Category: Privacy (Consumer Privacy)


The Fragility of Desire

In his excellent new book Exposed, Harcourt’s analysis of the role of desire in what he calls the “expository society” of the digital age is seductive. We are not characters in Orwell’s 1984, or prisoners of Bentham’s Panopticon, but rather are enthusiastic participants in a “mirrored glass pavilion” that is addictive and mesmerizing. Harcourt offers a detailed picture of this pavilion and also shows us the seamy side of our addiction to it. Recovery from this addiction, he argues, requires acts of disobedience but there lies the great dilemma and paradox of our age: revolution requires desire, not duty, but our desires are what have ensnared us.

I think that this is both a welcome contribution and a misleading diagnosis.

There have been many critiques of consent-based privacy regimes as enabling, rather than protecting, privacy. The underlying tenor of many of these critiques is that consent fails as a regulatory tool because it is too difficult to make it truly informed consent. Harcourt’s emphasis on desire shows why there is a deeper problem than this, that our participation in the platforms that surveil us is rooted in something deeper than misinformed choice. And this makes the “what to do?” question all the more difficult to answer. Even those of us who see a stronger role for law than Harcourt outlines in this book (I agree with Ann Bartow’s comments on this) should pause here. Canada, for example, has strong private sector data protection laws with oversight from excellent provincial and federal privacy commissioners. And yet these laws are heavily consent-based. Such laws are able to shift practices to a stronger emphasis on things like opt-in consent, but Harcourt leaves us with a disquieting sense that this might just be an example of a Pyrrhic victory, legitimizing surveillance through our attempts to regulate it because we still have not grappled with the more basic problem of the seduction of the mirrored glass pavilion.

The problem with Harcourt’s position is that, in exposing this aspect of the digital age in order to complicate our standard surveillance tropes, he risks ignoring other sources of complexity that are also important for both diagnosing the problem and outlining a path forward.

Desire is not always the reason that people participate in new technologies. As Ann Bartow and Olivier Sylvain point out, people do not always have a choice about their participation in the technologies that track us. The digital age is not an amusement park we can choose to go to or to boycott, but deeply integrated into our daily practices and needs, including the ways in which we work, bank, and access government services.

But even when we do actively choose to use these tools, it is not clear that desire captures the why of all such choices. If we willingly enter Harcourt’s mirrored glass pavilion, it is sometimes because of some of its very useful properties — the space- and time-bending nature of information technology. For example, Google calendar is incredibly convenient because multiple people can access shared calendars from multiple devices in multiple locations at different times making the coordination of calendars incredibly easy. This is not digital lust, but digital convenience.

These space- and time-bending properties of information technology are important for understanding the contours of the public/private nexus of surveillance that so characterizes our age. Harcourt does an excellent job at pointing out some of the salient features of this nexus, describing a “tentacular oligarchy” where private and public institutions are bound together in state-like “knots of power,” with individuals passing back and forth between these institutions. But what is strange in Harcourt’s account is that this tentacular oligarchy still appears to be bounded by the political borders of the US. It is within those borders that the state and the private sector have collapsed together.

What this account misses is the fact that information technology has helped to unleash a global private sector that is not bounded by state borders. In this emerging global private sector large multinational corporations often operate as “metanationals” or stateless entities. The commercial logic of information is that it should cross political borders with ease and be stored wherever it makes the most economic sense.

Consider some of the rhetoric surrounding the e-commerce chapter of the recent TPP agreement. The Office of the US Trade Representative indicates that one of its objectives is to keep the Internet “free and open” which it has pursued through rules that favour cross-border data flows and prevent data localization. It is easy to see how this idea of “free” might be confused with political freedom, for an activist in an oppressive regime is better off in exercising freedom of speech when that speech can cross political borders or the details of their communications can be stored in a location that is free of the reach of their state. A similar rationale has been offered by some in the current Apple encryption debate — encryption protects American business people communicating within China and we can see why that is important.

But this idea of freedom is the freedom of a participant in a global private sector with weak state control; freedom from the state control of oppressive regimes also involves freedom from the state protection of democratic regimes.

If metanationals pursue a state-free agenda, the state pursues an agenda of rights-protectionism. By rights protectionism I mean the claim that states do, and should, protect the constitutional rights of their own citizens and residents but not others. Consider, for example, a Canadian citizen who resides in Canada and uses US cloud computing. That person could be communicating entirely with other Canadians in other Canadian cities and yet have all of their data stored in the US-based cloud. If the US authorities wanted access to that data, the US constitution would not apply to regulate that access in a rights-protecting manner because the Canadian is a non-US person.

Many see this result as flowing from the logic of the Verdugo-Urquidez case. Yet that case concerned a search that occurred in a foreign territory (Mexico), rather than within the US, where the law of that territory continued to apply. The Canadian constitution does not apply to acts of officials within the US. The data at issue falls into a constitutional black hole where no constitution applies (and maybe even an international human rights black hole according to some US interpretations of extraterritorial obligations). States can then collect information within this black hole free of the usual liberal-democratic constraints and share it with other allies, a situation Snowden documented within the EU and likened to a “European bazaar” of surveillance.

Rights protectionism is not rights protection when information freely crosses political boundaries and state power piggybacks on top of this crossing and exploits it.

This is not a tentacular oligarchy operating within the boundaries of one state, but a series of global alliances – between allied states and between states and metanationals who exert state-like power — exploiting the weaknesses of state-bound law.

We are not in this situation simply because of a penchant for selfies. But to understand the full picture we do need to look beyond “ourselves” and get the global picture in view. We need to understand the ways in which our legal models fail to address these new realities and even help to mask and legitimize the problems of the digital age through tools and rhetoric that are no longer suitable.

Lisa Austin is an Associate Professor at the University of Toronto Faculty of Law.


Surveillance and Our Addiction to Exposure

Bernard Harcourt’s Exposed: Desire and Disobedience in the Digital Age (Harvard University Press 2015) is an indictment of our contemporary age of surveillance and exposure — what Harcourt calls “the expository society.” Harcourt passionately deconstructs modern technology-infused society and explains its dark implications with an almost poetic eloquence.

Harcourt begins by critiquing the metaphor of George Orwell’s 1984 to describe the ills of our world today.  In my own previous work, I critiqued this metaphor, arguing that Kafka’s The Trial was a more apt metaphor to capture the powerlessness and vulnerability that people experience as government and businesses construct and use “digital dossiers” about their lives.  Harcourt critiques Orwell in a different manner, arguing that Orwell’s dystopian vision is inapt because it is too drab and gray:

No, we do not live in a drab Orwellian world.  We live in a beautiful, colorful, stimulating, digital world that is online, plugged in, wired, and Wi-Fi enabled.  A rich, bright, vibrant world full of passion and jouissance–and by means of which we reveal ourselves and make ourselves virtually transparent to surveillance.  In the end, Orwell’s novel is indeed prescient in many ways, but jarringly off on this one key point.  (pp. 52-53)

[Image: Orwell’s Vision]

[Image: Life Today]

Harcourt notes that the “technologies that end up facilitating surveillance are the very technologies we crave.”  We desire them, but “we have become, slowly but surely, enslaved to them.” (p. 52).

Harcourt’s book reminds me of Neil Postman’s Amusing Ourselves to Death, originally published about 30 years ago — back in 1985.  Postman also critiqued Orwell’s metaphor and argued that Aldous Huxley’s Brave New World was a more apt metaphor to capture the problematic effects new media technologies were having on society.


The 5 Things Every Privacy Lawyer Needs to Know about the FTC: An Interview with Chris Hoofnagle

The Federal Trade Commission (FTC) has become the leading federal agency to regulate privacy and data security. The scope of its power is vast – it covers the majority of commercial activity – and it has been enforcing these issues for decades. An FTC civil investigative demand (CID) will send shivers down the spine of even the largest of companies, as the FTC requires a 20-year period of assessments to settle the score.

To many, the FTC remains opaque and somewhat enigmatic. The reason, ironically, might not be because there is too little information about the FTC but because there is so much. The FTC has been around for 100 years!

In a landmark new book, Professor Chris Hoofnagle of Berkeley Law School synthesizes an enormous volume of information about the FTC and sheds tremendous light on the FTC’s privacy activities. His book is called Federal Trade Commission Privacy Law and Policy (Cambridge University Press, Feb. 2016).

This is a book that all privacy and cybersecurity lawyers should have on their shelves. The book is the most comprehensive scholarly discussion of the FTC’s activities in these areas, and it also delves deep into the FTC’s history and activities in other areas to provide much-needed context to understand how it functions and reasons in privacy and security cases.


5 Great Novels About Privacy and Security

I am a lover of literature (I teach a class in law and literature), and I also love privacy and security, so I thought I’d list some of my favorite novels about privacy and security.

I’m also trying to compile a more comprehensive list of literary works about privacy and security, and I welcome your suggestions.

Without further ado, my list:

Franz Kafka, The Trial

Kafka’s The Trial begins with a man being arrested but not told why. In typical Kafka fashion, the novel begins badly for the protagonist . . . and then it gets worse! A clandestine court system has compiled a dossier about him and officials are making decisions about him, but he is left in the dark. This is akin to how Big Data can operate today. The Trial captures the sense of helplessness, frustration, and powerlessness when large institutions with inscrutable purposes use personal data and deny people the right to participate. I wrote more extensively about how Kafka is an apt metaphor for privacy in our times in a book called The Digital Person about 10 years ago.


The Black Box Society: Interviews

My book, The Black Box Society, is finally out! In addition to the interview Lawrence Joseph conducted in the fall, I’ve been fortunate to complete some radio and magazine interviews on the book. They include:

New Books in Law

Stanford Center for Internet & Society: Hearsay Culture

Canadian Broadcasting Corporation: The Spark

Texas Public Radio: The Source

WNYC: Brian Lehrer Show.

Fleishman-Hillard’s True.

I hope to be back to posting soon, on some of the constitutional and politico-economic themes in the book.


Should the FTC Be Regulating Privacy and Data Security?

This post was co-authored with Professor Woodrow Hartzog.

This past Tuesday the Federal Trade Commission (FTC) filed a complaint against AT&T for allegedly throttling the Internet of its customers even though they paid for unlimited data plans. This complaint was surprising for many, who thought the Federal Communications Commission (FCC) was the agency that handled such telecommunications issues. Is the FTC supposed to be involved here?

This is a question that has recently been posed in the privacy and data security arenas, where the FTC has been involved since the late 1990s. Today, the FTC is the most active federal agency enforcing privacy and data security, and it has the broadest reach. Its fingers seem to be everywhere, in all industries, even those regulated by other agencies, such as in the AT&T case. Is the FTC going too far? Is it even the FTC’s role to police privacy and data security?

The Fount of FTC Authority

The FTC’s source of authority for privacy and data security comes from some specific statutes that give the FTC regulatory power. Examples include the Children’s Online Privacy Protection Act (COPPA) where the FTC regulates online websites collecting data about children under 13 and the Gramm-Leach-Bliley Act (GLBA) which governs financial institutions.

But the biggest source of the FTC’s authority comes from Section 5 of the FTC Act, where the FTC can regulate “unfair or deceptive acts or practices in or affecting commerce.” This is how the FTC has achieved its dominant position.

Enter the Drama

Until recently, the FTC built its privacy and security platform with little pushback. All of the complaints brought by the FTC for unfair data security practices quickly settled. However, recently, two companies have put on their armor, drawn their swords, and raised the battle cry. Wyndham Hotels and LabMD have challenged the FTC’s authority to regulate data security. These are more than just case-specific challenges that the FTC got the facts wrong or that the FTC is wrong about certain data security practices. Instead, these challenges go to whether the FTC should be regulating data security under Section 5 in the first place. And the logic of these challenges could also potentially extend to privacy as well.

The first dispute involving Wyndham Hotels has already resulted in a district court opinion affirming the FTC’s data protection jurisprudence. The second dispute over FTC regulatory authority involving LabMD is awaiting trial.

In the LabMD case, LabMD is contending that the U.S. Department of Health and Human Services (HHS) — not the FTC — has the authority to regulate data security practices affecting patient data regulated by HIPAA.

With Wyndham, and especially LabMD, the drama surrounding the FTC’s activities in data protection has gone from 2 to 11. The LabMD case has involved the probable shuttering of business, a controversial commissioner recusal, a defamation lawsuit, a House Oversight committee investigation into the FTC’s actions, and an entire book written by LabMD’s CEO chronicling his view of the conflict. And the case hasn’t even been tried yet!

The FTC Becomes a Centenarian

And so, it couldn’t be more appropriate that this year, the FTC celebrates its 100th birthday.

To commemorate the event, the George Washington Law Review is hosting a symposium titled “The FTC at 100: Centennial Commemorations and Proposals for Progress,” which will be held on Saturday, November 8, 2014, in Washington, DC.

The lineup for this event is really terrific, including U.S. Supreme Court Justice Stephen Breyer, FTC Chairwoman Edith Ramirez, FTC Commissioner Joshua Wright, FTC Commissioner Maureen Ohlhausen, as well as many former FTC officials.


Some of the participating professors include Richard Pierce, William Kovacic, David Vladeck, Howard Beales, Timothy Muris, and Tim Wu, just to name a few.

At the event, we will be presenting our forthcoming article:

The Scope and Potential of FTC Data Protection
83 George Washington Law Review (forthcoming 2015)

So Is the FTC Overreaching?

Short answer: No. In our paper, The Scope and Potential of FTC Data Protection, we argue that the FTC not only has the authority to regulate data protection to the extent it has been doing, but it also has the authority to expand its reach much more. Here are some of our key points:

* The FTC has a lot of power. Congress gave the FTC very broad and general regulatory authority by design to allow for a more nimble and evolutionary approach to the regulation of consumer protection.

* Overlap in agency authority is inevitable. The FTC’s regulation of data protection will inevitably overlap with other agencies and state law given the very broad jurisdiction in Section 5, which spans nearly all industries. If the FTC’s Section 5 power were to stop at any overlapping regulatory domain, the result would be a confusing, contentious, and unworkable regulatory system with boundaries constantly in dispute.

* The FTC’s use of a “reasonable” standard for data security is quite reasonable. Critics of the FTC have attacked its data security jurisprudence as being too vague and open-ended; the FTC should create a specific list of requirements. However, there is a benefit to mandating reasonable data security instead of a specific, itemized checklist. When determining what is reasonable, the FTC has often looked to industry standards. Such an approach allows for greater flexibility in the face of technological change than a set of rigid rules.

* The FTC performs an essential role in US data protection. The FTC’s current scope of data protection authority is essential to the United States data protection regime and should be fully embraced. The FTC’s regulation of data protection gives the U.S. system of privacy law needed legitimacy and heft. Without the FTC’s data protection enforcement authority, the E.U. Safe Harbor agreement and other arrangements that govern the international exchange of personal information would be in jeopardy. The FTC can also harmonize discordant privacy-related laws and obviate the need for new laws.

* Contrary to the critics, the FTC has used its powers very conservatively. Thus far, the FTC has been quite modest in its enforcement, focusing on the most egregious offenders and enforcing the most widespread industry norms. The FTC should push the development of the norms a little more (though not in an extreme or aggressive way).

* The FTC can and should expand its enforcement, and there are areas in need of improvement. The FTC now sits atop an impressive body of jurisprudence. We applaud its efforts and believe it can and should do even more. But as it grows into this role of being the data protection authority for the United States, some gaps in its power need to be addressed and it can improve its processes and transparency.

The FTC currently plays the role as the primary regulator of privacy and data security in the United States. It reached this position in part because Congress never enacted comprehensive privacy regulation and because some kind of regulator was greatly needed to fill the void. The FTC has done a lot so far, and we believe it can and should do more.

If you want more detail, please see our paper, The Scope and Potential of FTC Data Protection. And with all the drama about the FTC these days, please contact us if you want to option the movie rights.

Cross-posted on LinkedIn

Reining in the Data Brokers

I’ve been alarmed by data brokers’ ever-expanding troves of personal information for some time. My book outlines the problem, explaining how misuse of data undermines equal opportunity. I think extant legal approaches–focusing on notice and consent–put too much of a burden on consumers. This NYT opinion piece sketches an alternate approach:

[D]ata miners, brokers and resellers have now taken creepy classification to a whole new level. They have created lists of victims of sexual assault, and lists of people with sexually transmitted diseases. Lists of people who have Alzheimer’s, dementia and AIDS. Lists of the impotent and the depressed.

***

Privacy protections in other areas of the law can and should be extended to cover consumer data. The Health Insurance Portability and Accountability Act, or Hipaa, obliges doctors and hospitals to give patients access to their records. The Fair Credit Reporting Act gives loan and job applicants, among others, a right to access, correct and annotate files maintained by credit reporting agencies.

It is time to modernize these laws by applying them to all companies that peddle sensitive personal information. If the laws cover only a narrow range of entities, they may as well be dead letters. For example, protections in Hipaa don’t govern the “health profiles” that are compiled and traded by data brokers, which can learn a great deal about our health even without access to medical records.

There’s more online, but given the space constraints, I couldn’t go into all the details that the book discloses. I hope everyone enjoys the opinion piece, and that it whets appetites for the book!


Advice on How to Enter the Privacy Profession

Over at LinkedIn, I have a long post with advice for how law students can enter into the privacy profession.   I hope that this post can serve as a useful guide to students who want to pursue careers in privacy.

The privacy law field is growing dramatically, and demand for privacy lawyers is high.  I think that many in the academy who don’t follow privacy law, cyberlaw, or law and technology might not realize what’s going on in the field.  The field is booming.

The International Association of Privacy Professionals (IAPP), the field’s primary association, has been growing by about 30% each year.  It now has more than 17,000 members.  And this is only a subset of privacy professionals, as many privacy officials in healthcare aren’t members of IAPP and instead are members of the American Health Information Management Association (AHIMA) or the Health Care Compliance Association (HCCA).

There remains a bottleneck at the entry point to the field, but that can be overcome.  Once in the club, the opportunities are plentiful and there’s the ability to rise quickly.   I’ve been trying to push for solutions to make entry into the field easier, and this is an ongoing project of mine.

If you have students who are interested in entering the privacy law profession, please share my post with them.  I hope it will help.

Interview on The Black Box Society

Balkinization just published an interview on my forthcoming book, The Black Box Society. Law profs may be interested in our dialogue on methodology—particularly, what the unique role of the legal scholar is in the midst of increasing academic specialization. I’ve tried to surface several strands of inspiration for the book.


Privacy and Data Security Harms


I recently wrote a series of posts on LinkedIn exploring privacy and data security harms.  I thought I’d share them here, so I am re-posting all four of these posts together in one rather long post.

I. PRIVACY AND DATA SECURITY VIOLATIONS: WHAT’S THE HARM?

“It’s just a flesh wound.”

Monty Python and the Holy Grail

Suppose your personal data is lost, stolen, improperly disclosed, or improperly used. Are you harmed?

Suppose a company violates its privacy policy and improperly shares your data with another company. Does this cause a harm?

In most cases, courts say no. This is the case even when a company is acting negligently or recklessly. No harm, no foul.

Strong Arguments on Both Sides

Some argue that courts are ignoring serious harms caused when data is not properly protected and used.

Yet others view the harm as trivial or non-existent. For example, given the vast number of records compromised in data breaches, the odds that any one instance will result in identity theft or fraud are quite low.
