ARLINGTON, Virginia – Larry Ribstein and Bruce Kobayashi are nothing if not ambitious. They hope to reshape the way Washington thinks about privacy.
Even though many observers of Capitol Hill assume the new Congress will approve regulations aimed at Internet firms, the two George Mason University law professors are betting that legislators can be persuaded to try a more laissez-faire approach.
Instead of the Senate and the House enacting laws, they argue in a paper published this week that state legislatures should be making the decisions. Says Ribstein: "Federal law hasn't turned out to be a salvation in other areas."
Their efforts are part of a nascent – although fast-growing – effort by conservatives and libertarians to target online privacy laws using many of the same tools, strategies, and alliances they've used to battle federal environmental, education, and gun regulations in the past.
On Tuesday, the American Enterprise Institute's Federalism Project convened an invitation-only roundtable where Kobayashi and Ribstein presented their paper to an influential audience that included former OECD ambassador David Aaron, Yale law professor Roberta Romano, Michael Quaranta of Experian, and Bill Niskanen, chairman of the Cato Institute.
AEI's Federalism Project argues that the U.S. national government is an institution that has usurped powers not delegated to it in the Constitution – those powers should rightfully be reserved for states. One 1995 case is a favorite: U.S. v. Lopez, in which the Supreme Court overturned a federal gun law by ruling it "exceeds Congress' Commerce Clause authority."
Still, privacy-federalists realize that not only are they facing a difficult task in Congress – Republicans seem to like data collection laws almost as much as Democrats – but public opinion is not on their side. Even President Bush's advisors said on the campaign trail Bush might favor an opt-in rule for corporate data collection, and a recent policy outline circulated in conservative circles echoes that view.
Some corporations, often the allies of free-marketeers, have begun to say they'd rather have one uniform national law than risk the uncertainty of many state rules. The American Electronics Association (AEA) this month endorsed an anti-federalist approach, asking for federal laws to pre-empt state ones. So did Hewlett-Packard's Carly Fiorina last year.
"This is an ideological battle that they have lost," Marc Rotenberg, director of the Electronic Privacy Information Center (EPIC), said of free-market groups. "This is why you see the AEA come out in favor of privacy legislation."
"I think the free market people are basically paying the price for having engaged in an extended exercise of historical amnesia over the last several years – which ignored the very important rule that privacy rights and law have played in establishing consumer confidence in services involving new technologies," says Rotenberg, who favors federal legislation.
Kobayashi and Ribstein, the professors at George Mason University – which is well-known for its law and economics program – don't see things the same way.
Their 43-page paper says: "Federal law would perversely lock in a single regulatory framework while Internet technology is still rapidly evolving. State law, by contrast, emerges from 51 laboratories (50 states, plus the District of Columbia) and therefore presents a more decentralized model that fits the evolving nature of the Internet."
They predict that some states will try different approaches – ways to require disclosure of privacy practices – and some will demand more regulations than others.
"State law allows for a variety of approaches and facilitates legal experimentation and evolution as well as competition among diverse regimes," the paper says.
In response to complaints about 51 different privacy regulations, they offer a simple, if controversial, solution: Courts should enforce choice of law and choice of forum clauses in privacy policies.
What that means is that if a California resident signs up for AOL service and later sues the company for privacy violations or other wrongdoing, the case must be brought in a Virginia courtroom. Companies would only have to abide by the law of the state where they place their website or headquarters, and some states would become known as pro-business jurisdictions for the Internet, just as Delaware is for incorporating.
"We have had a hard time convincing the people we really want to convince," admits Ribstein. "There are some unpretty aspects of state law. But whatever the Feds do, the states are going to rear their ugly heads."
Kobayashi, an economist by training, predicts that a federal privacy law will give corporations a false sense of security. "The attorneys general are bringing all these cases based on fraud," he says. "And fraud is not preempted under those federal bills. The attorneys general won't be prevented (from continuing)."
Some free-market groups, however, think that Kobayashi and Ribstein are conceding too much to pro-federal regulation groups like EPIC, Junkbusters, or the American Civil Liberties Union.
"I don't share the assumption that there needs to be any regulation," says Solveig Singleton, an analyst at the Competitive Enterprise Institute (CEI). She says that companies already have ample incentive to protect their customers' privacy, and that even the states should back off.
"So far the privacy debate has been very unbalanced," Singleton says. "There's been a lot of hysteria. Our role will be to supply common-sense analysis and analysis of silly legislation." She plans to publish three papers this spring related to financial privacy, opt-in, and the benefits of information-sharing.
An informal group organized by Fran Smith, executive director of Consumer Alert – her husband Fred runs CEI – meets regularly to share notes and strategies on privacy issues from a free-market perspective.
The aptly named Federalist Society – which has GOP notables such as Bush superlawyer Ted Olson and former judge Robert Bork on its advisory board – is also weighing in on Internet privacy.
Eugene Meyer, the Federalist Society's executive director, said the group does not take positions on specific issues, but "what we do want to do is make sure some of these questions get raised."
Meyer is planning to include it in the program of a Mar. 9 and 10 conference in Berkeley, Calif.
Like CEI, the Cato Institute – Washington's largest libertarian think tank – is skeptical of either federal or state data collection regulations.
"Hands off across the board," says Wayne Crews, a Cato policy director.
The Pacific Research Institute (PRI) of San Francisco is taking a slightly different approach: Trying to persuade Silicon Valley not to compromise so readily.
"We're working with local groups like TRUSTe and TechNet to find ways to educate companies in the Valley about what governments are planning in respect to privacy issues," says Sonia Arrison, PRI's director of technology policy.
PRI participates in a 40-member "Silicon Forum" that meets regularly to bring together policy analysts and CEOs. Privacy is the topic of the next meeting, which is scheduled for Feb. 27 and features Ellen Hancock, CEO of Exodus.
"Most companies here in the Valley laugh when they're told that there have been bills proposed that outlaw cookies," Arrison says. "But it's not a laughing matter – if companies don't take government actions seriously, the entire industry will suffer. Just look at what ignoring the government did for Microsoft."
