2010 Participants

Alessandro Acquisti,
Carnegie Mellon University

Joseph Alhadeff,

Anita Allen,
University of Pennsylvania Law School

Raphael Cohen-Almagor,
University of Hull

Meg Ambrose,
University of Colorado

Ken Anderson,
Office of the Information and Privacy Commissioner of Ontario

Annie Anton,
North Carolina State University

Dorothy Attwood,

Samantha Barbas,
Stanford University

Martha Barnett,
Holland & Knight LLP

Ann Bartow,
University of South Carolina School of Law

Carol Bast,
University of Central Florida

Steven Bellovin,
Columbia University

Chantal Bernier,
Office of the Privacy Commissioner of Canada

Francesca Bignami,
George Washington University Law School

Ellen Blackler,

Jody Blanke,
Mercer University

Marc Blitz,
Oklahoma City University School of Law

Matthew Bodie,
Saint Louis University School of Law

Caspar Bowden,

danah boyd,
Microsoft Research

Bruce Boyden,
Marquette University Law School

Julie Brill,

Cheryl Brown,
University of North Carolina at Charlotte

Cynthia Brown,
University of Central Florida

Herbert Burkert,
Research Centre for Information Law, University of St.Gallen

Aaron Burstein,
UC Berkeley School of Information

Ryan Calo,
Stanford Law School’s Center for Internet and Society

Tim Casey,
Case Western Reserve

Fred Cate,
University of Indiana

Nancy Chang,
Open Society Institute

Wade Chumney,
Georgia Institute of Technology

Corey Ciocchetti,
University of Denver

Danielle Citron,
University of Maryland School of Law

Bret Cohen,
Hogan Lovells LLP

Alissa Cooper,
Center for Democracy & Technology / Oxford Internet Institute

Lorrie Cranor,
Carnegie Mellon University

Mary Culnan,
Bentley University

H. Bryan Cunningham,
Morgan & Cunningham LLC

Doug Curling,
New Kent Capital

Jamela Debelak,
Fordham Law School

Deven Desai,
Princeton University, Center for Information Technology Policy

Lisena DeSantis,
Open Society Institute

Will DeVries,

Carol DiBattiste,

Laura Donohue,
Georgetown Law School

Cynthia Dwork,
Microsoft Research

Catherine Dwyer,
Pace University

Mark Eckenwiler,
U.S. Department of Justice, Criminal Division

Mark Eichorn,

Mary Fan,
American University Washington College of Law & University of Washington School of Law

Asim Fareeduddin,
LexisNexis Group

Henry Farrell,
George Washington University

Edward Felten,
Princeton University

Darleen Fisher,
National Science Foundation

Tanya Forsheit,
InfoLawGroup LLP

Susan Freiwald,
University of San Francisco School of Law

Louisa Garib,
Office of the Privacy Commissioner of Canada

Loretta Garrison,
Federal Trade Commission

Robert Gellman,
Privacy and Information Policy Consultant

Lauren Gelman,
BlurryEdge Strategies

Nathaniel Good,
Good Research

Marc Groman,
Counsel, House Energy and Commerce Committee

James Grimmelmann,
New York Law School

Jens Grossklags,
Princeton University

Joseph Hall,
UC Berkeley/Princeton

Woodrow Hartzog,
University of North Carolina at Chapel Hill School of Journalism and Mass Communication

Allyson Haynes,
Charleston School of Law

Stephen Henderson,
Widener University School of Law

Steven Hetcher,
Vanderbilt University Law School

Kashmir Hill,
True/Slant and Above the Law

Mike Hintze,

Lance Hoffman,
George Washington University

Marcia Hofmann,
Electronic Frontier Foundation

Chris Hoofnagle,
UC Berkeley Law

Jane Horvath,

Kirsty Hughes,
University of Cambridge

Rebecca Hulse,
William & Mary Law

Anniina Huttunen,
Institute of International Economic Law (KATTI), University of Helsinki

Stuart Ingis,
Venable LLP

Edward Janger,
Brooklyn Law School

Jeff Jonas,

Barbara Jones,
American Library Association

Orin Kerr,
George Washington University Law School

Jennifer King,
UC Berkeley School of Information

Anne Klinefelter,
University of North Carolina at Chapel Hill

Jacqueline Klosek,
Goodwin Procter LLP

Colin Koopman,
University of Oregon

Rick Kunkel,
University of St. Thomas

Maryanne Lavan,
Lockheed Martin Corporation

Naomi Lefkovitz,
Federal Trade Commission

Toby Levin,
formerly with the DHS and FTC

Avner Levin,
Ryerson University

Ariana Levinson,
University of Louisville Brandeis School of Law

Jacqueline Lipton,
Case Western Reserve University School of Law

Jennifer Lynch,
UC Berkeley School of Law

Mark MacCarthy,
Georgetown University

Peder Magee,

Carter Manny,
University of Southern Maine

Aaron Massey,
North Carolina State University

Kristen Mathews,
Proskauer LLP

Andrea Matwyshyn,
University of Pennsylvania

Aleecia McDonald,
Carnegie Mellon

William McGeveran,
University of Minnesota Law School

Anne McKenna,
ToomeyMcKenna Law Group LLC / Catholic University of America

Ryan Means,
UC Berkeley

David Medine,

James Milles,
University at Buffalo Law School

Jon Mills,
University of Florida, Levin College of Law

Mary Minow,

Pablo Molina,
Georgetown University

Deirdre K. Mulligan,
UC Berkeley School of Information and Berkeley Center for Law and Technology

Lisa Nelson,
University of Pittsburgh

Abraham Newman,
Georgetown University

Helen Nissenbaum,
New York University

Greg Nojeim,
Center for Democracy & Technology

Paul Ohm,
University of Colorado Law School

Frank Pasquale,
Seton Hall Law School

Stephanie Pell,
Counsel, House Judiciary Committee

Christina Peters,
Senior Counsel, Security and Privacy, IBM

Karl-Nikolaus Peifer,
University of Cologne/Germany (Koeln)

Scott Peppet,
University of Colorado Law School

Gavin Phillipson,
University of Durham

Vincent Polley,
KnowConnect PLLC

Jules Polonetsky,
Future of Privacy Forum

Lawrence Ponemon,
Ponemon Institute

Marilyn Prosch,
Arizona State University

Katie Ratte,
Federal Trade Commission

Alan Raul,
Sidley Austin LLP

Priscilla Regan,
George Mason University

Joel Reidenberg,
Fordham University School of Law

Virginia Rezmierski,
School of Information and Gerald R. Ford School of Public Policy, University of Michigan

Jessica Rich,
FTC’s Bureau of Consumer Protection

Femi Richards,
LexisNexis Group

Neil Richards,
Washington University School of Law

Eileen Ridley,
Foley & Lardner LLP

Sasha Romanosky,
Carnegie Mellon University

Jennifer Rothman,
Loyola Law School, Los Angeles

Ira Rubinstein,
NYU Law School, Information Law Institute

Albert Scherr,
Franklin Pierce Law Center

Russell Schrader,
CPO and Associate General Counsel, Global Enterprise Risk Visa, Inc

Wendy Seltzer,
University of Colorado School of Law

Katie Shilton,

Thomas Smedinghoff,
Wildman Harrold

Andrew Smith,
Morrison & Foerster, LLP

Christopher Soghoian,
Indiana University

Daniel Solove,
George Washington University Law School

Lisa Sotto,
Hunton & Williams

Tim Sparapani,

Gerard Stegmaier,
Wilson Sonsini Goodrich & Rosati, P.C.

Tina Stow,

Lior Strahilevitz,
University of Chicago

Katherine Strandburg,
New York University School of Law

Fred Stutzman,
University of North Carolina, Chapel Hill

Harry Surden,
University of Colorado Law School

Latanya Sweeney,

Peter Swire,
National Economic Council, the White House

Andrew Taslitz,
Howard University Law School

Brendon Tavelli,
Proskauer Rose LLP

David Thompson,

Tim Tobin,
Hogan & Hartson LLP

Matthew Tokson,
University of Chicago Law School

Frank Torres,

Michael Traynor,
American Law Institute; Cobalt

Joseph Turow,
University of Pennsylvania

Jennifer Urban,
UC Berkeley

Siva Vaidhyanathan,
The University of Virginia

Stefaan Verhulst,
The Markle Foundation

Daniel Weitzner,
National Telecommunications and Information Administration

Stephen Wicker,
Cornell University

Lauren Willis,
Loyola Law School Los Angeles

Peter Winn,
U.S. Department of Justice

Jane Winn,
University of Washington School of Law

Christopher Wolf,
Partner, Hogan Lovells LLP

Felix Wu,
Cardozo School of Law

Tal Zarsky,
University of Haifa Faculty of Law

Kial Young,
Attorney Advisor to Commissioner Julie Brill, FTC

Michael Zimmer,
School of Information Studies, UW-Milwaukee

Dissent Doe,

Henry Farrell & Abraham Newman, Domestic Security and Privacy Regulation in the Transatlantic Relationship


Comment by: Gavin Phillipson

PLSC 2010

Workshop draft abstract:

Many policy and legal observers had hoped that the conclusion of the Safe Harbor Agreement would prevent data privacy from becoming the new “wedge issue” of transatlantic relations. Since the terrorist attacks of September 11, 2001, however, a series of privacy conflicts have roiled the partnership and undermined anti-terrorism cooperation among NATO allies. However, these conflicts are poorly understood. Most commentary has focused on differences between the EU and US approaches to human rights and internal security as explaining continuing disagreements between the EU and US. However, explanations centered on value clashes don’t explain why the EU and US agree on so much concerning counter-terrorism policy. We argue that one needs to pay attention to institutional change over time in order to understand these clashes. The EU and US have developed and re-developed specific mechanisms of policy oversight, in a sequence where developments in one regime may influence subsequent developments in the other. These policy trajectories produce unstable and temporary international compromises, which plant the seeds of future conflict. We demonstrate this by examining negotiations over airline data, financial information and general privacy principles. This has important repercussions for the study of privacy. Scholars (whether legal or policy academics) tend to look either at the EU or US in isolation from each other, or to use stylized descriptions (in which the EU is seen as innately more concerned with fundamental privacy rights, and the US more security focused) to capture the differences between the two systems. We show that institutional developments in the two systems are frequently bound up with each other, and that they are not well captured by the standard accounts of EU-US differences.

Joel R. Reidenberg, Transparent Citizens and the Rule of Law


Comment by: Rebecca Hulse

PLSC 2010

Workshop draft abstract:

This essay explores the erosion of the boundary between public and private information on the Internet. The thesis is that the transparency of personal information available online erodes the rule of law in three ways. First, the transparency of personal information that is created by private sector activities enables government to collect and use personal information available from the private sector in ways that sidestep political and legal checks and balances. Second, technical self-help in the development of network infrastructure that seeks to assure complete anonymity online may be used by individuals and groups to evade legal responsibility and the rule of law. And third, the transparency of personal information puts national security and legal institutions at risk in ways that will jeopardize faith in the rule of law. The essay concludes with a discussion of governance implications and norms.

Cheryl Brown, China’s Pragmatic Privacy Laws Beyond APEC: Does Generational Culture Matter?


Comment by: Stefaan Verhulst

PLSC 2010

Workshop draft abstract:

Culture and tradition remain significant influences in China’s conception of privacy and implementation of data protection laws. At the same time, the National People’s Congress’s initiation of privacy protection legislation reveals the prospect of evolving laws emphasizing protection of data privacy based on domestic and international developments. Although a growing literature focuses on surveillance intrusion violations of Internet filtering and social networking mining, this paper will examine five factors influencing national and international perspectives of China’s approach to privacy and data protection: (1) privacy concerns of RFID technology of China’s second-generation national identification card; (2) personal data leaks of consumer information by banks, insurance companies, and real estate companies as China seeks to build consumer trust in the modern banking and financial system; (3) data protection for citizens of countries engaged with China across borders in electronic commerce and outsourcing; (4) privacy compatibility with multinational and regional organizations in a soft power era; and (5) the changing leadership generations with backgrounds in the “soft sciences” of history, economics, management, business, journalism, and law. These factors may offer useful comparisons for addressing the convergence of an international framework for privacy laws and data protection.

Lior Strahilevitz, Reunifying Privacy Law


Comment by: Ryan Calo

PLSC 2010

Published version available here:

Workshop draft abstract:

In 1890 Samuel Warren and Louis Brandeis proposed a unified theory of invasion of privacy tort liability. Over the subsequent decades, information privacy law became increasingly fragmented and decreasingly coherent. William Prosser’s 1960 article, Privacy, which heavily influenced the Restatement of Torts, endorsed and hastened this trend toward fragmentation, which spread from tort law to the various statutory branches of information privacy law. This article argues for the reunification of privacy law in two connected ways. First, Prosser’s fragmented privacy tort should be replaced with a unitary tort for invasion of privacy that looks to the private or public nature of the information, the degree to which a defendant’s conduct violates existing social norms, and the social welfare implications of the defendant’s conduct. Second, the reunified common law of torts should become the model for judicial interpretation of various other branches of information privacy law, such as the Freedom of Information Act’s privacy provisions, the Privacy Act, and the constitutional right of information privacy. The Article explains how this can be done and why it is desirable. Indeed, in its most recent Freedom of Information Act and Privacy Act cases, the United States Supreme Court has suggested that drawing on common law tort principles is the appropriate methodology for interpreting privacy-related federal statutes.

The final section of the article argues that the pending United States Supreme Court case of Nelson v. NASA is an ideal vehicle for pushing the law of information privacy back towards its relatively coherent and unified origins.  Nelson will be the first Supreme Court privacy case in thirty-three years to confront the question of whether the Constitution protects a right to information privacy apart from the Fourth Amendment context.  Because the common law tort cause of action and constitutional action involve similar harms and considerations, it is appropriate to reconcile the presently divergent doctrines, but this could be done in one of two ways.  The most sensible approach to reunification is to conclude, as the Sixth Circuit has, that there is no such thing as a constitutional right to information privacy, and that such rights are appropriately vindicated via tort remedies.  An alternative approach would be to recognize the existence of a constitutional right, as most circuit courts have, but to hold that the elements of a constitutional violation mimic those associated with the reunified privacy tort.

Anne Klinefelter, Negotiating for Privacy and Confidentiality in Electronic Legal Research


Comment by: Michael Zimmer

PLSC 2010

Workshop draft abstract:

Legal researchers’ privacy and confidentiality interests are poorly protected under current laws.  Legal research raises issues of attorney-client privilege as well as concerns about the private nature of facts at issue such as personal health information, trade secrets, and family matters.  Tracking of individuals’ legal research and insecurity of research results posted through cloud computing challenge both individual and societal interests in unfettered intellectual exploration and in a stable and effective legal system.  The porous line between commercial tracking and government surveillance increases the potential for compromise of these privacy and confidentiality interests.  Relatively long-standing systems such as issuance of personal passwords for LexisNexis and Westlaw are now joined by less-apparent tracking in legal resources such as Google Scholar’s offerings of patents, legal opinions and journals.  While state and federal laws fail to provide adequate protection, legal researchers are in a position to demand higher standards for privacy of online legal research and can help build and shape the market for privacy in online reading more generally.

Wendy Seltzer, Privacy, Attention, and Political Community


Comment by: Stephen Hetcher

PLSC 2010

Workshop draft abstract:

In an era of information overload, some scholars (Lessig, Rosen) have characterized a facet of privacy as a response to the problem of the short attention span: Because onlookers will not spend the time or attention to get the full context of a disclosure, disclosure of some information may produce a distorted view of the subject.  Where others have spoken of privacy as deception (Posner) or a barrier to community governance (Etzioni), I explore privacy-through-limited-disclosure as a constituent of community and political organization.

To organize effectively in a modern liberal democracy, citizens must often aggregate into political groups larger than local or social communities.  Their political organizing (and even common adherence to the political system) can be threatened if differences become more salient than points of common interest — even if those differences are irrelevant to common political goals and outside the political context. Privacy from disclosure may thus be necessary to avoid distraction.

Using John Rawls’s idea of political liberalism as an Overlapping Consensus among groups with different underlying conceptions of the good, I suggest that privacy is an important component of political tolerance and accommodation. Privacy can support consensus and restore a respect for pluralism even when we lack the time or attention to understand its roots. As networked communications override some of the traditional architectural support for privacy, we must learn to avert our gaze from glancing disapproval, instead looking deeper or not at all.

Christopher Soghoian, An End to Privacy Theater: Exposing and Discouraging Corporate Disclosure of User Data to the Government


Comment by: Paul Ohm

PLSC 2010

Published version available here:

Workshop draft abstract:

Today, when consumers evaluate potential mobile phone carriers – they are likely to consider several differentiating factors: The available handsets, the cost of service, and the firm’s reputation for network quality and customer service. The carriers’ divergent approaches to privacy, and their policies regarding government access to customers’ private data, are not considered in the purchasing process – perhaps because it is practically impossible for consumers to discover this information when they are choosing their carrier.

The differences in the privacy practices of the major players in the telecommunications and Internet applications market are quite significant – some firms retain identifying data for years, while others retain no data at all. For a mobile phone user investigated by the government, this difference in logging practices can significantly impact their freedom.

A naïve reader might simply assume that the law gives companies very little wiggle room – when they are required to provide data, they must do so. However, this is not the case. Companies have a huge amount of flexibility in the way they design their networks, in the amount of data they retain by default, the exigent circumstances in which they share data without a court order, and the degree to which they fight unreasonable requests.

This article will outline the numerous ways in which telecommunications carriers and Internet services currently assist the government, providing easy access to their customers’ private communications and documents. Relying on several case studies, this article will analyze the specific product design decisions that firms can make that either protect their customers’ private data by default, or make it trivial for the government to engage in large scale surveillance. This article will also examine the flow of money between the government and carriers, who are statutorily permitted to demand reasonable compensation for their assistance, and will discuss the public policy advantages of surveillance as either a corporate profit center or a corporate tax.

Overall, this article will attempt to deliver some degree of transparency which is currently missing from the privacy market, and will outline a path to an eventual scenario in which consumers evaluate privacy approaches in advance, and firms can effectively compete for consumers on their willingness to disclose data to the government. Such a degree of transparency will permit the market to punish (or potentially reward) firms that put the governments’ needs first.


Peter Winn, History of the Law of Privacy in the 16th & 17th Century


Comment by: Neil Richards

PLSC 2010

Published version available here:

Workshop draft abstract:

The origin of a legal right to privacy is usually traced to the late 19th Century when an article of the same name appeared in the Harvard Law Review by Charles Warren and Louis Brandeis. The belief that a legal right of privacy did not exist before Warren and Brandeis appears to have led many “originalists” to argue that no such right is to be found in the U.S. Constitution — and that claims by the Court in Griswold that there exists a right of privacy “older than the Bill of Rights,” are anachronistic and absurd. Recently, however, several prominent social historians have traced, beginning in the 16th Century, an increasing appreciation of the value of individual privacy in many different areas of European culture. The increased social importance of privacy is reflected by changes in religious practices, in artistic expression, in understandings of sexuality, in eating habits, in architecture, and in clothing. Paralleling these social developments are legal debates beginning in the early 16th Century, and rulings by common law Courts beginning in the 17th Century, challenging the practice of inquisitorial courts to compel an accused person to testify against himself; the investigational use of torture; and the prosecution of individuals based on heretical or treasonous thoughts. At the same time, judges begin to place increasing limits on the ability of state officials to search private homes for evidence. By the middle of the 18th century, as the concept of a sphere of privacy becomes widely recognized in society, one finds a scholar like Blackstone treating as settled law the idea that “private vices” and “particular modes of belief or unbelief” are beyond the jurisdiction of the magistrate to punish. More generally in Blackstone’s work, one can see the concept of privacy developed as an integral part of his concept of liberty. Blackstone’s concept of liberty in turn bears a surprisingly close relationship to the notion of “ordered liberty,” which was developed in late 20th Century Supreme Court decisions, placing Constitutional limits on the power of the state to intrude into the private lives of individuals.

David Thaw, Relationship Between Regulatory Models and Information Security Practices


Comment by: Gerry Stegmaier

PLSC 2010

Workshop draft abstract:

Two models of regulation are responsible for governing virtually all private-sector information security practices in the United States. The first is industry-specific regulatory delegation, such as that found in HIPAA’s Privacy Rule and GLB’s privacy and security rules. Under this model, federal legislation requires the development of standards for information security practice and ultimately delegates the power to establish and update such standards to industry through various administrative mechanisms. The second is a paradigm in which law ties performance to reputation. This describes the data breach notification laws in effect in most states, under which whenever a firm experiences an incident in which certain information about individuals is lost, that firm must notify the individuals, a central state authority, local media, and/or other measures.

Currently only two industrial sectors – finance and healthcare – are subject to the first type of regulation. All of the current state statutes comprising the second form of regulation are laws of general applicability and thus, given the highly interstate nature of information exchange, apply to nearly all organizations in the United States. To study the effects of these forms of regulation, we employed a mixed qualitative and quantitative methods approach. We first conducted a series of two-hour semi-structured interviews of Chief Information Security Officers (or functional equivalents) at key U.S. organizations in each of the finance, healthcare, consumer products, energy, and information technology sectors. We then performed analysis on the frequency of reported breach incidents based on data maintained by the Open Security Foundation.

Our research and analysis revealed that the two forms of regulation have differential effects on information security practices. Regulatory delegation models encourage collaboration, information sharing, secure information exchange, incorporation of security into system design, and intrusion detection and other perimeter security measures. Laws linking performance to reputation, in contrast, promote good authentication and provenance, auditing, and host security/internal site security.