By Lauren Barland LL.M. 2023
In today’s digital age, personal information can be bought, traded, and sold by anyone with an internet connection. From our health and dietary habits to our sexual and romantic preferences, companies are collecting sensitive data on a massive scale, posing significant threats to privacy. In her new book, The Fight for Privacy, Danielle Keats Citron argues that failure to adequately protect digital privacy could have a chilling effect on the public’s ability to exercise their first amendment rights to free expression.
According to Citron, intimate privacy is more than a consumer protection issue; it is a “precondition to love, friendship, and civic engagement.”1 This argument conflicts with the tension often found in scholarly discourse between freedom of expression and digital privacy. While many scholars argue that enhancing digital privacy regulations would hinder free speech, Citron believes that recognizing intimate privacy as a civil right will empower us to fully engage with the online apps and platforms that have become an integral part of our lives.
The first two sections of this article summarize arguments made by Citron in her new book The Fight for Privacy. The first section briefly outlines the various types of privacy violations addressed by Citron, while the second section focuses on her assertion that the existing legal framework is inadequate in addressing intimate privacy violations and highlights some of her proposed legal reform arguments. The third and final section addresses the scholarly discourse surrounding the conflict between free expression and increased privacy regulation, and concludes with Citron’s arguments that increased protection of intimate privacy enables individuals to freely express themselves.
I. The End of Privacy in an Increasingly Digitized Era
In The Fight for Privacy, Citron reveals that privacy is disappearing. She recounts that in July 2021, The Pillar, an online Catholic News website, published an investigation on Monsignor Jeffrey Burrill, the secretary general of the U.S Conference of Catholic Bishops.2 The investigation revealed that Burrill regularly used the LGBTQ dating app, Grindr, and disclosed that he had repeatedly visited gay bars when traveling for work.3 The Pillar revealed Burrill’s secret life and outed the priest by uncovering his sexual orientation.4 How did The Pillar obtain this sensitive information? In its investigation, The Pillar disclosed that it had obtained the information from a data broker.5 Grindr sold Burrill’s private data to advertising networks.6 These networks subsequently sold his information to a data broker.7 The Pillar then bought the information from the data broker and outed Burrill as gay. Each of these transactions was completely legal.
Citron explains that corporate surveillance has created “digital doppelgangers”8 and exposed the United States’s hidden data-broker industry.9 By 2020 approximately 4000 data brokers had obtained information about 98 percent of the American population.10 While the industry is legal, it poses serious issues about privacy. Data brokers often collect information on intimate aspects of an individual’s life, such as their health, sexual orientation, and dating history, and sell this information to companies, marketers, and insurers who use it to target advertising, assess risk, and make decisions about credit and employment.11 For example, BeenVerified.com, which claims to be the “Everyday Information Company,” sells information like social media records, names of romantic partners, and website browsing histories for $24.86 per month12 Citron also reveals that some data brokers sell lists of individuals who may have been raped, who may have HIV or AIDs, and who may have searched for abortion services.13
Corporate surveillance is not the only type of privacy invasion we face. Emerging surveillance technologies intended for personal use have enabled intimate privacy violations that disproportionately harm women and minorities.14 For example, cyberstalking apps, also known as stalkerware, can be installed on a person’s phone or computer to grant access to their text messages, videos, photos, and social media activity.15 In some cases, the technology even allows the activation of the device’s microphone or camera.16 Even after victims discover the presence of stalkerware, law enforcement often lacks the expertise needed to properly remove the cyberstalking app from the device.17 Citron discusses digital sexual identity fraud: “deepfake” technology manipulates pornography by superimposing an individual’s face on someone else’s naked body.18 Victims of these types of privacy violations experience severe trauma and a loss of control over their sexual autonomy. As Citron describes, victims feel “virtually raped.” 19
II. Intimate Privacy: A Missing Piece in the Civil Rights Puzzle
Intimate privacy encompasses the most personal aspects of who we are as people and how we live our lives. Citron defines intimate privacy as the “social norms” that govern the degree to which others can access our identities, aspirations, past experiences, and preferences.20 She argues that the recognition of intimate privacy as a civil right enables individuals to live freely and meaningfully.21 For Citron, this recognition is necessary to combat the insidious effects posed by privacy invasions.22
State and federal laws prohibit public and private entities from discriminating against individuals based on their race, age, national origin, religion, gender, disability, and sexual orientation.23 People have the right to secure work, education, loans, and housing regardless of who they are or where they come from.24 However, the harms caused by intimate privacy violations disproportionately impact women, LGBTQ individuals, and people of color. For example, the femtech industry offers a variety of apps designed to assist women in tracking various aspects of their reproductive health, including periods, fertility, pregnancies, miscarriages, and sexual habits.25 These apps invite women and young girls to disclose personal information such as medication usage, menstrual cycles, sex drives, moods and contraception choices.26 One popular period-tracking app, Flo, has 13 billion data points from its 30 million subscribers.27 Citron also notes the inadequate privacy protection these apps have in place, with studies revealing that the most popular femtech apps share data with “at least a half-dozen or more advertisers.”28
Citron argues that safeguarding intimate privacy as a civil right is consistent with historical reasons behind the protection of other civil rights.29 Intimate privacy is essential for individuals to thrive, socialize, and engage as citizens, and helps further equality since its violation is a common tool for discrimination and oppression. Importantly, recognizing intimate privacy as a civil right would communicate its moral significance to corporations, individuals, and the government.30 It would highlight the need for strong protection and serious consequences for its violations.31 Additionally, recognition as a civil right would address the unique and disproportionate harms that women and minorities face when their intimate privacy is breached.32 Citron explains that intimate privacy enables individuals to explore ideas, shape their identities, and forge relationships without the fear of being scrutinized or judged.33 The ability to reveal intimate aspects of ourselves on our terms is vital to our sense of autonomy over our lives and relationships.
Citron advocates for comprehensive legal reform. Current criminal, tort, contract, and consumer protection laws are inadequate in providing remedies for victims of intimate privacy violations, and fail to acknowledge the seriousness of these violations.34 For example, tort law only recognizes four privacy torts, none of which were designed to target the disclosure of an individuals’ personal data online.35 Moreover, the intangible nature of the harms associated with intimate privacy violations has led to the dismissal of plaintiffs’ claims in most cases.36 Civil claims such as negligence, breach of contract, and unfair and deceptive actions often require the showing of tangible injuries such as economic or physical damage.37 Narrow harm requirements pose a significant hurdle for victims of intimate privacy violations who often suffer from intangible harms such as a loss of autonomy or trust, anxiety, discrimination, or a damaged reputation.38 Furthermore, federal statutes regulating data collection practices are outdated and only apply to specific industries such as healthcare and financial services, leaving the broad data collection practices of private entities unaddressed.39 Although consumer protection laws require companies to disclose their data collection practices, they are not required to provide justifications for such practices.40 As long as companies have privacy policies and do not deceive consumers, the law permits them to collect and use intimate data.41 Tech companies are not required to explain their surveillance to legislators, courts, or agencies unless they are under investigation. Citron suggests that recognizing intimate privacy as a civil right would categorize its violation as presumptively but rebuttably unacceptable.
Citron also examines the role of Section 230 of the Communication Decency Act (CDA) in preventing victims from seeking relief from online platforms.42 Often considered the Internet’s First Amendment, Section 230 has facilitated growth of the online ecosystem. In 1996, Congress enacted the provision with the goal of creating online environments that would promote innovation and free speech while also incentivizing online platforms to moderate user generated content in good faith, without fear of legal liability.43 The statute affords two types of protection: it shields “interactive computer services” from liability as a “publisher or speaker” of third-party content, and it provides legal immunity to online providers who restrict user access to “objectionable” material deemed so in good faith.44 Citron describes Section 230 CDA as the reason why the internet is overflowing with everything from informative articles to restaurant reviews to non-consensual porn.45
According to Citron, US courts have misinterpreted Section 230 beyond its intended purpose: incentivizing platforms to moderate their content.46 Instead of providing legal immunity for platforms that moderate content in good faith, the provision has been used as a shield for “bad samaritans” that knowingly republish illegal content.47 In the case of Herrick v. Grindr, for example, the boyfriend of Jeremy Herrick created a fake profile on Grindr, impersonating Herrick and disclosed his address to others to act out rape fantasies.48 Despite Herrick’s multiple complaints and Grindr’s failure to take down the profile, the court ruled that Grindr was not liable under Section 230.49 The decision exemplifies the shortcomings of Section 230, which shields online platforms from being held accountable for the content posted by their users, even when platforms are aware of the harm caused by such content. Ultimately, Herrick was left without legal recourse against the company for the harm he suffered.50
Despite the demonstrated drawbacks of section 230, Citron believes that it should be fixed rather than scrapped altogether.51 She argues that laws aimed at individuals are not sufficient to protect intimate privacy as a civil right; companies and government entities must also be incentivised to do so.52 Specifically, she proposes amending Section 230 to reserve immunity only for platforms that act as “responsible guardians” of intimate privacy.53 In order to qualify for this immunity, online platforms would have to demonstrate that they have taken proactive steps in addressing the type of illegal content at issue.54 This would incentivize platforms to elaborate clear policies about the kinds of content prohibited, create roadmaps in combating illegal content, and empower users to report policy violations.55 Currently, content moderation practices of online platforms are lacking. Citron draws upon the example of Herrick’s case with Grindr: the application had no design in place that allowed the app to ban users in response to user complaints.56
III. A Never-Ending Conflict: The Relationship Between Privacy and Free Speech in Scholarly Discourse
The relationship between privacy and free speech is a contentious issue within scholarly discourse. Many scholars have criticized the expansion of privacy laws because of the possibility that they will hinder free speech. Eugene Volokh, an influential first amendment scholar, raised concerns about the increase of privacy legislation and its possible implications for free speech in the early 2000s. He explained that existing free speech doctrines are incompatible with privacy laws because it would be difficult for such laws to meet the strict scrutiny requirements of the First Amendment.57 For Volokh, the right to information privacy is a “right to have the government stop you from speaking about me,” but restriction of truthful speech is inconsistent with First Amendment principles.58 Volokh was not the only one who was skeptical about increasing privacy legislation.
Solveig Singleton, a former director of information studies at the Cato Institute, questioned whether there were functional differences between commercial tracking and gossip.59 She explained that although “gossip may be despised,” it is legal60 For Singleton, oral and email gossip was perfectly comparable to the collection of transactional data in the commercial sector.61 Both exchange information about reputation, behavior, and trustworthiness, which are crucial elements of human society.62 She suggested that the use of technologies like cookies have become a natural part of the functioning of the internet.63 Technologies used to collect personal information act as a natural substitute for the vast amount of information that people used to obtain through gossip.64 The similarities between gossip and consumer databases imply that there is no need to consider the growth of databases as a crisis.65 Singleton argues that collections of consumer data are more likely to be accurate than gossip because companies are incentivized to sell correct information to their customers.66 While Singleton conceded that the collection of personal information may make people uncomfortable, she believed any harm caused by this would likely not be greater than the harm that could result from vicious gossip.67
In 2014 law professor Jane Bambauer published Is Data Speech?, in which she argued that the mass collection of data by corporations is protected under the First Amendment, and that data collection is a form of expression.68 In her opinion, governments should not restrict data collection practices, but rather explore the ways in which data should be used.69 In recent years many interest groups and corporations have contributed to this discourse by using the First Amendment as a tool to challenge privacy regulations. In 2019, the Maine legislature passed legislation to protect consumer privacy by restricting internet service providers from using and sharing data without consumers’ consent.70 Advocacy groups challenged the law in Court, claiming it violated the First Amendment. In a 2021 lawsuit defending a claim from the ACLU, Clearview AI—a facial recognition company that collected billions of faceprints from public social media platforms—argued that the First Amendment protected the company’s right in doing so.71
Those who oppose restrictions on the collection, use, and sale of intimate data, as well as increased privacy protections, often fail to acknowledge the difference between limiting access to private information and restricting speech on matters of public interest. Protecting intimate privacy does not necessarily hinder public debate or the exchange of ideas; rather, it seeks to give individuals control over their personal information. The US Supreme Court recognized this difference in Snyder v. Phelps, ruling that speech on matters of public interest cannot be the basis of liability for emotional distress.72 Protecting an individual’s intimate privacy in the digital world does not stifle meaningful dialogue because the collection of intimate information by private entities such as facial recognition companies like Clearview AI are not matters of public interest.
Recent Supreme Court decisions, such as Carpenter v. The United States, reflect changing expectations of privacy in the digital age. 73 In Carpenter, the Court acknowledged that the government needs a warrant in order to access cell site location information generated by mobile phones.74 The Court recognized that persistent surveillance can provide an “intimate window into a person’s life,” revealing not only a person’s location but also familial, political, professional, religious, and sexual associations.75 Individuals expect that the privacy afforded in their home and personal effects are extended to their digital selves. 76
In her book, Citron presents a compelling argument that increased protection of intimate privacy can actually enable free expression. To fully enjoy our First Amendment rights of speech, intimate privacy must be protected. Citron suggests implementing measures such as restricted collection zones, consent requirements, and anti-discrimination policies to regulate the surveillance of personal information. These measures would not stifle free speech, but rather create a safe and secure environment for it to thrive.77 When individuals trust companies to prioritize their privacy, they are more likely to use those services to explore ideas and form close relationships.78 Intimate privacy is vital in leading a fulfilling life, allowing us to explore ourselves and others, experiment with new ideas, and redefine our identities in ways that feel authentic.79 When we can enjoy private spaces both online and offline, without fear of judgment, we are truly able to express ourselves.80 It empowers us to define and develop our sense of self, and to share that with others.81