A watchful eye can be a good thing. We all want to keep an eye on what’s important. In an increasingly fast-paced world, however, it gets harder. The Internet and advances in mobile technology put so much information at our fingertips that it is difficult to keep up with, or sometimes even to discern, what matters most. But the Internet also makes it possible to stay connected with the people and things we value even when we can’t or don’t need to be physically present. Web cams, for instance, allow us to monitor our homes from afar. You can sit in your office downtown, yet still watch your dog sleeping peacefully at home. You can keep tabs on your teenage driver by tracking his car wherever he goes. Or parents of young children can enjoy a date night with less worry because they can keep a watchful eye on their baby (or their babysitter) with a smartphone app.
But a watchful eye can also be a bad thing—depending on who’s doing the watching. Connectivity through technology is great, but it can also be a chink in the armor. Take, for example, just a few of the recent stories of hacked webcam feeds:
- Hacker hijacks wireless Foscam baby monitor, talks and freaks out nanny
- Family finds thousands of nanny cam pics online
- Peeping into 73,000 unsecured security cameras thanks to default passwords.
In one sense, these instances involve nothing more than the classic Peeping Tom. But instead of binoculars, these perps used the Internet to gain an uninvited view into private homes—and not from standing on the sidewalk, but from potentially anywhere in the world.
We might argue about whether certain data security snafus, reported almost daily, really have any impact on “privacy.” But there are very few who would dispute that a stranger watching my sleeping child in her crib at home is an invasion of privacy. Still, something about these so-called privacy “breaches” in the Information Age is different. In the case of a traditional Peeping Tom, there is little need for debate about what should be done: catch the guy and lock him up. Whether the victim suffered any tangible harm, other than being creeped out, is not part of the equation. But in the case of a cyber-based privacy breach, catching the actual bad guy is often not a realistic option. But someone’s got to pay, right?
Or is it, in fact, right? Certainly, the offensiveness of a “stranger watching my baby sleep” scenario is viscerally easy to grasp. But if you’re not talking about putting the actual wrongdoer behind bars, is there really a social justification for looking for someone else to blame? In other words, does the mere fact that the privacy invasion happened equate to a compensable injury?
To consider this question, we should consider our expectations. The United States Supreme Court long ago recognized that we all have some basic expectation of privacy. But once we walk out into a public place, our reasonable privacy expectations are diminished, if for no other reason than that we know people are watching. That becomes less obvious, though, when we’re accessing the Internet from the confines of our private homes or through our own personal devices. In the physical sense, we presume that our homes and personal devices are private. But in the virtual sense, we’re walking out into a public place. So if the Internet is the modern version of the public square, shouldn’t the reasonableness of our privacy expectations be measured in the context of how we access and use the Internet?
The webcam episodes described above are really no different than the classic Peeping Tom peering through a window into a private home, except that the Internet-connected webcam is the 21st Century’s equivalent of a window. In some cases, the webcam users simply neglected to change the factory default password to something that was unique to them. In other cases, the users needed to install firmware updates made available by the camera-maker. Perhaps, these oversights are the modern-day equivalent of leaving your blinds open. If that happened, you wouldn’t blame the maker of the blinds for the resulting privacy invasion. Let’s say you close the blinds, but they break and fall down—leaving an unobstructed view through your window—and someone standing on the sidewalk looks in. Is the proper course to bring a lawsuit against the maker of the blinds for invasion of privacy?
Certainly, the Internet changes the scale of these creepy Peeping Tom episodes. We’ll never read about 73,000 instances of Peeping Toms going from neighborhood to neighborhood and physically peeking in windows. But is creepiness on a massive scale somehow different than pre-Internet versions of essentially the same activity? And does the difficulty in catching the Internet hacker provide a greater justification for blaming someone else?
Generally, creepy isn’t compensable. Just because our “privacy”—at some level—is compromised, that doesn’t necessarily give rise to a compensable claim. Beyond catching the actual bad guy and locking him up, not much more can be done to redress the privacy invasion absent some demonstrable physical harm or property damage. While the Internet has the capacity to scale up the creepiness factor, it doesn’t make the privacy breach more compensable. In other words, just because the nearly identical privacy breach occurs thousands or millions of times over, that fact alone doesn’t make it any different. And the law recognizes as much: most claims for “invasion of privacy” (including data breaches) are governed today by the same set of laws that existed before the Internet.
But our willingness to freely surrender more and more of our personal data to the Internet, so that we can take advantage of its power and ease our everyday lives, may somehow be moving us toward a day when the ubiquity of the Internet makes it less like the traditional public square—where the choice to participate or not is solely our own—and more like oxygen. We can’t live without it. And that change might ultimately lead to an evolution in the law.
A recent decision in a much-watched case in England –Google v. Vidal-Hall—may be a preview of what’s to come. The case involved Google’s alleged circumvention of privacy settings in Apple’s Safari browser and its use of “cookies.” Users had allegedly chosen to block Google’s cookies when using the Safari browser, and Google had allegedly figured out a way to avoid the user-chosen blocks. This supposedly allowed Google to gather some information about users of particular devices that employed its search engine—like tracking their activity across the Internet. Even though the information included nothing that personally identified the actual user, only the device, users complained that this violated their privacy. Google argued that the users weren’t really harmed. The users, however, claimed emotional distress, despite no actual physical injury or property damage.
The court in Google v. Vidal-Hall found that Google owed its U.K. users an implied duty of confidentiality and breached that duty by collecting information gathered through cookies, which was a misuse of their private information. Significantly, the court disregarded the fact that the information was essentially anonymous—not distinguishing one user from another. The court allowed a damages award for purely emotional distress. Contrast this result with U.S. law, where most jurisdictions require a tangible injury (i.e., physical harm or property damage) before damages can be recovered.
The Google v. Vidal-Hall decision is subject to appeal. But it signals that that scale of privacy breaches implicating the Internet may be effecting a more permanent and fundamental change in the way society views Internet privacy and how courts treat it. If that’s so, creepy may ultimately become compensable.