By Andrew Cohen
As privacy issues increasingly consume the public, Jennifer Urban ’00 was a fitting choice to present UC Berkeley’s Benjamin Ide Wheeler Society Lecture, a prestigious honor given to one university faculty member each year.
A Berkeley Law professor and chair of the California Privacy Protection Agency, Urban is a renowned expert on privacy and its growing importance amid technology’s expanding reach. On July 19, her lecture titled “Privacy of the People, for the People, and by the People?” illuminated the arc of privacy awareness — and importance — to Americans.
Director of policy initiatives at the Samuelson Law, Technology & Public Policy Clinic, Urban explained how the 21st century began with a myth that people didn’t value privacy much, and were willing to trade a good part of their personal privacy for convenient free services, personalized advertising and, on the heels of 9/11, government protection against external threats. But that myth was never the true or full story, she said.
Instead, as media attention on corporate privacy violations and government surveillance grew, it became clear that the public did care about privacy. Growing understanding — and outrage — sparked demands for greater privacy, including broad legislative efforts to pass comprehensive laws.
Noting that privacy is now “poised at a watershed,” Urban addressed the public backlash against invasive practices, whether current attempts to address it are responsive to public concerns, and the challenges facing efforts to protect privacy rights in a data-hungry age.
“Privacy is something we’ve gotten wrong for awhile — in part because it’s been passed off as ‘of’ or ‘for’ the people when this has not actually been true. But today, privacy is something we may be beginning to get right,” she said. “I believe that privacy policy is democratizing after a long sojourn outside the apparent reach of ordinary folks, and we’re at a point where the decisions of the people are crucial. In other words, privacy can be and must be ‘by the people’ again.”
Early free-for-all
As new technologies allowed information collection, sharing, and use on an unprecedented scale at the turn of the century, “Privacy issues didn’t seem to be of interest to the press,” Urban said.
“There were few scholars focused on privacy … Public interest organizations understandably were focused on what were seen as more immediate and concrete needs: housing, food, medical care. Even civil liberties organizations were mainly focused on government activity: ‘Big Brother’ rather than ‘Little Brother.’”
Because many of the new technologies were rapidly adopted by the public, the fallacious but prevailing narrative, she explained, held that privacy was of little value to consumers who willingly sacrificed it for convenience and connection, especially on social media sites.
“Consumers, especially young people, seemed to many to be insisting on ‘free’ and caring not about privacy,” Urban said, noting that in reality, long and convoluted privacy agreements deterred people from learning the implications of their online activity, and consumer choices were often limited.
The public’s relationship to its government also shaped the landscape, she argued. The Patriot Act was passed only 45 days after 9/11, after revelations that law enforcement and intelligence agencies had failed to share information and connect the dots before the attack.
Urban described how it became a compelling argument to say more information-gathering, surveillance, and observation was necessary to prevent another attack. Security priorities were elevated, and privacy concerns devalued.
Tech targeting
As technology innovations enabled storing and analyzing larger amounts of information at lower costs, targeted advertising — personalized to individual consumers and tailored to the worries, desires, and general preferences embedded in all they posted — exploded. As did the misguided notion that people cared little about online privacy.
While public awareness grew regarding how much personal information was exposed online, so did privacy scholarship. Urban said UC Berkeley played a major role in this development, citing the influence of colleague Deirdre Mulligan (the Samuelson Clinic’s first director, whose research helped prod California to pass the nation’s first data-breach legislation in 2002).
Urban also hailed the work of fellow Berkeley Law professors Pamela Samuelson on data rights management systems that sought to track copyrighted works, Chris Hoofnagle on the practice of Flash-based cookies tracking consumers and respawning after being deleted, and Paul Schwartz on the alarming accessibility to people’s personally identifiable information.
Even with this flood of pathbreaking scholarship and growing public recognition fueling a “return of vocal public demand for better terms,” Urban said people may still feel helpless in trying to navigate enormously complex, lengthy privacy policies.
She sees California offering hope with its “long tradition of leading the United States in privacy and data protection.” The state provides an explicit right to privacy in its Constitution, which can be enforced against both public and private actors.
Also, the California Consumer Privacy Act of 2018, America’s first comprehensive consumer privacy law, was strengthened with more protections through a 2020 citizen ballot initiative. With these laws, Californians now have the right to access their personal information held by many companies, opt out of the sale of their personal information, and other rights. Connecticut, Colorado, Virginia, and Utah recently followed California’s lead in bolstering privacy measures.
Quoting the late privacy law scholar Alan Westin to close her remarks, Urban said: “He presciently wrote: ‘The real need is to move from public awareness of the problem to a sensitive discussion of what can be done to protect privacy in an age when so many forces of science, technology, environment, and society press against it from all sides.’”