Danielle Citron is a professor of law at the University of Virginia School of Law, where she specialises in privacy and civil rights. Her new book, The Fight for Privacy: Protecting Dignity, Identity and Love in Our Digital Age, outlines the 21st-century assault on privacy from “Spying Inc”, the companies, governments and individuals that seek to exploit and profit from our most sensitive data. She argues that intimate privacy should be enshrined as a civil right in the US.
We hear a lot about companies collecting our data, yet your book still manages to shock when revealing the extent of these practices. You highlight, for example, that our internet search history is essentially in the public realm and could be purchased by any motivated party. Also that the dating app Grindr was sharing information about users’ HIV statuses to third party data brokers before it got caught.
We don’t viscerally appreciate the ways in which companies and governments surveil our lives by amassing intimate information about our bodies, our health, our closest relationships, our sexual activities and our innermost thoughts. Companies are selling this information to data brokers, who are compiling dossiers with about 3,000 data points on each of us, including if we have been rape victims, use sex toys or have had abortions or miscarriages.
They score us on our likelihood to develop type 2 diabetes and heart disease or the likelihood that we’re going to be in a hospital in the next six months. They score us based on how long we stay on adult sites and what our sexual interests are. This information is used, for example, by third-party employment services that help employers weed through résumés or insurance providers. There are jobs we never interview for, or life insurance premiums we don’t realise are increased, because of this information.
One third of girls and women in the United States use period tracking apps and it can be weaponised against them
Is the situation similar in the UK?
The UK’s general data protection regulation requires consent before processing sensitive data and personal data and the UK’s Information Commissioner’s Office investigated the three biggest credit reference agencies. Two agreed to stop processing sensitive data and one won’t settle. But the ICO hasn’t investigated every one of the 1,000 data brokers. Protection by enforcement is spotty.
You write that this information is used by law enforcement in the US to build legal cases without the requirement for warrants or subpoenas. This practice is even more worrying following the recent overturning of Roe v Wade, with states now criminalising abortion. What kind of data is going to be weaponised against women?
If you travel across state lines or go to another town and visit a health provider or an abortion provider, your phone’s location data circumstantially tells the story that you’ve gone to get an abortion. If you go to a drugstore that same day, to get medication and sanitary pads, your purchases may be tracked. If you have a bonus card, for example, you’re getting “discounts” for your purchase history, which is stored and sold to advertisers and on to data brokers. One third of girls and women in the United States use period tracking apps and it can be weaponised against them. The story of a pregnancy and its termination is a story that’s told by data.
After the overturning of Roe v Wade, we’ve seen an attempt to pressure period tracking apps and internet companies to commit to protecting users against law enforcement. What kind of meaningful action could these companies take?
My view is that the law needs to step in to mandate no-collection and no-sale commitments, especially for reproductive health data and location data. They can process what’s necessary to give you a service, but they should not store the data, because then law enforcement wouldn’t be able to obtain it with a subpoena or warrant.
In the UK, the online safety bill hasn’t passed yet, so victims can’t bring suits against platforms for non-consensual pornography
At the core of your book is the concept of intimate privacy. How do you define that?
It’s the privacy that is afforded to our intimate lives. That includes our bodies, our minds, our close relationships, sexual activities, innermost thoughts, fantasies, emotions and communications. How we document that in the digital age is, of course, our searches, our browsing, all our digital communications.
Privacy is essential to human flourishing, to democratic citizenship and to equality. If you don’t have the ability to set boundaries around those aspects of intimate privacy, it’s hard to develop who you are. I can’t say it better than Charles Fried, professor of law at Harvard Law School, who said that privacy is the oxygen for love. We fall in love by becoming reciprocally vulnerable, and reciprocally sharing information, including the things that we wouldn’t share with anybody else. The argument of the book is that without intimate privacy, we’re shells of ourselves. We can’t participate in citizenship.
Internet companies and data brokers contravene this kind of privacy every day, but your book also speaks about more targeted attacks, such as revenge porn, where people share the intimate photos or videos of others online. It highlights how Section 230, a piece of US legislation that has been at the heart of debate about social media content moderation in recent years, protects this kind of content.
Section 230 of the Communications Decency Act makes it impossible to bring a lawsuit against the party that is in the best position to minimise the harm of sharing intimate information without a person’s consent: the content platforms. You can’t demand that a site take down your nude photos posted without your permission. The site is making money off your photo, they’re making money off the data of everybody subscribing or visiting, but they get to say: “Sorry, too bad.”
In the UK, the online safety bill hasn’t passed yet, so victims can’t bring suits against platforms for non-consensual pornography. If that passes, [platforms] may have a duty of care to mitigate the risks involved with online harms. [But] today, perpetrators can post on sites in the UK and US with little to fear.
After 25 years of the Section 230 legal shield, we need to recognise that although it has emboldened and enabled all sorts of speech and activities online, there are a lot of costs to speech too. Cyber stalking, intimate privacy violations and harassment have chased people offline, often women and minorities. We have clear empirical proof that the status quo is very costly to civil liberties and civil rights.
We’re in a cultural moment where many think it’s socially acceptable to share images of strangers online. Your book is specifically focused on intimate privacy, but do you see this as related?
Part of the book is legal and talking to industry, but it’s also a cultural issue, right? Changing the law within all of us. Because we are careless and unless it happens to us – the shaming, the stigma, the embarrassment – it’s hard for people to understand it. It has to become a lifelong education. Because we human beings have such great potential for joy and love and kindness, but we also have such great potential for cruelty.
The Fight for Privacy: Protecting Dignity, Identity and Love in the Digital Age by Danielle Keats Citron is published by Chatto & Windus (£18.99). To support the Guardian and Observer order your copy at guardianbookshop.com. Delivery charges may apply