The Assault on Privacy
A conversation with UVA law professor and privacy expert Danielle Citron
Privacy is not a privilege. It is a human and moral right.
This principle guides privacy expert Danielle Citron in every aspect of her work. Citron, who joined the faculty at the University of Virginia School of Law in 2021, firmly believes an individual’s right to privacy is not up for debate. On the contrary, the right to privacy is indispensable and essential to building a meaningful life, no different than freedom of speech or religion, and therefore should be protected by state and federal law.
Citron’s stance on privacy, while not always shared by those she advises, nonetheless has put her on the map as a highly respected and sought-after privacy expert. In 2019, she testified before the U.S. House Intelligence Committee on threats posed by deepfakes. She has presented her work on cyberstalking and online abuse at congressional briefings and has advised law enforcement, government agencies, think tanks, and legal scholars across the globe. Tech companies like Facebook, Twitter, Spotify, and TikTok have taken note, calling on her expertise as they contend with mounting privacy concerns.
Citron’s recruitment to UVA, made possible by the Jefferson Scholars Foundation, an independent organization whose mission is to attract to UVA exceptionally talented students and faculty, was a major win for the school. At UVA, she serves as the Jefferson Scholars Foundation Schenck Distinguished Professor in Law and the Caddell and Chapman Professor of Law. She also was appointed the inaugural director of the LawTech Center, a new scholarly hub that focuses on critical issues at the intersection of law and technology, and co-host of the podcast Common Law.
Now, her new book, The Fight for Privacy: Protecting Dignity, Identity and Love in the Digital Age, takes a deeper look at the pervasive assault on privacy by the individuals, companies, and governments that seek to exploit—and often profit—from our personal data.
In your book, you refer to privacy as “intimate privacy.” Can you explain what you mean by that, and help us understand why intimate privacy matters?
Intimate privacy involves the extent to which others have access to and information about our bodies and health; our sexual orientation, gender, and sex; our minds (browsing, reading, searches, and communications); and our close relationships. Intimate privacy is a moral right, a human right, and a civil right that everyone deserves, but that is too often denied, especially for women, nonwhites, LGBTQ individuals, many of whom have intersecting vulnerable identities.
We come to know ourselves through our bodies. When we can carve out invisible space with our bodies, alone or with people who we trust, we can figure out who we are and who we want to become. Intimate privacy enables us to enjoy self-respect and social respect. When we can determine who has access to our naked bodies and thoughts and who doesn’t, we have a sense of ourselves of being in charge of our lives and others can see us as whole human beings rather than as body parts. We can’t develop authentic identities, enjoy respect, fall in love, or engage as citizens on equal terms without intimate privacy.
You make a strong case in the book for intimate privacy as a civil right. WIRED Magazine recently ran an excerpt from your book on this very subject. Tell us why this move is central to your work.
When you say something is a civil right, it means that it cannot be denied or traded away without a good reason. It is not good enough to point to efficiency or profits; it is not good enough to say you were just engaged in harmless fun (as many do when caught violating intimate privacy). You need a good reason to jeopardize intimate privacy that we need to flourish, love, and engage as citizens on equal terms. And a civil right to intimate privacy would acknowledge the unique harms suffered by women and minorities and the corrosive impact that discriminatory attitudes have on their careers, psyches, educations, and more.
A civil rights approach would have practical and expressive pay off. Under U.S. law, entities with power over civil rights have obligations to act as the guardians of those rights. Anyone handling intimate data would have to act as the caretaker of that data, not as an exploiter of that data. When it comes to Section 230, sites could enjoy the immunity only if they fulfilled a duty of care to tackle intimate privacy violations, one that would include having processes to respond to complaints about privacy violations and taking down content amounting to IP violations. (Also, sites trafficking in intimate privacy violations should not enjoy the immunity at all.) Companies handling intimate data should have duties of care, loyalty, and nondiscrimination. That might mean not collecting and definitely not selling intimate data to third parties, period the end.
Beyond the practical, the recognition of a civil right to intimate privacy would have expressive power. A civil rights approach gives us the vocabulary to understand its centrality to human flourishing. It would tell victims that their intimate privacy and intimate expression matter, that they matter, and that the law sees and redresses the structural damage to vulnerable groups. It would say to companies that they should design products and services with duties of care in mind, so less intimate information is collected and exploited, so that intimate privacy would be prioritized rather than destroyed or ignored.
"The U.S. is a hotspot for collecting, exploiting, and displaying intimate data. The absence of intimate privacy in the U.S. is its absence wherever access to the internet exists."
How do U.S. laws fall short in protecting citizens from privacy invasions?
Thanks to Section 230 of the Communications Decency Act, the U.S. is a hotspot for collecting, exploiting, and displaying intimate data. The absence of intimate privacy in the U.S. is its absence wherever access to the internet exists.
When a nurse living in Edinburgh discovered that her nude image and name appeared on an infamous revenge porn site, she could not force the site to remove the post: the site was hosted in Las Vegas where it enjoyed immunity from liability under U.S. law. When the Norwegian data protection authority discovered that gay dating app Grindr shared their residents’ sexual preferences, mental health details, and location with advertisers without permission (in violation of their data protection laws), the company apologized, paid a fine, and said it would not do it again.
Enforcement is like a game of whack-a-mole, so people are left unprotected. Silicon Valley builds tools and services used all over the globe. We urgently need legislation in the U.S. that recognizes and protects privacy as a civil and fundamental right to help ensure that intimate privacy is protected around the world.
A culture of misogyny and violation pervades the U.S. and around the globe. That culture is nurtured on the more than 9,500 sites that peddle intimate privacy violations. Most are hosted in jurisdictions where they don’t fear liability, notably the United States where federal law immunizes sites from liability even if they encouraged, solicited, or profited from online abuse. Because intimate privacy violations hosted in the U.S. are viewable everywhere, we export abuse around the globe.
How do U.S. laws fall short in protecting citizens from privacy invasions?
Thanks to Section 230 of the Communications Decency Act, the U.S. is a hotspot for collecting, exploiting, and displaying intimate data. The absence of intimate privacy in the U.S. is its absence wherever access to the internet exists.
When a nurse living in Edinburgh discovered that her nude image and name appeared on an infamous revenge porn site, she could not force the site to remove the post: the site was hosted in Las Vegas where it enjoyed immunity from liability under U.S. law. When the Norwegian data protection authority discovered that gay dating app Grindr shared their residents’ sexual preferences, mental health details, and location with advertisers without permission (in violation of their data protection laws), the company apologized, paid a fine, and said it would not do it again.
Enforcement is like a game of whack-a-mole, so people are left unprotected. Silicon Valley builds tools and services used all over the globe. We urgently need legislation in the U.S. that recognizes and protects privacy as a civil and fundamental right to help ensure that intimate privacy is protected around the world.
A culture of misogyny and violation pervades the U.S. and around the globe. That culture is nurtured on the more than 9,500 sites that peddle intimate privacy violations. Most are hosted in jurisdictions where they don’t fear liability, notably the United States where federal law immunizes sites from liability even if they encouraged, solicited, or profited from online abuse. Because intimate privacy violations hosted in the U.S. are viewable everywhere, we export abuse around the globe.
"The U.S. is a hotspot for collecting, exploiting, and displaying intimate data. The absence of intimate privacy in the U.S. is its absence wherever access to the internet exists."
What can the average citizen do to protect their own intimacy privacy?
As individuals, we can only do so much because the problem is structural. There are simple things we can all do, like saying no to cookies, choosing strong passwords, and covering up the cameras on our laptops and computers when not in use to prevent hackers from recording us. But more importantly, we need companies and lawmakers to fashion solutions. Write to your representatives: we have seen campaigns change the laws. Talk to your loved ones so they join you in advocacy. Follow the work of the Revenge Porn Hotline, and support their efforts. Pressure campaigns work—companies can be convinced to protect intimate privacy to protect their bottom lines. We can win the fight for intimate privacy—we just have to try.
"Because intimate privacy violations hosted in the U.S. are viewable everywhere, we export abuse around the globe."
What can the average citizen do to protect their own intimacy privacy?
As individuals, we can only do so much because the problem is structural. There are simple things we can all do, like saying no to cookies, choosing strong passwords, and covering up the cameras on our laptops and computers when not in use to prevent hackers from recording us. But more importantly, we need companies and lawmakers to fashion solutions. Write to your representatives: we have seen campaigns change the laws. Talk to your loved ones so they join you in advocacy. Follow the work of the Revenge Porn Hotline, and support their efforts. Pressure campaigns work—companies can be convinced to protect intimate privacy to protect their bottom lines. We can win the fight for intimate privacy—we just have to try.
"Because intimate privacy violations hosted in the U.S. are viewable everywhere, we export abuse around the globe."
Learn more about the Jefferson Scholars Foundation’s Distinguished Professorship Program here. This content was paid for and created by Jefferson Scholars Foundation. The editorial staff of The Chronicle had no role in its preparation. Find out more about paid content.