privacy law and policy

Privacy Law and Policy Bryce Newell, J.D. Ph.D. student, UW iSchool Jan. 13, 2012

Upload: brian-rowe

Post on 09-Feb-2015


DESCRIPTION

Slides by Bryce Newell

TRANSCRIPT

Page 1: Privacy law and policy

Privacy Law and Policy
Bryce Newell, J.D.
Ph.D. student, UW iSchool
Jan. 13, 2012

Page 3: Privacy law and policy

What is privacy?

Page 4: Privacy law and policy

Privacy: a Fundamental Right, or not?

• Fundamental Right
▫ Europe
▫ Canada
▫ Australia
▫ New Zealand
• Sectored Protection
▫ United States (except in some narrow constitutional areas)

Page 5: Privacy law and policy

Types of Privacy Protections

• Tort Privacy (common law / state law)
• Informational Privacy (largely guided by statutory law – i.e. federal legislation)
• Freedom from unreasonable search and seizure (4th Am.)
• Free speech (1st Am.)
• Fundamental decision (14th Am.)

Page 6: Privacy law and policy

US Privacy Milestones

• 1890 – right to privacy
▫ promoted in article by Warren and Brandeis (tort-based privacy)
• 1928 – “the right to be let alone”
▫ (Brandeis dissent in Olmstead – search and seizure)
• 1958 – nexus of anonymity and speech
▫ (NAACP v. Alabama) (disclosure of member list)
• 1960 – Prosser’s Torts
▫ based on Warren and Brandeis’s ideas
• 1967 – “reasonable expectation”
▫ (Katz v. US – search and seizure)
• 1977 – no “zone of privacy” where data is protected and used within broad police powers of state
▫ (Whalen v. Roe – disclosure of prescription data)

Page 7: Privacy law and policy

Warren & Brandeis (1890)

• “…now that modern devices afford abundant opportunities for the perpetration of such wrongs without any participation by the injured party, the protection granted by the law must be placed upon a broader foundation.”

Page 8: Privacy law and policy

Warren & Brandeis

• The “right to be let alone”
• Elements of privacy from:
▫ defamation law
▫ IP law
▫ Contract law
▫ Property
▫ Olmstead v. US (1928)

Page 9: Privacy law and policy

Warren & Brandeis to Prosser

• Dean Prosser’s four torts (1960):
▫ appropriating the plaintiff's identity for the defendant's benefit
▫ placing the plaintiff in a false light in the public eye
▫ publicly disclosing private facts about the plaintiff
▫ unreasonably intruding upon the seclusion or solitude of the plaintiff

Page 10: Privacy law and policy

International Privacy Conventions

• Article 8 of the European Convention on Human Rights
▫ “Everyone has the right to respect for his private and family life, his home and his correspondence.”
• Article 17 of the International Covenant on Civil and Political Rights (UN)

Page 11: Privacy law and policy

Nissenbaum (2004): Cases

• Public Records Online
▫ Concerns? The info is already public…
• Consumer Profiling and Data Mining
▫ One view: targeted advertising is the most consumer friendly form of advertising
▫ Is the data really sensitive?
• RFID Tags and Surveillance

Page 12: Privacy law and policy

Surveillance

• US v. Jones (US v. Maynard)
• Toll roads, video cameras in public spaces, facial recognition (e.g. Google and PittPatt), GPS tracking…
• DC Police
• PATRIOT Act
▫ Lessens requirements for obtaining wiretap warrants
▫ Sneak and Peek Warrants

Page 13: Privacy law and policy

Nissenbaum (2004): Principles

Three principles that dominate public deliberation

•1) Protecting Privacy of Individuals Against Intrusive Government Agents

•2) Restricting Access to Intimate, Sensitive, or Confidential Information

•3) Curtailing Intrusions into Spaces or Spheres Deemed Private or Personal

Page 14: Privacy law and policy

Nissenbaum: Contextual Integrity

• Presiding norms of
▫ Appropriateness
▫ Distribution / Norms of information flow
• Considers the context, nature of information in relation to context, the roles of those receiving the info, their relationships to info subjects, terms of sharing, and terms of further dissemination.
• Is this practical?
• Is it a better way to visualize/protect privacy?

Page 15: Privacy law and policy

Nehf (2005)

• FTC history – law/industry self-regulation
• Market driven solutions led to widespread adoption of privacy policies
• But policies don’t protect information, only disclose how it is being sold, used, etc.
• “encouraging posting of privacy policies without regulating their content” = less info privacy for consumers “than an efficient market would produce”

Page 16: Privacy law and policy

Nehf (2005)

•“Until privacy becomes a salient attribute influencing consumer choice, Web site operators will continue to take and share more personal information than consumers would choose to provide in a more transparent exchange.”

Page 17: Privacy law and policy

Facebook

Page 18: Privacy law and policy

Facebook (2)

• “Many of the most popular applications, or "apps," on the social-networking site Facebook Inc. have been transmitting identifying information—in effect, providing access to people's names and, in some cases, their friends' names—to dozens of advertising and Internet tracking companies…
• “The issue affects tens of millions of Facebook app users, including people who set their profiles to Facebook's strictest privacy settings. The practice breaks Facebook's rules, and renews questions about its ability to keep identifiable information about its users' activities secure.”

- Wall Street Journal, Oct 18, 2010

Page 19: Privacy law and policy

Facebook (3)

• Who can see what?
▫ Public
▫ Friends
▫ Apps
• Facebook settles with the FTC: http://www.nytimes.com/2011/11/30/technology/facebook-agrees-to-ftc-settlement-on-privacy.html

Page 21: Privacy law and policy

Problems

• “…there is no single definition of what it means to be tracked, so expressing a preference does not guarantee users that they will be able to block all web sites and content that they may view as being associated with tracking behavior.”

- From Microsoft.com

• Industry self-regulation does not provide for any enforcement mechanism beyond current FTC powers (e.g. to prosecute for engaging in deceptive practices)

Page 22: Privacy law and policy

What Do “They” Know?

• The Open Data Partnership allows a glimpse into what information is being collected and by whom.
▫ http://www.evidon.com/partners/open_data_partnership - contains list of 1021 companies that engage in online behavioral advertising, many of which also have multiple advertising products.

Page 23: Privacy law and policy

Who Knows?

* Ghostery results from NAI’s Opt-Out page.

Page 24: Privacy law and policy

FTC Report

• FTC report calls for “browser based do-not-track mechanism” in December 2010
• Industry self-regulation
▫ Browsers build in do not track options
▫ Industry groups set up opt-out mechanisms (DAA, NAI)
▫ BUT self-regulation has no teeth (enforcement mechanism) and may only mean you don’t see targeted ads, not that you won’t be tracked.
• FTC sues Chitika, reaches settlement

Page 25: Privacy law and policy

AdChoices Evolution