digital fingerprint

There are very few actions as immediately and obviously intrusive as having your mail read. No matter your age or place — or how much you still use physical mail — the right to private communications is an established social norm. Whether I send a letter, text, or email, I expect no one but the intended recipient to read it. This is particularly true for communications that go through certain privileged positions: attorneys, doctors, and, of course, anyone who delivers messages for another. A “common law” right to privacy around certain forms of communication has thus developed, adapting to every new form of technology that comes along.

The state of Maine was following this principle when the governor signed an online privacy protection bill in 2019. Internet service providers (ISPs), who transmit millions of messages each day, have access to large amounts of data — and metadata — about their subscribers. The new law requires ISPs to get consent from their subscribers before using or selling subscriber data. Not surprisingly, ISPs and their trade associations challenged the law in federal court claiming, among other things, that Maine’s ISP privacy statute violates the First Amendment.

Public Knowledge filed an amicus brief with the court, in support of Maine’s law. As we show in the brief, Maine’s law builds upon decades of established American legal principles — and common sense — about confidentiality. Traditionally, the discomfort felt when someone else read your messages or listened in on your phone calls was more than just an emotional response, but a violation of your legal rights and an invasion of your privacy. Each time technology changed, the law changed to protect privacy on the new communications technology. In the 19th century, when the telegraph became integral to commerce and important personal communications, courts and state legislatures formalized the right of privacy against telegraph operators as a form of implied contract. They must pick up our message, take it to the directed place, and — most importantly here — keep the message confidential. The same thing happened in the 20th century with the telephone, and later with cable. These are foundational ideas in American law that are part of our common law, sometimes defined by state legislatures, sometimes defined by common law courts, and more recently defined by Congress.

Despite this lengthy history, ISPs sued the state of Maine arguing that they have a First Amendment right to use the information that broadband subscribers expose to them as a result of using the ISP service. Because the subscriber’s internet access is routed through the ISP, the ISP has access to, among other things, details about message recipients and data use. Not only do they want to have access to all this subscriber information, but they want to use it however they see fit. And because the law limits their collection and usage of subscriber data, they argue that the law unconstitutionally prohibits their speech rights.

If the ISPs’ argument does not make sense to you, that’s because their reading of the First Amendment does not make sense either. There is no First Amendment right to monitor someone’s broadband communications, or to read their mail. If anything, people’s free expression interests are furthered by laws that protect them from having their private information misused.

Like doctors and lawyers, ISPs have privileged access to confidential customer information by virtue of the job they do. Americans understand that attorney-client privilege is one of the most important confidences under the law, similar to the responsibility that doctors have with patient information. These positions require a great deal of trust from the public. Doctors and lawyers hear sensitive information all the time, but we do not want them passing that on to others, or use that information for their own personal gain. To guarantee this confidence, the law allows greater oversight and requires confidentiality. These are long-standing responsibilities that have been folded into American law, and the duty of ISPs not to repeat information they gain because of their position should be viewed from that lens. ISPs are the modern equivalent of the telephone switchboard, given access to personal information because of the nature of the service. They can and should be required to uphold a duty of confidentiality regarding that information — but the ISPs in this case reject that. It would be outrageous to argue that the First Amendment rights of doctors are infringed despite confidentiality restrictions. However, this same confidence would be eroded if Maine’s law is struck down. Laws that protect client, patient, and fiduciary relationships might come under fire if we were to adopt the ISPs’ argument.

Not only that, but the ISPs’ argument ignores the relationship they have with subscribers. That relationship allows the ISP to communicate messages to their subscribers in the normal course of business, using certain information collected from subscribers. For example, the ISP can market a service extension to a subscriber whose contract is expiring. However, the ISPs are asking the court to expand this and allow the ISPs to use that information for other business activities that aren’t related to the subscriber’s service. If the Maine law is struck down, then ISPs can develop new products or to sell consumer data to other parties — something completely unrelated to why the subscriber signed up for the service in the first place.

It’s also important to note how metadata can fit together to create incredibly detailed images of a consumer. This is why it is important to have laws that restrict the final use of data, not just its collection. Without this, massive tech companies can still use legally-gathered information to uncover extremely personal information. Advertisers are very adept at identifying patterns and grouping consumers from very minor interactions — this is how, in one infamous example, Target identified a shopper was pregnant before she or her family knew. A pattern of purchases aligned with other consumers, and targeted advertising kicked in automatically. The key takeaway here is that the data collected by Target was completely legal and normal in their course of business. Privacy laws are insufficient if they do not limit the legal use of all information, metadata or otherwise, gathered from the consumer.

When consumers subscribe to an ISP service, they trust that the messages they send through that service will not be used against them. They trust that the ISP isn’t a courier opening their mail and then using that information to exploit them. They trust that the ISP isn’t collecting information about them and selling that to data aggregators. Unfortunately, this trust has often been misplaced and Maine is now stepping in and regulating in the absence of national direction. This law codifies common sense principles, and should be copied, not struck down.

 

Image credit: Flickr user Cerillion