A. Michael Froomkin, Privacy Impact Notices

A. Michael Froomkin, Privacy Impact Notices

Comment by: Stuart Shapiro

PLSC 2013

Workshop draft abstract:

The systematic collection of personal data is a big and urgent problem, and the pace of that collection is accelerating as the cost of collection plummets.  Worse, the continued development of data processing technology means that this data can be used and cross-indexed increasingly effectively and cheaply.  Add in the fact the that there is more and more historical data — and self-reported data — to which the sensor data can be linked, and we will soon find ourselves in the equivalent of a digital goldfish bowl.

It is time – or even past time – to do something.  In this paper I suggest we borrow home-grown solutions from US environmental law.   By combining the best features of a number of existing environmental laws and regulations, and — not least — by learning from some of their mistakes, we can craft rules about data collection that would go some significant distance towards stemming the tide of privacy-destroying technologies being, and about to be, deployed.

I propose that we should require Privacy Impact Notices (PINs) before allowing large public or private projects which risk having a substantial impact on personal information privacy or on privacy in public. [“Privacy Impact Statements” would make for better parallelism with Environmental Impact Statements but the plural form of the acronym would be unfortunate.] The PINs requirement would be modeled on existing environmental laws, notably the National Environmental Policy Act of 1969 (NEPA), the law that called into being  the Environmental Impact Statement (EIS).  A PINs rule would be combined with other reporting requirements modeled on the Toxics Release Inventory (TRI). It would also take advantage of progress in ecosystem modeling, particularly the insight that complex systems like ecologies, whether of living things or the data about them, are dynamic systems that must be re-sampled over time in order to understand how they are changing and whether mitigation measures or legal protections are working.

The overarching goals of this regulatory scheme are familiar ones from environmental law and policy-making: to inform the public of decisions being considered (or made) that affect it, to solicit public feedback as plans are designed, and to encourage decision-makers to consider privacy — and public opinion — from an early stage in their design and approval processes.  That was NEPA’s goal, however imperfectly achieved. In addition, however, because the relevant technologies change quickly, and because the accumulation of personal information by those gathering data can have unexpected synergistic effects as we learn new ways of linking previously disparate data sets, we now know from the environmental law and policy experience that it is also important to invest effort in on-going, or at least annual, reporting requirements in order to allow the periodic re-appraisal of the legitimacy and net social utility of the regulated activity (here, data collection programs).

There is an important threshold issue. Privacy regulation today differs from contemporary environmental regulation in one particularly important way: there are relatively few data privacy (or privacy-in-public) -protective laws and rules on the books.  Thus, privacy law today more resembles anti-pollution law before the Clean Air Act or the Clean Water Act. NEPA’s rules are triggered by state action: a government project, or a request to issue a permit.  In order to give the PINs system traction outside of direct governmental data collection, additional regulation reaching private conduct will be required.  That could be direct regulation of large private-sector data gathering or, as a first step, it could be something less effective but easier to legislate such as a rule reaching all government contractors and suppliers.  Legislation could be federal, but it might also be effective at the state level.

The proposals in this paper intersect with active and on-going debates over the value of notice policies.  They build on, but in at least one critical way diverge from, the work of Dennis D. Hirsch, who in 2006 had the important insight — even truer today — that many privacy problems resemble pollution problems and that therefore privacy-protective regulation could profitably be based on the latest learning from environmental law.

Stuart Shapiro, Categorical Denial: Deconstructing Personally Identifiable Information

Stuart Shapiro, Categorical Denial: Deconstructing Personally Identifiable Information

Comment by: Lance Hoffman

PLSC 2012

Workshop draft abstract:

The concept of personally identifiable information (PII) has been drawing increased attention of late, sparked by problems with de-­‐identification. Depending on who you talk to, PII is a distinction without meaning or an inescapable necessity for bounding regulation. Irrespective of their conclusions, one trait common to all these analyses of the “PII problem” is their failure to look at PII as the construct it fundamentally is: a category.

Categories constitute a basic conceptual building block of human thought, related to but distinct from other building blocks such as analogies. They are both socially and cognitively constructed and grounded in both objective and subjective perceptions. Most importantly for the purpose of analyzing the PII problem, they exhibit structure and a host of associated properties which continue to be investigated by researchers in a variety of fields, including cognitive science.

To fully grasp the problems and possibilities of PII, we must take it seriously as a category, as opposed to a legal or technical label. This paper aims to rigorously analyze PII as a category, leveraging the substantial body of existing research on how humans construct and use categories. This includes situating PII with respect to different types of categories, inferring its internal structure and related characteristics, and drawing out the implications of differential sorting behavior among subject matter experts and laypersons.

The problems with PII will not be resolved by abandoning the concept or by introducing ad hoc constructions. Ensuring the viability of PII as a category requires more explicit understanding and treatment of it as such. Doing so reveals new avenues both for understanding current difficulties and for addressing them in a coherent fashion consistent with what we know about categories qua categories.