This paper addresses the legal response to data breaches in the US public sector. Private data held by the government is often the result of legally required disclosures or of participation in formally optional licensing or benefit schemes where the government is as a practical matter the only game in town. These coercive or unbargained-for disclosures impute a heightened moral duty on the part of the government to exercise careful stewardship over private data. But the moral duty to safeguard the data and to deal fully and honestly with the consequences of failing to safeguard them is at best only partly reflected in current state and federal statute law and regulations. The paper begins with an illustrative survey of federal data holdings, known breach cases, and the extent to which the government’s moral duty to safeguard our data is currently instantiated in statute law and, increasingly, in regulation.
I then argue that the government’s duty to safeguard private data has a Constitutional foundation, either free-standing or based in Due Process, at least in cases where the government failed to take reasonable precautions to safeguard the data. This right is separate from any informational privacy rights that constrain the government's ability to acquire personal or corporate information. The key is Chief Justice Rehnquist’s opinion in DeShaney.
Under the DeShaney logic, victims of many governmental privacy breaches should have a claim against states under § 1983. Similar constitutional claims against the federal government would require a Bivens action, but this is unlikely to work under current doctrine. As a result, persons injured by federal data breaches will have substantially inferior remedies available to them than will victims of state errors. Even when suing a state, however, the provision of effective remedies may be hampered by arguments based on governmental immunity and by the problem of valuing the harms caused by a breach.
Lessons from the Identity Trail (Ian Kerr, Valerie Steeves & Carole Lucock, eds.), a whale of a book, is being published today.
During the past decade, rapid developments in information and communications technology have transformed key social, commercial, and political realities. Within that same time period, working at something less than Internet speed, much of the academic and policy debate arising from these new and emerging technologies has been fragmented. There have been few examples of interdisciplinary dialogue about the importance and impact of anonymity and privacy in a networked society. Lessons from the Identity Trail: Anonymity, Privacy and Identity in a Networked Society fills that gap, and examines key questions about anonymity, privacy, and identity in an environment that increasingly automates the collection of personal information and relies upon surveillance to promote private and public sector goals.
This book has been informed by the results of a multi-million dollar research project that has brought together a distinguished array of philosophers, ethicists, feminists, cognitive scientists, lawyers, cryptographers, engineers, policy analysts, government policy makers, and privacy experts. Working collaboratively over a four-year period and participating in an iterative process designed to maximize the potential for interdisciplinary discussion and feedback through a series of workshops and peer review, the authors have integrated crucial public policy themes with the most recent research outcomes.
The book is available for download under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Canada License by chapter. Hard copies are available for purchase at Amazon & at Oxford University Press.
“Bottom up” governance. “Self-organization”. These are among the most talismanic virtue-words of modern political discourse. Yet the reality is that in politics, “self-organization” is rare, being hard to initiate and even harder to sustain. As Oscar Wilde once complained about socialism, it “requires too many evenings”. Governance as we tend to know it depends primarily on hierarchical institutions, or on close coordination within small groups. True partnerships, conversations among engaged equals, do not seem to scale. Indeed, whether one believes the fundamental problem to be something about the economics of group formation, the iron law of oligarchy, or something in between, experience demonstrates repeatedly that the problem of group self-organization, not to mention self-governance, is all too real both in politics and other walks of life. Enthusiasts of modern communications have not been slow to point out the ways in which the Internet (and the cell phone) change the ways in which all types of groups form and communicate. For example, Internet-based 'social software' drastically lowers the cost of group formation and offers at least the potential of tools that may make group self-governance more practicable.
While this optimism is valuable and may some day be realized, the current reality falls far short of the ideal and seems likely to do so for the foreseeable future. This paper suggests that existing institutions could be harnessed to grow the tools and nurture the conditions that promote self-organization of groups and democratic decentralized self-governance. I identify eight specific governmental policies that could usefully be adopted in any relatively wealthy liberal democracy to promote the formation of groups and assist them once they are formed:
Democratizing access to communication by ensuring that the communications infrastructure is widely deployed, inexpensive, and of suitable quality.
Enact legal reform (if not already in place) to prevent cyber-SLAPP lawsuits.
Apply competition law aggressively to markets for communications technologies in order to ensure that no software or hardware maker can exert control over citizens' means of communication.
Provide reliable data, and act as honest archivist.
Assist those who desire aid (but only them) to fight spam and other forms of discursive sabotage.
Ensure that Meetup-like services are available at low (or no) cost (if demand for these key services proves to be elastic as to price) and subsidize facilitative technologies, such as group decision-making software.
Enact a digital workers' rights policy including a component that encourages digital or even physical meetings.
Provide a corps of subsidized online neutrals to settle non-commercial disputes among members of virtual communities.
Something of a departure for me — while it's not the first time I've gone outside the traditional law review article, or published in a non-legal journal, it's the first time I've attempted to write something scholarly that isn't primarily legal analysis, even if a little sneaks in here and there.
It all started when I tried to think what I should write as a sequel to my Habermas@discourse.net: Toward a Critical Theory of Cyberspace paper. There was one critique of that paper which had enough truth to sting a little — the response that while it might sound nice in theory, it was all too much work for real life, “too many meetings.” I started to think about what would be needed to actualize the ideas (and ideals) I was promoting; for better or worse, this is what came out.
I did too much administration this year, and too little writing. It has been harder than I liked to get back into the swing of it, but now that it's getting fun again I can't understand how I let myself get sucked into doing anything else.
I'm going to have to see about that 139-word sentence. I hope it's that big quote from the court, not something I did….