Category: Privacy (Consumer Privacy)

Why There’s No First Amendment Right to Sell Personal Data

There are a number of really interesting cases pending in the First Circuit and its lower federal courts that raise questions of confidentiality and free speech in the context of the commercial trade in prescription drug information. In New Hampshire, Maine, and Vermont, data mining companies have raised First Amendment challenges to state laws that restrict the ability of pharmacists to sell information about which doctors prescribed which drugs. More information about these cases from the AP can be found here. I’ve written about this phenomenon here, arguing that there are sound doctrinal, jurisprudential, and policy reasons to reject any idea that regulation of the commercial data trade raises any serious First Amendment problems.

These cases all involve laws passed by states concerned about the sale of prescription information to data mining companies, who buy information about which doctors prescribe which drugs from pharmacies and then massage the data for use in marketing and other industry purposes. The laws vary in their particulars, but basically forbid or regulate the ability of pharmacies to sell the information. In April, a federal district court in the New Hampshire case struck down New Hampshire’s law under the Central Hudson test as violating the companies’ free speech rights. The First Amendment argument can be boiled down as follows: because the laws stop pharmacies from telling other people about their customers, they violate the pharmacy companies’ free speech rights and are therefore unconstitutional.

I think this is a silly argument, as I explain after the jump.

From First Amendment Absolutism to Financial Meltdown?

There is a very interesting post by William Birdthistle on potential rating agency responsibility for the subprime mortgage meltdown contagion. As the WSJ reported,

In 2000, Standard & Poor’s made a decision about an arcane corner of the mortgage market. It said a type of mortgage that involves a “piggyback,” where borrowers simultaneously take out a second loan for the down payment, was no more likely to default than a standard mortgage. While its pronouncement went unnoticed outside the mortgage world, piggybacks soon were part of a movement that transformed America’s home-loan industry: a boom in “subprime” mortgages taken out by buyers with weak credit.

Here come the regulators. Some economists are quick to criticize the ratings agencies:

[T]he real-estate bubble of recent years, like the stock bubble of the late 1990s, both caused and was fed by widespread malfeasance. Rating agencies like Moody’s Investors Service, which get paid a lot of money for rating mortgage-backed securities, seem to have played a similar role to that played by complaisant accountants in the corporate scandals of a few years ago. In the ’90s, accountants certified dubious earning statements; in this decade, rating agencies declared dubious mortgage-backed securities to be highest-quality, AAA assets.

But there’s a big difference between accountants and raters: the latter get first amendment protection for their assessments. Is this a wise extension of the first amendment? It’s a difficult question, but I think the new scandals will lead to increasing calls for regulation, if not liability, of the ratings agencies.

RIAA’s Turn to Be a Defendant

Matthew Sag has convincingly argued that RIAA’s litigation war against downloaders is rational for the industry: it’s basically self-financing, as just about every defendant is too terrified of massive statutory damages to put up a fight. But the record industry’s declining fortunes may make its court victories Pyrrhic.

Moreover, a scorched earth litigation strategy against infringers is getting less viable as a few defendants fight back. For example, one litigant has found a creative way of subjecting RIAA’s tactics to public scrutiny:

Former RIAA defendant Tanya Andersen is now suing the major record labels and the RIAA for negligent and illegal investigation and prosecution. In a thirteen count civil suit filed in Oregon District Court, she alleges that record labels didn’t use properly licensed investigators and violated her privacy.

I’m still waiting for someone to bring the antitrust lawsuit that was forestalled by Bertelsmann’s purchase of Napster a few years ago. As Napster-slaying Judge Patel said of the RIAA’s distribution strategy then, “These ventures look bad, smell bad and sound bad” from an antitrust perspective.

Of course, given the lassitude of federal authorities, the antitrust case will be hard to make. But I look forward to more privacy challenges. As Sonia Katyal has argued,

recent developments in copyright law. . . have invited intellectual property owners to create extrajudicial systems of monitoring and enforcement that detect, deter, and control acts of consumer infringement. As a result, . . . intellectual property rights have been fundamentally altered—from a defensive shield into an offensively oriented type of weapon that can be used by intellectual property creators to record the activities of their consumers, and also to enforce particular standards of use and expression. . . .

If agencies fail to police these tactics, perhaps only individuals can fight for themselves. But as Bruce Schneier asks, why doesn’t the US have a privacy commissioner?

Hat Tip: BoingBoing.

Black Boxes Bite Back

As interest rates jump, piggybacking has become all the rage in “credit repair” circles. For a fee, groups like Instant Credit Builders will let you “borrow” (part of) another person’s credit score by becoming an “authorized borrower” on his cards. Here is ICB’s overheated defense of the practice:

ICB has developed a system to counter the harmful societal impacts of an emerging market called “subprime lending”. Mob-like blood suckers under the umbrella of legitimate lending institutions are targeting those who have poor credit scores but fall short of being beyond credit risk acceptance.

To explain why subprime lenders are in such an opportunistic industry, take this example: The commission payable to a financial adviser or mortgage broker from an actual prime lender on a $100,000 deal yields a broker about $250. Yet the same $100,000 deal using a subprime lender yields them $2,000 to $2,500. This niche market banking industry is getting paid well to enslave most minorities, low-income borrowers, even victims of identity theft with interest rates that can be up to 3.5% higher than average.

Needless to say, mortgage lenders are hoppin’ mad. The godfather of credit scores, FICO, has claimed that “piggy-backing will soon come to an end on its watch.” One irony here is that, as lenders crack down, “they may actually increase demand for some of the services that these Web sites offer.”

A lot of the commentary on these sites has been harsh, but let me offer something like an “unclean hands” defense. Credit scores have long come under attack for having “a disparate impact on poor and minority populations.” Moreover, the scoring is opaque; scorers claim that transparency would undermine their “trade secrets.” So consumers are navigating a world where they can have only a vague idea of the rules. Lenders shouldn’t be surprised when entrepreneurs reverse-engineer the ratings system and the technology bites back.

Moreover, these rules themselves may be self-fulfilling prophecies: if you decree that one missed $10 payment for a family of 4 earning $30,000 per year lowers their credit score by 200 points, they probably are going to end up being more likely to default because they are going to be paying much more in interest for any financing they get. Again, because the scores are black boxes, we have no assurance that the companies that offer them try to eliminate such endogenicity or whether they actually try to profit from such self-fulfilling prophecies.

As long as credit ratings are so shrouded in secrecy, the lenders who rely on them should expect gaming of the system. Watch for a debate over “black hat” vs. “white hat” credit repair builders as controversial (and interminable) as that now occurring in the world of search engine optimization.

Requiring Banks to Disclose Identity Theft Statistics

Kudos to my friend Chris Hoofnagle (Samuelson Clinic at Berkeley Law School) who had his paper on SSRN written about by the New York Times:

The Senate Judiciary Committee’s subcommittee on terrorism, technology and homeland security will take up the issue in a scheduled hearing today titled “Identity Theft: Innovative Solutions for an Evolving Problem.” . . . .

The subcommittee will also hear a radical new idea on a way to obtain reliable numbers on the extent of identity theft.

The proposal, submitted by Chris Jay Hoofnagle, a lawyer and senior fellow at the Berkeley Center for Law and Technology at the University of California, recommends that lending institutions like banks and credit card companies, and payment firms like PayPal, be required to report their internal figures on fraud and identity theft publicly.

Unfortunately, as is typical with the mainstream media, no information is provided about how to locate Chris’s paper let alone a hyperlink. In his paper, Identity Theft: Making the Known Unknowns Known, Chris proposes that banks be compelled to disclose identity theft data. From the abstract:

Privacy’s Other Path

Professor Neil Richards (Washington University School of Law) and I have posted on SSRN our new article, Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Georgetown Law Journal __ (forthcoming 2007). The article engages in an historical and comparative discussion of American and English privacy law, a topic that has been relatively unexplored in America.

Although the tort law of privacy in America and England arose from the very same common law cases, the law has developed on very different paths in each country. For example, in England, a friend, spouse, lover, or nearly anybody else who violates a confidence can be liable. In America, people are said to assume the risk of betrayal for many breaches of confidence; the law, however, protects against the invasion of privacy by strangers. How and why did the law develop so differently in America and England? Our new article explores the answers to these questions and debunks many myths in the conventional wisdom about privacy law.

You can download and read the article for free on SSRN. If you don’t like it, we provide a full money-back guarantee. With a deal like this, how can you lose?

Here’s the abstract:

The familiar legend of privacy law holds that Samuel Warren and Louis Brandeis “invented” the right to privacy in 1890, and that William Prosser aided its development by recognizing four privacy torts in 1960. In this article, Professors Richards and Solove contend that Warren, Brandeis, and Prosser did not invent privacy law, but took it down a new path. Well before 1890, a considerable body of Anglo-American law protected confidentiality, which safeguards the information people share with others. Warren, Brandeis, and later Prosser turned away from the law of confidentiality to create a new conception of privacy based on the individual’s “inviolate personality.” English law, however, rejected Warren and Brandeis’s conception of privacy and developed a conception of privacy as confidentiality from the same sources used by Warren and Brandeis. Today, in contrast to the individualistic conception of privacy in American law, the English law of confidence recognizes and enforces expectations of trust within relationships. Richards and Solove explore how and why privacy law developed so differently in America and England. Understanding the origins and developments of privacy law’s divergent paths reveals that each body of law’s conception of privacy has much to teach the other.

We welcome any comments and suggestions for the article.

How Should Data Security Breach Notification Work?

In 2005, a series of data security breaches affected tens of millions of records of personal information. I blogged about them here, here, here, here, and here.

One of the major issues with data security breaches involves what kind of notification companies should provide. The spate of data security breach announcements began in February 2005, when ChoicePoint announced its breach pursuant to California’s data breach notification law. At the time, California was the only state that mandated individual notice following a breach. Subsequently, numerous states passed laws requiring that companies notify individuals of breaches. Federal legislation is currently being considered to create a national security breach provision. But key questions remain in hot contention. First, what kind of breach should trigger a notification? If the risk of harm is low, some companies contend, then providing notice can be quite costly with little benefit in return. Second, what kind of notice should be given? Notice to each individual affected? Notice to the media or FTC only?

Professors Paul Schwartz (law, Berkeley) and Ted Janger (law, Brooklyn) have posted on SSRN their article, Notification of Data Security Breaches, 105 Mich. L. Rev. 913 (2007), which seeks to answer these questions. From the abstract:

The law increasingly mandates that private companies disclose information for the benefit of consumers. The latest example of such regulation through disclosure is a requirement that companies notify individuals of data security incidents involving their personal information. In the wake of highly publicized data spills, numerous states have now enacted such legislation, and federal legislation in this area has also been proposed.

These statutes seek to punish the breached entity and protect consumers by requiring that a breached entity disclose information about the data spill. There are competing possible approaches, however, to how the law is to mandate release of information about data leaks. This Article finds that a reputational sanction from breach notification can be important, but not for the reasons conventionally discussed. Moreover, a further function of breach notification is mitigation of harm after a data leak. This function requires a multi-institutional coordinated response of the kind that is absent from current policy proposals. To fill this gap, this Article advocates creation of a coordinated response architecture and develops the elements of such an approach.

For anybody interested in data security, this article is definitely worth checking out.

The Free Credit Reports That Aren’t Free

You’ve probably seen the commercials, which run incessantly on CNN and other cable channels. A happy young man says: “I’m thinking of a number . . . ” That number is a credit score, which you can obtain at a website called FreeCreditReport.com. You probably have heard that under a new federal law, credit reporting agencies are required to provide each person with a free credit report once a year. That website, however, has the much more obscure name AnnualCreditReport.com. I previously blogged about my experiences using AnnualCreditReport.com. One of the problems is that if you don’t know that the correct website is AnnualCreditReport.com, then it is very easy to go to the FreeCreditReport.com website. After all, it is featured quite prominently in a Google search for “free credit report.”

But there’s one catch — it ain’t free. Far from it. From the fine print:

When you order your free report here, you will begin your free trial membership in Triple Advantage℠ Credit Monitoring. If you don’t cancel your membership within the 30-day trial period, you will be billed $12.95 for each month that you continue your membership.

ConsumerInfo.com and Freecreditreport.com are not affiliated with the annual free credit report program. Under a new Federal law, you have the right to receive a free copy of your credit report once every 12 months from each of the three nationwide consumer reporting companies. To request your free annual report under that law, you must go to www.annualcreditreport.com.

FreeCreditReport.com is run by Experian, one of the credit reporting agencies. Experian also has another website offering free credit reports: ConsumerInfo.com. Recently, the FTC settled a case against ConsumerInfo.com website. According to an FTC news release:

The Rise of Customer Blacklists

Blacklists appear to be the rage these days. With the ease of storing and sharing personal information — coupled with lax privacy law restrictions on such activities — companies can increasingly create blacklists of bad customers. In this article from the Ottawa Citizen, hotels in Australia and Canada (and soon the United States) are signing up for a service that compiles a blacklist against “bad” hotel guests:

Blacklisting everyone from the whisky-swilling scoundrels whose partying sabotaged your last vacation to the louts who channel Pink Floyd by dismantling their rooms, the new Australian database — which is expected to expand to Canada and the U.S. by year’s end — helps prevent unsavoury individuals from obtaining short-term accommodations.

“People are becoming less considerate of the space they’re staying in,” says Josh Ginty, project manager of the Guests Behaving Badly registry.

“What we hope to do is proactively advertise to those people … that their details will be recorded if they breach house rules. That in itself is often a strong enough deterrent.”

Accessible only to operators of hotels, motels and vacation homes, the membership-based registry tracks five levels of guest misconduct. These range from “lower-level blatant disregard” for regulations, such as smoking in non-smoking rooms or swimming in the pool after hours (several staff warnings must be ignored before the activity is reported on the registry) to higher-level infractions such as non-payment of the hotel bill, assault or vandalism.

“If you steal a couple of towels, we’re interested in tracking that,” says Mr. Ginty. “But it doesn’t compare to someone who has verbally or physically abused the night manager.”

More than 1,000 properties have signed up for the service since it launched in December 2006. Expansion to other continents is planned to begin in six months, depending on how easily the database can be adapted to each country’s privacy laws.

Customers have the ability to rate hotels with websites such as TripAdvisor.com. So why shouldn’t hotels be able to rate customers?

I don’t view the situations as symmetrical. Customers have long been spreading their opinions about hotels and other businesses — this is how the market produces good products and services. Word about bad hotels gets out and it leads to less business, thus creating an incentive for hotels to improve their service. But what happens when a similar process works against customers? True, some hotel guests are obnoxious and destructive, but do we really want to live in a country where people find themselves routinely blacklisted from various hotels and other businesses (stores, etc.)? In a Seinfeld episode, Elaine once found herself on a blacklist by doctors for being a bad patient. Perhaps this is the trend of the future. I sure hope not.

A Guide to Lobbyist Arguments on Consumer Protection

Chris Hoofnagle (Berkeley’s Samuelson Clinic) has posted on SSRN his paper, The Denialists’ Deck of Cards: An Illustrated Taxonomy of Rhetoric Used to Frustrate Consumer Protection Efforts. From the abstract:

The Denialists’ Deck of Cards is a humorous illustration of how libertarian policy groups use denialism. In this context, denialism is the use of rhetorical techniques and predictable tactics to erect barriers to debate and consideration of any type of reform, regardless of the facts. Giveupblog.com has identified five general tactics used by denialists: conspiracy, selectivity, the fake expert, impossible expectations, and metaphor.

The Denialists’ Deck of Cards builds upon this description by providing specific examples of advocacy techniques. The point of listing denialists’ arguments in this fashion is to show the rhetorical progression of groups that are not seeking a dialogue but rather an outcome. As such, this taxonomy is extremely cynical, but it is a reflection of and reaction to how poor the public policy debates in Washington have become.

The Deck is drawn upon my experience as a lawyer working on consumer protection in Washington, DC. Where possible, I have provided specific examples of denialism, but in many cases, these arguments are used only in closed negotiations. Some who read them find the examples humorous, while others find it troubling. But all who read the Washington Post will recognize these tactics; they are ubiquitous and quite effective.

This taxonomy provides a roadmap for consumer advocates to understand the resistance they will face with almost any form of consumer reform. I hope to expand it to include retorts to each argument in the future.

The paper is quite humorous and well-done — essential reading for any policy wonk.