These Are the Good Old Days?

Or will be if the gloomdogglers are right about the environment,

This is not to downgrade the danger presented by global heating – on the contrary, it presents an existential threat. It is simply that I have come to realise that two other issues have such huge and immediate impacts that they push even this great predicament into third place.

One is industrial fishing, which, all over the blue planet, is now causing systemic ecological collapse. The other is the erasure of non-human life from the land by farming.

And perhaps not only non-human life. According to the UN Food and Agriculture Organisation, at current rates of soil loss, driven largely by poor farming practice, we have just 60 years of harvests left. And this is before the Global Land Outlook report, published in September, found that productivity is already declining on 20% of the world’s cropland.

The impact on wildlife of changes in farming practice (and the expansion of the farmed area) is so rapid and severe that it is hard to get your head round the scale of what is happening.

It all sounds dreadful. Of course historically technical change and market forces overwhelmed Malthusian effects, so it’s possible that late capitalism still has rabbits in the hat….

Posted in Global Warming, Science/Medicine | Leave a comment

Latvian ‘Ocean’

My article Flood Control on the Information Ocean: Living With Anonymity, Digital Cash, and Distributed Databases has been translated into Latvian as “Plūdu kontroli par informāciju, kas okeānā: dzīvo ar anonimitāti, digitālās naudas, un sadalītās datu bāzes” by Arija Liepkalnietis.

Thank you Ms. Liepkalnietis! (But please add a Creative Commons License.)

Posted in Writings | Leave a comment

ACLU Brings Important Freedom-to-Travel Lawsuit

The ACLU’s blog post is actually not over the top here: We’re Suing the Government for Violating the Rights of Passengers on Delta Airlines 1583 in Police-State Fashion.

The full complaint in Amedei v. Duke is online.

Some key bits below the fold: Continue reading

Posted in Civil Liberties, ID Cards and Identification, Law: Right to Travel | Leave a comment

Missing Mass – Half Found

Half the ‘missing mass’ is gas floating between galaxies.

That means there’s 50% less work for the flogiston, sorry I meant aether, sorry I meant Dark Matter to do.

Posted in Science/Medicine | Leave a comment

We Robot 2018 Call for Papers

We Robot 2018 has posted the official Call For Papers.

See you there — Stanford, April 12-14.

Posted in Robots, Talks & Conferences | Leave a comment

Do You Have a Constitutional Right to Have the Government Safeguard Personal Data It Collects From You?

Most legal academics are happy to be cited by courts–it’s at least proof of relevance. But it’s better if the Judge agrees with you, and that’s not what happened this week when Judge Amy Berman Jackson of the District Court of the District of Columbia, discussed my article Government Data Breaches, 24 Berkley Tech. L. J. 1019, 1049 (2009).

My article argues, correctly I still believe, that if the government takes your personal data, and then mishandles it so that it leaks to your detriment, the government has committed an actionable harm:

The key case in establishing the contours of the Due Process right to compensation for certain government data breaches is Chief Justice Rehnquist’s opinion in DeShaney [v. Winnebago Cty. DSS, 489 U.S. 189 (1989)]. Chief Justice Rehnquist is an unexpected source for a major information privacy right, and DeShaney is a particularly unexpected locus for its elucidation. DeShaney is notorious as an opinion in which the Supreme Court held that the state of Wisconsin had no duty under the Constitution to protect a boy, the infamous “poor Joshua” of Justice Blackmun’s dissent, from a permanently disabling beating by his father. The absence of a duty was controversial because the state social services were on actual notice that Joshua had been repeatedly injured and was at risk. In finding that the Due Process clause imposed no duty of care on state social services regarding children residing with a parent, at least absent a statutory or regulatory undertaking to protect children from their parents, Chief Justice Rehnquist distinguished Joshua’s case from one where a duty would have existed. Mere notice was not enough; the state would have had a duty only if it had placed Joshua in circumstances where it “renders him unable to care for himself, and at the same time fails to provide for his basic human needs ….” The duty arises “from the limitation which it has imposed on his freedom to act on his own behalf’ not “its failure to act to protect his liberty interests against harms inflicted by other means.’ Chief Justice Rehnquist immediately added in a footnote that, “[e]ven in this situation, we have recognized that the State ‘has considerable discretion in determining the nature and scope of its responsibilities.'”

When the State takes a person’s data and holds it in a fashion outside the person’s control, the State has done to that data exactly what Chief Justice Rehnquist said was necessary to trigger Due Process Clause protection: it has “by the affirmative exercise of its power” taken the data and “so restrain[ed]” it that the original owner is unable to exert any control whatsoever over how the government stores or secures it. The government’s “affirmative duty to protect” the data “arises … from the limitation which it has imposed on his freedom to act on his own behalf’ to keep the data secure.’ Again, “it is the State’s affirmative act of restraining the individual’s freedom to act on his own behalf” which creates a duty on the government to keep the data secure. The State created the danger, and thus the State is responsible for the outcome.

The plaintiffs in In Re: U.S. Office Of Personnel Management Data Security Breach Litigation, — F.Supp.3d —-, 2017 WL 4129193, MC 15-1394 (ABJ), MDL 2664 (D.D.C. Sept. 19, 2017), sought to apply this theory to the massive data breach by the Office of Personnel Management, AKA the OPM hack. Plaintiffs claimed the government breached an actionable duty by failing to protect (or, as plaintiffs put it, being grossly negligent in failing to protect) their personal data.

Unfortunately, Judge Jackson did not agree (footnotes omitted):

Given … the absence of binding precedent one way or the other, this Court also finds it prudent to avoid wading into the legal waters surrounding the existence or scope of any constitutional right to informational privacy in general when it is not necessary to do so. And it is not necessary here because the NTEU claim is asking the Court to recognize a constitutional violation that no court has even hinted might exist: that the assumed constitutional right to informational privacy would be violated not only when information is disclosed, but when a third party steals it. See NTEU Compl. ¶¶ 96-98; NTEU’s Opp. at 25-44 (arguing that the government has an affirmative duty “grounded in the constitutional right to informational privacy” to safeguard plaintiffs’ private data). In other words, even if an individual who completes an SF 85 or SF 86 has a constitutional right to privacy in the information he or she is being asked to provide, it is well-established that the government has the right to gather that information. And even if it might violate the Constitution for the government to then deliberately disclose the information, there is no authority for the proposition that the Constitution gives rise to an affirmative duty — separate and apart from the statutory requirements enacted by Congress — to protect the information in any particular manner from the criminal acts of third parties. See, e.g., Harris v. McRae, 448 U.S. 297, 317-318 (1980) (discussing the Due Process Clause of Fifth Amendment and declining to “translate the limitation on governmental power implicit in the Due Process Clause” into an affirmative obligation on the government).

The sole source plaintiffs identify for the existence of the affirmative duty they would have this Court enforce is a law review article. NTEU’s Opp. at 37, citing A. Michael Froomkin, Government Data Breaches, 24 Berkley Tech. L. J. 1019, 1049 (2009) (“When the State takes a person’s data and holds it in a fashion outside the person’s control, the State has done to that data exactly what Chief Justice Rehnquist said was necessary to trigger Due Process Clause protection: it has `by the affirmative exercise of its power’ taken the data and `so restrain[ed]’ it that the original owner is unable to exert any control whatsoever over how the government stores or secures it. The government’s `affirmative duty to protect’ the data `arises . . . from the limitation which it has imposed on his freedom to act on his own behalf’ to keep the data secure.”). Given the absence of any binding precedent — or even any persuasive writing from other courts — that recognizes a constitutionally based duty to safeguard personal information, and the D.C. Circuit’s expressed skepticism about the existence of a right to informational privacy in the first place, this Court is compelled to hold that plaintiffs have failed to state a constitutional claim.

The thing is, my article anticipates Judge Jackson’s rejoinder:

One might object that the DeShaney holding stands for the proposition that when the government stands by and lets another do harm to a person, that person has no recourse unless the government has taken on an affirmative duty to protect. In this view, exposing private data on the web or losing an unencrypted database is not the harm. Rather, the harm comes from a third party’s use of the data, something for which this reading of DeShany says the government should not be blamed. But this is a misreading of De- Shaney because the analogy is incorrect. In DeShany, the State had no duty because it had never taken Joshua into care. The harms he suffered at his father’s hands were private wrongs, a direct transaction in which the government had no part. […]

Indeed, it was the claim that the government had a duty to intervene which was the heart of the plaintiffs case, and which the majority rejected.

Contrast this to a hypothetical lost database: there is no question that the government had taken full control of the data before it lost them. Once the government takes that control, the subject of the data is completely disempowered with regards to how the data will be protected. Therefore, it is nonsensical to suggest that when the government negligently allows a third party to access the data, that third party is the only relevant actor for Due Process purposes. The government remains the critical intermediary, the one actually responsible for allowing the loss. In the case of information controlled by the government, it is not a bystander, but rather a direct agent. The government’s active role in controlling the data, one that displaces the subject or owner of the data, is what creates the duty of care. Or as the Seventh Circuit stated, “The state must protect those it throws into snake pits, but the state need not guarantee that the volunteer snake charmer will not be bitten.” [Walker v. Rowe, 791 F.2d 507, 511 (7th Cir. 1986).]

In short, Judge Jackson links two issues that I think ought to be seen as separate. One issue is whether the Constitution creates a a generalized right to information privacy. Judge Jackson notes, fairly enough, that currently there is no judicial recognition of such a right. But that’s not the only question at issue here. Even in the absence of a general substantive constitutional duty to protect information privacy, I believe that the rule in Chief Justice Rehnquist’s DeShaney opinion compels the conclusion that when the government demands your data, takes it, and fails to care for it, that creates a valid claim.

Judge Jackson may be right that the D.C. Circuit is not ready to find a general constitutional right to information privacy, a right that likely would extend far beyond data breaches and into, for example, data collection practices. But why, even if we stipulate that Judge Jackson correctly reads the DC Circuit tea leaves on information privacy rights generally, does this tell us anything about the much narrower Due Process claim at issue in the OPM case?

One need not find a generalized right to information privacy to hold, following the logic of DeShaney, that the government has a duty of care when it creates the circumstances which both make the data vulnerable and makes self-help by the data subject impossible. What exactly that duty of care requires could certainly be debated, but whatever the level of care turns out to be, it surely must exceed the gross negligence alleged by the plaintiffs in the OPM case.

I should note that Judge Jackson cites one case in support of her assertion that the Due Process clause cannot create a governmental duty “to protect the information in any particular manner from the criminal acts of third parties. See, e.g., Harris v. McRae, 448 U.S. 297, 317-318 (1980) (discussing the Due Process Clause of Fifth Amendment and declining to “translate the limitation on governmental power implicit in the Due Process Clause” into an affirmative obligation on the government).” I think the citation to Harris is misplaced. Harris is a 1980 case; DeShaney was decided in 1989, and in case of conflict the later case ought to prevail. But in fact there is no conflict: Harris was a challenge to the Hyde Amendment, and in rejecting the challenge the Supreme Court stated that the Due Process Clause could not be invoked to create a requirement that Congress providing funding for something. Given the bedrock principle that “No Money shall be drawn from the Treasury, but in Consequence of Appropriations made by Law,” U.S. Const. Article I, § 9, Cl. 7, the Harris holding on this point seems clearly correct — but also irrelevant to the OPM case which is not about legislation or funding.

I think it’s only a matter of time before US law recognizes a right to have the government apply at least reasonable safeguards to personal information it holds. This case shows why that rule is necessary. I wonder if the plaintiffs will appeal?

Posted in Law: Constitutional Law, Law: Privacy | Leave a comment