New Privacy Paper Posted

“PETs Must Be on a Leash”: How U.S. Law (and Industry Practice) Often Undermines and Even Forbids Valuable Privacy Enhancing Technology, forthcoming in the Ohio State Law Journal, just posted to SSRN.

Abstract:

U.S. law puts the onus on the individual to protect his or her own privacy with only a small number of exceptions (e.g. attorney-client privilege). In order to protect privacy, one usually has three possible strategies: to change daily behavior to avoid privacy-destroying cameras or online surveillance; to contract for privacy; or to employ Privacy Enhancing Technologies (PETs) and other privacy-protective technologies. The first two options are very frequently unrealistic in large swaths of modern life. One would thus expect great demand for, and widespread deployment of, PETs and other privacy-protective technologies. But in fact that does not appear to be the case. This paper argues that part of the reason is a set of government and corporate policies which discourage the deployment of privacy technology. This paper describes some of those polices, notably: (1) requiring that communications facilities be wiretap-ready and engage in customer data retention; (2) mandatory identification both online and off; (3) technology-limiting rules; and also (4) various other rules that have anti-privacy side effects.

The paper argues that a government concerned with protecting personal privacy and enhancing user security against ID theft and other fraud should support and advocate for the widespread use of PETs. In fact, however, whatever official policy may be, by its actions the prevailing attitude of the U.S. government amounts to saying that PETs and other privacy protecting technology, must be kept on a leash.

A last-minute update reconsiders the argument in light of the Snowden revelations about the widespread dragnet surveillance conducted by the NSA.

Comments welcome!

This entry was posted in Civil Liberties, Law: Internet Law, Writings. Bookmark the permalink.

One Response to New Privacy Paper Posted

  1. jones says:

    Section III.D was fascinating, I’d like to see more of that.

    Underlying your article seems to be the unspoken premise that the American people are now engaged in an arms race against their own government. I wonder what are the implications of this for “the consent of the governed.”

    I also notice that abstinence isn’t mentioned as a possible strategy for protecting privacy; while this is clearly an article oriented towards privacy-preserving technology, there is at the same time the assumption that whatever technology is adopted should also be the latest technology. Along these lines, I would be interested in a survey of privacy-preserving practices in the historic Soviet Union or East Germany.

    I imagine that there was a wide variety of strategies ordinary people used to counter electronic surveillance, from cant to tampering to behavioral changes. Consider for example that, in a non-trivial sense, print is a technology, and not especially amenable to surveillance. A print volume of the PGP code is how Phil Zimmerman got around US export restrictions that treated strong crypto as a munition; although once outside the US Zimmerman’s code needed to be retyped, this type of strategy is today facilitated by OCR technology and fonts specially designed to be OCR-friendly. A more modern example might involve “sneaker-net” file sharing conducted with CD’s and DVD’s. A leaked survey recently shows that offline file-sharing is on the rise, perhaps as a consequence of the six-strikes policy adopted by ISP’s:

    http://torrentfreak.com/riaa-online-music-piracy-pales-in-comparison-to-offline-swapping-120726/

    This may have something to do with why Apple no longer sells computers with optical drives.

    I wonder too, with respect to possible litigation, if you’re familiar with this:

    http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2312913

    “The FTC and the New Common Law of Privacy”

    Abstract:
    One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies’ privacy policies through its authority to police unfair and deceptive trade practices. Despite more than fifteen years of FTC enforcement, there is no meaningful body of judicial decisions to show for it. The cases have nearly all resulted in settlement agreements. Nevertheless, companies look to these agreements to guide their privacy practices. Thus, in practice, FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States – more so than nearly any privacy statute and any common law tort.

    Additional implications beyond DRM, which you discuss, extend to corporate personhood: although the “third party doctrine” might render this point moot, when Verizon was caught handing over customer data to the NSA in 2006, they claimed the disclosure was protected first amendment speech

    http://arstechnica.com/tech-policy/2007/05/verizon-says-phone-record-disclosure-is-protected-free-speech/

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Notify me of followup comments via e-mail. You can also subscribe without commenting.