Category: Privacy (Consumer Privacy)

Reining in the Data Brokers

I’ve been alarmed by data brokers’ ever-expanding troves of personal information for some time. My book outlines the problem, explaining how misuse of data undermines equal opportunity. I think extant legal approaches–focusing on notice and consent–put too much of a burden on consumers. This NYT opinion piece sketches an alternate approach:

[D]ata miners, brokers and resellers have now taken creepy classification to a whole new level. They have created lists of victims of sexual assault, and lists of people with sexually transmitted diseases. Lists of people who have Alzheimer’s, dementia and AIDS. Lists of the impotent and the depressed.

***

Privacy protections in other areas of the law can and should be extended to cover consumer data. The Health Insurance Portability and Accountability Act, or Hipaa, obliges doctors and hospitals to give patients access to their records. The Fair Credit Reporting Act gives loan and job applicants, among others, a right to access, correct and annotate files maintained by credit reporting agencies.

It is time to modernize these laws by applying them to all companies that peddle sensitive personal information. If the laws cover only a narrow range of entities, they may as well be dead letters. For example, protections in Hipaa don’t govern the “health profiles” that are compiled and traded by data brokers, which can learn a great deal about our health even without access to medical records.

There’s more online, but given the space constraints, I couldn’t go into all the details that the book discloses. I hope everyone enjoys the opinion piece, and that it whets appetites for the book!


Advice on How to Enter the Privacy Profession

Over at LinkedIn, I have a long post with advice for how law students can enter into the privacy profession.   I hope that this post can serve as a useful guide to students who want to pursue careers in privacy.

The privacy law field is growing dramatically, and demand for privacy lawyers is high.  I think that many in the academy who don’t follow privacy law, cyberlaw, or law and technology might not realize what’s going on in the field.  The field is booming.

The International Association of Privacy Professionals (IAPP), the field’s primary association, has been growing by about 30% each year.  It now has more than 17,000 members.  And this is only a subset of privacy professionals, as many privacy officials in healthcare aren’t members of IAPP and instead are members of the American Health Information Management Association (AHIMA) or the Health Care Compliance Association (HCCA).

There remains a bottleneck at the entry point to the field, but that can be overcome.  Once in the club, the opportunities are plentiful and there’s the ability to rise quickly.   I’ve been trying to push for solutions to make entry into the field easier, and this is an ongoing project of mine.

If you have students who are interested in entering the privacy law profession, please share my post with them.  I hope it will help.

Interview on The Black Box Society

Balkinization just published an interview on my forthcoming book, The Black Box Society. Law profs may be interested in our dialogue on methodology—particularly, what the unique role of the legal scholar is in the midst of increasing academic specialization. I’ve tried to surface several strands of inspiration for the book.


Privacy and Data Security Harms


I recently wrote a series of posts on LinkedIn exploring privacy and data security harms.  I thought I’d share them here, so I am re-posting all four of these posts together in one rather long post.

I. PRIVACY AND DATA SECURITY VIOLATIONS: WHAT’S THE HARM?

“It’s just a flesh wound.”

Monty Python and the Holy Grail

Suppose your personal data is lost, stolen, improperly disclosed, or improperly used. Are you harmed?

Suppose a company violates its privacy policy and improperly shares your data with another company. Does this cause a harm?

In most cases, courts say no. This is the case even when a company is acting negligently or recklessly. No harm, no foul.

Strong Arguments on Both Sides

Some argue that courts are ignoring serious harms caused when data is not properly protected and used.

Yet others view the harm as trivial or non-existent. For example, given the vast number of records compromised in data breaches, the odds that any one instance will result in identity theft or fraud are quite low.


Carrie Goldberg: IT’S CLEAR: CREATING AMATEUR PORN WITHOUT A PARTICIPANT’S KNOWLEDGE IS ILLEGAL IN NY

This post is by Carrie Goldberg, who is the founding attorney at C. A. Goldberg, PLLC in Brooklyn, New York, focusing on litigation relating to electronic sexual privacy invasions. She is a volunteer attorney at The Cyber Civil Rights Initiative and its End Revenge Porn campaign.

Earlier this year, the New York City tabloids and “Saturday Night Live” poked fun at a story about a handsome former Wall Street financial advisor who, after being indicted for recording himself having sex without the women’s permission, blamed the taping on his hyper-vigilant “doggie cam.”

Last week the story re-emerged with an interview by two of the three 30-something-year-old victims complaining that they’d been wrongly portrayed by the media and the defendant’s high profile criminal team as jealous stalkers when in reality their energetic efforts to reach him were upon discovery of the videos and centered around begging him to destroy them. The humiliation sustained during the ongoing criminal process, such as being forced to view the sex videos alongside the jurists, is palpable.

Many New Yorkers may be unaware that recording yourself having sex without the other person’s knowledge constitutes a sex crime in the state (NY Penal § 250.45) and also breaches our federal video voyeurism laws (18 USCA § 1801). With the proliferation of smart phones and tablets enabling people to secretly videotape sexual encounters – including apps that allow for stealth recording – this law is increasingly violated. The harm to victims is palpable and real. It’s deeply humiliating to be turned into an object of pornography without consent.

In 2003, then-Governor George E. Pataki signed New York’s unlawful surveillance statute, known as Stephanie’s Law, making it illegal to use a device to secretly record or broadcast a person undressing or having sex when that person has a reasonable expectation of privacy. The statute is named for Stephanie Fuller, whose landlord taped her using a camera hidden in the smoke detector above her bed.


The FTC and the New Common Law of Privacy

I’m pleased to announce that my article with Professor Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014), is now out in print.  You can download the final published version at SSRN.  Here’s the abstract:

One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies’ privacy policies through its authority to police unfair and deceptive trade practices. Despite over fifteen years of FTC enforcement, there is no meaningful body of judicial decisions to show for it. The cases have nearly all resulted in settlement agreements. Nevertheless, companies look to these agreements to guide their privacy practices. Thus, in practice, FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States — more so than nearly any privacy statute or any common law tort.

In this Article, we contend that the FTC’s privacy jurisprudence is functionally equivalent to a body of common law, and we examine it as such. We explore how and why the FTC, and not contract law, came to dominate the enforcement of privacy policies. A common view of the FTC’s privacy jurisprudence is that it is thin, merely focusing on enforcing privacy promises. In contrast, a deeper look at the principles that emerge from FTC privacy “common law” demonstrates that the FTC’s privacy jurisprudence is quite thick. The FTC has codified certain norms and best practices and has developed some baseline privacy protections. Standards have become so specific they resemble rules. We contend that the foundations exist to develop this “common law” into a robust privacy regulatory regime, one that focuses on consumer expectations of privacy, extends far beyond privacy policies, and involves a full suite of substantive rules that exist independently from a company’s privacy representations.


FTC v. Wyndham

The case has been quite long in the making. The opinion has been eagerly anticipated in privacy and data security circles. Fifteen years of regulatory actions have been hanging in the balance. We have waited and waited for the decision, and it has finally arrived.

The case is FTC v. Wyndham, and it is round one to the Federal Trade Commission (FTC).

Some Quick Background

For the past 15 years, the FTC has been one of the leading regulators of data security. It has brought actions against companies that fail to provide common security safeguards on personal data. The FTC has claimed that inadequate data security violates the FTC Act which prohibits “unfair or deceptive acts or practices in or affecting commerce.” In many cases, the FTC has alleged that inadequate data security is deceptive because it contradicts promises made in privacy policies that companies will protect people’s data with “good,” “adequate,” or “reasonable” security measures. And in a number of cases, the FTC has charged that inadequate data security is unfair because it creates actual or likely unavoidable harm to consumers which isn’t outweighed by other benefits.

For more background about the FTC’s privacy and data security enforcement, please see my article with Professor Woodrow Hartzog: The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014). The article has just come out in print, and the final published version can be downloaded for free here.

Thus far, when faced with an FTC data security complaint, companies have settled. But finally one company, Wyndham Worldwide Corporation, challenged the FTC. A duel has been waging in court. The battle has been one of gigantic proportions because so much is at stake: Wyndham has raised fundamental challenges to the FTC’s power to regulate data security under the FTC Act.

The Court’s Opinion and Some Thoughts

1. The FTC’s Unfairness Authority

Wyndham argued that because Congress enacted several data security laws to regulate specific industries (FCRA, GLBA, HIPAA, COPPA), Congress did not intend for the FTC to be able to regulate data security more generally under FTC Act unfairness. The court rejected this argument, holding that “subsequent data-security legislation seems to complement—not preclude—the FTC’s authority.”

This holding seems quite reasonable, as the FTC Act was a very broad grant of authority to the FTC to regulate for consumer protection for most industries.


Differential Pricing and Privacy: Good, Bad, or Otherwise?

The vast and ever increasing collection of information about consumers by search engines, advertisers, data brokers, web merchants, and myriad other online and offline companies raises many concerns. A website that stores (and reads) your emails, records every search you make, knows what addresses you look for on its maps, and holds your documents may know more about you than any other single institution, perhaps even including your family members.

Imagine if your email provider reads your email – or some other data accumulator reads your tweets or social network page – and tells the airlines that you are going to a family funeral across the country. Suddenly, you find that airlines offer you seats only at a very high price. Think that you can hide your identity by searching before you sign in to buy? Doubtful. Web trackers likely know who you are using IP addresses, cookies, or other tricks invisible to most users.

One of the concerns about this data collection is differential or discriminatory pricing. Consumer advocates and others worry that merchants will use personal information to determine how much each individual consumer is willing to pay for something. That consumer then receives an individual price based on that consumer’s interest, need, income, buying patterns, and other factors. The next consumer pays a different price.

What’s the matter when a merchant charges one consumer a different price than another consumer? This is a surprisingly complicated question to answer.

Economists call the gap between what consumers are willing to pay and the market price the consumer surplus. If consumers lived in the economist’s hypothetical world of many buyers, many sellers, and a fair and transparent marketplace, consumers would expect to find prices based on marginal cost of production with lots of consumer surplus. Differential pricing is a merchant’s dream, with each customer paying a price based on willingness to pay rather than a standard price. Differential pricing could end the consumer surplus.

In the offline world, a merchant typically sets a single price for all consumers. The book is $12.99 to anyone who wants to buy it in the book store. Gasoline is $3.25 a gallon no matter how low a car’s gas tank is or how much the car cost.

In reality, things aren’t that simple in the offline world. The bookstore offers consumers a frequent shopper card (sometimes free, sometimes paid) with a discount on all purchases. The consumer with the card pays less than a consumer without one. The gas station offers a discount on Tuesdays because that’s a slow day. The movie theatre offers lower prices early in the day and higher prices in prime time. Many sellers offer a discount to seniors.


Could Revenge Porn Victims Seek Civil Liability Against Hunter Moore?

Suppose that former revenge porn operator Hunter Moore is convicted of federal crimes of conspiracy to engage in computer hacking. Could individuals whose nude photos appeared on his site next to their home addresses and screenshots of their Facebook profiles sue Moore for intentional infliction of emotional distress and public disclosure of private fact? Probably not, but it’s worth exploring the issue.

The closest case law involves civil penalties provided for under federal criminal law. In M.A. v. Village Voice, a federal district court judge found that Backpage.com enjoyed Section 230 immunity for civil penalties under the child trafficking statute, 18 U.S.C. 2255. Section 2255 allows victims of child trafficking to recover damages from those who had committed or profited from the crimes against them. It provides that “[a]ny person who, while a minor, was a victim of a violation of [criminal statutes concerning child trafficking] and who suffers personal injury as a result of such violation may sue” and “recover actual damages such person sustained.” The representatives of a victim of child trafficking argued that Section 230 immunity was inapplicable because Backpage.com had profited from the plaintiff’s victimization in violation of Section 2255. As the court held, however, Section 2255 was a “civil damages” provision of Title 18, not federal criminal law.

The only remaining question is whether Moore materially contributed to the contested content–nude photos and Facebook screen shots. If so, he could be found liable as a co-developer of the content that often was tantamount to cyber stalking. Of course, the question of liability would remain. Just because a site operator does not enjoy immunity from liability does not mean he would be strictly liable for torts of intentional infliction of emotional distress, for instance. The question would be whether he intentionally inflicted emotional distress on particular individuals. Recall that Moore boasted to the press that the more embarrassing and destructive the material, the more money he made. When a reporter told him that revenge porn had driven people to commit suicide, Moore said that he did not want anybody to die, but if it happened, he would be grateful for the publicity and advertising revenue it would generate; “Thank you for the money . . . from all of the traffic, Googling, redirects, and press.” Earlier this year, Moore told Betabeat’s Jessica Roy that he was relaunching his site including not just of people’s Facebook accounts, but their home addresses. “We’re gonna introduce the mapping stuff so you can stalk people,” he told Roy. When talking to Forbes’s Kashmir Hill, Moore backed off his statement, claiming to be drunk, but had tweeted, “I’m putting people’s house info with google earth directions. Life will be amazing.”

More broadly, sites that principally host revenge porn are making a mockery of Section 230. As Citizen Media Law Project’s Sam Bayard explains, a site operator can enjoy the protection of Section 230 while “building a whole business around people saying nasty things about others, and . . . affirmatively choosing not to track user information that would make it possible for an injured person to go after the person directly responsible.” In my book Hate Crimes in Cyberspace, I explore the possibility of Section 230 reform to ensure that the worst actors don’t enjoy immunity. It’s certainly a perverse result that the “Good Samaritan” provision of the Communications Decency Act immunizes from liability sites that solicit and principally host revenge porn and other forms of cyber stalking. More to come in August, when Harvard University Press publishes the book.

 


Some Thoughts on Section 230 and Recent Criminal Arrests

We’ve devoted considerable attention on our blog to Section 230 of the Communications Decency Act, which immunizes online service providers/hosts from liability for user-generated content. Site operators are protected from liability even though they knew (or should have known) that user-generated content contained defamation, privacy invasions, intentional infliction of emotional distress, civil rights violations, and state criminal activity. Providing a safe harbor for ISPs, search engines, and social networks is a good thing. If communication conduits like ISPs did not enjoy Section 230 immunity, they would surely censor much valuable online content to avoid publisher liability. The same is true of search engines that index the vast universe of online content and produce relevant information to users in seconds and, for that matter, social media providers that host millions, and some billions, of users. Without Section 230, search engines like Google and Bing and social media providers like Yelp, Trip Advisor, Facebook, YouTube, and Twitter might not exist. The fear of publisher liability would have inhibited their growth. For that reason, Congress reaffirmed Section 230’s importance in the SPEECH Act of 2010, which requires U.S. courts to apply the First Amendment and Section 230 in assessing foreign defamation judgments.

In the past few months, prosecutors have arrested notorious revenge porn site operators Hunter Moore, Kevin Bollaert, and Casey Meyering. Those arrests have raised the question, what about Section 230? Hunter Moore’s arrest is the least controversial. Although Section 230 immunity is broad sweeping, it isn’t absolute. It exempts from its reach federal criminal law, intellectual property law, and the Electronic Communications Privacy Act. As Section 230(e) provides, the statute has “[n]o effect” on “any [f]ederal criminal statute” and does not “limit or expand any law pertaining to intellectual property.” Federal prosecutors indicted Moore for conspiring to hack into people’s computers in order to steal their nude images. According to the indictment, Moore paid a computer hacker to access women’s password-protected computers and e-mail accounts to steal nude photos for financial gain—profits for his revenge porn site Is Anyone Up. Site operators may be held accountable for violating federal criminal law.

What about revenge porn operators Bollaert and Meyering who are facing state criminal charges? Generally speaking, site operators are not transformed into “information content providers” (who are not immunized from liability) unless they co-developed or co-created the allegedly criminal/tortious content, such as by paying for the illegal content and reselling it or drafting some of the contested content themselves. California Attorney General Kamala Harris’s prosecutions of both Bollaert and Meyering press the question whether Section 230’s immunity extends to sites that effectively engage in extortion by encouraging the posting of sensitive private information and profiting from its removal.

Let’s take Bollaert’s case. It’s based on a similar theory as the case against Meyering, who runs WinbyState, a private revenge porn site with a connected site that charges for the take down of photos. In December 2013, Bollaert, operator of revenge porn site UGotPosted, was indicted for extortion, conspiracy, and identity theft. His site featured the nude photos, Facebook screen shots, and contact information of more than 10,000 individuals. The indictment alleged that Bollaert ran the revenge porn site with a companion takedown site, Change My Reputation. According to the indictment, when Bollaert received complaints from individuals, he would send them e-mails directing them to the takedown site, which charged up to $350 for the removal of photos. Attorney General Harris explained that Bollaert “published intimate photos of unsuspecting victims and turned their public humiliation and betrayal into a commodity with the potential to devastate lives.”

Bollaert will surely challenge the state’s criminal law charges on Section 230 grounds. His strongest argument is that charging for the removal of user-generated photos is not tantamount to co-developing them. Said another way, charging for the removal of content is not the same as paying for, or helping develop, it. That is especially true of the identity theft charges because Bollaert never personally passed himself off as the subjects depicted in the photos. Nonetheless, the state has a strong argument that the extortion charges fall outside Section 230’s immunity because they hinge on what Bollaert himself did and said, not on what his users posted. Only time will tell if that sort of argument will prevail. Even if the California AG’s charges are dismissed on Section 230 grounds, federal prosecutors could charge Bollaert with federal criminal extortion charges. Sites that encourage cyber harassment and charge for its removal (or have a financial arrangement with removal services) are engaging in extortion. At the least, they are actively and knowingly conspiring in a scheme of extortion. Of course, this possibility depends on the enforcement of federal criminal law vis-à-vis cyber stalking, which as we have seen is stymied by social attitudes and insufficient training.