Sen. Edward J. Markey (D-Mass.) and Rep. Joe Barton (R-Texas) have reintroduced their “Do Not Track Kids Act,” which, according to this press release, “amends the historic Children’s Online Privacy Protection Act of 1998 (COPPA), will extend, enhance and update the provisions relating to the collection, use and disclosure of children’s personal information and establishes new protections for personal information of children and teens.” I quickly scanned the new bill and it looks very similar to their previous bill of the same name that they introduced in 2011 and which I wrote about here and then critiqued at much greater length in a subsequent Mercatus Center working paper (“Kids, Privacy, Free Speech & the Internet: Finding The Right Balance”).
Since not much appears to have changed, I would just encourage you to check out my old working paper for a discussion of why this legislation raises a variety of technical and constitutional issues. But I remain perplexed by how supporters of this bill think they can devise age-stratified online privacy protections without requiring full-blown age verification for
all Internet users. And once you go down that path, as I note in my paper, you open up a huge Pandora’s Box of problems that we have already grappled with for many years now. As I noted in my paper, the real irony here is that the “problem with these efforts is that expanding COPPA would require the collection of more personal information about kids and parents. For age verification to be effective at the scale of the Internet, the collection of massive amounts of additional data is necessary.” Continue reading →
I’m pleased to announce the release of my latest law review article, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” It appears in the new edition of the George Mason University Law Review. (Vol. 20, No. 4, Summer 2013)
This is the second of two complimentary law review articles I am releasing this year dealing with privacy policy. The first, “The Pursuit of Privacy in a World Where Information Control is Failing,” was published in Vol. 36 of the Harvard Journal of Law & Public Policy
this Spring. (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)
My new article on benefit-cost analysis in privacy debates makes a seemingly contradictory argument: benefit-cost analysis (“BCA”) is extremely challenging in online child safety and digital privacy debates, yet it remains essential that analysts and policymakers attempt to conduct such reviews. While we will never be able to perfectly determine either the benefits or costs of online safety or privacy controls, the very act of conducting a regulatory impact analysis (“RIA”) will help us to better understand the trade-offs associated with various regulatory proposals. Continue reading →
Today over at the International Association of Privacy Professionals (IAPP) Daily Dashboard blog, I have a guest post entitled, “Let’s Not Place All Our Eggs in the Do Not Track Basket.” The essay builds on my Senate Commerce Committee testimony last week by arguing that:
If there’s one lesson I’ve learned in twenty-one years of covering information technology policy, it’s that there are no simple silver-bullet solutions to complex issues like online safety, hate speech, spam, cybersecurity, data breaches or digital privacy. Problems such as these demand a layered, multifaceted approach that incorporates many solutions, the first among these being education and awareness-based efforts.
I continue on to explain why that means we should be cautious about placing too much faith in privacy techno-fixes like Do Not Track, which won’t likely be any more successful than past silver bullet efforts. (Note: Justin Brookman of CDT will be offering a counterpoint to my essay next week on the IAPP blog. I look forward to seeing what he has to say. He also testified alongside me in the Senate last week.)
By the way, for those of you not familiar with the IAPP, it is “the largest and most comprehensive global information privacy community and resource, helping practitioners develop and advance their careers and organizations manage and protect their data. More than just a professional association, the IAPP provides a home for privacy professionals around the world to gather, share experiences and enrich their knowledge.” In my opinion, the IAPP is doing amazing work and deserves the attention of anyone who cares about the future of privacy and privacy policy. I strongly recommend you check out their excellent site and explore all the important resources they provide and other things they do.
Anyway, if you are interested in the issues discussed in my IAPP guest post, you might also want to check out some of the related essays down below the fold: Continue reading →
Today I’ll be testifying at a Senate Commerce Committee hearing on online privacy and commercial data collection issues. In my remarks, I make three primary points:
- First, no matter how well-intentioned, restrictions on data collection could negatively impact the competitiveness of America’s digital economy, as well as consumer choice.
- Second, it is unwise to place too much faith in any single, silver-bullet solution to privacy, including “Do Not Track,” because such schemes are easily evaded or defeated and often fail to live up to their billing.
- Finally, with those two points in mind, we should look to alternative and less costly approaches to protecting privacy that rely on education, empowerment, and targeted enforcement of existing laws. Serious and lasting long-term privacy protection requires a layered, multifaceted approach incorporating many solutions.
The testimony also contains 4 appendices elaborating on some of these themes.
Down below, I’ve embedded my testimony, a list of 10 recent essays I’ve penned on these topics, and a video in which I explain “How I Think about Privacy” (which was taped last summer at an event up at the University of Maine’s Center for Law and Innovation). Finally, the best summary of my work on these issues can be found in this recent Harvard Journal of Law & Public Policy article, “The Pursuit of Privacy in a World Where Information Control is Failing.” (This is the first of two complimentary law review articles I will be releasing this year dealing with privacy policy. The second, which will be published early this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.”) Continue reading →
I’m excited to announce the release of my latest law review article, “The Pursuit of Privacy in a World Where Information Control is Failing,” which appears in the next edition (vol. 36) of the Harvard Journal of Law & Public Policy. This is the first of two complimentary law review articles that I will be releasing this year dealing with privacy policy. The second, which will be published later this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)
The new
Harvard Journal article is divided into three major sections. Part I focuses on some of normative challenges we face when discussing privacy and argues that there may never be a widely accepted, coherent legal standard for privacy rights or harms here in the United States. It also explores the tensions between expanded privacy regulation and online free speech. Part II turns to the many enforcement challenges that are often ignored when privacy policies are being proposed or formulated and argues that legislative and regulatory efforts aimed at protecting privacy must now be seen as an increasingly intractable information control problem. Most of the problems policymakers and average individuals face when it comes to controlling the flow of private information online are similar to the challenges they face when trying to control the free flow of digitalized bits in other information policy contexts, such as online safety, cybersecurity, and digital copyright.
If the effectiveness of law and regulation is limited by the normative considerations discussed in Part I and the practical enforcement complications discussed in Part II, what alternatives remain to assist privacy-sensitive individuals? I address that question in Part III of the paper and argue that the approach America has adopted to deal with concerns about objectionable online speech and child safety offers a path forward on the privacy front as well. Continue reading →
The world does not owe targeted advertising networks a business model, so I am agnostic about Microsoft’s decision to ship Internet Explorer 10 with “Do-Not-Track” enabled by default. Ryan Singel has a good write-up on Threat Level that covers many dimensions of the issue.
Decisions like this are never driven by a single motivation, but I’m interested in the likelihood that Microsoft made this choice hoping to drive a dagger into Google’s business model. To the extent it did, it’s a nice illustration of how competition among companies can serve consumers’ privacy preferences. There is some demand for privacy, though less than most regulatory types believe. Microsoft saw an angle to get some pro-privacy PR, improve consumers’ privacy by a small margin, and hamstring a competitor. You go, girl. Er, Microsoft.
Now, consumers aren’t falling over themselves for protection from the benign practice of tracking for the purpose of delivering targeted ads. I suspect that counter-punches from ad networks and Google will send the Do Not Track header into the dustbin of privacy history right along with P3P. The idea of putting a signal into the header that says “please do not track” is clumsy, to put it charitably.
If you want to avoid tracking, you can do that already. Use Tracking Protection Lists.
The Computers, Freedom and Privacy conference—the original privacy conference—is June 14th through 16th at the Georgetown University Law School here in D.C.
It has a neat layout this year, with a focus on each of the topics—computers, freedom, and privacy—on each of its three days. I’ve always found that it’s a rollicking conference at which the newest ideas and problems get aired. It’s got some big draws if you’re into that kind of thing: Senator Patrick Leahy (D-VT) will speak on Thursday. But there really is something for everyone. TLFer’s Ryan Radia and Berin Szoka will join yours truly and other experts on a panel entitled “Do Not Track: Yaaay or Boooh?”, which should be fun.
Check out the agenda, then register.
The Technology Liberation Front is the tech policy blog dedicated to keeping politicians' hands off the 'net and everything else related to technology.