This dispatch of the PEP report takes a fly-over view of the year that just came to a close. Here are a few of the most important developments in policy and research related to privacy, data security, and data stewardship.
Story of the Year
Cambridge Analytica
News that Cambridge Analytica collected data on millions of Facebook users and exploited it to perform political consulting services has caused a seismic shift in privacy debates. For many observers, the scandal moved our attention to the particulars of data ownership over to more fundamental questions about the nature of data-related harm. Most of the observations from civil society describe that harm in terms of manipulation and deceit. For example, a report by the New America Foundation summarizes the Cambridge Analytica events and other related scandals this way:
“The central theme in these scandals is the power of the major digital media platforms to track, target, and segment people into audiences that are highly susceptible to manipulation. These companies have all profited enormously from this market structure, and they have done little to mitigate potential harms.”
I, too, have found the aftermath of the Cambridge Analytica story enlightening, but for a very different reason. I am struck by how many different theories of harm there are, with vastly different policy implications. As I explain in a new PEP White Paper, none of the popular theories on the nature of harm can be targeted by new regulations unless we are prepared to seriously damage and undermine the Internet as we know it. I therefore recommend caution and deliberation before making significant changes to the law. (In other words, like Eric Goldman, I advise against following California’s example by rushing comprehensive privacy legislation.)
For those who want to do a deeper dive into the dynamics of networked communications and its effect on U.S. elections, please read Network Propaganda: Manipulation, Disinformation, and Radicalization in American Politics by Yochai Benkler, Robert Faris, and Hal Roberts. This book analyzes a huge set of news content in order to test varying theories about political influence. They conclude that our current state of hyper-partisan culture was decades in the making, and that newcomers to the communications landscape (like Facebook) are much less relevant than mainstream media institutions like Fox News. There is a lot more nuance and intrigue in the book than I can summarize here, and the books is also detailed enough for readers to draw their own conclusions in areas of mixed empirical facts. It’s a must-read for anybody who wants to have an educated opinion about media manipulation.
Sleeper Story of the Year
The U.S. Census Bureau is adopting Differential Privacy for all of its data releases—a decision that is likely to drastically reduce the accuracy of the research that relies on Census Bureau data. Everybody who relies on Census data for research on voter disenfranchisement, neighborhood segregation, income inequality, education, or anything else should pay attention to this development. Stever Ruggles, one of the Principal Investigators of IPUMS, has prepared a primer summarizing the history of Census Bureau privacy precautions and the stakes involved in this recent change.
Statute/Regulation of the Year
The whole world wide web noticed when the EU’s General Data Protection Regulation (GDPR) went into effect. There are many primers available to become acquainted with the statute (see, for example, this one produced by Columbia University’s Tow Center for Digital Journalism), but the implications of the law will have to await interpretation by European regulators.
On the surface, the requirements of the GDPR and the specter of massive penalties suggest the law is likely to slow down or reverse digital services in Europe, but scholars who anticipate potential clashes between GDPR and innovation are starting to put forward interpretations that could allow developments in Machine Learning and AI to progress. (See, e.g., this book chapter on the topic.) But amid the uncertainty, the short-run effects of GDPR on Europe’s economy and venture capital investment are a bit grim.
Sleeper Statute of the Year
The OPEN Government Data Act managed to rally bipartisan support for easier access to machine-readable data held by the government. It passed December 31st. Here’s the Data Coalition’s press release about President Trump’s recent signing of the bill.
Cases
The Supreme Court decided that police must get a warrant before accessing cell site data on criminal suspects, thereby limiting the scope of the much-maligned Third Party Doctrine (which had treated government access to records held by third party records as not a Fourth Amendment “search” at all.)
Related commentary:
Sharon Bradford Franklin at LawFare
Orin Kerr at Volokh Conspiracy and in this book chapter
As I argued in my own work on the Third Party Doctrine, I hope police departments will start to use third party data in a way that is crime-driven rather than suspect-driven. The city of Raleigh apparently has started to do this, with the oversight of the warrant process.
The 11th Circuit found that the FTC’s enforcement action against LabMD for insufficient data security went beyond the scope of the agency’s Section 5 powers because the standards that applied were too imprecise.
“In the case at hand, the cease and desist order contains no prohibitions. It does not instruct LabMD to stop committing a specific act or practice. Rather, it commands LabMD to overhaul and replace its data-security program to meet an indeterminable standard of reasonableness.”
This case could have significant implications for the FTC’s regulation of privacy-related practices as well. It could also moot the incisive and thoroughly-researched work of Daniel J. Solove and Woodrow Hartzog in their treatise, The Ultimate Unifying Approach to Complying with All Laws and Regulations. : ) (In all seriousness, though, Dan and Woody provide excellent guidance on the FTC’s enforcement actions in the privacy and data security space in their excellent Columbia Law Review article from 2014.)
The Supreme Court was set to decide an important issue related to cy pres awards, but the case took a turn after oral arguments when the Court asked for supplemental briefing on the issue of whether technical privacy violations are a sufficient “injury” to support Article III standing. And so, Frank v. Gaos may now be a vehicle for fleshing out the parameters of injury that were left unclear in Spokeo v. Robins. Here’s Will Baude’s commentary on Volokh Conspiracy.
This case may wind up shedding light on the intracircuit split that has emerged in the 7th Circuit in cases related to Illinois’ Biometric Privacy Act. In Rivera v. Google, one court recently decided that a privacy lawsuit against Google Photos for storing facial maps without complying with the requirements of BIPA was not a concrete injury under a Spokeo analysis. But it’s hard to square that case with Patel v. Facebook, where the plaintiff class overcame a motion to dismiss on similar facts.
Google and Facebook are on the defensive in lots of consumer protection litigation. They recently succeeded in dismissing cases brought by victims of the 2015 San Bernardino terrorist attack that alleged the companies aided the shooter. And the companies are facing many antitrust challenges based on perceived bias and distortion. (The Freedom Watch case, brought by a conservative media outlet, is a good reminder that antitrust violation is an equal opportunity accusation
Scholarship and Research
Ignacio Cafone’s overview of the law and economics literature on privacy
Matthew Kugler & Lior Strahilevitz on Assessing the Empirical Upside of Personalized Criminal Procedure
Niva Elkin-Koren & Michal Gal on The Chilling Effect of Governance-by-Data on Innovation
Jeff Kosseff’s article identifying gaps in the definition and treatment of cybersecurity law
Sasha Romanosky on Are Firms and Consumers Investing Enough in Data Security? (A PEP White Paper).
The Blogosphere
Eugene Volokh on sealing cases at Volokh Conspiracy
Gunes Acar on how hashed emails create complications for deidentification expectations at Freedom to Tinker
DIY Privacy
Edward Snowden’s Haven app, which converts your phone into a physical security device
What Should I Worry About This Year?