
Category: Privacy (ID Theft)


Big Data Brokers as Fiduciaries

In a piece entitled “You for Sale,” Sunday’s New York Times raised important concerns about the data broker industry.  Let us add some more perils and seek to reframe the debate about how to regulate Big Data.

Data brokers like Acxiom (and countless others) collect and mine a mind-boggling array of data about us, including Social Security numbers, property records, public-health data, criminal justice sources, car rentals, credit reports, postal and shipping records, utility bills, gaming, insurance claims, divorce records, online musings, browsing habits culled by behavioral advertisers, and the gold mine of drug- and food-store records.  They scrape our social network activity, which with a little mining can reveal our undisclosed sexual preferences, religious affiliations, political views, and other sensitive information.  They may integrate video footage of our offline shopping.  With the help of facial-recognition software, data mining algorithms factor into our dossiers the over-the-counter medicines we pick up, the books we browse, and the pesticides we contemplate buying for our backyards.  Our social media influence scores may make their way into the mix.  Companies, such as Klout, measure our social media influence, usually on a scale from one to 100.  They use variables like the number of our social media followers, frequency of updates, and number of likes, retweets, and shares.  What’s being tracked and analyzed about our online and offline behavior is accelerating – with no sign of slowing down and no assured way to find out.

As the Times piece notes, businesses buy data-broker dossiers to classify those consumers worth pursuing and those worth ignoring (so-called “waste”).  More often those already in an advantaged position get better deals and gifts while the less advantaged get nothing.  The Times piece rightly raised concerns about the growing inequality that such use of Big Data produces.  But far more is at stake.

Government is a major client for data brokers.  More than 70 fusion centers mine data-broker dossiers to detect crimes, “threats,” and “hazards.”  Individuals are routinely flagged as “threats.”  Such classifications make their way into the “information-sharing environment,” with access provided to local, state, and federal agencies as well as private-sector partners.  Troublingly, data-broker dossiers have no quality assurance.  They may include incomplete, misleading, and false data.  Let’s suppose a data broker has amassed a profile on Leslie McCann.  Social media scraped, information compiled, and videos scanned about “Leslie McCann” might include information about jazz artist “Les McCann” as well as information about a criminal with a similar name and age.  Inaccurate Big Data has led to individuals’ erroneous inclusion on watch lists, denial of immigration applications, and loss of public benefits.


Facebook Subpoenas, Open Court Records, Here We Go Again

The Boston Phoenix has an article about what Facebook coughs up when a subpoena is sent to the company. The paper came across the material as it worked on an article called Hunting the Craigslist Killer. The issues that come to mind for me are

1. Privacy after death? In my article Property, Persona, and Preservation which uses the question of who owns email after death, I argue that privacy after death isn’t tenable. The release of information after someone dies (the man committed suicide), (From ZDNET “The man committed suicide, which meant the police didn’t care if the Facebook document was published elsewhere, after robbing two women and murdering a third.”) brings up a question Dan Solove and I have debated. What about those connected to the dead person? The facts here matter.

2. What are reasons to redact or not release information? Key facts about redaction and public records complicate the question of death and privacy. I’m assuming the person has no privacy after death. But his or her papers may reveal information about those connected to the dead person. In this case the police did not redact, but the paper did. Sort of.

This document was publicly released by Boston Police as part of the case file. In other case documents, the police have clearly redacted sensitive information. And while the police were evidently comfortable releasing Markoff’s unredacted Facebook subpoena, we weren’t. Markoff may be dead, but the very-much-alive friends in his friend list were not subpoenaed, and yet their full names and Facebook ID’s were part of the document. So we took the additional step of redacting as much identifying information as we could — knowing that any redaction we performed would be imperfect, but believing that there’s a strong argument for distributing this, not only for its value in illustrating the Markoff case, but as a rare window into the shadowy process by which Facebook deals with law enforcement.

As the comments noted and the explanation admits, the IDs and other information of the living are arguably in greater need of protection. It may have been that the police needed all the information for its case, but why release it to the public?

Obvious Closing: As we put more into the world, it will come back in ways we had not imagined. I doubt that bright line rules will ever work in this space. But it seems to me that some sort of best practices informed by research (think Lior Strahilevitz’s A Social Networks Theory of Privacy) could allow for reasonable, useful privacy practices. The hardest part for law and society in general is that this area (information-related law) is not likely to be stable for some time. That being said, I think that the insane early domain name law (yes someone could think that megacorpsucks.com is sponsored by megacorp) corrected in about 10 years. Perhaps privacy and information practices will reach an equilibrium that allows the law to stabilize. Until then, practices, businesses, science, and the law will twirl around each other as society sorts what balance makes sense (until something messes with that moment).

HT: CyberNetwork News


Dockets and Data Breach Litigation

Alessandro Acquisti, Sasha Romanosky, and I have a new draft up on SSRN, Empirical Analysis of Data Breach Litigation.  Sasha, who’s really led the charge on this paper, has presented it at many venues, but this draft is much improved (and is the first public version).  From the abstract:

In recent years, a large number of data breaches have resulted in lawsuits in which individuals seek redress for alleged harm resulting from an organization losing or compromising their personal information. Currently, however, very little is known about those lawsuits. Which types of breaches are litigated, which are not? Which lawsuits settle, or are dismissed? Using a unique database of manually-collected lawsuits from PACER, we analyze the court dockets of over 230 federal data breach lawsuits from 2000 to 2010. We use binary outcome regressions to investigate two research questions: Which data breaches are being litigated in federal court? Which data breach lawsuits are settling? Our results suggest that the odds of a firm being sued in federal court are 3.5 times greater when individuals suffer financial harm, but over 6 times lower when the firm provides free credit monitoring following the breach. We also find that defendants settle 30% more often when plaintiffs allege financial loss from a data breach, or when faced with a certified class action suit. While the compromise of financial information appears to lead to more federal litigation, it does not seem to increase a plaintiff’s chance of a settlement. Instead, compromise of medical information is more strongly correlated with settlement.

A few thoughts follow after the jump.



The Year in Privacy Books 2011

Here’s a list of notable privacy books published in 2011.

Previous lists:

Privacy Books 2010

Privacy Books 2009

Privacy Books 2008

 

Saul Levmore & Martha Nussbaum, eds., The Offensive Internet (Harvard 2011)

 

This is a great collection of essays about the clash of free speech and privacy online.  I have a book chapter in this volume along with Martha Nussbaum, Cass Sunstein, Brian Leiter, Danielle Citron, Frank Pasquale, Geoffrey Stone, and many others.

Daniel J. Solove, Nothing to Hide: The False Tradeoff Between Privacy and Security (Yale 2011)

 

Nothing to Hide “succinctly and persuasively debunks the arguments that have contributed to privacy’s demise, including the canard that if you have nothing to hide, you have nothing to fear from surveillance. Privacy, he reminds us, is an essential aspect of human existence, and of a healthy liberal democracy—a right that protects the innocent, not just the guilty.” — David Cole, New York Review of Books

Jeff Jarvis, Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live (Simon & Schuster 2011)

 

I strongly disagree with a lot of what Jarvis says, but the book is certainly provocative and engaging.

Daniel J. Solove & Paul M. Schwartz, Privacy Law Fundamentals (IAPP 2011)

 

“A key resource for busy professional practitioners. Solove and Schwartz have succeeded in distilling the fundamentals of privacy law in a manner accessible to a broad audience.” – Jules Polonetsky, Future of Privacy Forum

Eli Pariser, The Filter Bubble (Penguin 2011)

 

An interesting critique of the personalization of the Internet.  We often don’t see the Internet directly, but through tinted goggles designed by others who determine what we want to see. 

Siva Vaidhyanathan, The Googlization of Everything (U. California 2011)

 

A vigorous critique of Google and other companies that shape the Internet.  With regard to privacy, Vaidhyanathan explains how social media and other companies encourage people’s sharing of information through their architecture — and often confound people in their ability to control their reputation.

Susan Landau, Surveillance or Security? The Risk Posed by New Wiretapping Technologies (MIT 2011)

 

A compelling argument for how designing technologies around surveillance capabilities will undermine rather than promote security.

 


Kevin Mitnick, Ghost in the Wires (Little Brown 2011)

 

A fascinating account of the exploits of Kevin Mitnick, the famous ex-hacker who inspired War Games.  His tales are quite engaging, and he demonstrates that hacking is often not just about technical wizardry but old-fashioned con-artistry.

Matt Ivester, lol . . . OMG! (CreateSpace 2011)

 

Ivester created Juicy Campus, the notorious college gossip website.  After the site’s demise, Ivester changed his views about online gossip, recognizing the problems with Juicy Campus and the harms it caused.  In this book, he offers thoughtful advice for students about what they post online.

Joseph Epstein, Gossip: The Untrivial Pursuit (Houghton Mifflin Harcourt 2011)

 

A short engaging book that is filled with interesting stories and quotes about gossip.  Highly literate, this book aims to expose gossip’s bad and good sides, and how new media are transforming gossip in troublesome ways.

Anita Allen, Unpopular Privacy (Oxford 2011)

 

My blurb: “We live in a world of increasing exposure, and privacy is increasingly imperiled by the torrent of information being released online. In this powerful book, Anita Allen examines when the law should mandate privacy and when it shouldn’t. With nuance and thoughtfulness, Allen bravely tackles some of the toughest questions about privacy law — those involving the appropriate level of legal paternalism. Unpopular Privacy is lively, engaging, and provocative. It is filled with vivid examples, complex and fascinating issues, and thought-provoking ideas.”

Frederick Lane, Cybertraps for the Young (NTI Upstream 2011)

 

A great overview of the various problems the Internet poses for children such as cyberbullying and sexting.  This book is a very accessible overview for parents.

Clare Sullivan, Digital Identity (University of Adelaide Press 2011)

 

Australian scholar Clare Sullivan explores the rise of “digital identity,” which is used for engaging in various transactions.  Instead of arguing against systematized identification, she sees the future as heading inevitably in that direction and proposes a robust set of rights individuals should have over such identities.  This is a thoughtful and pragmatic book, with a great discussion of Australian, UK, and EU law.


New Edition of Information Privacy Law Casebooks

The new edition of my casebook, Information Privacy Law (4th edition) (with Paul M. Schwartz) is hot off the presses.  And there’s a new edition of my casebook, Privacy, Information, and Technology (3rd edition) (with Paul M. Schwartz).   Copies should be sent out to adopters very soon.  If you’re interested in adopting the book and are having any difficulties getting a hold of a copy, please let me know.

You also might be interested in my concise guide to privacy law, also with Paul Schwartz, entitled Privacy Law Fundamentals.   This short book was published earlier this year.  You can order it on Amazon or via IAPP.  It might make for a useful reference tool for students.

 


New Privacy Law Reference Book: Privacy Law Fundamentals

Professor Paul Schwartz (Berkeley School of Law) and I recently published a new book, PRIVACY LAW FUNDAMENTALS.  This book is a distilled guide to the essential elements of U.S. data privacy law. In an easily-digestible format, the book covers core concepts, key laws, and leading cases.

The book explains the major provisions of all of the major privacy statutes, regulations, cases, including state privacy laws and FTC enforcement actions. It provides numerous charts and tables summarizing the privacy statutes (i.e. statutes with private rights of action, preemption, and liquidated damages, among other things). Topics covered include: the media, domestic law enforcement, national security, government records, health and genetic data, financial information, consumer data and business records, government access to private sector records, data security law, school privacy, employment privacy, and international privacy law.

This book provides a concise yet comprehensive overview of the field of privacy law for those who do not want to labor through lengthy treatises.  Paul and I worked hard to keep it under 200 pages — our goal was to include a lot of information yet do so as succinctly as possible.   PRIVACY LAW FUNDAMENTALS is written for those who want a handy reference, a bird’s eye view of the field, or a primer for courses in privacy law.

We wrote this book to be a useful reference for practitioners — ideally, a book they’d keep at the corner of their desks or in their briefcases.

We also think it can serve as a useful study aid for students taking privacy law courses.

You can check it out here, where you can download the table of contents.


Economic Analysis of Tort Law, Why Bother?

In previous posts (here and here), I suggested that analytical modeling can be useful to better understand data breaches, information disclosure laws and the costs to both companies and individuals because of these laws. I’d like to now expand on those ideas.

To be clear, there are many kinds of models and modeling approaches but what I’m interested in is the economic analysis of tort law. For those not aware, this approach is concerned with the cost of accidents to an injurer and a victim and it analyzes how various policy rules (typically regulation or liability) can minimize the sum of those costs.

The way I’ve come to interpret and apply models (e.g. mathematical equations) is to illustrate how agents’ incentives change under different policy interventions. For example, if companies are forced to notify consumers of a data breach, will they be induced to spend more or less money protecting consumer data? Will individuals take more or less care once notified? Will these actions together increase or decrease overall social costs?



Evolution of Privacy Breach Litigation?

In addition to empirical work on data breaches and breach disclosure laws, I’ve also become very interested in data breach litigation. While plaintiffs have seen very little success with legal actions brought against companies that suffer data breaches, I still believe there is some very interesting empirical work that can be done regarding these lawsuits.

In a recent post, Daniel Solove cited a paper by Andrew Serwin (found here) who described in great detail the legal theories and statutes that plaintiffs use when bringing legal actions against companies that suffer data breaches. It isn’t my purpose to repeat that work, but rather to identify an interesting pattern that appears to have emerged over the past 5 to 10 years of privacy breach litigation. Special thanks to Paul Bond of Reed Smith LLP who first brought this to my attention.

Category 1: You lost my data, now I will sue you.
This first category could be characterized by what is classically considered a data breach: plaintiffs suing a company simply because their personally identifiable information (PII) was lost, stolen, or improperly disposed. For example, Choicepoint, TJX, Hannaford, Heartland, etc. Plaintiffs claim that this disclosure of data has harmed, or will harm them, and that they are justified in seeking relief for actual fraud losses, monitoring costs, future expected loss, or emotional distress. Plaintiffs bring these actions under many kinds of tort and contract theories, but generally lose because they’re unable to prove a harm that’s legally recognized (as we discuss further below). The defining characteristic of this category is that the burden lies with the alleged victims to show they were harmed in a legally meaningful way.



Three Policy Interventions for Reducing Privacy Harms

Thanks so much to Danielle and Concurring Opinions for inviting me to blog. This is an exciting opportunity and I look forward to sharing my thoughts with you. Hopefully you will find these posts interesting.

There are many policy interventions that legislators can impose to reduce harms caused by one party to another. Two that are very often compared are safety regulations (mandated standards) and liability. They lend themselves well to comparison because they’re generally employed on either side of some harmful event (e.g. data breach or toxic spill): ex ante regulations are applied before the harm, and ex post liability is applied after the harm.

A third approach, one that we might consider ‘sitting between’ regulation and liability, is information disclosure (e.g. data breach disclosure (security breach notification) laws). I’d like to take a few paragraphs to compare these alternatives in regards to data breaches and privacy harms.

Three Interventions

 



The Year in Privacy Books 2010

Here’s a list of notable privacy books published in 2010.

Previous lists:

Privacy Books 2009

Privacy Books 2008

This list contains a few books published late in 2009 that I missed on the 2009 list.

Adam D. Moore, Privacy Rights: Moral and Legal Foundations (Penn. St. U. Press 2010)


My blurb: “Privacy Rights is a lucid and compelling examination of the right to privacy.  Adam Moore provides a theoretically rich and trenchant account of how to reconcile privacy with competing interests such as free speech, workplace productivity, and security.”

Cass Sunstein, On Rumors (Farrar, Straus and Giroux 2009)


A very short essay on the damage wrought by false online rumors and a discussion of how and why such rumors spiral out of control, such as the phenomena of social cascades and group polarization.  The book is worth reading, but quite short for a book (only 88 pages of primary text, in a very tiny book the size of a paperback).

Stewart Baker, Skating on Stilts: Why We Aren’t Stopping Tomorrow’s Terrorism (Hoover Institution Press 2010)


A provocative argument for stronger security protections and a vigorous attack on privacy.  The arguments against privacy are often glib and dismissive, but the book is worth reading for Baker’s extensive personal experience dealing with the issues.


Christena Nippert-Eng, Islands of Privacy (U. Chicago 2010)


A fascinating sociological account of people’s attitudes toward privacy and their behaviors with regards to preserving their privacy.  It contains numerous interviews, quoted copiously, of people in their own voices discussing how they conceal their secrets.  Engaging and compelling reading.


Hal Niedzviecki, The Peep Diaries: How We’re Learning to Love Watching Ourselves and Our Neighbors (City Lights Press 2009)


This book is an extended essay on self-exposure online.  It is filled with many interesting anecdotes.  The book has a journalistic style and raises observations and questions more than it proposes solutions or policies.  The “notes” at the end consist only of a brief bibliography for each chapter, and there are no indications of which facts in the book came from which particular sources — a pet peeve of mine.

Bill Bryson, At Home: A Short History of Private Life (Doubleday 2010)


An extensive history of the home, which as I’ve explored in some of my own writings, plays an important role in the history of privacy.  Bryson’s narrative reads well, but he only supplies a bibliography at the end — no endnotes or indications of the sources of particular facts and details.  I find this practice to be quite problematic for a work of history.

Shane Harris, The Watchers: The Rise of America’s Surveillance State (Penguin 2010)


An engaging narrative that chronicles the surveillance and security measures the United States undertook after 9/11.  Filled with interesting facts, the book reads like a story.

Robin D. Barnes, Outrageous Invasions: Celebrities’ Private Lives, Media, and the Law (Oxford 2010)


There are some very interesting parts of this book, but it at times seems like a grab bag of topics relating to celebrities and its central argument could use more development.  Nevertheless, it is worth reading because it discusses some interesting cases and explores comparative legal perspectives on the issues.


David Kirkpatrick, The Facebook Effect (Simon & Schuster 2010)


A fascinating account of the rise of Facebook.  There are times when Kirkpatrick seems too sympathetic to Mark Zuckerberg and Facebook, but overall, this book is illuminating and engaging.

Viktor Mayer-Schonberger, Delete: The Virtue of Forgetting in the Digital Age (Princeton 2009)


An interesting discussion of the “right to be forgotten.”  Some of the ground in this book appears to be already well-trodden, but Mayer-Schonberger’s keen insights on data retention and destruction make it a worthy addition to the literature.