Privacy, Security & Government Surveillance

Sen. Edward J. Markey (D-Mass.) and Rep. Joe Barton (R-Texas) have reintroduced their “Do Not Track Kids Act,” which, according to this press release, “amends the historic Children’s Online Privacy Protection Act of 1998 (COPPA), will extend, enhance and update the provisions relating to the collection, use and disclosure of children’s personal information and establishes new protections for personal information of children and teens.” I quickly scanned the new bill and it looks very similar to their previous bill of the same name that they introduced in 2011 and which I wrote about here and then critiqued at much greater length in a subsequent Mercatus Center working paper (“Kids, Privacy, Free Speech & the Internet: Finding The Right Balance”).

Since not much appears to have changed, I would just encourage you to check out my old working paper for a discussion of why this legislation raises a variety of technical and constitutional issues. But I remain perplexed by how supporters of this bill think they can devise age-stratified online privacy protections without requiring full-blown age verification for all Internet users. And once you go down that path, as I note in my paper, you open up a huge Pandora’s Box of problems that we have already grappled with for many years now. As I noted in my paper, the real irony here is that the “problem with these efforts is that expanding COPPA would require the collection of more personal information about kids and parents. For age verification to be effective at the scale of the Internet, the collection of massive amounts of additional data is necessary.” Continue reading →

Here’s the video from a recent panel I sat on at the 4th annual Privacy Identity Innovation conference (pii2013) in downtown Seattle on September 17, 2013. The panel was entitled, “Emerging Technologies and the Fine Line between Cool and Creepy,” a topic I have written much about here in recent blog posts as well as in law review articles.  The panel was expertly moderated by the awesome Natalie Fonseca, co-founder and executive producer of the pii2013 event as well as the always excellent Tech Policy Summit. Other panelists included Terence Craig, Co-founder and CEO, PatternBuilders and Co-author, Privacy and Big Data, Jamela Debelak, Technology and Liberty Director, ACLU of Washington, and my friend Larry Downes, Consultant and Author of The Laws of Disruption, among other excellent books. We discussed how to balance out the competing tensions surround new information technologies and stressed the various ways we could alleviate the primary concerns about many of them.

(The video, which is embedded down below, lasts just under 40 minutes. The audio is a little uneven because I was too stupid to keep the microphone close to my mouth. Sorry about that!)

Emerging Technologies and the Fine Line between Cool and Creepy from Privacy Identity Innovation on Vimeo.

Facebook announced some changes to its site today that will make it easier for teen users to share content with not just their friends but also the entire world. (More coverage at The Washington Post here.) No doubt, some privacy advocates will cry foul and rush to policymakers with requests for restrictions. Yet, it’s not clear to me what their case would be. There isn’t any COPPA issue here since we are talking about teens, and they aren’t covered by the law. Moreover, it seems entirely sensible to allow teens to make their voices heard more broadly via Facebook’s platform the same way they can via many other online sites and services. Teens have speech rights, too, after all.

On the other hand, this is another “teachable moment” that parents should take advantage of. When sites (especially larger sites like Facebook) change their policies and make it easier for our kids to share more about themselves and their feelings, that is always a great time to have another chat with them about acceptable online behavior. I’ve spent a lot of time here and elsewhere talking about the importance of “Netiquette,” or proper online etiquette in various social settings and situations. We need to talk to our kids and each other about being more savvy, sensible, respectful, and resilient media consumers and digital citizens. And schools and even governments have a role to play in pushing education and media literacy in pursuit of better “digital citizenship.”

The crucial lesson here — and this certainly has relevance to today’s Facebook announcement — is that we need to constantly be encouraging our kids to think about smarter online hygiene (sensible personal data use) and proper behavior toward others. Continue reading →

Michelle Quinn of Politico was kind enough to call me a few days ago and ask for comment for her story about “California Driving Internet Privacy Policy.” Quinn’s article offers an excellent overview of how the Golden State is gradually taking on a greater regulatory role for the Net, at least as it pertains to matters of online privacy. She opens by noting that:

With the federal government and technology policy shut down in Washington, California is steaming ahead with a series of online privacy laws that will have broad implications for Internet companies and consumers.In recent weeks, Democratic Gov. Jerry Brown has signed a litany of privacy-related legislation, including measures to create an “eraser button” for teens, outlaw online “revenge porn” and make Internet companies explain how they respond to consumer Do Not Track requests. The burst of activity is another sign that the Golden State — home to Google, Facebook and many of the world’s largest tech companies — is setting the agenda for Internet regulation at a time when the White House and Congress are moving at a much more glacial pace.

When she asked me how I felt about this, I noted that: “California seems like it is willing to declare the Internet its own private fiefdom and rule it with its own privacy fist.”  And, no matter how well intentioned any of these new California policies may be, the ends most certainly do not justify the means. Continue reading →

California’s continuing effort to make the Internet their own digital fiefdom continued this week with Gov. Jerry Brown signed legislation that creates an online “Eraser Button” just for minors. The law isn’t quite as sweeping as the seriously misguided “right to be forgotten” notion I’ve critique here (1, 2, 3, 4) and elsewhere (5, 6) before. In any event, the new California law will:

require the operator of an Internet Web site, online service, online application, or mobile application to permit a minor, who is a registered user of the operator’s Internet Web site, online service, online application, or mobile application, to remove, or to request and obtain removal of, content or information posted on the operator’s Internet Web site, service, or application by the minor, unless the content or information was posted by a 3rd party, any other provision of state or federal law requires the operator or 3rd party to maintain the content or information, or the operator anonymizes the content or information. The bill would require the operator to provide notice to a minor that the minor may remove the content or information, as specified.

As always, the very best of intentions motivate this proposal. There’s no doubt that some digital footprints left online by minors could come back to haunt them in the future, and that concern for their future reputation and privacy is the primary motivation for the measure. Alas, noble-minded laws like these often lead to many unintended consequences, and even some thorny constitutional issues. I’d be hard-pressed to do a better job of itemizing those potential problems than Eric Goldman, of Santa Clara University School of Law, and Stephen Balkam, Founder and CEO of the Family Online Safety Institute, have done in recent essays on the issue. Continue reading →

Seriously Uncompromising

by on September 23, 2013 · 2 comments

Many “serious people” are beginning to make the case that it’s time for the outrage and indignation over the NSA’s mass surveillance to subside and give way to a “national conversation” about how much privacy and liberty we are willing to trade for security, which they argue is a “choice we have to make.” Today at Reason I argue that until we have good reason to trust the oversight mechanisms that we are told will keep the system honest—or indeed trust the mechanisms for formulating such an oversight regime—civil libertarians have no reason to feel sheepish about obstinately refusing to make that “choice we have to make.”

Last month, I wrote at The Guardian that NSA surveillance is harming our Internet freedom efforts. Now we have tangible evidence of that. Speaking at the UN Human Rights Council on behalf of Cuba, Venezuela, Zimbabwe, Uganda, Ecuador, Russia, Indonesia, Bolivia, Iran, and China, Pakistan delivered the following statement (video, starts around 52:25). Pay special attention to the last two paragraphs: Continue reading →

Much of my recent research and writing has been focused on the contrast between “permissionless innovation” (the notion that innovation should generally be allowed by default) versus its antithesis, the “precautionary principle” (the idea that new innovations should be discouraged or even disallowed until their developers can prove that they won’t cause any harms).  I have discussed this dichotomy in three recent law review articles, a couple of major agency filings, and several blog posts. Those essays are listed at the end of this post.

In this essay, I want to discuss a recent speech by Federal Trade Commission (FTC) Chairwoman Edith Ramirez and show how precautionary principle thinking is increasingly creeping into modern information technology policy discussions, prompted by the various privacy concerns surrounding “big data” and the “Internet of Things” among other information innovations and digital developments.

First, let me recap the core argument I make in my recent articles and filings. It can be summarized as follows: Continue reading →

GMLR coverI’m pleased to announce the release of my latest law review article, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” It appears in the new edition of the George Mason University Law Review. (Vol. 20, No. 4, Summer 2013)

This is the second of two complimentary law review articles I am releasing this year dealing with privacy policy. The first, “The Pursuit of Privacy in a World Where Information Control is Failing,” was published in Vol. 36 of the Harvard Journal of Law & Public Policy this Spring. (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)

My new article on benefit-cost analysis in privacy debates makes a seemingly contradictory argument: benefit-cost analysis (“BCA”) is extremely challenging in online child safety and digital privacy debates, yet it remains essential that analysts and policymakers attempt to conduct such reviews. While we will never be able to perfectly determine either the benefits or costs of online safety or privacy controls, the very act of conducting a regulatory impact analysis (“RIA”) will help us to better understand the trade-offs associated with various regulatory proposals. Continue reading →

In my latest essay for the IAPP “Privacy Perspectives” blog , I ponder the question: Why is it that better methods of digital contracting and data ownership have not yet developed to help us protect our privacy online?  I note that the idea has long been floating around out there, but never gone anywhere. I offer a couple of explanations for why that has likely been the case. But I also note that there may still be some reasons to believe that private data contracting has a future.

Read the whole thing.

(Note: I discuss these issues in greater detail in my forthcoming George Mason Law Review article, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” It will be out before the end of the month and I will post it here once it is live.)