Monthly Archives: May 2013

Paul Ohm, The Probability of Privacy

Comment by: Michael Froomkin

PLSC 2009

Workshop draft abstract:

Data collectors and aggregators defend themselves against claims that they are invading privacy by invoking a verb of relatively recent vintage—“to anonymize.” By anonymizing the data—by removing or replacing all of the names or other personal identifiers—they argue that they are negating the risk of any privacy harm. Thus, Google anonymizes data in its search query database after nine months; proxy email and web browsing services promise Internet anonymity; and network researchers trade sensitive data only after anonymizing them first.

Recently, two splashy news stories revealed that anonymization is not all it is cracked up to be. First, America Online released twenty million search queries from 650,000 users. Next, Netflix released a database containing 100 Million movie ratings from nearly 500,000 users. In both cases, the personal identifiers in the databases were anonymized, and in both cases, researchers were able to “deanonymize” or “reidentify” at least some of the people in the database.

Even before these results, computer scientists had begun to theorize deanonymization. According to this research, none of which has yet been rigorously imported into legal scholarship, the utility and anonymity of data are linked. The only way to anonymize a database perfectly is to strip all of the information from it; any database which is useful is also imperfectly anonymous; and the more useful a database is, the easier it is to reidentify the personal information in it.

This Article takes a comprehensive look at both claims of anonymization and theories of reidentification, weaving them into law and policy. It compares online and data privacy with anonymization standards and practices in health policy, where these issues have been grappled with for decades.

The Article concludes that claims of anonymization should be viewed with great suspicion. Data is never “anonymized,” and it is better to speak of “the probability of privacy” of different practices. Finally, the Article surveys research into how to reduce the risk of reidentification, and it incorporates this research into a set of prescriptions for various data privacy laws.

Erin Murphy, Relative Doubt: Partial Match or “Familial” Searches of DNA Databases

Comment by: Peter Winn

PLSC 2009

Published version available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1498807

Workshop draft abstract:

This paper sets forth an architecture for considering the relevant legal standards for familial searches. Familial searches are searches of a DNA database, using a crime-scene sample profile, that look not for a complete match but rather for partial matches. Using principles of heritability, such partial matches may allow investigators to identify relatives of the perpetrator in cases in which the perpetrator herself is not in the database. California recently adopted governing rules for conducting familial searches, and many states and the federal government are contemplating following suit. This article is a collaboration with Dr. Yun Song (Statistics and Computer Science) and Dr. Montgomery Slatkin (Integrative Biology), both of UC Berkeley, who have calculated a formula for determining the likely results (in terms of number of hits) for various partial match searches. Currently, there is very little legal literature about familial searching (as it is a relatively new idea), and there is virtually no statistical work contemplating the number of profiles likely returned by various levels of searches. Moreover, in the rush to embrace “familial searching,” legal actors overlook the probabilistic sensitivity of various approaches. Dr. Song’s formulas provide a springboard from which to examine important legal questions, such as how close a match ought to be to justify: brief detention (reasonable articulable suspicion); a search warrant or an arrest warrant (probable cause); or perhaps even a subpoena for an evidentiary sample (relevance).

Deirdre Mulligan & Ken Bamberger, From Privacy on the Books to Privacy on the Ground: the Evolution of a New American Metric

Comment by: Jeff Sovern

PLSC 2009

Published version available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1568385

Workshop draft abstract:

The sufficiency of U.S. information privacy law is the subject of heated debate. A majority of privacy scholars and advocates contend that the existing patchwork of U.S. regulation fails to ensure across-the-board conformity with the standard measure of privacy protection: the Fair Information Practice Principles (FIPPS) first articulated in the early 1970s. U.S. law, they argue, further falls far short of the EU’s omnibus privacy regime, thereby failing to protect against a variety of privacy-based harms. A smaller group of scholars similarly fault the U.S. for latching onto a watered-down version of FIPPS that emphasizes the procedural requirements of notice and individual choice to the exclusion of a substantive consideration of the harms and benefits to society as a whole that result from flows of personal information, and in the process creating bureaucracy in lieu of privacy protection.

These critiques’ positive claims regarding U.S. law’s departure from FIPPS are largely true. Yet, we argue, these debates generate far more heat than light as to the question of what laws provide meaningful privacy protection. The emphasis on measuring U.S. privacy protection by the FIPPS metric simply misses the mark: focusing on a largely procedural standard offers limited utility in guiding corporate decisionmaking to protect privacy. It thus ignores important shifts in the conception of privacy—and therefore, perhaps, how the success of its protection should be assessed—in the United States.

This paper—the first in a series drawing on a qualitative empirical study of privacy practices in U.S. corporations—argues instead that FIPPS no longer represents either the exclusive goal of U.S. privacy policy or the sole metric appropriate for assessing privacy protection.  By contrast, this article demonstrates that U.S. information privacy policy over the last decade, as understood by both regulators and those firms implementing privacy measures through regulatory compliance, evidences a second—and very “American”—definition of informational privacy.  As demonstrated both by the institutional choices regarding privacy regulation and by qualitative data regarding corporate privacy practices, informational privacy protection in the U.S. today is rooted, not in fair notice and process, but in substantive notions of consumer expectations and consumer harm.  The corporate practices resulting from the “expectations and harm” definition of privacy, in turn, often offer the promise of far greater substantive privacy protection than any FIPPS regime could provide.

This initial effort to inquire as to how the form and oversight structure of information privacy law influences its implementation and effect illustrates the value of “holistic evaluation(s) of privacy protection systems” recommended by Charles Raab.  Looking at rights and obligations on paper is insufficient to guide policy: better privacy protection requires analysis of how law works in the wild.

Jon Mills, The New Global Press and Privacy Intrusions: The Two Edged Sword

Comment by: Eddan Katz

PLSC 2009

Workshop draft abstract:

The free press is a critical global value.  At the same time, the press continually intrudes on another critical global value, individual privacy.  How should these values be balanced in a complex global society?

First, what is the modern press?  “Nontraditional” reporters are publishing news everyday worldwide.  Should free press protections extend to all of these individuals?  Moreover, modern technology has given this new press a multitude of new ways to collect information and the ability to disseminate that information worldwide.

Advancing, or balancing, the values of free press and privacy requires understanding that privacy invasions occur across borders and legal jurisdictions with inconsistent laws. The global context is complicated and contradictory. A matrix of international and national law, treaties, state law, codes, and regulations is the background for borderless press and global intrusions. Countries vary greatly in their treatment of privacy, especially in how they address privacy violations committed by the media. One example of a decision affecting global media was an Argentinean court order that required Yahoo to censor its search results for the former soccer star Diego Maradona. Finding the court’s language to be broad, Yahoo decided to remove all search results for Maradona. How many courts would have reached the same decision? Some forums are more favorable to privacy and some more favorable to free press. Understanding the nature of the modern global press and the hodgepodge of global laws is a necessary predicate to articulating principles to balance these vital values.

Jacqueline Lipton, “We, the Paparazzi”: Developing a Privacy Paradigm for Digital Video

Comment by: Patricia Sanchez Abril

PLSC 2009

Published version available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1367314

Workshop draft abstract:

Digital-age privacy law focuses mostly on text files containing personal data. Little attention has been paid to privacy interests in video files that may portray individuals in an unflattering or embarrassing light. As digital video technology, including inexpensive cellphone cameras, is now becoming widespread in the hands of the public, this focus needs to shift. Once a small percentage of online content, digital video is now appearing online at an exponential rate. This is largely due to the growth of online social networking services such as YouTube, MySpace, Flickr, and Facebook.

The sharing of video online has become a global phenomenon.  At the same time, the lack of effective privacy protection for these images has become a global problem.  Digital video poses four distinct problems for privacy arising from:  de-contextualization, dissemination, aggregation, and permanency of online video information.  While video shares some of these attributes with text-based records, this article argues that the unique qualities of video and multi-media files necessitate a place of their own in online privacy discourse.  This article both identifies a rationale for, and critiques potential approaches to, digital video privacy.  It suggests that legal regulation, without more, is unlikely to provide the solutions we need to protect privacy in digital video.  Instead, it advocates a new, more nuanced multi-modal regulatory approach consisting of a matrix of legal rules, social norms, system architecture, market forces, public education, and non-profit institutions.

Jerry Kang, Self-Analytic Privacy

Comment by: Susan Freiwald

PLSC 2009

Published version available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1729332

Workshop draft abstract:

Recent technological innovations present a new problem in the information privacy space: the privacy of self-analytics. By “self-analytics,” we mean the collection and processing of data by an individual about that individual in order to increase her self-knowledge for diagnostics, self-improvement, and self-awareness. Think Google Analytics, but as applied to the self and not to one’s website. In this Article, we describe this new problem space and engage in a transdisciplinary analysis, focusing on the case study of locational traces.

In undertaking this analysis, we are mindful of what has become the standard script for privacy analyses in the law reviews: (i) identify some new threatening technology; (ii) trot out a parade of horribles; (iii) explain why the “market” has not already solved the problem; (iv) recommend some changes in code and law that accord with the author’s values. This script is standard for sensible reasons, but we aim to go farther.

In particular, we make two theoretical contributions. In addition to defining a new category of personal data called “self-analytics,” we distinguish between micro and macro definitions of privacy: the former focused on individual choice regarding, or consent to, personal data processing, and the latter using instead a system-wide measure of the “speed” of personal data flow. The macro “system-speed” definition is offered to supplement, not replace, the traditional micro “individual-control” definition. Still, this supplemental conception of information privacy has substantial consequences. Indeed, we go so far as to suggest that the nearly exclusively micro approach to privacy has been a fundamental privacy error.

In addition to the theoretical interventions, we aim to be concrete in our recommendations. In particular, we provide the design specifications, both technical and legal, of a new intermediary called the “data vault,” which we believe is best suited to solve the privacy problem of self-analytics. As we make this case, we hope to exhibit the value of a genuinely transdisciplinary engagement across law, engineering, computer science, and technology studies when focusing on solving a concrete problem.

Woodrow Hartzog, A Promissory Estoppel Theory for Confidential Disclosure in Online Communities

Comment by: Allyson Haynes

PLSC 2009

Published version available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1473561

Workshop draft abstract:

Revised Abstract: Is there any safe place to disclose personal information online? Traditional wisdom dictates that individuals do not have a legitimate expectation of privacy in information posted online. Nevertheless, Internet users often disclose sensitive information. The need for confidential disclosure is nowhere more apparent than in online communities, particularly for community members seeking support. Yet traditional legal remedies for privacy violations, such as the disclosure tort and intentional infliction of emotional distress, have been generally ineffective in protecting self-disclosed information. This article proposes an alternative theory of protection and recovery for online community members based on an application of the equitable doctrine of promissory estoppel. In order to ensure mutual accountability, community members could promise to keep other members’ information confidential through a website’s terms of use agreement. Under the third-party beneficiary doctrine or the concept of dual agency, these agreements could create a safe place to disclose information due to the mutual availability of promissory estoppel. While this remedy will not serve as a panacea for privacy harms online, it could serve to protect some of the privacy interests of online community members while also promoting speech through the promise of confidentiality.

Stephen Henderson, Government Access to Private Records

Comment by: Chris Slobogin

PLSC 2009

Workshop draft abstract:

Although there is room for debate regarding whether the rule is truly monolithic, so far as the provider of information is concerned, there is little to no Fourth Amendment protection for information provided to a third party. But of course there remain significant legal protections for certain types of third-party information. A good number of states have constitutionally rejected the federal doctrine and are working out a more protective constitutional jurisprudence. And all fifty states and the federal government provide statutory restrictions on government access to certain information in the hands of third parties. So the question is not whether the law should provide such restriction, but instead when and how it should do so. These Standards seek to bring needed uniformity and clarity to the law by providing aspirational “best practices” standards regulating government access to private information in the hands of institutional third parties. Although very significant decisions are still being made, this includes creating a “privacy hierarchy” of third-party information, including articulating how to populate that hierarchy, and then assigning restraints to the various types of information. While “more private” information is obviously generally deserving of greater restriction upon access, there are difficult decisions to be made regarding how best to enable effective investigations: if there is no way to differentiate different stages of law enforcement activity in an administrable manner, then only relatively light restrictions will be possible. Moreover, given that law enforcement is increasingly creating databases of information it obtains, it is necessary to craft restrictions on the dissemination and use of third-party information previously gathered. The Standards will address these, and possibly other, concerns.

Eric Goldman, Reputational Information: A Research Agenda

Comment by: Jens Grossklags

PLSC 2009

Published version available here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1754628

Workshop draft abstract:

This paper looks at the supply, demand and regulation of reputational information.  I define “reputational information” as information about an individual or company’s past performance that helps a decision-maker predict the individual or company’s future performance.  Reputational information plays a critical role in marketplaces because it can help reward good producers and punish poor performers.  As a result, any defect in the supply or demand of reputational information can seriously distort the marketplace generally.

My first observation is that consumers know lots of valuable reputational information, but that information does not help other consumers make marketplace decisions so long as it remains private information. Consumers do “communicate” their views through their marketplace decisions (such as continuing as a repeat customer, or switching to a new option), but each individual consumer’s decision is often not readily observable by other consumers, and the rationales for consumer decision-making (such as why the consumer chose one product or competitor over others) are rarely publicly available either. The marketplace mechanism might improve with a better supply of this private information.

My second observation is that many reputational systems exist, but they are regulated quite differently.  For example, compare credit scores, where both supply and demand are heavily regulated, with recommendation letters, which are virtually unregulated.  This heterogeneity of regulatory structures for reputational systems raises some questions.  Why the differences?  Can we use our experiences with one reputational system to craft better regulations of other reputational systems?

Expanding on these two observations, this paper will have four parts. The first part will inventory the various types of reputational systems and describe their similarities and differences. The second part will consider supply factors of reputational information, including how financial incentives can stimulate production, how disincentives (such as the threat of legal action for providing negative comments) may suppress supply, the credibility of reputational information (including pay-for-play and how supplying reputational information affects the supplier’s reputation), the role of intermediaries, and the role of anonymity.

The third part will consider demand factors of reputational information, including credibility concerns of consumers of reputational information (and how consumers reduce transaction costs by “outsourcing” reputational assessments), privacy concerns and the potential for consumers to misinterpret aggregated reputational information.

The final part will develop policy guidelines for regulatory intervention into the supply and demand of reputational information.  This part will conclude by identifying situations where the heterogeneity of current regulatory structures might be suboptimal.

Kenneth Farrall, Production or Collection? Towards an Alternate Framing of the Problem of Information Privacy

Comment by: Colin Bennett

PLSC 2009

Workshop draft abstract:

Bennett (2008) recently demonstrated that for privacy advocates to be effective in resisting the growth of surveillance systems in the 21st century, framing, or the specific language constructs used to articulate a social problem, is a crucial determinant of success or failure. This paper explores the benefits of framing the problem of digital dossiers (Solove, 2004) not in terms of the “collection and use” of personal data, but in terms of their production. Drawing on the theoretical tradition of the “social construction of reality” (Berger & Luckmann, 1966) and Foucault’s (1974) early work on discursive formations, the paper takes the position that personal information does not simply exist “out there” but is always first produced. Latour & Woolgar (1986), for example, have shown that seemingly objective scientific facts are not discovered but are in fact thoroughly constituted by the material setting of the laboratory. Similarly, the totality of personally identifiable information (PII) comprising an individual dossier is always produced within, and is ultimately contingent upon, specific social, institutional, and technological contexts. Dossier information is not merely an abstract, formless reduction of uncertainty, but an object of discourse with a specific material embodiment—a pattern of ink on parchment or an electromagnetic disturbance on the surface of a metal disk—that may or may not manifest at a specific space-time location.

Using data from government documents, NGO reports, investigative journalism and extant academic research, the paper explores distinct moments of production within historical and contemporary dossier systems in China and the United States, including the production of paper-based, highly localized “dangan” (dossiers) in mid-1980s China and the accelerating production of Suspicious Activity Reports (SARs) within the United States today. Drawing from these and other examples, the paper will identify key factors – legal, economic, technological – driving the production of PII and explore emerging strategies of resistance.