Author Archive for peter-swire
posted by Peter Swire
The draft EU Data Protection Regulation would create a new human and economic right — the Right to Data Portability (RDP). The basic idea of the RDP is that individuals would be able to transfer their electronic information, such as a Facebook friend lists or iTunes music, from Facebook or Apple to a competitor, without hindrance.
The idea of the RDP is very appealing. From a market efficiency perspective, it can address the lock-in problem, the worry that high switching costs will strand consumers with a legacy system that is not as good as a new system. From the human rights perspective, the RDP is proposed as a way to enhance a person’s online identity, to give individuals control over “their” content.
I blogged about my initial concerns with RDP here on Concurring Opinions in April and May. Now, the full law review article is posted on SSRN: http://ssrn.com/abstract=2159157. The full version deepens the antitrust critique from the initial blog posts. It adds a big new section on the RDP as a fundamental/human right under EU law. That privacy discussion explores the risks to an existing EU right to data protection — the right to data security. When an individual’s lifetime of data must be exported “without hindrance,” then one moment of identity fraud can turn into a lifetime breach of personal data. In addition, the article addresses more general issues of interoperability, building on sources including Lotus v. Borland and the recent Interop book by John Palfrey and Urs Gasser.
My basic take is that the RDP is much more appealing as a concept than it is as proposed legislation in the Regulation. I think the RDP will be a Big Deal if enacted — its mandates will apply to any app, consumer software or online service that uses standard formats. Because the Regulation also extends its jurisdiction to any company that sells to EU citizens, the RDP would become a new and significant global software mandate. I think these issues deserve a lot more attention than they have received.
posted by Peter Swire
David Stebenne gave a fascinating talk today about how the personal experiences of Justice Goldberg made him very sensitive to privacy, and led to his strong pro-privacy concurrence in the Griswold case that established a right to privacy for use of contraceptives. David is a legal historian at Ohio State, now has a joint appointment with our law school, and spoke today at a John Marshall Law School conference on the history of privacy from Brandeis to today.
Stebenne has written a biography of Goldberg, and is a master of the historical record. Look at these personal experiences that shaped Justice Goldberg’s views on privacy:
(1) Brandeis and Warren-style press intrusions. Goldberg was the leading lawyer for the Steelworkers Union and the CIO during the 1950s. The unions were subjected to many hostile press articles, often describing (or exaggerating) union corruption. The sorts of press excesses at the center of the Brandeis and Warren privacy article were lived by Goldberg.
(2) Intrusive police surveillance. The Steelworkers and other unions were pervasively wiretapped in the 1950s. In one 1957 board meeting, the leadership reported that there were so many wiretaps on the line that they could barely hear each other talk.
(3) Mistaken FBI files. The FBI opened a file before World War II about a different person named Arthur Goldberg, who had suspected links to the Communist Party. Years later, Goldberg found out that a huge file had been accumulated on him based on this original, mistaken report. He met with the FBI, and had the unusual good fortune to clear the matter up. But he learned personally how invasive and unreliable FBI files could be.
(4) CIA spy and counter-spy. During World War II, Goldberg worked for the OSS, the predecessor of the CIA. For part of that time he was the target of enemy espionage himself. He knew the CIA kept a close eye on his clients in the labor movement, and thus knew more than most about the nature and scale of domestic surveillance by the government.
In short, Goldberg was not a privileged person who knew he had nothing to hide. Instead, he had direct personal experience with the intrusiveness and mistakes that could result from the media, intelligence agencies, and new technologies.
Insight can come from personal experience. Among other lessons from this history, it suggests some virtues of having judges and justices with a wide range of personal experience.
posted by Peter Swire
I just finished David Brin’s “Existence,” his biggest new novel in years. Brin, as some readers know, has won multiple Hugo and Nebula awards for best science fiction writing. He also wrote the 1999 non-fiction book “The Transparent Society: Will Technology Force Us to Choose Between Privacy and Freedom?”. More about that in a bit.
Existence is full of big ideas. A main focus is on the Fermi Paradox, which observes that we would expect to find other forms of life out there among the hundreds of billions of suns, but we haven’t seen evidence of that life yet. If you haven’t ever thought through the Fermi Paradox, I think it is a Genuine Big Question, and well worth contemplating. Fortunately for those who like their science mixed with fiction, Brin weaves fifty or so possible answers to the Fermi Paradox into his 550-page novel. Does climate change kill off other races? Nuclear annihilation? Do aliens upload themselves into computers once they get sophisticated (the “singularity”), so we never detect them across the void? And a lot, lot more.
It took me a little while to get into the book, but I read the last few hundred pages in a rush. I’ve had the pleasure to know Brin for a bunch of years, and find him personally and intellectually engaging. I was pleased to read this, because I think it will intrigue curious minds for a long time as our telescopic views of other planets deepen our puzzlement about the Fermi Paradox.
As for privacy, my own view is that the privacy academics didn’t take his 1999 book seriously enough as an intellectual event. One way to describe Brin’s insight is to say that surveillance in public becomes cheaper and more pervasive over time. For Brin, having “control” over your face, eye blinks, location, etc., etc. becomes futile and often counter-productive once cameras and other sensors are pervasive and searchable. Brin picked up on these themes in his earlier novel, “Earth,” when elderly people used video cameras to film would-be muggers, deterring the attacks. In the new novel, the pervasive use of the 2060 version of Google Glasses means that each person is empowered to see data overlays for any person they meet. (This part is similar to the novel “Rainbow’s End” by Brin’s friend Vernor Vinge.)
Surveillance in public is a big topic these days. I’ve worked with CDT and EFF on USvJones.com, which asked law academics to propose doctrine for surveillance in public. Facial recognition and drones are two of the hot privacy topics of the year, and each is a significant step towards the pervasive sensor world that Brin contemplated in his 1999 book.
So, if you like thinking about Big Ideas in novel form, buy Existence. And, if you would like to retain the Fair Information Principles in a near future of surveillance in public, consider Brin more carefully when you imagine how life will and should be in the coming decades.
posted by Peter Swire
Tonight the U.S. Senate confirmed four of the five nominees for the Privacy and Civil Liberties Oversight Board: Rachel Brand; Elizabeth Cook; Jim Dempsey (of the Center for Democracy and Technology); and Pat Wald (long-time judge on the DC Circuit).
This is good news. The PCLOB has not been up and running for several years, and now it will have a quorum. The importance of having the Board in place has been underscored recently by the Senate’s consideration of the cybersecurity bill. If there is lots of information sharing, then there should be effective oversight of that sharing.
The good news is incomplete, though. The nominee for Chair is David Medine, who is a great nominee. He was voted out of the Judiciary Committee this year, but on a party-line vote. There are no criticisms I have been able to discover of Medine’s qualifications — he was the senior civil servant for years at the FTC on privacy, and he has counseled major global clients at WilmerHale on privacy and security.
The lack of a chair matters. As discussed in my testimony this week in the Senate Homeland Security Committee, the statute allows only the Chairman to hire staff: “The chairman of the Board … shall appoint and fix the compensation of a full-time executive director and such other personnel as may be necessary to enable the Board to carry out its functions.” Clearly, the Board cannot carry out its work as the statute intends if there is no Chairman in place.
The Board can now begin its work. But it needs a Chairman, and it needs staff. The Senate has more work to do on this.
Are Liberals Under-Estimating the Chances that the Catholic Hospitals Will Win Against the Health Care Act?
posted by Peter Swire
(Disclaimer — I decided soon after law school not to focus most of my efforts on the Supreme Court or con law. There are brilliant people who work on it all the time, and I don’t. But I am a law prof who can’t help noticing some things …)
Last week, liberals went through the near-death experience for the Affordable Care Act — far, far, far closer than the confident predictions of most liberals when the law was passed.
This week, I had the chance to speak in depth with an experienced liberal lawyer about the Next Big Constitutional Thing — the Catholic hospital challenges to the ACA’s requirements that contraception and other coverage must be included for the employees of hospitals, universities, and other Catholic institutions that are not themselves part of the Church.
The lawyer confidently predicted that the Catholic hospitals would lose. After all, everyone knows the peyote case — Employment Division v. Smith, where a neutral state anti-drug law trumped a Free Exercise of religion argument that would have allowed an adherent to use peyote. The lawyer said there was no precedent for the Catholic hospitals to win, such a holding would disrupt innumerable neutral state laws, and even Justice Scalia would be bound by his prior writings to find against the Catholic hospitals.
My reaction — “here we go again.” It felt just like the over-confident predictions that the individual mandate inevitably would be upheld. And my friend sounded like other liberals who have scoffed at the claims of the Catholic hospitals.
My instinct — as a realist prediction of the outcome, and not as a statement of my policy choice — is that the Catholic hospitals very possibly will win if the case goes to final judgment in the courts.
First, I don’t think Justice Scalia will find that a law prohibiting peyote (a “good” and long-standing law) is remotely similar to a law requiring the Catholic Church, for the first time in history, to buy an insurance package that pays for contraceptives. He’ll think that the latter is a “bad” law.
Second, the Catholic Church has tens of millions of members in the U.S., and is not the splinter group at issue in the earlier case. In a realist analysis, the views of a tiny church are not the same as those of the largest organized Church in western history.
Third, the views of the Church on contraception are sincere, widely publicized, and long-standing. Although many individual Catholics don’t follow the doctrine on this issue, the institution of the Church is firmly on record on the issue. This is not a pretext to take mind-altering drugs; it is a major doctrinal tenet.
Fourth, many Catholic hospitals are deeply religious institutions. They often have a cross and a Bible in each room. Many nuns and priests work in the hospitals. Providing health care is deeply rooted in the mission of the Church, and has been for many years. In other words, this is not the equivalent of “unrelated business income.” Instead, religion and healing of the sick are thoroughly intertwined.
Fifth, and my apologies for mentioning it, six of the nine Supreme Court justices are Catholic. I am not saying that a Catholic judge will hold for the Church any more than a white judge holds for whites and a black judge holds for blacks. However, the justices will have deep personal knowledge of the healing tradition of Catholic hospitals. They will read the briefs in the context of their personal knowledge. I don’t think they will lightly assume that they are bound by cases with facts that seem to them quite different.
After we went through this list, my liberal friend said that he had adjusted his prediction. He now thought that some of the district court cases, at least, would go for the Church. He then added an extra idea — the case may arise under the Administrative Procedure Act, on whether the HHS rule was properly promulgated and consistent with the statute. His point was that a court may have a “procedural” way to block the rule from mandating that the Catholic hospitals pay for insurance that covered contraceptives. That might be an easier path for a judge to take than overturning Free Exercise case law, if the judge were inclined to stop the rule from taking effect.
Currently, there are over 20 challenges by Catholic hospitals to this provision. Smart lawyers in each case will be trying to define distinctions that will retain the peyote precedent while letting the hospitals win this case. Randy Barnett and others had a huge success with the “action/inaction” distinction about the individual mandate. My realist instincts are that we will see the emergence of clever, new distinctions for the hospital cases.
I think that many liberal con law experts were complacent when the individual mandate was challenged. If they are complacent again about the Catholic hospital cases, then I, for one, will not be surprised to see the current HHS approach struck down.
posted by Peter Swire
I teach in the summer, so I got to ditch my lesson plan for tonight and we spent an hour of class discussing the health care decision. Most of my summer students here in DC work in federal agencies, so they all had interesting takes on what they had seen today.
Here’s what I haven’t seen in the coverage — what would have happened to the entire system of federal reimbursement and health care payments if the entire law had been struck down. (Links welcome if others have covered this.)
The law was enacted in 2010, and billions of dollars have been spent in reliance on the law — systems changed, reimbursements realigned, and on and on.
The dissent clearly stated that they would have ruled null and void all the major and minor provisions in the 900-page bill. No severability.
If they had a fifth vote, what would our health care system have looked like tomorrow morning? The same Congressional gridlock that couldn’t raise the debt ceiling would have been confronted with a truly mind-bending challenge — rebuild the payment system for 17% of the economy. When no one had a draft bill ready. When we were a million miles from consensus. With no offsets to pay for it. During a close election campaign.
How do you think that would have worked out? How much uncertainty would that have caused the economy? What size dip in GDP would that have resulted in over the next couple of quarters?
So, a prediction based on pure speculation. Historians at some point will assess what Roberts was thinking when he became the fifth vote to uphold. Lots of commentators have said that he wanted to maintain the court’s legitimacy and avoid a partisan bloodbath. My prediction — he also wanted to avoid chaos in the health care system and the economy.
posted by Peter Swire
At the recent Security and Human Behavior conference, I got into a conversation that highlighted perhaps my favorite legal book ever, Arthur Leff’s “Swindling and Selling.” Although it is out of print, one measure of its wonderfulness is that used copies sell now for $125. Then, in my class this week on The Ethics of Washington Lawyering (yes, it’s a fun title), I realized that a key insight from Leff’s book applies to two other areas – what is allowed in campaign finance and what counts as extortion in political office.
Swindling/selling. The insight I always remember from Leff is to look at the definition of swindling: “Alice sells something to Bob that Bob thinks has value.” Here is the definition of selling: “Alice sells something to Bob that Bob thinks has value.” See? The exchange is identical – Bob hands Alice money. The difference is sociological (what society values) and economic (can Bob resell the item). But the structure of the transaction is the same.
Bribing/contributing. So here is a bribe: “Alice gives Senator Bob $10,000 and Bob later does things that benefit Alice, such as a tax break.” Here is a campaign contribution: “Alice gives Senator Bob $10,000 and Bob later does things that benefit Alice, such as a tax break.” Again, the structure of the transaction is identical. There are two likely differences: (1) to prove the bribe, the prosecutor has to show that Bob did the later action because of the $10,000; and (2) Alice is probably careful enough to give the money to Bob’s campaign, and not to him personally.
Extorting/taxing. Here is the classic political extortion: “Alice hires Bob, and Bob has to hand back ten percent of his salary to Alice each year.” Here is how it works when a federal or state government hires someone: “Alice hires Bob, and Bob has to hand back ten percent of his salary to Alice each year.” The structure of the transaction is the same – Bob keeps 90% of the salary and gives 10% to Alice. The difference here? Like the previous example, the existence of bureaucracy turns the bad thing (bribing or extorting) into the acceptable thing (contributing/taxing). In the modern government, Alice hires Bob, and Bob sends the payment to the IRS. The 10% does not go to Alice’s personal use, but the payment on Bob’s side may feel much the same.
For each of these, drawing the legal distinction will be really hard because the structure of the transaction is identical for the lawful thing (selling, contributing, taxing) and for the criminal thing (swindling, bribing, extorting). Skeptics can see every transaction as the latter, and there is no objective way to prove that the transaction is actually legitimate.
I am wondering, did people know this already? Are there citations to previous works that explain all of this? Or, perhaps, is this a simple framework for describing things that sheds some light and merits further discussion?
posted by Peter Swire
It’s been a very interesting first day at the Security and Human Behavior 2012 conference, chaired by computer security guru Bruce Schneier.
A number of speakers agreed on a basic description of computer security vulnerabilities: (1) there is a long run-up period where vulnerabilities exist but are not exploited; and (2) an exploit is developed and other attackers adopt it rapidly.
That raises the question — are the hackers (collectively) being efficient? The analogy is to the debate in economics about the Efficient Capital Markets Hypothesis (ECMH). The ECMH essentially says that you cannot expect to get above-normal returns — the market is efficient and you can’t beat the market. (Since the 2008 crash there has been lots of new doubt about the ECMH among mainstream economists.)
The long period of non-attacks at least raises the possibility that there is “inefficiently low investment in hacking.” I use “inefficient” here in a special sense — the market is “inefficient” if there are attack strategies for the hackers that are likely to get a high risk-adjusted return. When there are so many vulnerabilities that are not attacked, the idea is that hackers collectively quite possibly are leaving money on the table.
Of course, a certain level of non-attacks is rational. Suppose you expect to spend $1000 in time and effort to write an attack, and the expected pay-off is only $700. Then we rationally don’t see that attack. But the large number of existing vulnerabilities at least hints that if you spend $1000 then you might expect a big pay-off, such as $5000. After all, the attacks get used a lot once they are publicized, showing a potential pay-off.
I actually wrote about the ECMH and computer security in a 2004 article called “A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?” But it was a short discussion at the end of a piece that people read for other reasons. The computer security folks at the conference today hadn’t worked through the comparison and seemed intrigued — I think it might be a fruitful way to think about vulnerabilities and hacker behavior.
posted by Peter Swire
Yesterday I gave a presentation on “The Right to Data Portability: Privacy and Antitrust Analysis” at a conference at the George Mason Law School. In an earlier post here, I asked whether the proposed EU right to data portability violates antitrust law.
I think the presentation helped sharpen the antitrust concern. The presentation first develops the intuition that consumers should want a right to data portability (RDP), which is proposed in Article 18 of the EU Data Protection Regulation. RDP seems attractive, at least initially, because it might prevent consumers getting locked in to a software platform, and because it advances the existing EU right of access to one’s own data.
Turning to antitrust law, I asked how antitrust law would consider a rule that, say, prohibits an operating system from being integrated with software for a browser. We saw those facts, of course, in the Microsoft case decided by the DC Circuit over a decade ago. Plaintiffs asserted an illegal “tying” arrangement between Windows and IE. The court rejected a per se rule against tying of software, because integration of software can have many benefits and innovation in software relies on developers finding new ways to put things together. The court instead held that the rule of reason applies.
RDP, however, amounts to a per se rule against tying of software. Suppose a social network offers a networking service and integrates that with software that has various features for exporting or not exporting data in various formats. We have the tying product (social network) and the tied product (module for export or not of data). US antitrust law has rejected a per se rule here. The EU proposed regulation essentially adopts a per se rule against that sort of tying arrangement.
Modern US and EU antitrust law seek to enhance “consumer welfare.” If the Microsoft case is correct, then a per se rule of the sort in the Regulation quite plausibly reduces consumer welfare. There may be other reasons to adopt RDP, as discussed in the slides (and I hope in my future writing). RDP might advance human rights to access. It might enhance openness more generally on the Internet. But it quite possibly reduces consumer welfare, and that deserves careful attention.
May 17, 2012 at 3:56 pm Tags: Antitrust, Privacy, right to data portability Posted in: Administrative Law, Antitrust, Cyberlaw, Economic Analysis of Law, Privacy (Consumer Privacy), Web 2.0
posted by Peter Swire
Along with a lot of other privacy folks, I have a lot of concerns about the cybersecurity legislation moving through Congress. I had an op-ed in The Hill yesterday going through some of the concerns, notably the problems with the overbroad “information sharing” provisions.
Writing the op-ed, though, prompted me to highlight one positive step that should happen in the course of the cybersecurity debate. The Privacy and Civil Liberties Oversight Board was designed in large part to address information sharing. This past Wednesday, the Senate Judiciary Committee had the hearing to consider the bipartisan slate of five nominees.
Here’s the point. The debate on CISPA and other cybersecurity legislation has highlighted all the information sharing that is going on already and that may be going on in the near future. The PCLOB is the institution designed to oversee problems with information sharing. So let’s confirm the nominees and get the PCLOB up and running as soon as possible.
The quality of the nominees is very high. David Medine, nominated to be Chair, helped develop the FTC’s privacy approach in the 1990s and has worked on privacy compliance since, so he knows what should be done and what is doable. Jim Dempsey has been at the Center for Democracy and Technology for over 15 years, and is a world-class expert on government, privacy, and civil liberties. Pat Wald is the former Chief Judge of the DC Circuit. Her remarkably distinguished career includes major experience on international human rights issues. I don’t have experience with the other two nominees, but the hearing exposed no red flags for any of them.
The debates about cybersecurity legislation show the centrality of information sharing to how government will respond to cyber-threats. So we should have the institution in place to make sure that the information sharing is done in a lawful and sensible way, to be effective and also to protect privacy and civil liberties.
April 21, 2012 at 5:02 pm Tags: CISPA, civil liberties, cybersecurity Posted in: Administrative Law, Cyber Civil Rights, Cyberlaw, Privacy, Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security)
posted by Peter Swire
On May 16 I am going to speak on a panel on privacy and antitrust at George Mason Law School. Back in 2007, I testified on one issue concerning privacy and antitrust, how privacy can be a non-price aspect of competition. Now I think I’ve found another way the two fields are related, which as far as I can tell has not received any real analysis to date.
Article 18 of the EU draft privacy Regulation sets forth a new Right of Data Portability: “The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject.” In the future, the Commission will specify what electronic formats count as “structured and commonly used,” as well as technical standards for how the data controller shares the data with the individual data subject.
This Right of Data Portability feels similar to Google’s Data Liberation Front, whose “singular goal is to make it easier for users to move their data in and out of Google products.” It is one time that the Google philosophy of open data flows converges with the EU’s support for individuals’ rights over their data.
I’m wondering, though, whether a mandated right of data portability makes any sense in light of antitrust law. I think antitrust scholars would look at this issue as a vertical restraint, with the two markets being, say, a social network service and a property right for the customer to remove data. Similarly, antitrust scholars could see a tying arrangement, where the (popular) social network service is “tied” to the (unpopular) expense to the consumer in removing data.
Modern antitrust analysis, in both Brussels and DC, has become highly suspicious of government intervention concerning tying and other vertical restraints. Quite strong showings of market power are generally needed for the government to intervene, and the Regulation’s Right of Data Portability would exist generally and not based on that kind of showing of market power.
In the utilitarian calculus of U.S. antitrust law, my instinct is that the Right to Data Portability would be seen as welfare-reducing. I think that would be true under European competition law as well.
In response, a supporter of the Right to Data Portability could say that the right here should trump the utility loss. A Data Liberation supporter could emphasize that the proposal advances what I have called “data empowerment” as well as data protection, and so there is an additional rights-based argument to ignore antitrust law.
These are my initial musings. I welcome comments as I prepare for the May panel.
posted by Peter Swire
(Partial disclaimer — I do teach the privacy torts for part of one class, just so the students realize how narrow they are.)
I was talking the other day with Chris Hoofnagle, a co-founder of the Privacy Law Scholars Conference and someone I respect very much. He and I have both recently taught Privacy Law using the text by Dan Solove and Paul Schwartz. After the intro chapter, the text has a humongous chapter 2 about the privacy torts, such as intrusion on seclusion, false light, public revelation of private facts, and so on. Chris and other profs I have spoken with find that the chapter takes weeks to teach.
I skip that chapter entirely. In talking with Chris, I began to articulate why. It has to do with my philosophy of what the modern privacy enterprise is about.
For me, the modern project about information privacy is pervasively about IT systems. There are lots of times we allow personal information to flow. There are lots of times where it’s a bad idea. We build our collection and dissemination systems in highly computerized form, trying to gain the advantages while minimizing the risks. Alan Westin got it right when he called his 1970s book “Databanks in a Free Society.” It’s about the data.
Privacy torts aren’t about the data. They usually are individualized revelations in a one-of-a-kind setting. Importantly, the reasonableness test in tort is a lousy match for whether an IT system is well designed. Torts have not done well at building privacy into IT systems, nor have they been of much use in other IT system issues, such as deciding whether an IT system is unreasonably insecure or suing software manufacturers under products liability law. IT systems are complex and evolve rapidly, and are a terrible match with the common sense of a jury trying to decide if the defendant did some particular thing wrong.
When privacy torts don’t work, we substitute regulatory systems, such as HIPAA or Gramm-Leach-Bliley. To make up for the failures of the intrusion tort, we create the Do Not Call list and telemarketing sales rules that precisely define how much intrusion the marketer can make into our time at home with the family.
A second reason for skipping the privacy torts is that the First Amendment has rendered unconstitutional a wide range of the practices that the privacy torts might otherwise have evolved to address. Lots of intrusive publication about an individual is considered “newsworthy” and thus protected speech. The Europeans have narrower free speech rights, so they have somewhat more room to give legal effect to intrusion and public revelation claims.
It’s about the data. Torts has almost nothing to say about what data should flow in IT systems. So I skip the privacy torts.
Other profs might have other goals. But I expect to keep skipping chapter 2.
April 15, 2012 at 11:55 pm Tags: privacy, privacy teaching, torts, intrusion Posted in: Cyberlaw, First Amendment, Privacy, Privacy (Consumer Privacy), Privacy (Gossip & Shaming), Teaching
posted by Peter Swire
The Maryland General Assembly has just become the first state legislature to vote to ban employers from requiring employees to reveal their Facebook or other social network passwords. Other states are considering similar bills, and Senators Schumer and Blumenthal are pushing the idea in Congress.
As often happens in privacy debates, there are concerns from industry that well-intentioned laws will have dire consequences — Really Dangerous People might get into positions of trust, so we need to permit employers to force their employees to open up their Facebook accounts to their bosses.
Also, as often happens in privacy debates, people breathlessly debate the issue as though it is completely new and unprecedented.
We do have a precedent, however. In 1988, Congress enacted the Employee Polygraph Protection Act (EPPA). The EPPA says that employers don’t get to know everything an employee is thinking. Polygraphs are flat-out banned in almost all employment settings. The law was signed by President Reagan, after Secretary of State George Shultz threatened to resign rather than take one.
The ideas behind the EPPA and the new Maryland bill are similar — employees have a private realm where they can think and be a person, outside of the surveillance of the employer. Imagine a polygraph if your boss asked what you really thought about him/her. Imagine your social networking activities if your boss got to read your private messages and impromptu thoughts.
For private sector employers, the EPPA has quite narrow exceptions, such as for counter-intelligence, armored car personnel, and employees who are suspected of causing economic loss. That list of exceptions can be a useful baseline to consider for social network passwords.
In summary — longstanding and bipartisan support to block this sort of intrusion into employees’ private lives. The social networks themselves support this ban on having employers require the passwords. I think we should, too.
April 11, 2012 at 1:14 pm Tags: Facebook, Maryland, passwords, polygraph Posted in: Administrative Law, Cyber Civil Rights, Cyberlaw, Privacy, Privacy (Consumer Privacy), Social Network Websites
posted by Peter Swire
I strongly agree with the bipartisan consensus in the U.S. that the International Telecommunications Union should not gain new governance powers over the Internet. This coming December, there will be a major ITU conference in Dubai where there have been concerns about significant changes to the underlying ITU treaty.
From talking with people involved in the issue, my sense is that the risk of bad changes has subsided considerably. An administration memorandum from January discusses the progress made in the past year in fending off damaging proposals. Republican FCC Commissioner Robert McDowell recently published an excellent discussion of why those proposals would be bad. (McDowell erred, however, when he gratuitously and incorrectly criticized the administration for not addressing the issue). Civil society writers including Emma Llansó of CDT and Sophia Bekele concur.
In talking recently with one U.S. government official, however, here is one issue concerning the ITU and a possible UN role that has not been well addressed. Many developing countries look to the UN for technical assistance and best practices. These countries are facing a range of legal and policy issues, on topics that have been the subject of legislation in the U.S. and elsewhere: anti-spam, cybersecurity, phishing, domain name trademark disputes, data privacy, etc. If you are working on these issues for Ghana or Sri Lanka or whatever, where do you get that technical assistance about the Internet?
That seems like a good-faith question. Anybody have a good answer?
posted by Peter Swire
Greetings to Concurring Opinion readers. I thank the editors for inviting me to guest blog. I am looking forward to the opportunity to write more informally than I have done for a long time. I am out of the administration, and don’t have to go through the painful process of “clearing” every statement. And I am focusing on researching and writing rather than having clients. So the comments are just my own.
From the latter, I propose “multistakeholder” as the buzzword of the year so far. (“Context” is a close second, which I may discuss another time.) The Department of Commerce has received public comments on what should be done in the privacy multistakeholder process. (My own comment focused on the importance of defining “de-identified” information.)
Separately, the administration has been emphasizing the importance of multistakeholder processes for Internet governance, such as in a speech by Larry Strickling, Administrator of the National Telecommunications and Information Administration.
Here’s a try at making sense of this buzzword. On the privacy side, my view is that “multistakeholder” is mostly a substitute for the old term “self regulation.” Self regulation was the organizing theme when the U.S. negotiated the Safe Harbor agreement with the EU in 2000 for privacy. Barbara Wellbery (who lamentably is no longer with us) used “self regulation” repeatedly to explain the U.S. approach. The term accurately describes the legal regime under Section 5 of the FTC Act – an entity (all by itself) makes a promise, and then it’s legally enforceable by others. As I have written since the mid-1990’s, this self regulatory approach can be better than other approaches, depending on the context.
The term “self regulation”, however, has taken on a bad odor. Many European regulators consider “self regulation” as the theme of the Safe Harbor, which they consider weaker than it should have been. Many privacy advocates have also justifiably said that the term puts too much emphasis on the “self”, the company that decides what promises to make.
Enter stage left with the new term, “multistakeholder.” The term directly addresses the advocates’ issue. Advocates should be in the room, along with regulators, entities from affected industries, and perhaps a lot of other stakeholders. It’s not “self regulation” by a “selfish” company. It is instead a process that includes the range of players whose interests should be considered.
I am comfortable with the new term “multistakeholder” for the old “self regulation.” The two are different in the way that the new term includes more of those affected. They are the same, however, because they stand in contrast to top-down regulation by the government. Depending on the facts, multistakeholder may be better, or worse, than the government alternative.
Shifting to Internet governance, “multistakeholder” is a term that resonates with the bottom-up processes that led to the spectacular flowering of the Internet. Examples include organizations such as the Internet Engineering Task Force and the World Wide Web Consortium. Somehow, almost miraculously, the Web grew in twenty years from a tiny community to one numbering in the billions.
The term “multi-stakeholder” is featured in the important OECD Council Recommendation On Principles for Internet Policy Making, garnering 13 mentions in 10 pages. As I hope to discuss in a future blog post, this bottom-up process contrasts sharply with efforts, led by countries including Russia and China, to have the International Telecommunications Union play a major role in Internet governance. Emma Llansó at CDT has explained what is at stake. I am extremely skeptical about an expanded ITU role.
So, administration support for “multi stakeholder process” in both privacy and Internet governance. Similar in hoping that bottom-up beats top-down regulation. Different, I suspect, in how well the bottom-up has done historically. The IETF and the W3C have quite likely earned a grade in the A range for what they have achieved in Internet governance. I doubt that many people would give an A overall to industry self-regulation in the privacy area.
Reason to be cautious. The same word can work differently in different settings.