Author: Peter Swire


New Report on Antitrust & Privacy Problems with Proposed EU Right of Data Portability

The draft EU Data Protection Regulation would create a new human and economic right — the Right to Data Portability (RDP).  The basic idea of the RDP is that individuals would be able to transfer their electronic information, such as Facebook friend lists or iTunes music, from Facebook or Apple to a competitor, without hindrance.

The idea of the RDP is very appealing.  From a market efficiency perspective, it can address the lock-in problem, the worry that high switching costs will strand consumers with a legacy system that is not as good as a new system.  From the human rights perspective, the RDP is proposed as a way to enhance a person’s online identity, to give individuals control over “their” content.

I blogged about my initial concerns with RDP here on Concurring Opinions in April and May.  Now, the full law review article is posted on SSRN.  The full version deepens the antitrust critique from the initial blog posts.  It adds a big new section on the RDP as a fundamental/human right under EU law.  That privacy discussion explores the risks to an existing EU right to data protection — the right to data security. When an individual’s lifetime of data must be exported “without hindrance,” then one moment of identity fraud can turn into a lifetime breach of personal data. In addition, the article addresses more general issues of interoperability, building on sources including Lotus v. Borland and the recent Interop book by John Palfrey and Urs Gasser.

My basic take is that the RDP is much more appealing as a concept than it is as proposed legislation in the Regulation.  I think the RDP will be a Big Deal if enacted — its mandates will apply to any app, consumer software or online service that uses standard formats.  Because the Regulation also extends its jurisdiction to any company that sells to EU citizens, the RDP would become a new and significant global software mandate.  I think these issues deserve a lot more attention than they have received.


Why Justice Goldberg Cared So Much About Privacy

David Stebenne gave a fascinating talk today about how the personal experiences of Justice Goldberg made him very sensitive to privacy, and led to his strong pro-privacy concurrence in the Griswold case that established a right to privacy for use of contraceptives.  David is a legal historian at Ohio State, now has a joint appointment with our law school, and spoke today at a John Marshall Law School conference on the history of privacy from Brandeis to today.

Stebenne has written a biography of Goldberg, and is a master of the historical record. Look at these personal experiences that shaped Justice Goldberg’s views on privacy:

(1) Brandeis and Warren-style press intrusions.  Goldberg was the leading lawyer for the Steelworkers Union and the CIO during the 1950’s.  The unions were subjected to many hostile press articles, often describing (or exaggerating) union corruption.  The sorts of press excesses, at the center of the Brandeis and Warren privacy article, were lived by Goldberg.

(2) Intrusive police surveillance.  The Steelworkers and other unions were pervasively wiretapped in the 1950’s.  In one 1957 board meeting, the leadership reported that there were so many wiretaps on the line that they could barely hear each other talk.

(3) Mistaken FBI files.  The FBI opened a file before World War II about a different person named Arthur Goldberg, who had suspected links to the Communist Party.  Years later, Goldberg found out that a huge file had been accumulated on him based on this original, mistaken report.  He met with the FBI, and had the unusual good fortune to clear the matter up.   But he learned personally how invasive and unreliable FBI files could be.

(4) CIA spy and counter-spy.  During World War II, Goldberg worked for the OSS, the predecessor of the CIA.  For part of that time he was the target of enemy espionage himself.  He knew the CIA kept a close eye on his clients in the labor movement, and thus knew more than most about the nature and scale of domestic surveillance by the government.

In short, Goldberg was not a privileged person who knew he had nothing to hide. Instead, he had direct personal experience with the intrusiveness and mistakes that could result from the media, intelligence agencies, and new technologies.

Insight can come from personal experience.  Among other lessons from this history, it suggests some virtues of having judges and justices with a wide range of personal experience.


Brin’s “Existence,” the Fermi Paradox, and the Future of Privacy

I just finished David Brin’s “Existence,” his biggest new novel in years.  Brin, as some readers know, has won multiple Hugo and Nebula awards for best science fiction writing.  He also wrote the 1999 non-fiction book “The Transparent Society: Will Technology Force Us to Choose Between Privacy and Freedom?”.  More about that in a bit.

Existence is full of big ideas.  A main focus is on the Fermi Paradox, which observes that we would expect to find other forms of life out there among the hundreds of billions of suns, but we haven’t seen evidence of that life yet.  If you haven’t ever thought through the Fermi Paradox, I think it is a Genuine Big Question, and well worth contemplating.  Fortunately for those who like their science mixed with fiction, Brin weaves fifty or so possible answers to the Fermi Paradox into his 550-page novel.  Does climate change kill off other races?  Nuclear annihilation?  Do aliens upload themselves into computers once they get sophisticated (the “singularity”), so we never detect them across the void?  And a lot, lot more.

It took me a little while to get into the book, but I read the last few hundred pages in a rush.  I’ve had the pleasure to know Brin for a bunch of years, and find him personally and intellectually engaging.  I was pleased to read this, because I think it will intrigue curious minds for a long time as our telescopic views of other planets deepen our puzzlement about the Fermi Paradox.

As for privacy, my own view is that the privacy academics didn’t take his 1999 book seriously enough as an intellectual event.  One way to describe Brin’s insight is to say that surveillance in public becomes cheaper and more pervasive over time.  For Brin, having “control” over your face, eye blinks, location, etc., etc. becomes futile and often counter-productive once cameras and other sensors are pervasive and searchable.  Brin picked up on these themes in his earlier novel, “Earth,” when elderly people used video cameras to film would-be muggers, deterring the attacks.  In the new novel, the pervasive use of the 2060 version of Google Glasses means that each person is empowered to see data overlays for any person they meet.  (This part is similar to the novel “Rainbows End” by Brin’s friend Vernor Vinge.)

Surveillance in public is a big topic these days.  I’ve worked with CDT and EFF on, which asked law academics to propose doctrine for surveillance in public.  Facial recognition and drones are two of the hot privacy topics of the year, and each is a significant step towards the pervasive sensor world that Brin contemplated in his 1999 book.

So, if you like thinking about Big Ideas in novel form, buy Existence.  And, if you would like to retain the Fair Information Principles in a near future of surveillance in public, consider Brin more carefully  when you imagine how life will and should be in the coming decades.


4 Confirmed (at last) for Privacy and Civil Liberties Oversight Board

Tonight the U.S. Senate confirmed four of the five nominees for the Privacy and Civil Liberties Oversight Board: Rachel Brand; Elizabeth Cook; Jim Dempsey (of the Center for Democracy and Technology); and Pat Wald (long-time judge on the DC Circuit).

This is good news.  The PCLOB has not been up and running for several years, and now it will have a quorum.  The importance of having the Board in place has been underscored recently by the Senate’s consideration of the cybersecurity bill.  If there is lots of information sharing, then there should be effective oversight of that sharing.

The good news is incomplete, though.  The nominee for Chair is David Medine, who is a great nominee.  He was voted out of the Judiciary Committee this year, but on a party-line vote.  There are no criticisms I have been able to discover of Medine’s qualifications — he was the senior civil servant for years at the FTC on privacy, and he has counseled major global clients at WilmerHale on privacy and security.

The lack of a chair matters.  As discussed in my testimony this week in the Senate Homeland Security Committee, the statute allows only the Chairman to hire staff:  “The chairman of the Board … shall appoint and fix the compensation of a full-time executive director and such other personnel as may be necessary to enable the Board to carry out its functions.” Clearly, the Board cannot carry out its work as the statute intends if there is no Chairman in place.

The Board can now begin its work.  But it needs a Chairman, and it needs staff.  The Senate has more work to do on this.


Are Liberals Under-Estimating the Chances that the Catholic Hospitals Will Win Against the Health Care Act?

(Disclaimer — I decided soon after law school not to focus most of my efforts on the Supreme Court or con law.  There are brilliant people who work on it all the time, and I don’t.  But I am a law prof who can’t help noticing some things …)

Last week, liberals went through the near-death experience for the Affordable Care Act — far, far, far closer than the confident predictions of most liberals when the law was passed.

This week, I had the chance to speak in depth with an experienced liberal lawyer about the Next Big Constitutional Thing — the Catholic hospital challenges to the ACA’s requirements that contraception and other coverage must be included for the employees of hospitals, universities, and other Catholic institutions that are not themselves part of the Church.

The lawyer confidently predicted that the Catholic hospitals would lose.  After all, everyone knows the peyote case — Employment Division v. Smith, where a neutral state anti-drug law trumped a Free Exercise of religion argument that would have allowed an adherent to use peyote.  The lawyer said there was no precedent for the Catholic hospitals to win, such a holding would disrupt innumerable neutral state laws, and even Justice Scalia would be bound by his prior writings to find against the Catholic hospitals.

My reaction — “here we go again.”  It felt just like the over-confident predictions that the individual mandate inevitably would be upheld.  And my friend sounded like other liberals who have scoffed at the claims of the Catholic hospitals.

My instinct — as a realist prediction of the outcome, and not as a statement of my policy choice — is that the Catholic hospitals very possibly will win if the case goes to final judgment in the courts.

First, I don’t think Justice Scalia will find that a law prohibiting peyote (a “good” and long-standing law) is remotely similar to a law requiring the Catholic Church, for the first time in history, to buy an insurance package that pays for contraceptives.  He’ll think that the latter is a “bad” law.

Second, the Catholic Church has tens of millions of members in the U.S., and is not the splinter group at issue in the earlier case.  In a realist analysis, the views of a tiny church are not the same as those of the largest organized Church in western history.

Third, the views of the Church on contraception are sincere, widely publicized, and long-standing.  Although many individual Catholics don’t follow the doctrine on this issue, the institution of the Church is firmly on record on the issue.  This is not a pretext to take mind-altering drugs; it is a major doctrinal tenet.

Fourth, many Catholic hospitals are deeply religious institutions.  They often have a cross and a Bible in each room.  Many nuns and priests work in the hospitals.  Providing health care is deeply rooted in the mission of the Church, and has been for many years.  In other words, this is not the equivalent of “unrelated business income.”  Instead, religion and healing of the sick are thoroughly intertwined.

Fifth, and my apologies for mentioning it, six of the nine Supreme Court justices are Catholic.  I am not saying that a Catholic judge will hold for the Church any more than a white judge holds for whites and a black judge holds for blacks.  However, the justices will have deep personal knowledge of the healing tradition of Catholic hospitals.  They will read the briefs in the context of their personal knowledge.  I don’t think they will lightly assume that they are bound by cases with facts that seem to them quite different.

After we went through this list, my liberal friend said that he had adjusted his prediction.  He now thought that some of the district court cases, at least, would go for the Church.  He then added an extra idea — the case may arise under the Administrative Procedure Act, on whether the HHS rule was properly promulgated and consistent with the statute.  His point was that a court may have a “procedural” way to block the rule from mandating that the Catholic hospitals pay for insurance that covered contraceptives.  That might be an easier path for a judge to take than overturning Free Exercise case law, if the judge were inclined to stop the rule from taking effect.

Currently, there are over 20 challenges by Catholic hospitals to this provision.  Smart lawyers in each case will be trying to define distinctions that will retain the peyote precedent while letting the hospitals win this case.  Randy Barnett and others had a huge success with the “action/inaction” distinction about the individual mandate. My realist instincts are that we will see the emergence of clever, new distinctions for the hospital cases.

I think that many liberal con law experts were complacent when the individual mandate was challenged.  If they are complacent again about the Catholic hospital cases, then I, for one, will not be surprised to see the current HHS approach struck down.


What Didn’t Happen: A Non-Functioning Health Care System if the Entire Law Was Overruled

I teach in the summer, so I got to ditch my lesson plan for tonight and we spent an hour of class discussing the health care decision.  Most of my summer students here in DC work in federal agencies, so they all had interesting takes on what they had seen today.

Here’s what I haven’t seen in the coverage — what would have happened to the entire system of federal reimbursement and health care payments if the entire law had been struck down.  (Links welcome if others have covered this.)

The law was enacted in 2010, and billions of dollars have been spent in reliance on the law — systems changed, reimbursements realigned, and on and on.

The dissent clearly stated that they would have ruled null and void all the major and minor provisions in the 900-page bill. No severability.

If they had a fifth vote, what would our health care system have looked like tomorrow morning?  The same Congressional gridlock that couldn’t raise the debt ceiling would have been confronted with a truly mind-bending challenge — rebuild the payment system for 17% of the economy.  When no one had a draft bill ready.  When we were a million miles from consensus.  With no offsets to pay for it. During a close election campaign.

How do you think that would have worked out?  How much uncertainty would that have caused the economy?  What size dip in GDP would that have resulted in over the next couple of quarters?

So, a prediction based on pure speculation.  Historians at some point will assess what Roberts was thinking when he became the fifth vote to uphold. Lots of commentators have said that he wanted to maintain the court’s legitimacy and avoid a partisan bloodbath.  My prediction — he also wanted to avoid chaos in the health care system and the economy.


Swindling/Selling, Bribing/Contributing, Extorting/Taxing

At the recent Security and Human Behavior conference, I got into a conversation that highlighted perhaps my favorite legal book ever, Arthur Leff’s “Swindling and Selling.”  Although it is out of print, one measure of its wonderfulness is that used copies sell now for $125.  Then, in my class this week on The Ethics of Washington Lawyering (yes, it’s a fun title), I realized that a key insight from Leff’s book applies to two other areas – what is allowed in campaign finance and what counts as extortion in political office.

Swindling/selling.  The insight I always remember from Leff is to look at the definition of swindling: “Alice sells something to Bob that Bob thinks has value.”  Here is the definition of selling: “Alice sells something to Bob that Bob thinks has value.”  See?  The exchange is identical – Bob hands Alice money.  The difference is sociological (what society values) and economic (can Bob resell the item).  But the structure of the transaction is the same.

Bribing/contributing.  So here is a bribe: “Alice gives Senator Bob $10,000 and Bob later does things that benefit Alice, such as a tax break.”  Here is a campaign contribution: “Alice gives Senator Bob $10,000 and Bob later does things that benefit Alice, such as a tax break.”  Again, the structure of the transaction is identical.  There are two likely differences: (1) to prove the bribe, the prosecutor has to show that Bob did the later action because of the $10,000; and (2) Alice is probably careful enough to give the money to Bob’s campaign, and not to him personally.

Extorting/taxing.  Here is the classic political extortion: “Alice hires Bob, and Bob has to hand back ten percent of his salary to Alice each year.”  Here is how it works when a federal or state government hires someone: “Alice hires Bob, and Bob has to hand back ten percent of his salary to Alice each year.”  The structure of the transaction is the same – Bob keeps 90% of the salary and gives 10% to Alice.  The difference here?  Like the previous example, the existence of bureaucracy turns the bad thing (bribing or extorting) into the acceptable thing (contributing/taxing).  In the modern government, Alice hires Bob, and Bob sends the payment to the IRS.  The 10% does not go to Alice’s personal use, but the payment on Bob’s side may feel much the same.

For each of these, drawing the legal distinction will be really hard because the structure of the transaction is identical for the lawful thing (selling, contributing, taxing) and for the criminal thing (swindling, bribing, extorting).  Skeptics can see every transaction as the latter, and there is no objective way to prove that the transaction is actually legitimate.

I am wondering, did people know this already?  Are there citations to previous works that explain all of this?  Or, perhaps, is this a simple framework for describing things that sheds some light and merits further discussion?


Are Hackers Inefficient?

It’s been a very interesting first day at the Security and Human Behavior 2012 conference, chaired by computer security guru Bruce Schneier.

A number of speakers agreed on a basic description of computer security vulnerabilities: (1) there is a long run-up period where vulnerabilities exist but are not exploited; and (2) an exploit is developed and other attackers adopt it rapidly.

That raises the question — are the hackers (collectively) being efficient? The analogy is to the debate in economics about the Efficient Capital Markets Hypothesis (ECMH).  The ECMH essentially says that you cannot expect to get above-normal returns — the market is efficient and you can’t beat the market.  (Since the 2008 crash there has been lots of new doubt about the ECMH among mainstream economists.)

The long period of non-attacks at least raises the possibility that there is “inefficiently low investment in hacking.”  I use “inefficient” here in a special sense — the market is “inefficient” if there are attack strategies for the hackers that are likely to get a high risk-adjusted return.  When there are so many vulnerabilities that are not attacked, the idea is that hackers collectively quite possibly are leaving money on the table.

Of course, a certain level of non-attacks is rational.  Suppose you expect to spend $1000 in time and effort to write an attack, and the expected pay-off is only $700.  Then we rationally don’t see that attack.  But the large number of existing vulnerabilities at least hints that if you spend $1000 then you might expect a big pay-off, such as $5000. After all, the attacks get used a lot once they are publicized, showing a potential pay-off.

I actually wrote about the ECMH and computer security in a 2004 article called “A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?”  But it was a short discussion at the end of a piece that people read for other reasons.  The computer security folks at the conference today hadn’t worked through the comparison and seemed intrigued — I think it might be a fruitful way to think about vulnerabilities and hacker behavior.


The Right to Data Portability (RDP) as a Per Se Anti-tying Rule

Yesterday I gave a presentation on “The Right to Data Portability: Privacy and Antitrust Analysis” at a conference at the George Mason Law School. In an earlier post here, I asked whether the proposed EU right to data portability violates antitrust law.

I think the presentation helped sharpen the antitrust concern.  The presentation first develops the intuition that consumers should want a right to data portability (RDP), which is proposed in Article 18 of the EU Data Protection Regulation.  RDP seems attractive, at least initially, because it might prevent consumers getting locked in to a software platform, and because it advances the existing EU right of access to one’s own data.

Turning to antitrust law, I asked how antitrust law would consider a rule that, say, prohibits an operating system from being integrated with software for a browser.  We saw those facts, of course, in the Microsoft case decided by the DC Circuit over a decade ago.  Plaintiffs asserted an illegal “tying” arrangement between Windows and IE.  The court rejected a per se rule against tying of software, because integration of software can have many benefits and innovation in software relies on developers finding new ways to put things together.  The court instead held that the rule of reason applies.

RDP, however, amounts to a per se rule against tying of software.  Suppose a social network offers a networking service and integrates that with software that has various features for exporting or not exporting data in various formats.  We have the tying product (social network) and the tied product (module for export or not of data).  US antitrust law has rejected a per se rule here.  The EU proposed regulation essentially adopts a per se rule against that sort of tying arrangement.

Modern US and EU antitrust law seek to enhance “consumer welfare.”  If the Microsoft case is correct, then a per se rule of the sort in the Regulation quite plausibly reduces consumer welfare.  There may be other reasons to adopt RDP, as discussed in the slides (and I hope in my future writing).  RDP might advance human rights to access.  It might enhance openness more generally on the Internet.  But it quite possibly reduces consumer welfare, and that deserves careful attention.


Cybersecurity Legislation and the Privacy and Civil Liberties Oversight Board

Along with a lot of other privacy folks, I have a lot of concerns about the cybersecurity legislation moving through Congress.  I had an op-ed in The Hill yesterday going through some of the concerns, notably the problems with the overbroad “information sharing” provisions.

Writing the op-ed, though, prompted me to highlight one positive step that should happen in the course of the cybersecurity debate.  The Privacy and Civil Liberties Oversight Board was designed in large part to address information sharing.  This past Wednesday, the Senate Judiciary Committee had the hearing to consider the bipartisan slate of five nominees.

Here’s the point.  The debate on CISPA and other cybersecurity legislation has highlighted all the information sharing that is going on already and that may be going on in the near future.  The PCLOB is the institution designed to oversee problems with information sharing.  So let’s confirm the nominees and get the PCLOB up and running as soon as possible.

The quality of the nominees is very high.  David Medine, nominated to be Chair, helped develop the FTC’s privacy approach in the 1990’s and has worked on privacy compliance since, so he knows what should be done and what is doable.  Jim Dempsey has been at the Center for Democracy and Technology for over 15 years, and is a world-class expert on government, privacy, and civil liberties.  Pat Wald is the former Chief Judge of the DC Circuit.  Her remarkably distinguished career includes major experience on international human rights issues.  I don’t have experience with the other two nominees, but the hearing exposed no red flags for any of them.

The debates about cybersecurity legislation show the centrality of information sharing to how government will respond to cyber-threats.  So we should have the institution in place to make sure that the information sharing is done in a lawful and sensible way, to be effective and also to protect privacy and civil liberties.