Abstract

From a privacy perspective, the movement towards police body cameras seems ominous. The prospect of a surveillance device capturing massive amounts of data concerning people’s most vulnerable moments is daunting. These concerns are compounded by the fact that there is little consensus and few hard rules on how and for whom these systems should be built and used. But in many ways, this blank slate is a gift. Law and policy makers are not burdened by the weight of rules and technologies created in a different time for a different purpose. These surveillance and data technologies will be modern. Many of the risks posed by the systems will be novel as well. Our privacy rules must keep up.

In this Article, I argue that police body cameras are an opportunity to chart a path past privacy law’s most vexing missteps and omissions. Specifically, lawmakers should avoid falling back on the “reasonable expectation of privacy” standard. Instead, they should use body cameras to embrace more nuanced theories of privacy, such as trust and obscurity. Trust-based relationships can be used to counter the harshness of the third party doctrine. The value of obscurity reveals the misguided nature of the argument that there is “no privacy in public.”

Law and policy makers can also better protect privacy by creating rules that address how body cameras and data technologies are designed in addition to how they are used. Since body-camera systems implicate every stage of the modern data life cycle from collection to disclosure, they can serve as a useful model across industry and government. But if law and policy makers hope to show how privacy rules can be improved, they must act quickly. The path to privacy law’s redemption will stay clear for only so long.

Abstract

It can be easy to get depressed about the state of privacy these days. In an age of networked digital information, many of us feel disempowered by the various governments, companies, and criminals trying to peer into our lives to collect our digital data trails. When so much is in flux, the way we think about an issue matters a great deal. Yet while new technologies abound, our ideas and thinking — as well as our laws — have lagged in grappling with the new problems raised by the digital revolution. In their important new book, Obfuscation: A User’s Guide for Privacy and Protest (2016), Finn Brunton and Helen Nissenbaum offer a manifesto for the digitally weak and powerless, whether ordinary consumers or traditionally marginalized groups. They call for increased use of obfuscation, the deliberate addition of bad information to interfere with surveillance; one that can be “good enough” to do a job for individuals much or even most of the time. Obfuscation is attractive because it offers to empower individuals against the shadowy government and corporate forces of surveillance in the new information society. While this concept represents an important contribution to the privacy debates, we argue in this essay that we should be hesitant to embrace obfuscation fully.

We argue instead that as a society we can and should do better than relying on individuals to protect themselves against powerful institutions. We must think about privacy instead as involving the increasing importance of information relationships in the digital age, and our need to rely on (and share information with) other people and institutions to live our lives. Good relationships rely upon trust, and the way we have traditionally thought about privacy in terms of individual protections creates a trust gap. If we were to double down on obfuscation, this would risk deepening that trust gap. On the contrary, we believe that the best solution for problems of privacy in the digital society is to use law to create incentives to build sustainable, trust-promoting information relationships.

We offer an alternative frame for thinking about privacy problems in the digital age, and propose that a conceptual revolution based upon trust is a better path forward than one based on obfuscation. Drawing upon our prior work, as well as the growing community of scholars working at the intersection of privacy and trust, we offer a blueprint for trust in our digital society. This consists of four foundations of trust — the commitment to be honest about data practices, the importance of discretion in data usage, the need for protection of personal data against outsiders, and the overriding principle of loyalty to the people whose data is being used, so that it is data and not humans that become exploited. We argue that we must recognize the importance of information relationships in our networked, data-driven society. There exist substantial incentives already for digital intermediaries to build trust. But when incentives and markets fail, the obligation for trust-promotion must fall to law and policy. The first-best privacy future will remain one in which privacy is safeguarded by law, in addition to private ordering and self-help.

Abstract

Privacy law is in a bit of a pickle thanks to our love of the Fair Information Practices (“FIPs”). The FIPs are the set of aspirational principles developed over the past fifty years used to model rules for responsible data practices. Thanks to the FIPs, data protection regimes around the world require those collecting and using personal information to be accountable, prudent, and transparent. They give data subjects control over their information by bestowing rights of correction and deletion. While the FIPs have been remarkably useful, they have painted us into a corner.1 A sea change is afoot in the relationship between privacy and technology. FIPs-based regimes were relatively well-equipped for the first wave of personal computing. But automated technologies and exponentially greater amounts of data have pushed FIPs principles like data minimization, transparency, choice, and access to the limit. Advances in robotics, genetics, biometrics, and algorithmic decision making are challenging the idea that rules meant to ensure fair aggregation of personal information in databases are sufficient. Control over information in databases isn’t even the half of it anymore. The mass connectivity of the “Internet of Things” and near ubiquity of mobile devices make the security and surveillance risks presented by the isolated computer terminals and random CCTV cameras of the ‘80s and ‘90s seem quaint.

Abstract

Trust is beautiful. The willingness to accept vulnerability to the actions of others is the essential ingredient for friendship, commerce, transportation, and virtually every other activity that involves other people. It allows us to build things, and it allows us to grow. Trust is everywhere, but particularly at the core of the information relationships that have come to characterize our modern, digital lives. Relationships between people and their ISPs, social networks, and hired professionals are typically understood in terms of privacy. But the way we have talked about privacy has a pessimism problem – privacy is conceptualized in negative terms, which leads us to mistakenly look for “creepy” new practices, focus excessively on harms from invasions of privacy, and place too much weight on the ability of individuals to opt out of harmful or offensive data practices.

But there is another way to think about privacy and shape our laws. Instead of trying to protect us against bad things, privacy rules can also be used to create good things, like trust. In this paper, we argue that privacy can and should be thought of as enabling trust in our essential information relationships. This vision of privacy creates value for all parties to an information transaction and enables the kind of sustainable information relationships on which our digital economy must depend.

Drawing by analogy on the law of fiduciary duties, we argue that privacy laws and practices centered on trust would enrich our understanding of the existing privacy principles of confidentiality, transparency, and data protection. Re-considering these principles in terms of trust would move them from procedural means of compliance for data extraction towards substantive principles to build trusted, sustainable information relationships. Thinking about privacy in terms of trust also reveals a principle that we argue should become a new bedrock tenet of privacy law: the Loyalty that data holders must give to data subjects. Rejuvenating privacy law by getting past Privacy Pessimism is essential if we are to build the kind of digital society that is sustainable and ultimately beneficial to all – users, governments, and companies. There is a better way forward for privacy. Trust us.

Abstract

Everyone seems concerned about government surveillance, yet we have a hard time agreeing when and why it is a problem and what we should do about it. When is surveillance in public unjustified? Does metadata raise privacy concerns? Should encrypted devices have a backdoor for law enforcement officials? Despite increased attention, surveillance jurisprudence and theory still struggle for coherence. A common thread for modern surveillance problems has been difficult to find.

In this article we argue that the concept of ‘obscurity,’ which deals with the transaction costs involved in finding or understanding information, is the key to understanding and uniting modern debates about government surveillance. Obscurity can illuminate different areas where transactions costs for surveillance are operative and explain why making surveillance hard but possible is the central issue in the government-surveillance debates. Obscurity can also explain why the solutions to the government-surveillance problem should revolve around introducing friction and inefficiency into process, whether it be legally through procedural requirements like warrants or technologies like robust encryption.

Ultimately, obscurity can provide a clearer picture of why and when government surveillance is troubling. It provides a common thread for disparate surveillance theories and can be used to direct surveillance reform.

Abstract

Abstract

The Internet of Things (“IoT”) is here, and we seem to be going all in. We are trying to put a microchip in nearly every object that is not nailed down and even a few that are. Soon, your cars, toasters, toys, and even your underwear will be wired up to make your lives better. The general thought seems to be that “Internet connectivity makes good objects great.” While the IoT might be incredibly useful, we should proceed carefully. Objects are not necessarily better simply because they are connected to the Internet. Often, the Internet can make objects worse and users worse-off. Digital technologies can be hacked. Each new camera, microphone, and sensor adds another vector for attack and another point of surveillance in our everyday lives. The problem is that privacy and data security law have failed to recognize some “things” are more dangerous than others as part of the IoT. Some objects, like coffee pots and dolls, can last long after the standard life-cycle of software. Meanwhile cheap, disposable objects, like baby wipes, might not be worth outfitting with the most secure hardware and software. Yet they all are part of the network. This essay argues that the nature of the “thing” in the IoT should play a more prominent role in privacy and data security law. The decision to wire up an object should be coupled with responsibilities to make sure its users are protected. Only then, can we trust the Internet of Heirlooms and Disposable Things.

Abstract

For more than fifteen years, the FTC has regulated privacy and data security through its authority to police deceptive and unfair trade practices as well as through powers conferred by specific statutes and international agreements. Recently, the FTC’s powers for data protection have been challenged by Wyndham Worldwide Corp. and LabMD. These recent cases raise a fundamental issue, and one that has surprisingly not been well explored: How broad are the FTC’s privacy and data security regulatory powers? How broad should they be?

In this Article, we address the issue of the scope of FTC authority in the areas of privacy and data security, which together we will refer to as “data protection.” We argue that the FTC not only has the authority to regulate data protection to the extent it has been doing, but that its granted jurisdiction can expand its reach much more. Normatively, we argue that the FTC’s current scope of data protection authority is essential to the United States data protection regime and should be fully embraced to respond to the privacy harms unaddressed by existing remedies available in tort or contract, or by various statutes. In contrast to the legal theories underlying these other claims of action, the FTC can regulate with a much different and more flexible understanding of harm than one focused on monetary or physical injury.

Thus far, the FTC has been quite modest in its enforcement, focusing on the most egregious offenders and enforcing the most widespread industry norms. Yet the FTC can and should push the development of norms a little more (though not in an extreme or aggressive way). We discuss steps the FTC should take to change the way it exercises its power, such as with greater transparency and more nuanced sanctioning and auditing.

Abstract

Consumer robots like personal digital assistants, automated cars, robot companions, chore-bots, and personal drones raise common consumer protection issues, such as fraud, privacy, data security, and risks to health, physical safety, and finances. They also raise new consumer protection issues, or at least call into question how existing consumer protection regimes might be applied to such emerging technologies. Yet it is unclear which legal regimes should govern these robots and what consumer protection rules for robots should look like.

This paper argues that the FTC’s grant of authority and existing jurisprudence are well-suited for protecting consumers who buy and interact with robots. The FTC has proven to be a capable regulator of communications, organizational procedures, and design, which are the three crucial concepts for safe consumer robots.

Abstract

For some crimes the entire law enforcement process can now be automated. No humans are needed to detect the crime, identify the perpetrator, or impose punishment. While automated systems are cheap and efficient, governments and citizens must look beyond these obvious savings as manual labor is replaced by robots and computers.

Inefficiency and indeterminacy have significant value in automated law enforcement systems and should be preserved. Humans are inefficient, yet more capable of ethical and contextualized decision-making than automated systems. Inefficiency is also an effective safeguard against perfectly enforcing laws that were created with implicit assumptions of leniency and discretion.

This Article introduces a theory of inefficiently automated law enforcement built around the idea that those introducing or increasing automation in one part of an automated law enforcement system should ensure that inefficiency and indeterminacy are preserved or increased in other parts of the system.

Abstract

Due to recent advances in computerized analysis and robotics, automated law enforcement has become technically feasible. Unfortunately, laws were not created with automated enforcement in mind, and even seemingly simple laws have subtle features that require programmers to make assumptions about how to encode them. We demonstrate this ambiguity with an experiment where a group of 52 programmers was assigned the task of automating the enforcement of traffic speed limits. A late-model vehicle was equipped with a sensor that collected actual vehicle speed over an hour long commute. The programmers (without collaboration) each wrote a program that computed the number of speed limit violations and issued mock traffic tickets. Despite quantitative data for both vehicle speed and the speed limit, the number of tickets issued varied from none to one per sensor sample above the speed limit. Our results from the experiment highlight the significant deviation in number and type of citations issued during the course of the commute, based on legal interpretations and assumptions made by programmers untrained in the law. These deviations were mitigated, but not eliminated, in one sub-group that was provided with a legally-reviewed software design specification, providing insight into ways to automate the law in the future. Automation of legal reasoning is likely to be the most effective in contexts where legal conclusions are predictable because there is little room for choice in a given model; that is, they are determinable. Yet this experiment demonstrates that even relatively narrow and straightforward “rules” can be problematically indeterminate in practice.

Abstract

We are rapidly approaching a time when automated law enforcement will no longer be an aberration, but rather a viable option for many law enforcement agencies. Consider the following hypothetical based on existing technology: Driving down a highway where the speed limit is 65mph, your vehicle’s built-in GPS receiver detects that you are approaching a large city. Cross-referencing your location with a database of speed limits, the car determines that the speed limit reduces to 55mph in another mile. A pleasant computer-generated contralto emits from the speaker system, “Warning! Speed limit reducing to 55 mph.”

However, there is excellent weather and visibility, and traffic is moving briskly. Unaware of new law enforcement policies in effect, you decide to maintain the prevailing traffic flow at 63 mph. As you cross into the 55mph zone, your vehicle’s pleasant contralto announces, “Posted speed limit exceeded, authorities notified.” Simultaneously, your vehicle’s onboard communications system notifies a nationwide moving-violation tracking system indicating the date, time, location, vehicle registration, and recorded speed. The tracking system determines, based on location, the appropriate agency. The police agency’s computer looks up the appropriate fine and emails a ticket to the person registered as the vehicle’s owner as well as to the company insuring the vehicle. This is an example of “perfect surveillance and enforcement.”6 Alternatively, the vehicle could have been programmed to simply reduce speed to the posted speed limit, a sort of reverse cruise control. This would be an example of “perfect prevention” or “preemption.

Abstract

Perfect anonymization of data sets that contain personal information has failed. But the process of protecting data subjects in shared information remains integral to privacy practice and policy. While the deidentification debate has been vigorous and productive, there is no clear direction for policy. As a result, the law has been slow to adapt a holistic approach to protecting data subjects when data sets are released to others. Currently, the law is focused on whether an individual can be identified within a given set. We argue that the best way to move data release policy past the alleged failures of anonymization is to focus on the process of minimizing risk of reidentification and sensitive attribute disclosure, not preventing harm. Process-based data release policy, which resembles the law of data security, will help us move past the limitations of focusing on whether data sets have been “anonymized.” It draws upon different tactics to protect the privacy of data subjects, including accurate deidentification rhetoric, contracts prohibiting reidentification and sensitive attribute disclosure, data enclaves, and query-based strategies to match required protections with the level of risk. By focusing on process, data release policy can better balance privacy and utility where nearly all data exchanges carry some risk.

Abstract

Robots, like household helpers, personal digital assistants, automated cars, and personal drones are or will soon be available to consumers. These robots raise common consumer protection issues, such as fraud, privacy, data security, and risks to health, physical safety and finances. Robots also raise new consumer protection issues, or at least call into question how existing consumer protection regimes might be applied to such emerging technologies. Yet it is unclear which legal regimes should govern these robots and what consumer protection rules for robots should look like.

The thesis of the Article is that the FTC’s grant of authority and existing jurisprudence make it the preferable regulatory agency for protecting consumers who buy and interact with robots. The FTC has proven to be a capable regulator of communications, organizational procedures, and design, which are the three crucial concepts for safe consumer robots. Additionally, the structure and history of the FTC shows that the agency is capable of fostering new technologies as it did with the Internet. The agency generally defers to industry standards, avoids dramatic regulatory lurches, and cooperates with other agencies. Consumer robotics is an expansive field with great potential. A light but steady response by the FTC will allow the consumer robotics industry to thrive while preserving consumer trust and keeping consumers safe from harm.

Abstract

The law of online relationships has a significant flaw—it regularly fails to account for the possibility of an implied confidence. The established doctrine of implied confidentiality is, without explanation, almost entirely absent from online jurisprudence in environments where it has traditionally been applied offline, such as with sensitive data sets and intimate social interactions.

Courts’ abandonment of implied confidentiality in online environments should have been foreseen. The concept has not been developed enough to be consistently applied in environments such as the Internet that lack obvious physical or contextual cues of confidence. This absence is significant because implied confidentiality could be the missing piece that helps resolve the problems caused by the disclosure of personal information on the Internet.

This Article urges a revival of implied confidentiality by identifying from the relevant case law a set of implied confidentiality norms based upon party perception and inequality that courts should be, but are not, considering in online disputes. These norms are used to develop a framework for courts to better recognize implied agreements and relationships of trust in all contexts.

Abstract

Two of the greatest modern challenges to protecting personal information are determining how to protect information that is already known by many and how to create an adequate remedy for privacy harms that are opaque, remote, or cumulative. Both of these challenges are front and center for those who seek to protect socially shared information. Social media and wearable communication technologies like Google Glass present vexing questions about whether information that is known by many can ever be “private,” what the privacy harm might be from this information’s misuse, and how to remedy such harms in balance with competing values such as free speech, transparency, and security. Some law and policy makers have responded to the challenge of protecting privacy in an era of m

Abstract

One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies’ privacy policies through its authority to police unfair and deceptive trade practices. Despite over fifteen years of FTC enforcement, there is no meaningful body of judicial decisions to show for it. The cases have nearly all resulted in settlement agreements. Nevertheless, companies look to these agreements to guide their privacy practices. Thus, in practice, FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States — more so than nearly any privacy statute or any common law tort.

In this Article, we contend that the FTC’s privacy jurisprudence is functionally equivalent to a body of common law, and we examine it as such. We explore how and why the FTC, and not contract law, came to dominate the enforcement of privacy policies. A common view of the FTC’s privacy jurisprudence is that it is thin, merely focusing on enforcing privacy promises. In contrast, a deeper look at the principles that emerge from FTC privacy “common law” demonstrates that the FTC’s privacy jurisprudence is quite thick. The FTC has codified certain norms and best practices and has developed some baseline privacy protections. Standards have become so specific they resemble rules. We contend that the foundations exist to develop this “common law” into a robust privacy regulatory regime, one that focuses on consumer expectations of privacy, extends far beyond privacy policies, and involves a full suite of substantive rules that exist independently from a company’s privacy representations.

Abstract

Design-based solutions to confront technological privacy threats are becoming popular with regulators. However, these promising solutions have left the full potential of design untapped. With respect to online communication technologies, design-based solutions for privacy remain incomplete because they have yet to successfully address the trickiest aspect of the Internet — social interaction. This Article posits that privacy-protection strategies such as “Privacy by Design” face unique challenges with regard to social software and social technology due to their interactional nature.

This Article proposes that design-based solutions for social technologies benefit from increased attention to user interaction, with a focus on the principles of “obscurity” rather than the expansive and vague concept of “privacy.” The main thesis of this Article is that obscurity is the optimal protection for most online social interactions and, as such, is a natural locus for design-based privacy solutions for social technologies. To that end, this Article develops a model of “obscurity by design” as a means to address the privacy problems inherent in social technologies and the Internet.

Abstract

On the Internet, obscure information has a minimal risk of being discovered or understood by unintended recipients. Empirical research demonstrates that Internet users rely on obscurity perhaps more than anything else to protect their privacy. Yet, online obscurity has been largely ignored by courts and lawmakers. In this Article, we argue that obscurity is a critical component of online privacy, but it has not been embraced by courts and lawmakers because it has never been adequately defined or conceptualized. This lack of definition has resulted in the concept of online obscurity being too insubstantial to serve as a helpful guide in privacy disputes. In its place, courts and lawmakers have generally found that the unfettered ability of any hypothetical individual to find and access information on the Internet renders that information public, and therefore ineligible for privacy protection. Drawing from multiple disciplines, this Article develops a more focused, clear, and workable definition of online obscurity: information is obscure online if it lacks one or more key factors that are essential to discovery or comprehension. We have identified four of these factors: (1) search visibility, (2) unprotected access, (3) identification, and (4) clarity. This framework could be applied as an analytical tool or as part of an obligation. Viewing obscurity as a continuum could help courts and lawmakers determine if information is eligible for privacy protections. Obscurity could also serve as a compromise protective remedy: instead of forcing websites to remove sensitive information, courts could mandate some form of obscurity. Finally, obscurity could form part of an agreement where Internet users bound to a “duty to maintain obscurity” would be allowed to further disclose information so long as they kept the information generally as obscure as they received it.

Abstract

Few website users actually read or rely upon terms of use or privacy policies. Yet users regularly take advantage of and rely upon website design features like privacy settings. To reconcile the disparity between boilerplate legalese and website design, this article develops a theory of website design as contract. The ability to choose privacy settings, un-tag photos, and delete information is part of the negotiation between websites and users regarding their privacy. Yet courts invariably recognize only the boilerplate terms when analyzing online agreements. In this article, I propose that if significant website features are incorporated into the terms of use, or if these features induce reliance, they should be considered enforceable promises. For example, the ability to increase privacy settings could be legitimized as an offer by the website to protect information. A website design could also render an agreement unconscionable if it manipulated, exploited, or confused a user. Finally, website design could serve as evidence of a subsequent agreement, or “operational reality,” between the parties. By providing a theory of website design as contract, this article shifts the focus of online agreements away from unread standard-form legalese to an approach that more accurately reflects the agreement between websites and users.