Category Archives: Law: Privacy

New Paper–“Big Data: Destroyer of Informed Consent”

Just posted: A near-final draft of my latest paper, Big Data: Destroyer of Informed Consent. It will appear later this year in a special joint issue of the Yale Journal of Health Policy, Law, and Ethics and the Yale Journal of Law and Technology.

Here’s the tentative abstract (I hate writing abstracts):

The ‘Revised Common Rule’ took effect on January 21, 2019, marking the first change since 2005 to the federal regulation that governs human subjects research conducted with federal support or in federally supported institutions. The Common Rule had required informed consent before researchers could collect and use identifiable personal health information. While informed consent is far from perfect, it is and was the gold standard for data collection and use policies; the standard in the old Common Rule served an important function as the exemplar for data collection in other contexts.

Unfortunately, true informed consent seems incompatible with modern analytics and ‘Big Data’. Modern analytics hold out the promise of finding unexpected correlations in data; it follows that neither the researcher nor the subject may know what the data collected will be used to discover. In such cases, traditional informed consent in which the researcher fully and carefully explains study goals to subjects is inherently impossible. In response, the Revised Common Rule introduces a new, and less onerous, form of “broad consent” in which human subjects agree to as varied forms of data use and re-use as researchers’ lawyers can squeeze into a consent form. Broad consent paves the way for using identifiable personal health information in modern analytics. But these gains for users of modern analytics come with side-effects, not least a substantial lowering of the aspirational ceiling for other types of information collection, such as in commercial genomic testing.

Continuing improvements in data science also cause a related problem, in that data thought by experimenters to have been de-identified (and thus subject to more relaxed rules about use and re-use) sometimes proves to be re-identifiable after all. The Revised Common Rule fails to take due account of real re-identification risks, especially when DNA is collected. In particular, the Revised Common Rule contemplates storage and re-use of so-called de-identified biospecimins even though these contain DNA that might be re-identifiable with current or foreseeable technology.

Defenders of these aspects of the Revised Common Rule argue that ‘data saves lives’. But even if that claim is as applicable as its proponents assert, the effects of the Revised Common Rule will not be limited to publicly funded health sciences, and its effects will be harmful elsewhere.

This is my second foray into the deep waters where AI meets Health Law. Plus it’s well under 50 pages! (First foray here; somewhat longer.)

Posted in AI, Law: Privacy, Writings | Leave a comment

Big Data: Destroyer of Informed Consent

My guest post Big Data: Destroyer of Informed Consent for this Friday’s Yale Workshop on “The Law and Policy of AI, Robotics & Telemedicine” is now online at the Balkanization blog.

Consent, that is ‘notice and choice,’ is a fundamental concept in the U.S. approach to data privacy, as it reflects principles of individual autonomy, freedom of choice, and rationality. Big Data, however, makes the traditional approach to informed consent incoherent and unsupportable, and indeed calls the entire concept of consent, at least as currently practiced in the U.S., into question.

Big Data kills the possibility of true informed consent because by its very nature one purpose of big data analytics is to find unexpected patterns in data. Informed consent requires at the very least that the person requesting the consent know what she is asking the subject to consent to. In principle, we hope that before the subject agrees she too comes to understand the scope of the agreement. But with big data analytics, particularly those based on Machine Learning, neither party to that conversation can know what the data may be used to discover.

I then go on to discuss the Revised Common Rule, which governs any federally funded human subjects research. The revision takes effect in early 2019, and it relaxes the informed consent rule in a way that will set a bad precedent for private data mining and research. Henceforth researchers will be permitted to obtain open-ended “broad consent”–-i.e. “prospective consent to unspecified future research”–-instead of requiring informed consent, or even ordinary consent, on a case-by-case basis. That’s not a step forward for privacy or personal control of data, and although it’s being driven by genuine public health concerns the side-effects could be very widespread.

Posted in AI, Law: Privacy, Talks & Conferences | Leave a comment

Reducing Your Amazon Info-Footprint

This useful article 5 Amazon obscure settings you should change now, from of all places Fox News, has some good advice. I also think it has one error.

In #4 it says you can “stop Amazon from tracking your browsing” but in fact, if you go to the “Your Browsing History” page at Amazon, it appears to offer only to stop showing you your browsing history–it doesn’t actually say they’ll stop collecting it.

Even so, most or all of these steps are worth taking.

Posted in Law: Privacy, Shopping | Leave a comment

UF Privacy & Media Conference

I’m at the University of Florida’s Technology, Media & Privacy Law Conference today, speaking on a panel on “Anonymity in the New Media Landscape: Free Speech or Invasion of Privacy & Defamation?”.

The whole event is being live-streamed in two parts: Morning and Afternoon.

Posted in Law: Privacy, Talks & Conferences | Leave a comment

10 Things You Can Do to Protect e-Privacy & Autonomy

At UM’s Data Privacy Day event I made 10 suggestions about what you can do to protect your e-privacy and autonomy.  Here they are:

  1. Trust cyber-civil liberties NGOs like EFF to recommend things to use and to do. If you take away nothing else, remember this URL: Eff.org.
    1. Use EFF’s Privacy Badger browser plugin.
    2. Take their audit – Panopticlick – of how unique your browser fingerprint is.  Unique fingerprints are a way you can be tracked. Block cookies and super-cookies.
    3. Use their Https Everywhere tool
    4. Find the EFF surveillance self-defense guide. It offers advice tailored for different groups that might have greater / lesser needs for privacy/defense (e.g. LGBTQ, activists, journalists, lawyers, activists).
  2. Use VPNs — virtual private networks.  And only use good ones – be careful about jurisdiction and policies:
    1. The UM off-campus VPN is a valuable service, and good to protect against third parties … but not against UM. Does UM log your usage? Do they record your originating IP#? The sites you visit? Despite some frantic Google searches, I can’t tell — it seems they don’t say. I think therefore you have to assume they do. And if were the UM General Counsel my first instinct would probably be to say they need to do the logging to protect themselves.
    2. Is your VPN service dirt-cheap or free? Does the service cost only a few dollars for a lifetime service? There’s probably a reason for that and your browsing history may be the actual product that the company is selling to others.
        1. Look for establishment in a democratic country with a strong commitment to the rule of law.  Without that, even the best promises in the Terms of Service (ToS) to not log web page access OR IP# and access times is meaningless.  Note that many, probably most, VPNs in most other countries are required to do some logging.https://it.miami.edu/a-z-listing/virtual-private-network/index.html
        2. Does the VPN promise to prevent DNS leakage to your ISP?
        3. Ideally, the VPN should support IPv6 as well as IPv4 to prevent leakage when the remote site is on IPv6. This will become more important in the future as more and more sites move to IPv6.
  3. Use Tor as much as possible.  (But see #8 below.)
  4. Inspect your browser settings on your phone and computer to set max privacy options (including blocking 3rd party cookies and enabling Do Not Track).  Use a privacy hardened browser on your phone such as the Warp browser.  On both computer and phone always use a search engine such as Duckduckgo that will not track you.
  5. Encrypt every drive, every email (when possible), and especially all cloud-stored data before uploading it.
  6. Get a password manager and use it – never re-use a password. Use 2-factor authentication for google, other services that support it. (Only 10% of google users do!)
  7. Don’t put any apps on your phone that connect to anything financial (due to risk of ID theft if phone stolen).
  8. Lobby UM to make it easier to use VPNs and Tor, on both the wired and wireless networks.  Ask UM to be more transparent about what cookies its web pages set and what they track and record.  And, importantly, ask UM to not require you take every single UM cookie in order to use the “remember me for 30 days” feature of its authentication app DUO.  Also, ask UM to promise that it has your back, and that it will challenge any request for your data to the maximum extent the law allows (right now it makes no such promises at all; even National Security letters are sometimes withdrawn if the data-holding entity says it will go to court to ask for it to be reviewed).
  9. Lobby for privacy laws that limit data collection – once data are collected major First Amendment issues come into play, making it hard to limit use and re-use of accurate data. Also lobby to stop the US government secretly introducing vulnerabilities into fundamental crypto standards.
  10. Resist the frame: understand that the true definition of the ‘greater good’ is one in which the individual is able to flourish. Remember that ‘terrorist’ is a label that fits best after conviction – before that what we have is a ‘suspect’; conceivably any of us can be a suspect. So arguments that we should control crypto or prevent privacy in order to give law enforcement access to all our data when they decide they need it should be viewed with great caution and a firm eye on how the powers they want could be misused by them or by others who get hold of their tools. And even if we someday find ourselves in a world where things have gone badly wrong, and we do find ourselves subject to pervasive surveillance, follow Vaclav Havel, who in his great work ‘Living in Truth’ reminded us that so long as we choose not to self-censor we have chosen not to surrender a key part of our freedom.

(Some links added after original posting)

Posted in Cryptography, Internet, Law: Privacy, Surveillance, Talks & Conferences | 1 Comment

The U to Forbid Back-In Parking

Man must serve (surveillance) machine as explained in New Parking Technology to Require No-Back-In Policy:

For the past two years, the Department of Parking and Transportation has been developing and implementing its License Plate Recognition (LPR) system, reads vehicle license plates and rapidly informs Parking Services Officers if vehicles are authorized to park on campus. The system has proven itself very beneficial. Permit holders are less likely to find their assigned zone overrun with illegal parkers and, more importantly, parking officers are enhancing campus safety by becoming more efficient eyes for the University of Miami Police Department.

The next step in the evolution of this technology is to switch to virtual permits, thus eliminating the need for plastic hangtags. However, Florida is among the 18 states that require a plate only on the rear of the vehicle, which creates a hurdle for the new technology. LPR-equipped vehicles cannot read the license plates of vehicles that back into parking spaces. As a result, Parking and Transportation will implement a ‘No-Back-In’ Policy starting in the spring 2018 semester.

There will be exceptions to this policy. For example, the drivers of out-of state-vehicles that have both front and back license plates will be able to back into a parking space. Additionally, for a $20 fee, drivers of Florida vehicles who prefer to back in to parking spaces will be able to purchase a front plate with a unique number that is linked to a virtual permit.

But do not fret dear parker, because this new rule is soooo goood for you:

There are many benefits to this new policy:

Permit holders will be able to register all of their vehicles on a single virtual permit, eliminating the need to remember to switch their hangtag permit when they use a different car.

The inconvenience and expense of losing a permit will no longer be an issue. Purchasing a permit will be an immediate transaction, with no need to wait for a mail delivery.

Returning or exchanging a permit will be just as easy, with most transactions not requiring a visit to the Parking Office.

Any questions or comments can be submitted to Parking and Transportation at 305-284-3096, option 2, or at parking.gables@miami.edu.

Don’t tempt me. How long will the records be kept of who parked where might be my first question….

Posted in Law: Privacy, U.Miami | 2 Comments