Technology and the law: Will reasonableness be the ruin of privacy?
By: Alex Cameron

August 16, 2005

In a recent ID TRAIL MIX entry titled “A Society Drunk on Technology (or, A Luddite Commissioner Takes Stock)”, Frank Work, Information and Privacy Commissioner of Alberta, blogged some of his insightful observations about the nature of the relationship between technology and “the rules”. This is a fascinating area of inquiry and an essential one in the area of privacy. For this entry, I want to add a brief late-summer observation of my own.

Many modern technologies implicate privacy directly. Some technologies unquestionably enable privacy invasions – these are the key-loggers and other surreptitious surveillance technologies. Other technologies are ostensibly designed to protect against privacy invasions – these are our so-called “Privacy Enhancing Technologies” or “PETs”, such as encryption. Many other technologies lie somewhere in the middle, having some impact on privacy but perhaps an unintentional or peripheral one. Camera phones and RFID tags might fall into this middle category.

In addition to the kinds of direct effects listed above, however, technology can have fundamental implications for privacy law because of the way that most countries have chosen to regulate privacy. Setting aside the issues (and limitations) of consent-based privacy regulation, the use of reasonableness – and in particular the notion of a ‘reasonable expectation of privacy’ – permits technology to undermine the spirit of existing laws by continually influencing or changing the context in which those laws are interpreted. At the very least, this interaction between technology and law suggests that technology, rather than law, is the prime force charting our future privacy landscape.

In order to help understand this point, it is useful to first consider a non-privacy example – the use of geo-location technology by e-commerce businesses. Geo-location technology allows companies to determine the location of potential online customers with a reasonably high degree of accuracy. Knowing the location of a potential customer can be important for an e-commerce business that does not wish to do business in particular jurisdictions, perhaps they do not wish to be hauled into court or face potential legal liability in those jurisdictions. For example, Canadian visitors to the US-based site are met with the following message: “Thanks for visiting Movielink! Unfortunately, we do not offer our service in your region.” As geo-location technology becomes more widely available and adopted, companies may be judged in law according to whether or not they use it. If, for example, a major multi-national company did not use geo-location to limit the jurisdictions that it sells to online, and it could have done so, then that company may be found subject to the laws of all jurisdictions that it was selling to. This analysis may depend on the circumstances of particular cases as well as the extent to which effective geo-location technology is available and generally adopted. The important point is that the technology itself can be used to define the context in which the existing law is interpreted and even become an integral part of the legal test.

In the area of privacy, a similar issue may arise in the context of encryption technology. As it presently stands, most email users likely believe that their email communications are entirely private. That assumption may not always reflect reality (which is not important for the purposes of this blog entry). However, if encryption technology is a virtual guarantee of private email communications, then it is conceivable that future courts or legislators may hold that a person is not legally entitled to an objectively reasonable expectation of privacy in their email if they do not use encryption. This may of course depend on whether encryption technology is generally adopted, available and affordable.

In effect, what is happening here is that an unregulated change in technological context (e.g. the fact that emails can be intercepted and read unless individuals use encryption technology) is driving legal regulation in an area where the latter should arguably drive the former. For example, it is difficult to imagine that the widespread availability and adoption of key-loggers, digital camera phones or infra-red heat scanners, along with the failure of individuals to take technological counter-measures, should mean that we are entitled to less of an expectation of privacy. This is particularly true to the extent that our use of encryption and other privacy-enhancing technologies can be also used against us by suggesting to legal authorities that we must be hiding something. Violations of privacy are what the legal regulation was designed to protect against in the first place! We seemingly should not need to close our curtains in order to be entitled to a reasonable expectation of privacy (though some might suggest that our Supreme Court would have us build our homes with heat-proof walls!).

It seems to put the cart before the horse to allow the effective strength of the regulation (i.e. the reasonableness of the expectation of privacy) to be influenced so strongly and directly by a change in technological context. This effect is unavoidable to some degree but is a reminder that our laws may need to do a better job charting our privacy course, rather than leaving open the reasonableness door for unregulated technological innovation to do it for us. For example, the use of key-loggers today might be just the kind of thing our privacy laws attempt to stop. However, if key-loggers and privacy-protecting countermeasures are still around in even five years, one has to wonder whether they will influence the legal definition of our reasonable expectation of privacy, undermining what that expectation is and is intended to accomplish today.