I neglected to link to Lessons Learned Too Well: Anonymity in a Time of Surveillance, the paper I’m presenting at #yalefesc. A very very small number of people will recognize this as a partial redraft of a paper I started a few years ago, but never published because it didn’t seem quite right. My plan is to get it as right as I can in the next few months, which is why I’m workshopping it.
The IETF has issued RFC 7258, aka Best Current Practice 188, “Pervasive Monitoring Is an Attack”. This is an important document. Here’s a snippet of the intro:
Pervasive Monitoring (PM) is widespread (and often covert) surveillance through intrusive gathering of protocol artefacts, including application content, or protocol metadata such as headers. Active or passive wiretaps and traffic analysis, (e.g., correlation, timing or measuring packet sizes), or subverting the cryptographic keys used to secure protocols can also be used as part of pervasive monitoring. PM is distinguished by being indiscriminate and very large scale, rather than by introducing new types of technical compromise.
The IETF community’s technical assessment is that PM is an attack on the privacy of Internet users and organisations. The IETF community has expressed strong agreement that PM is an attack that needs to be mitigated where possible, via the design of protocols that make PM significantly more expensive or infeasible. Pervasive monitoring was discussed at the technical plenary of the November 2013 IETF meeting [IETF88Plenary] and then through extensive exchanges on IETF mailing lists. This document records the IETF community’s consensus and establishes the technical nature of PM.
The term “attack” is used here in a technical sense that differs somewhat from common English usage. In common English usage, an attack is an aggressive action perpetrated by an opponent, intended to enforce the opponent’s will on the attacked party. The term is used here to refer to behavior that subverts the intent of communicating parties without the agreement of those parties.
The conclusion is simple, but powerful: “The IETF will strive to produce specifications that mitigate pervasive monitoring attacks.”
I can’t help but see this as a shining example of the IETF living up to its legitimate-rule-making potential, as I described in my 2003 Harvard Law Review article Habermas@discourse.net: Toward a Critical Theory of Cyberspace.
Below, I reprint my abstract:
I just uploaded a draft of my new paper, Regulating Mass Surveillance as Privacy Pollution: Learning from Environmental Impact Statements, to SSRN. Be the first on your block to read it!
US law has remarkably little to say about mass surveillance in public, a failure which has allowed the surveillance to grow at an alarming rate – a rate that is only set to increase. This article proposes ‘Privacy Impact Notices’ (PINs) — modeled on Environmental Impact Statements — as an initial solution to this problem.
Data collection in public (and in the home via public spaces) resembles an externality imposed on the person whose privacy is reduced involuntarily; it can also be seen as a market failure caused by an information asymmetry. Current doctrinal legal tools available to respond to the deployment of mass surveillance technologies are limited and inadequate. The article proposes that — as a first step towards figuring out how to understand, value, and ultimately regulate this mass-privacy-destroying behavior — we should borrow from the environmental movement and require anyone planning a large-scale public data collection program to file a Privacy Impact Notice (PIN). The PIN proposal is contrasted to the existing much more limited federal privacy analysis requirement, known as Privacy Impact Assessments. The bulk of the article then explains how PINs would work and defends the idea against three predictable critiques (the claim that there is a First Amendment right to data collection, the claim that EISs are a poor policy tool not worthy of emulation, and the claim that notice-based regimes are in general worthless). It argues that PINs have applications to surveillance and data-collection in online public spaces such as Facebook, Twitter, and other virtual spaces. It also considers what the PINs proposal would have to offer towards addressing the now-notorious problem of the NSA’s drift-net surveillance of telephone conversations, emails, and web-based communications.
Modeling mass surveillance disclosure regulations on an updated form of environmental impact statement will help protect everyone’s privacy: Mandating disclosure and impact analysis by those proposing to watch us in and through public spaces will enable an informed conversation about privacy in public. Additionally, the need to build consideration of the consequences of surveillance into project planning, as well as the danger of bad publicity arising from excessive surveillance proposals, will act as a counterweight to the adoption of mass data collection projects, just as it did in the environmental context. In the long run, well-crafted disclosure and analysis rules could pave the way for more systematic protection for privacy – as it did in the environmental context. Effective US regulation of mass surveillance will require that we know a great deal about who and what is being recorded and about the costs and benefits of personal information acquisition and uses. At present we know relatively little about how to measure these; a privacy equivalent of environmental impact statements will not only provide case studies, but occasions to grow expertise.
I welcome your comments. I really mean that.
And if you are a law review editor, I’ll be sending it out soon…
“PETs Must Be on a Leash”: How U.S. Law (and Industry Practice) Often Undermines and Even Forbids Valuable Privacy Enhancing Technology, forthcoming in the Ohio State Law Journal, just posted to SSRN.
U.S. law puts the onus on the individual to protect his or her own privacy with only a small number of exceptions (e.g. attorney-client privilege). In order to protect privacy, one usually has three possible strategies: to change daily behavior to avoid privacy-destroying cameras or online surveillance; to contract for privacy; or to employ Privacy Enhancing Technologies (PETs) and other privacy-protective technologies. The first two options are very frequently unrealistic in large swaths of modern life. One would thus expect great demand for, and widespread deployment of, PETs and other privacy-protective technologies. But in fact that does not appear to be the case. This paper argues that part of the reason is a set of government and corporate policies which discourage the deployment of privacy technology. This paper describes some of those policies, notably: (1) requiring that communications facilities be wiretap-ready and engage in customer data retention; (2) mandatory identification both online and off; (3) technology-limiting rules; and also (4) various other rules that have anti-privacy side effects.
The paper argues that a government concerned with protecting personal privacy and enhancing user security against ID theft and other fraud should support and advocate for the widespread use of PETs. In fact, however, whatever official policy may be, by its actions the prevailing attitude of the U.S. government amounts to saying that PETs and other privacy protecting technology must be kept on a leash.
A last-minute update reconsiders the argument in light of the Snowden revelations about the widespread dragnet surveillance conducted by the NSA.
I’ve posted a first draft of my new paper, Lessons Learned Too Well, on SSRN. The paper, which is about the regulation of online anonymity, was written for a conference being held later this week to celebrate the 10th anniversary of the Oxford Internet Institute, A Decade in Internet Time: Symposium on the Dynamics of the Internet and Society.
I’m the sort of person who prefers to post only more polished drafts — this one has a couple holes I know about and no doubt many I don’t know about too. But the symposium organizers asked us to post our papers on SSRN, and so there it is.
Comments very welcome, either below or in email.
I’m leaving for the UK tomorrow in order to give myself a bit of time to recover from jet lag before it begins, this being my first solo international journey since all my medical excitement. Posting may be light for a few days.
Below I post the introduction, which I think gives you some idea of what it’s all about:
A good chunk of my time currently is dedicated to JOTWELL — a new online law journal I dreamed up that I hope will go live in October. Jotwell will be 'The Journal of Things We Like (Lots)' — reviews of recent legal scholarship designed to help people figure out what they should read.
Here's the Jotwell mission statement:
The Journal of Things We Like (Lots)–JOTWELL–invites you to join us in filling a telling gap in legal scholarship by creating a space where legal academics will go to identify, celebrate, and discuss the best new legal scholarship. Currently there are about 350 law reviews in North America, not to mention relevant journals in related disciplines, foreign publications, and new online pre-print services such as SSRN and BePress. Never in legal publishing have so many written so much, and never has it been harder to figure out what to read, both inside and especially outside one’s own specialization. Perhaps if legal academics were more given to writing (and valuing) review essays, this problem would be less serious. But that is not, in the main, our style.
We in the legal academy value originality. We celebrate the new. And, whether we admit it or not, we also value incisiveness. An essay deconstructing, distinguishing, or even dismembering another’s theory is much more likely to be published, not to mention valued, than one which focuses mainly on praising the work of others. Books may be reviewed, but articles are responded to; and any writer of a response understands that his job is to do more than simply agree.
Most of us are able to keep abreast of our fields, but it is increasingly hard to know what we should be reading in related areas. It is nearly impossible to situate oneself in other fields that may be of interest but cannot be the major focus of our attention.
A small number of major law journals once served as the gatekeepers of legitimacy and, in so doing, signaled what was important. To be published in Harvard or Yale or other comparable journals was to enjoy an imprimatur that commanded attention; to read, or at least scan, those journals was due diligence that one was keeping up with developments in legal thinking and theory. The elite journals still have importance — something in Harvard is likely to get it and its author noticed. However, a focus on those few most-cited journals alone was never enough, and it certainly is not adequate today. Great articles appear in relatively obscure places. (And odd things sometimes find their way into major journals.) Plus, legal publishing has been both fragmented and democratized: specialty journals, faculty peer reviewed journals, interdisciplinary journals, all now play important roles in the intellectual ecology.
The Michigan Law Review publishes a useful annual review of new law books, but there’s nothing comparable for legal articles, some of which are almost as long as books (or are future books). Today, new intermediaries, notably subject-oriented legal blogs, provide useful if sometimes erratic notices and observations regarding the very latest scholarship. But there’s still a gap: other than asking the right person, there’s no easy and obvious way to find out what’s new, important, and interesting in most areas of the law.
Jotwell will help fill that gap. We will not be afraid to be laudatory, nor will we give points for scoring them. Rather, we will challenge ourselves and our colleagues to share their wisdom and be generous with their praise. We will be positive without apology.
Tell us what we ought to read!
How It Works
Jotwell will be organized in sections, each reflecting a subject area of legal specialization. Each section, with its own url of the form sectionname.jotwell.com, will be managed by a pair of Section Editors who will have independent editorial control over that section. The Section Editors will also be responsible for selecting a team of ten or more Contributing Editors. Each of these editors will commit to writing at least one Jotwell essay of 500-1000 words per year in which they identify and explain the significance of one or more significant recent works — preferably an article accessible online, but we won’t be doctrinaire about it. Our aim is to have at least one contribution appear in each section on a fixed day every month, although we won’t object to more. Section Editors will also be responsible for approving unsolicited essays for publication. Our initial sections will cover administrative law, constitutional law, corporate law, criminal law, cyberlaw, intellectual property law, the legal profession, and tax law — and we intend to add new sections when there is interest in doing so.
For the legal omnivore, the ‘front page’ at Jotwell.com will contain the first part of every essay appearing elsewhere on the site. Links will take you to the full version in the individual sections. There, articles will be open to comments from readers.
Currently I've gotten a number of subject areas off the ground, with the help of some superb section editors, each of whom is helping recruit additional contributing editors.
- Administrative Law
- Paul Verkuil
- Constitutional Law
- Patrick Gudridge
- Corporate Law
- Caroline Bradley
- William Wilson Bratton
- Criminal Law
- Donna Coker
- Jonathan Simon
- A. Michael Froomkin
- James Grimmelmann
- Intellectual Property
- Pam Samuelson
- Christopher Sprigman
- Professional Responsibility
- John Flood
- Tanina Rostain
- Allison Christians
- George Mundstock
Section and contributing editors will write at least one short review per year; we'll also welcome unsolicited contributions that fit our guidelines (mostly, brevity and praise).
In the long run I hope to have many more, with coverage of at least all the major subject areas. If you'd like to write for Jotwell, or help organize a section of the journal, please let me know by e-mail.
The Jotwell site is still under construction, so although the main graphical outlines are there, there's no actual content, and you should be prepared for some weirdness in the details if you go peek at it now. We're currently doing a last round of testing of the template and the integrated posting system which allows the main page to interact with the various sections, while maintaining each section's editorial independence.
The current plan is to go live in early October and it may go dark for a while before that happens.
If you'd like to be notified of Jotwell's official inauguration, please join the ultra-low-traffic announcement list.
I've posted a draft of my latest paper, Government Data Breaches, to SSRN.
This paper addresses the legal response to data breaches in the US public sector. Private data held by the government is often the result of legally required disclosures or of participation in formally optional licensing or benefit schemes where the government is as a practical matter the only game in town. These coercive or unbargained-for disclosures impute a heightened moral duty on the part of the government to exercise careful stewardship over private data. But the moral duty to safeguard the data and to deal fully and honestly with the consequences of failing to safeguard them is at best only partly reflected in current state and federal statute law and regulations. The paper begins with an illustrative survey of federal data holdings, known breach cases, and the extent to which the government’s moral duty to safeguard our data is currently instantiated in statute law and, increasingly, in regulation.
I then argue that the government’s duty to safeguard private data has a Constitutional foundation, either free-standing or based in Due Process, at least in cases where the government failed to take reasonable precautions to safeguard the data. This right is separate from any informational privacy rights that constrain the government's ability to acquire personal or corporate information. The key is Chief Justice Rehnquist’s opinion in DeShaney.
Under the DeShaney logic, victims of many governmental privacy breaches should have a claim against states under § 1983. Similar constitutional claims against the federal government would require a Bivens action but this is unlikely to work under current doctrine. As a result, persons injured by federal data breaches will have substantially inferior remedies available to them than will victims of state errors. And even when suing a state, however, the provision of effective remedies may be hampered by arguments based on governmental immunity, and the problem of valuing the harms caused by a breach.
It's forthcoming in the Berkeley Technology Law Journal.