With the federal government and technology policy shut down in Washington, California is steaming ahead with a series of online privacy laws that will have broad implications for Internet companies and consumers.In recent weeks, Democratic Gov. Jerry Brown has signed a litany of privacy-related legislation, including measures to create an “eraser button” for teens, outlaw online “revenge porn” and make Internet companies explain how they respond to consumer Do Not Track requests. The burst of activity is another sign that the Golden State — home to Google, Facebook and many of the world’s largest tech companies — is setting the agenda for Internet regulation at a time when the White House and Congress are moving at a much more glacial pace.
When she asked me how I felt about this, I noted that: “California seems like it is willing to declare the Internet its own private fiefdom and rule it with its own privacy fist.” And, no matter how well intentioned any of these new California policies may be, the ends most certainly do not justify the means. Continue reading →
Many “serious people” are beginning to make the case that it’s time for the outrage and indignation over the NSA’s mass surveillance to subside and give way to a “national conversation” about how much privacy and liberty we are willing to trade for security, which they argue is a “choice we have to make.” Today at Reason I argue that until we have good reason to trust the oversight mechanisms that we are told will keep the system honest—or indeed trust the mechanisms for formulating such an oversight regime—civil libertarians have no reason to feel sheepish about obstinately refusing to make that “choice we have to make.”
Last month, I wrote at The Guardian that NSA surveillance is harming our Internet freedom efforts. Now we have tangible evidence of that. Speaking at the UN Human Rights Council on behalf of Cuba, Venezuela, Zimbabwe, Uganda, Ecuador, Russia, Indonesia, Bolivia, Iran, and China, Pakistan delivered the following statement (video, starts around 52:25). Pay special attention to the last two paragraphs: Continue reading →
Much of my recent research and writing has been focused on the contrast between “permissionless innovation” (the notion that innovation should generally be allowed by default) versus its antithesis, the “precautionary principle” (the idea that new innovations should be discouraged or even disallowed until their developers can prove that they won’t cause any harms). I have discussed this dichotomy in three recent law review articles, a couple of major agency filings, and several blog posts. Those essays are listed at the end of this post.
In this essay, I want to discuss a recent speech by Federal Trade Commission (FTC) Chairwoman Edith Ramirez and show how precautionary principle thinking is increasingly creeping into modern information technology policy discussions, prompted by the various privacy concerns surrounding “big data” and the “Internet of Things” among other information innovations and digital developments.
First, let me recap the core argument I make in my recent articles and filings. It can be summarized as follows: Continue reading →
I’m pleased to announce the release of my latest law review article, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” It appears in the new edition of the George Mason University Law Review. (Vol. 20, No. 4, Summer 2013)
My new article on benefit-cost analysis in privacy debates makes a seemingly contradictory argument: benefit-cost analysis (“BCA”) is extremely challenging in online child safety and digital privacy debates, yet it remains essential that analysts and policymakers attempt to conduct such reviews. While we will never be able to perfectly determine either the benefits or costs of online safety or privacy controls, the very act of conducting a regulatory impact analysis (“RIA”) will help us to better understand the trade-offs associated with various regulatory proposals. Continue reading →
In my latest essay for the IAPP “Privacy Perspectives” blog , I ponder the question: Why is it that better methods of digital contracting and data ownership have not yet developed to help us protect our privacy online? I note that the idea has long been floating around out there, but never gone anywhere. I offer a couple of explanations for why that has likely been the case. But I also note that there may still be some reasons to believe that private data contracting has a future.
Read the whole thing.
(Note: I discuss these issues in greater detail in my forthcoming George Mason Law Review article, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” It will be out before the end of the month and I will post it here once it is live.)
Today the Heartland Institute is publishing my policy brief, U.S. Cybersecurity Policy: Problems and Principles, which examines the proper role of government in defending U.S. citizens, organizations and infrastructure from cyberattacks, that is, criminal theft, vandalism or outright death and destruction through the use of global interconnected computer networks.
The hype around the idea of cyberterrorism and cybercrime is fast reaching a point where any skepticism risks being shouted down as willful ignorance of the scope of the problem. So let’s begin by admitting that cybersecurity is a genuine existential challenge. Last year, in what is believed to be the most damaging cyberattack against U.S. interests to date, a large-scale hack of some 30,000 Saudi Arabia-based ARAMCO personal computers erased all data on their hard drives. A militant Islamic group called the Sword of Justice took credit, although U.S. Defense Department analysts believe the government of Iran provided support.
This year, the New York Times and Wall Street Journal have had computer systems hacked, allegedly by agents of the Chinese government looking for information on the newspapers’ China sources. In February, the loose-knit hacker group Anonymous claimed credit for a series of hacks of the Federal Reserve Bank, Bank of America, and American Express, targeting documents about salaries and corporate financial policies in an effort to embarrass the institutions. Meanwhile, organized crime rings are testing cybersecurity at banks, universities, government organizations and any other enterprise that maintains databases containing names, addresses, social security and credit card numbers of millions of Americans.
These and other reports, aided by popular entertainment that often depicts social breakdown in the face of massive cyberattack, have the White House and Congress scrambling to “do something.” This year alone has seen Congressional proposals such as Cyber Intelligence Sharing and Protection Act (CISPA), the Cybersecurity Act and a Presidential Executive Order all aimed at cybersecurity. Common to all three is a drastic increase the authority and control the federal government would have over the Internet and the information that resides in it should there be any vaguely defined attack on any vaguely defined critical U.S. information assets.
Continue reading →
It was my pleasure last night to take part in an hour-long conversation on “Privacy, Security, and the Digital Age,” which was co-sponsored by Mediaite and the Koch Institute. The discussion focused on a wide range of issues related to government surveillance powers, Big Data, and the future of privacy. It opened with dueling remarks from former U.S. Ambassador to the U.N. John Bolton and Ben Wizner of the ACLU. You can view their respective remarks here.
I then sat on a panel that included Atlantic Media CTO Tom Cochrane and Michael R. Nelson, who is affiliated with with Bloomberg Government and Georgetown University. The entire session was expertly moderated by Andrew Kirell of Mediaite. He did an amazing job facilitating the discussion. Anyway, the videos for my panel are below, split into two parts. My comments focused heavily on the importance of separating the government uses of data from private sector uses and explaining the need to create a high and tight firewall between State and Industry when it comes to information sharing. I also argued that we will never get a handle on government-related privacy concerns until we get control of the scope of government power. I used the example of the drug war and our government’s constantly-expanding militaristic activities both abroad and here at home. So long as government is expanding without any rational, constitutional constraint, we are going to have serious surveillance and privacy problems. (See this essay, “It’s About Power, not Privacy,” by my colleague Eli Dourado for more on that theme.)
Continue reading →
Last month, it was my great pleasure to serve as a “provocateur” at the IAPP’s (Int’l Assoc. of Privacy Professionals) annual “Navigate” conference. The event brought together a diverse audience and set of speakers from across the globe to discuss how to deal with the various privacy concerns associated with current and emerging technologies.
My remarks focused on a theme I have developed here for years: There are no simple, silver-bullet solutions to complex problems such as online safety, security, and privacy. Instead, only a “layered” approach incorporating many different solutions–education, media literacy, digital citizenship, evolving society norms, self-regulation, and targeted enforcement of existing legal standards–can really help us solve these problems. Even then, new challenges will present themselves as technology continues to evolve and evade traditional controls, solutions, or norms. It’s a never-ending game, and that’s why education must be our first-order solution. It better prepares us for an uncertain future. (I explained this approach in far more detail in this law review article.)
Anyway, if you’re interested in an 11-minute video of me saying all that, here ya go. Also, down below I have listed several of the recent essays, papers, and law review articles I have done on this issue.
Continue reading →