Speaking for everyone snowed-in in DC, White House Counselor John Podesta remarked that “big snow trumped big data,” while on the phone to open the first of the Obama Administration’s three big data and privacy workshops. This first workshop, which I was eager to attend (if only to continue my streak of annual appearances in Beantown), focused on advancing the “start of the art” in technology and practice. For a mere lawyer such as myself, I anticipated a lot of highly technical jargon, and in that regard I was not disappointed. // Full recap on the Future of Privacy Forum Blog.
The biggest takeaway from Common Sense Media’s School Privacy Zone Summit was, in the words of U.S. Secretary of Education Arne Duncan, that “privacy needs to be a higher priority” in our schools. According to Duncan, “privacy rules may be the seatbelts of this generation,” but getting these rules right in sensitive school environments will prove challenging. As the Family Educational Rights and Privacy Act (FERPA), one of the nation’s oldest privacy laws, turns forty this year, what seems to be apparent is that are schools lack both the resources and training necessary to even understand today’s digital privacy challenges surrounding student data.
Dr. Terry Grier, Superintendent of the Houston Independent School District, explains that his district of 225,000 students is getting training from a 5,000 student district in North Carolina. The myriad of different school districts, varying sharply in wealth and size, has made it impossible for educators to define rules and expectations when it comes to how student data can be collected and used.
Moreover, while privacy advocates charge that schools have effectively relinquished control over their students’ information, several panelists noted that we haven’t yet decided who the ultimate custodian of student data even is. One initial impulse might be to analogize education records to HIPAA health records, which belong to a patient, but Cameron Evans, CTO of education at Microsoft, suggested that it might be counterproductive to think of personalized education data as strictly comparable to individual health records. On top of this dilemma, questions about how to communicate and inform parents have proven difficult to answer as educational technology shifts rapidly, resulting in a landscape that one state educational technology director described as the “wild wild west.”
There was wide recognition by both industry participants at the summit and policymakers that educational technology vendors need to establish best practices – and soon. Secretary Duncan noted there was a lot of energy to address these issues, and that it was “in the best interest of commercial players to be self-policing.” The implication was clear: begin establishing guidelines and helping schools now or face government regulation soon.
My synopsis of Laura Donohue’s The Cost of Counterterrorism: Power, Politics, and Liberty is now up on the JustSecurity blog. A couple of quick thoughts on the book:
First, it was impossible not to read in various Snowden revelations throughout the book. It read very much like a prelude to all of the different programs and oversight problems we have learned about over the past year, which suggests that Snowden’s leaks really just confirmed what security critics were already surmising. Further, considering the book was release right at the start of the smartphone explosion and the rise of “Big Data,” it’s fascinating to see how Professor Donohue talked about the capabilities of these technologies.
Second, my major criticism of the book is that it reads like a bunch of law review articles duct-taped together. This may speak volumes for how legal scholarship is produced, or how many non-fiction books are collections that build upon a certain idea or original essay. Regardless, it was impossible not to notice how jarring portions of the book were. Professor Donohue’s overall framework is to compare the national security regimes of the United States with the United Kingdom, and this leads to chapters that bounce from the Irish Troubles to American military policy in Iraq. The comparison doesn’t always hold, and it some spots feels unwarranted.
Yesterday evening, I found myself at the Mansion on O Street, whose eccentric interior filled with hidden doors, secret passages, and bizarrely themed rooms, seemed as good as any place to hold a privacy-related reception. The event marked the beta launch of my organization’s mobile location tracking opt-out. Mobile location tracking, which is being implemented across the country by major retailers, fast food companies, malls, and the odd airport, first came to the public’s attention last year when Nordstrom informed its customers that it was tracking their phones in order to learn more about their shopping habits.
Today, the Federal Trade Commission hosted a morning workshop to discuss the issue, featuring representatives from analytics companies, consumer education firms, and privacy advocates. The workshop presented some of the same predictable arguments about lack of consumer awareness and ever-present worries about stifling innovation, but I think a contemporaneous conversation I had with a friend better highlights some of the privacy challenges mobile analytics presents. Names removed to predict privacy, of course!
A recent paper by the Technology Policy Institute takes a pro-business look at the Big Data phenomenon, finding “no evidence” that Big Data is creating any sort of privacy harms. As I hope to lay out, I didn’t agree with several of the report’s findings, but I found the paper especially interesting as it critiques my essay from September’s “Big Data and Privacy” conference. According to TPI, my “inflammatory” suggestion that ubiquitous data collection may harm the poor was presented “without evidence.” Let me first say that I’m deeply honored to have my writing critiqued; for better or worse, I am happy to have my thoughts somehow contribute to a policy conversation. That said, while some free market voices applauded the report as a thoughtful first step at doing a a Big Data cost-benefit analysis, I found the report to be one-sided to its detriment.
As ever in the world of technology and law, definitions matter, and neither myself nor TPI can adequately define what “Big Data” even is. Instead, TPI suggests that Big Data phenomenon describes the fact that data is “now available in real time, at larger scale, with less structure, and on different types of variables than previously.” If I wanted to be inflammatory, I would suggest this means that personal data is being collected and iterated upon pervasively and continuously. The paper then does a good job of exploring some of the unexpected benefits of this situation. It points to the commonly-lauded Google Flu Trends as the posterchild for Big Data’s benefits, but neglects to mention the infamous example where Target was able to uncover a teenage customer was pregnant before her family.
At that point, the paper looks at several common privacy concerns surrounding Big Data and attempts to debunk them. Read More…
The arrival of new technologies in the field of education, from connected devices, student longitudinal data systems, and massive open online courses (MOOCs) present both opportunities and potential privacy risks for students and educators. As part of my work at the Future of Privacy Forum, I have started surveying the issue of privacy in education, and early, anecdotal conversations suggest a pressing need for more education and awareness among all stakeholders. With that in mind, I was pleased to see the Electronic Privacy Information Center (EPIC) host an informative discussion on education records and student privacy.
The focus of the discussion was on the growing “datafication” of student’s personal information. Sen. Edward Markey (D-Mass), who has been active in the field of children’s privacy, opened the event with an introduction to the topic area. In addition to discussing his Do Not Track Kids legislation, which would extend COPPA-type protections to 13, 14, and 15 year-olds, the Senator highlighted his new student privacy legislation. The goals of the legislation were explained as follows:
- Student data should never be available for commercial purposes (focus on advertising);
- Parents should have access and rectification rights to data held by private companies, similar to what is afforded for records held by schools;
- Safeguards should be put in place to ensure that there are real protections for student records held by third parties; and
- Private companies must delete information that they no longer need. Student records should not be held permanently by companies, only by parents.
The panel itself featured Marc Rotenberg and Khaliah Barnes of EPIC; Kathleen Styles, Chief Privacy Officer at the Department of Education (DOE); Joel Reidenberg of Fordham Law School; Deborah Peel of Patient Privacy Rights; and Pablo Molina, Chief Information Officer at Southern Connecticut State University.
In 2011, as I was wrapping up law school, I wrote a lengthy, ranting paper about the problems watchdog journalism faced in effectively reporting about national security and foreign affairs. Fueled by a combination of a course on media law, a recent set of disclosures by WikiLeaks, and an unhealthy amount of Sunday morning talk show viewing, I blamed the “systemic professionalization” of our major media for weakening the press’ watchdog function vis-a-vis government. Specifically, I argued that objectivity in journalism had the unintended consequence of making major media extremely susceptible to having its coverage of foreign affairs and national security issues in general manipulated by outside actors, especially the government.
A combination of cost-cutting and the twenty-four hour news cycle has forced the media to rely on information provided directly from government officials, and this sort of access has become arguably as valuable as rigorous documentation, critical analysis, or investigations. This leads to an outcome where government becomes the arbiter of what news the public gets to learn. Over time, my thinking was that reliance on government for the story indirectly reduces the press’s credibility. Since government briefings have become notoriously managed and “spun,” the perverse result is that government information is often considered more reliable or more truthful if it given anonymously and off-the-record, which produces the deluge of anonymous sourcing we see in the media today.
It is my belief that one of the key values of a free press is to serve as a check on government action, but when this sort of government access is combined with a slavish devotion to objectivity, it has the unintended consequence of making our watchdog press more a neutral arbiter than an antagonistic body that oversees government behaviors. Cloaked in secrecy, national security issues provide government officials with an opportunity to shape reality as they wish it — as we have seen repeatedly over the last year. I.F. Stone one famously stated that “every government is run by liars and nothing they say should be believed,” but how often do our most esteemed journalists dare call a politician’s lie a lie?
In 1947, the Commission on Freedom of the Press suggested that market forces and citizen efforts could be used to improve the media’s watchdog capability. When I wrote this paper in 2011, I concluded that this casual observation may be more feasible now than six decades ago due the rise of so-called new media. Collaborative journalism is on the rise:
Reporting is becoming more participatory and collaborative. The ranks of news gatherers now include not only newsroom staffers, but freelancers, university faculty members, students, and citizens. Financial support for reporting now comes not only from advertisers and subscribers, but also from foundations, individual philanthropists, academic and government budgets, special interests, and voluntary contributions from readers and viewers. There is increased competition among the different kinds of news gatherers, but there also is more cooperation, a willingness to share resources and reporting with former competitors.
Maybe now the solution is the professionalize the blogosphere?
In any event, doesn’t this entire enterprise of collaborative journalism sound like exactly how this past year’s reporting on NSA surveillance has been carried out? Glenn Greenwald is, in the best sense of the word, a blogger by tradition, and numerous organizations, from establishment media to ProPublica and independent researchers like Ashkan Soltani, have brought information to the public. In the coming year, Greenwald has teamed with billionaire Pierre Omidyar to launch First Look Media.
I had largely forgotten about the paper, but considering its the new year, I thought it worth something to share publicly. Please feel free to read and criticize — that’s what being a watchdog is all about!
Big national security news yesterday: a federal court judge has ruled that the NSA’s Section 215 metadata collection program is an unconstitutional violation of the Fourth Amendment. TechDirt has a great wrap-up of Judge Leon’s opinion, but more than the excellent legal analysis on display, the case is one of the first big demonstrations of how the federal judiciary is being brought into the surveillance discussion post-Snowden. The secretive structure of FISA Court, and the difficulty – if impossibility – of getting those cases into the Supreme Court or out into the sunshine made it very easy for the the courts to avoid judging the constitutionality of broad government surveillance.
Just last year in Clapper v. Amnesty International, the Supreme Court was able to side-step today’s question by holding that a group of international lawyers and journalists had no standing to challenge the FISA Amendments Act of 2008 because they could prove no harm. The narrow majority deferred to the FISA Court’s ability to enforce the Fourth Amendment’s privacy guarantees, an assertion that has proven to be ridiculous. Snowden’s revelations have changed Clapper‘s standing equation, and this may force the Supreme Court’s hand.
After today, it appears all three branches of government may have a say in the future of the Fourth Amendment, and it seems likely they won’t be in agreement. Involving the Third Branch in an active dialog about surveillance is essential not only because it can clarify the scope of Fourth Amendment but also because it may be in a position to break a separation of powers stalemate between Congress and the President. In the end, the steady stream of lawsuits challenging the NSA’s activities may end up having a bigger legal impact than any congressional theatrics.
Today, some four months after we first announced it, my organization put out our Safe Harbor Report on the effectiveness of the U.S.-EU Safe Harbor in protecting EU citizen privacy and promoting trans-Atlantic data transfers. That’s something of a mouthful, but I’m proud of my contributions to the report, which include the paper’s discussions on enforcement, government access to information (e.g., NSA activity), and some of the recommendations and case studies. I now know entirely too much about trans-Atlantic data transfers under the program, so here’s hope the European Union doesn’t and suspend the Safe Harbor now!
This morning, the European Commission released its report on the state of the US-EU Safe Harbor, a mechanism that provides for international data transfers, proposing a series of recommendations designed “to restore trust in data flows between the EU and the U.S.” Europeans have long been critical of the Safe Harbor — and America’s free-wheeling attitude toward privacy in general — but the Summer of Snowden provided a perfect pretext to “reconsider” the efficacy of the Safe Harbor.
America’s hodgepodge or “sectoral” approach to privacy has increasingly placed U.S. officials on the defensive, and there’s no question the Safe Harbor can be improved. However, conflating Safe Harbor reform with justified anger about expansive NSA snooping is counterproductive. First and foremost, while public and private data sharing is increasingly intermingled, government access to data is not the same as commercial data use. The Safe Harbor was explicitly designed to protect the commercial privacy interests of EU citizens.
It was not created to address national security issues, and the Safe Harbor specifically provides an exception from its requirements “to the extent necessary to meet national security, public interest, or law enforcement requirements.” As FTC Commissioner Julie Brill has noted, national security exceptions to legal regimes are not unusual. For example, the HIPAA Privacy Rule permits the disclosure of private health information in the interest of national security, and even the EU’s stringent Data Protection Directive includes an exception for state security or defense.