If the bike is stolen or stripped, the parts can be identified when somebody comes in trying to sell them.

In the United States, RFID systems are being used for asset management—a technique through which businesses cut costs by carefully managing the items they have already bought. One application is the tracking of gas cylinders. By drilling a small hole in the neck of the gas cylinder and dropping in an RFID device, it becomes possible to accurately track the location of each cylinder as it is moved between the plant and the customer. Other companies have embedded RFID devices in hand-held tools, which workers are then required to check out and check back in like library books.

Meanwhile, implantable tags are being used by zoos around the world to track exotic animals. And in North America, they’re being used to track pets: by the summer of 1997, at least 200,000 cats and dogs in the U.S. had been implanted with some form of RFID. Several companies now operate a national database that matches the pets’ chip ID numbers with their owners’ names, addresses, and phone numbers, alongside the chip’s identification code. Organizations like the ASPCA in New York City, San Diego County in California, and the cities of Minneapolis and St. Paul are buying readers. Stray animals found on the street are now being scanned when they are brought to a shelter.

As these cases show, the power of RFID is that once the radio tag is implanted into an object, the tag becomes a part of that object. A serial number that’s on a gun can be filed down or etched away with acid. Cars can be stripped of their VINs. Tattoos can be overgrown with hair, or simply covered by clothing. But put a chip on the inside and the serial number becomes invisible, indelible, and detectable at a distance.

Although the obvious motivation for tracking is to prevent loss, other advantages of increased control and knowledge soon come to light. Some U.S. farmers have discovered that once an animal is given a serial number, it becomes possible to keep highly accurate long-term records. By tracking an animal from birth to slaughter, keeping detailed records of each animal’s vaccination history, feed, weight, and handling, and even performing an occasional ultrasound scan, farmers can apply scientific management techniques to their overall operation. Ultimately, the extra work can increase the market value of an animal by approximately $700 to $1000. Meanwhile, the U.S. Department of Agriculture may soon mandate the electronic tracking of cattle in order to combat disease.^[10]

Probably the largest database in the world today is the collection of web pages on the Internet. While much of the Web is filled with pornographic images, magazine articles, and product advertisements, there is a staggering amount of personal information as well: individual home pages, email messages, and postings to the Usenet. This record can be automatically searched for revealing disclosures, unintentional admissions of guilt, or other kinds of potentially valuable information.

Back before the explosive growth of the World Wide Web , Rick Gates, a student and lecturer at the University of Arizona, was interested in exploring the limits of the Internet database. In September 1992, he created the Internet Hunt, a monthly scavenger hunt for information on the Net. Early hunts had the participants locate satellite weather photographs or the text to White House speeches. The hunt was especially popular among librarians, who were at the time trying to make the case that the Internet could be a valuable reference tool.

Figure 4-3. Electronic Toll Collection

This statement from the Orlando-Orange County Expressway Authority shows the comings and goings of a car as it travels along the state’s expressway system. The cars are tracked using a passive electronic tag that is placed on the windshield or under the car’s frame. Although the E-Pass is designed for automatic toll collection, the system can also be used to precisely calculate the speed of automobiles, track cars that are stolen, or even snoop on errant spouses. In the future, these records could be used for marketing as well. Automatic toll collection systems create a goldmine of private information. Nevertheless, there have been few public discussions on the appropriate uses of this data. [Statement courtesy Orlando-Orange County Expressway Authority]

In June 1993, Gates decided to have a different kind of hunt. It was the first where the goal was simply to find as much information as possible about the person behind an email address.

In one week the hunt’s 32 teams eventually discovered 148 different pieces of information about the life of Ross Stapleton.^[16] A computer at the University of Michigan reported that Stapleton had B.A. degrees in Russian Language and Literature and Computer Science. A computer at the University of Arizona reported that he had a Ph.D. in Management Information Systems. A computer operated by the U.S. Military’s Defense Data Network (DDN) Network Information Center divulged Stapleton’s current and previous addresses and phone numbers. And a brochure on a Gopher server operated by the Computer Professionals for Social Responsibility reported that Stapleton was one of the conference’s speakers—and that he was an analyst in the Office of Scientific and Weapons Research at the U.S. Central Intelligence Agency.

But the most revealing information the group assembled came from statements Stapleton himself had made. By scanning messages he had sent to the COM-PRIV mailing list—ironically, a mailing list devoted to privacy issues—the group learned that Stapleton used the OS/2 operating system and didn’t have a fax machine. They learned that he was also affiliated with Georgetown University, where he was an adjunct professor and taught courses on the Information Age. They discovered that Stapleton subscribed to the Arlington Journal, the Chronicle of Higher Education, and Prodigy. He was a member of the AAASS (American Association for the Advancement of Slavic Studies). His Cleveland Freenet Membership number was #ak287.

From the dedication in Stapleton’s thesis dissertation, “Personal Computing in the CEMA Community,” the hunters discovered that Stapleton’s parents were named Tom and Shirle. From the heading of another mail message he sent, they discovered that he was engaged, and that his fiancée’s name was Sarah Gray. Transcripts of Stapleton’s comments at the Second Conference on Computers, Freedom, and Privacy were also unearthed.^[17]

“Stepping back a bit and taking the hunt results as a whole, one can see that there’s an awful lot of information that can be found on someone, even when restricted to freely accessible, publicly available Nets,” said organizer Rick Gates in his report on the hunt. “I hope that people keep that in mind when they are posting to an email listserv or newsgroup. They are really adding to the sum total of the Nets, and what they have to say in some limited discussion of an [obscure] topic may be around for a long time.”

An odd side effect of the global database is that it is easier to seek out information on people who have unique or unusual names. For instance, I tried searching the Internet in February 1998 for the phrase “Tom and Shirle.” HotBot, an Internet search engine, found the word “Tom” on 1,833,334 pages and the word “And” on 63,502,825 pages. But the word “Shirle” was on just 333 pages, and the phrase “Tom and Shirle” was on six pages—all of which, it turns out, were copies of Gates’s June 1993 report.

“I was pleasantly surprised to see the amount of information that I myself put out that they managed to find,” said Stapleton when I interviewed him for this chapter. “Nothing came out during the hunt that I would have said alarmed me.” But Stapleton had been worried that somebody at the CIA might be angry that he had revealed his name and employer in so many public forums. “It was only going to be a matter of time before somebody at work said, ‘Hey, what have you been doing?’”

Perhaps what’s most remarkable about the June 1993 Internet Hunt is that it no longer seems remarkable that such a detailed profile of a person could be constructed from publicly available sources. The explosion of online information sources, combined with advertiser-supported search-and-retrieval services like Yahoo, Lycos, and AltaVista, have made it possible to easily assemble these kinds of detailed profiles. Indeed, several services, such as DejaNews and HotBot, specifically advertise this ability.

Posts to email forums, Usenet groups, and online chat services are all different kinds of public statements . Most people who decide to take their place in cyberspace eventually start making these statements. And these statements are not like any others ever uttered in the course of human history. In the past, statements made in public were frequently lost. Yes, they could be recorded, but those records were almost always hard to retrieve, or even inaccessible. An angry farmer might speak up at a town meeting and have his name recorded in the minutes, but ten years later, somebody trying to do a background investigation on that farmer would be unlikely to find his remarks—especially if the farmer had moved to Seattle and started a new life as a programmer at Microsoft. Letters written to newspapers in the 1950s, 1960s, 1970s, and 1980s were certainly published for everybody to see, but they were rarely indexed in computerized databanks and made instantly available anywhere in the world.

This new generation of public statements is quantitatively different from anything that has ever come before. These are public statements that can be instantly searched out by a prospective employer, by a person with whom you have just had your first date, or by a coworker who means you harm. And once you’ve made a statement, it is out of your control: retraction has become an impossibility.

It is this search capability that is creating a new kind of absolute accountability. It’s a simple matter to use the Internet’s searching capabilities to get a list of people who have admitted to taking LSD, or who have used racist slurs in print, or who have a history of organizing for labor unions. Says Stapleton, “It’s increasingly easy for someone in an HR department to say—'Look, Joe here says that skydiving is cool. Do we want to carry him on the rolls considering that he might die? Jane here is in a lifestyle that the chairman might not find attractive. We might not want to put her forward for the public affairs spot.’ I don’t have any public activities that I don’t want to post about. If I did, I would be very cautious.”

Ultimately, the wide availability of this information might create powerful new social filters through which only the boring and reserved will be able to pass. The existence of this information makes opinionated people vulnerable to all sorts of malicious attacks. Pervasive recording and indexing of public statements might keep the best and the brightest from ever holding elected office.

The end of the 1993 Internet Hunt report contains this prescient note: “In short, we’re dealing with a unique medium here. It sort of feels like verbal discussion, but it’s a lot more enduring, and can reach millions of people.”

Ironically, Gates’ report endures to this day, and will probably endure for decades more. That’s because digitized text is very portable, very compact, and very easy to search. Although the original computer on which he typed and posted his message has long since been retired, the data has been copied again and again and again.

On April 14, 1999, computer maker Hewlett-Packard ran a three-page advertisement in the Wall Street Journal. The first two pages were a massive black-and-white spread showing a rather well-kept garage with a big empty space in the middle. A car has recently been removed. The text reads:

Hewlett-Packard’s vision of an active world begins to hint at the not-so-benevolent future that could await us. Why does the HP chip in the Jaguar block the daughter’s attempt to speed, but not her parents'? Why does the parent get the phone call from the car, and not the local police? Why isn’t the insurance company notified about the unsafe driver? Why doesn’t the car’s dealer get a report of the speeding and use it to invalidate the warranty on the car’s transmission? Perhaps the next chapter of the Internet will allow automobiles to automatically deduct the cost of a speeding ticket directly from your bank account, without the added cost to society of having a police officer chase you down.

Why should you, the data subject, control the data shadow of everything you do today?

Faster machines, bigger hard disks, and intelligent database systems are all ultimately big threats to privacy. While the ability of computers to store information is increasing at something between 60% and 70% per year, the world’s population is only increasing at 1.6%. All things being equal, over time, an increasing percentage of our daily activities will be captured by the world’s datasphere.

So what’s the answer? Are we facing a future in which all of our lives need to be read like an open book, in which all of our secrets are kept inside glass file cabinets? Will we be increasingly monitored by our neighbors, our family, and even our machines, until we are all living inside a transparent society? Perhaps. But we do have a choice. We cannot turn back the clock, but we can build a world in which sensitive data is respected and kept private.

Take the case of Judge Bork. The journalist who pulled Bork’s video rental records triggered a series of hearings on Capitol Hill. Cynics said that the senators and congressmen were worried that their own video records might suddenly become fair game—and that the legislators, unlike Bork, had something to hide. But whatever their reason, the hearings revealed that the Bork incident was far from isolated. “Various examples of demands for video transactional records were mentioned [in the hearings], including an attempt to use video tape records to show that a spouse was an unfit parent, and a defendant in a child molestation case who wanted to show that the child’s accusations were based on movies viewed at home,” reported the Department of Commerce.^[19]

Those hearings weren’t idle chat. Before the end of that legislative session, Congress passed and President Bush signed the Video Privacy Protection Act of 1988 (18 USC 2710). Under the law, “A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer” who rents or purchases a videotape is liable for civil action consisting of statutory actual damages of $2,500, punitive damages, reasonable attorney’s fees, and any other relief that the court may deem appropriate. By forbidding your local video store from giving out the titles of the movies you rent (without a court order, that is), the act took video rental records off the table. And by defining statutory damages, Congress eliminated a problem that plagues many privacy suits: the need to prove real damages. Furthermore, by allowing an aggrieved individual to sue for reasonable attorney’s fees and other litigation costs, Congress assured that lawyers would be willing to take such cases on a contingency basis.

In many ways, the 1988 law didn’t go far enough—it permits video stores to maintain rental records after tapes are returned, rather than requiring that the records be destroyed. The law also allows video rental companies to distill individual rental records into aggregate information, which could then be used as the basis of privacy violations. Nevertheless, the Video Privacy Protection Act has been stunningly effective. Violations of the law are extremely rare. Americans know that they can rent whatever videos they wish and not be forced to answer to anybody.

The Video Privacy Protection Act proves what many privacy advocates have been saying since the 1960s: the free market and voluntary privacy standards are frequently not sufficient to protect consumer privacy. An editorial that appeared in USA Today put it this way: “While voluntary compliance might be preferable in an ideal world, it’s not likely to work in the real world. The reality is that the absence of government prodding has resulted in too many companies doing too little to protect consumers’ privacy rights.”^[20]

Many businesses collect large amounts of personal information in the course of day-to-day operations. But just because the data has been collected, it doesn’t follow that the business has the right to make it publicly available, sell it on the open market, or use it for marketing. Data can be taken off the table. Strong privacy laws give businesses the incentive to do so.

An equally valid way to protect privacy is to prevent the accumulation of personal information in the first place. For example, instead of building an Electronic Toll Collection system that keeps account balances and toll-crossing information in a central database, it’s possible to build anonymous toll-collection systems. These systems are based on smart cards and use a form of digital cash for the toll payments. The smart card in these systems can be programmed to keep a record of each toll crossing, for the driver’s own use, or they can be programmed to throw this information away. Distributed smart card systems can be cheaper to build and operate than those based on massive centralized computers. Unfortunately, they are less popular—apparently because the technology is more difficult to explain to decision makers.

Overall, an informed and organized citizenry rarely fails to push through strong privacy measures. Consider Hong Kong: in the mid- 1980s, Hong Kong’s colonial government built a sophisticated system for electronic road pricing. Shortly after the system was deployed, drivers began receiving statements showing where and when they had traveled—and they became alarmed. Fearing that the system could be used to track people for political purposes, especially after the 1997 handover of Hong Kong to the Chinese mainland, the citizens succeeded in having the system shut down.^[21]

Failing responsible decision makers, there is always direct action. When people discover that their information is being used against them, they rebel — either by intentionally withholding their information, or by explicitly planting false data into the system. For example, many Internet users have responded to the problem of unsolicited junk email, also known as spam, by using mangled email addresses on their web pages and in their news postings. More people are using fake or intentionally misspelled names when subscribing to magazines. And many people use cash, rather than credit cards, even when it is inconvenient to do so. If these measures are not sufficient, even more aggressive techniques are likely to follow.