Category Archives: Law: Privacy

Faculti Video on ‘Safety as Privacy’ Posted

An outfit called Faculti, which presents as a sort of (anti?-)TED talk for nerdier, more detail-oriented people, recently did an interview with me about Safety as Privacy, a paper (co-authored with Phillip Arencibia & P. Zak Colangelo-Trenner), that should be published soon in the Arizona Law Journal. There’s a near-final version of Safety as Privacy at SSRN.

Faculti published the video interview and you are invited to enjoy it. I probably won’t: I don’t much like to listen to myself, much less watch myself, and I can’t shake the idea that I have an ideal face for radio. But the questions they set me in advance were substantive, and I hope the answers were too.

Here’s the paper’s abstract:

New technologies, such as internet-connected home devices we have come to call the Internet of Things (IoT), connected cars, sensors, drones, internet-connected medical devices, and workplace monitoring of every sort, create privacy gaps that can cause danger to people. In prior work [New technologies, such as internet-connected home devices we have come to call the Internet of Things (IoT), connected cars, sensors, drones, internet-connected medical devices, and workplace monitoring of every sort, create privacy gaps that can cause danger to people. In prior work1, two of us sought to emphasize the deep connection between privacy and safety to lay a foundation for arguing that U.S. administrative agencies with a safety mission can and should make privacy protection one of their goals. This Article builds on that foundation with a detailed look at the safety missions of several agencies. In each case, we argue that the agency has the discretion, if not necessarily the duty, to demand enhanced privacy practices from those within its jurisdiction, and that the agency should make use of that discretion.

Armed with the understanding that privacy is or causes safety, several U.S. agencies tasked with protecting safety could achieve substantial gains to personal privacy under their existing statutory authority. Examples of agencies with untapped potential include the Federal Trade Commission (“FTC”), the Consumer Product Safety Commission (“CPSC”), the Food and Drug Administration (“FDA”), the National Highway Traffic Safety Administration (“NHTSA”), the Federal Aviation Administration (“FAA”), and the Occupational Safety and Health Administration (“OSHA”). Five of these agencies have an explicit duty to protect the public against threats to safety (or against risk of injury) and thus—as we have argued previously—should protect the public’s privacy when the absence of privacy can create a danger. The FTC’s general authority to fight unfair practices in commerce enables it to regulate commercial practices threatening consumer privacy. The FAA’s duty to ensure air safety could extend beyond airworthiness to regulating spying via drones.

The CPSC’s authority to protect against unsafe products authorizes it to regulate products putting consumers’ physical and financial privacy at risk, thus sweeping in many products associated with the IoT. NHTSA’s authority to regulate dangerous practices on the road encompasses authority to require smart car manufacturers to include precautions protecting drivers from misuses of connected car data due to the carmaker’s intention and due to security lapses caused by its inattention. Lastly, OSHA’s authority to require safe work environments encompasses protecting workers from privacy risks that threaten their physical and financial safety on the job.

Arguably, an omnibus federal statute regulating data privacy would be preferable to doubling down on the United States’s notoriously sectoral approach to privacy regulation. Here, however, we say only that until the political stars align for some future omnibus proposal, there is value in exploring methods that are within our current means. It may be only second best, but it is also much easier to implement. Thus, we offer reasonable legal constructions of certain extant federal statutes that would justify more extensive privacy regulation in the name of providing enhanced safety, a regime that we argue would be a substantial improvement over the status quo yet not require any new legislation, just a better understanding of certain agencies’ current powers and authorities. Agencies with suitably capacious safety missions should take the opportunity to regulate to protect relevant aspects of personal privacy without delay.


  1. A. Michael Froomkin & Zak Colangelo, Privacy as Safety, 95 Wash. L. Rev. 141 (2020). []
Posted in Administrative Law, Law: Privacy, Talks & Conferences | Leave a comment

New Paper: “Safety as Privacy”

Three or four years ago I sat down to write a paper about how, even without any new privacy legislation, there was a lot that U.S. administrative agencies could do under existing powers to enhance personal privacy if they were so minded. As I started writing the introduction to that piece, I went looking for a citation for a proposition that I thought was obvious, and that many other people also take for granted: that often privacy enhances safety. To my amazement, I couldn’t find a clear statement of the proposition anywhere, although there were plenty of people willing to explain why they thought anonymity made people unsafe, as it let the bad guys toil in the darkness. Which is undoubtedly true sometimes, but far from the whole story.

So, back then, instead of writing the paper I wanted to write, I wrote what I thought of as the prequel, which became Privacy as Safety, 95 Wash. L. Rev. 141 (2020), (with Zak Colangelo).

Now, finally, I, along with co-authors Phillip Arencibia and P. Zak Colangelo-Trenner, have a draft of the paper I originally wanted to write. We’ve just put it up on SSRN as Safety as Privacy.

Here’s the abstract:

New technologies, such as internet-connected home devices we have come to call ‘the Internet of Things (IoT)’, connected cars, sensors, drones, internet-connected medical devices, and workplace monitoring of every sort, create privacy gaps that can cause danger to people. In Privacy as Safety, 95 Wash. L. Rev. 141 (2020), two of us sought to emphasize the deep connection between privacy and safety, in order to lay a foundation for arguing that U.S. administrative agencies with a safety mission can and should make privacy protection one of their goals. This article builds on that foundation with a detailed look at the safety missions of several agencies. In each case, we argue that the agency has the discretion, if not necessarily the duty, to demand enhanced privacy practices from those within its jurisdiction, and that the agency should make use of that discretion.

This is the first article in the legal literature to identify the substantial gains to personal privacy that several U.S. agencies tasked with protecting safety could achieve under their existing statutory authority. Examples of agencies with untapped potential include the Federal Trade Commission (FTC), the Consumer Product Safety Commission (CPSC), the Food and Drug Administration (FDA), the National Highway Traffic Safety Administration (NHTSA), the Federal Aviation Administration (FAA), and the Occupational Safety and Health Administration (OSHA). Five of these agencies have an explicit duty to protect the public against threats to safety (or against risk of injury) and thus – as we have argued previously – should protect the public’s privacy when the absence of privacy can create a danger. The FTC’s general authority to fight unfair practices in commerce enables it to regulate commercial practices threatening consumer privacy. The FAA’s duty to ensure air safety could extend beyond airworthiness to regulating spying via drones. The CPSC’s authority to protect against unsafe products authorizes it to regulate products putting consumers’ physical and financial privacy at risk, thus sweeping in many products associated with the IoT. NHTSA’s authority to regulate dangerous practices on the road encompasses authority to require smart car manufacturers include precautions protecting drivers from misuses of connected car data due to the car-maker’s intention and due to security lapses caused by its inattention. Lastly, OSHA’s authority to require safe work environments encompasses protecting workers from privacy risks that threaten their physical and financial safety on the job.

Arguably an omnibus, federal statute regulating data privacy would be preferable to doubling down on the U.S.’s notoriously sectoral approach to privacy regulation. Here, however, we say only that until the political stars align for some future omnibus proposal, there is value in exploring methods that are within our current means. It may be only second best, but it is also much easier to implement. Thus, we offer reasonable legal constructions of certain extant federal statutes that would justify more extensive privacy regulation in the name of providing enhanced safety, a regime that would we argue would be a substantial improvement over the status quo yet not require any new legislation, just a better understanding of certain agencies’ current powers and authorities. Agencies with suitably capacious safety missions should take the opportunity to regulate to protect relevant personal privacy without delay.

And here’s the table of contents:

It’s just a draft so comments (and offers to publish in a law review) are welcome!

Posted in Law: Privacy, Writings | Leave a comment

Dystopian Fiction in Everyday Life

The Tampa Bay Times has the scoop on a new surveillance plan in Pasco County, Florida.  The Sheriff’s Department there is targeting people for enhanced police scrutiny based on what it claims is an “unbiased, evidence-based risk assessment designed to identify prolific offenders in our community.”

“As a result of this designation,” the Sheriff’s office warns targeted residents, “we will go to great efforts to encourage change in your life through enhanced support and increased accountability.”

Naturally, there’s a federal lawsuit.

Indeed, last year, the paper reports, “a Tampa Bay Times investigation revealed that the Sheriff’s Office creates lists of people it considers likely to break the law based on criminal histories, social networks and other unspecified intelligence. The agency sends deputies to their homes repeatedly, often without a search warrant or probable cause for an arrest.”  In addition, there’s “a separate program that uses schoolchildren’s grades, attendance records and abuse histories to label them potential future criminals.”

To rub salt in the wound, the Sheriff’s Office has a video telling the program’s victims of increased harassment that inclusion is “good news” because it will give them opportunities to receive “assistance”. A hint of what that looks like comes in its letter to the surveilled, which warns, “Our desire to help you will not hinder us from holding you fully accountable for your choices and actions,” and promises that recipients’ names and criminal histories with get sent to local, state and federal law enforcement agencies to ensure “the highest level of accountability” for any future crimes they commit.

Spotted via Crooks & Liars’s Susie Madrak, Dept. Of Pre-Crime: Florida Sheriff Harassing Pre-Criminals — What could possibly go wrong, other than civil rights violations?. Photo Licensed via Creative Commons Attribution 4.0 International License by Fabius Maximus Blog

Posted in Law: Criminal Law, Law: Privacy, Surveillance | 5 Comments

Apple’s Great New Privacy Commercial vs Reality

Apple has unveiled a terrific new video/commercial for the privacy features of the iPhone:

While I do think Apple deserves real credit for resisting government attempts to get a back door into iPhone encryption, I can’t help but view that video a little cynically in light of reports, not so long ago, that more than half of the App Store privacy labels were false.

Bonus shout-out to “Mind Your Own Business” by Delta 5 which provides the background.

Posted in Kultcha, Law: Privacy, Sufficiently Advanced Technology | 8 Comments

‘Contact Tracing in the Real World’

Excellent essay by Ross Anderson on Contact Tracing in the Real World, especially apposite in light of a number of government and private tracker apps being floated and even implemented.

Posted in COVID-19, Cryptography, Law: Privacy | 1 Comment

New Article: Privacy as Safety

Fresh up on SSRN, a pre-publication draft text of Privacy as Safety, co-authored with Zak Colangelo and forthcoming in the Washington Law Review.  Here’s the abstract and TOC:

The idea that privacy makes you safer is unjustly neglected: public officials emphasize the dangers of privacy while contemporary privacy theorists acknowledge that privacy may have safety implications but hardly dwell on the point. We argue that this lack of emphasis is a substantive and strategic error, and seek to rectify it. This refocusing is particularly timely given the proliferation of new and invasive technologies for the home and for consumer use more generally, not to mention surveillance technologies such as so-called smart cities.

Indeed, we argue—perhaps for the first time in modern conversations about privacy—that in many cases privacy is safety, and that, in practice, United States law already recognizes this fact. Although the connection rarely figures in contemporary conversations about privacy, the relationship is implicitly recognized in a substantial but diverse body of U.S. law that protects privacy as a direct means of protecting safety. As evidence we offer a survey of the ways in which U.S. law already recognizes that privacy is safety, or at least that privacy enhances safety. Following modern reformulations of Alan Westin’s four zones of privacy, we explore the safety-enhancing privacy protections within the personal, intimate, semi-private, and public zones of life, and find examples in each zone, although cases in which privacy protects physical safety seem particularly frequent. We close by noting that new technologies such as the Internet of Things and connected cars create privacy gaps that can endanger their users’ safety, suggesting the need for new safety-enhancing privacy rules in these areas.

By emphasizing the deep connection between privacy and safety, we seek to lay a foundation for planned future work arguing that U.S. administrative agencies with a safety mission should make privacy protection one of their goals.


Enjoy!

Posted in Law: Privacy, Writings | 1 Comment