Category Archives: Law: Privacy

Big Data: Destroyer of Informed Consent

My guest post Big Data: Destroyer of Informed Consent for this Friday’s Yale Workshop on “The Law and Policy of AI, Robotics & Telemedicine” is now online at the Balkanization blog.

Consent, that is ‘notice and choice,’ is a fundamental concept in the U.S. approach to data privacy, as it reflects principles of individual autonomy, freedom of choice, and rationality. Big Data, however, makes the traditional approach to informed consent incoherent and unsupportable, and indeed calls the entire concept of consent, at least as currently practiced in the U.S., into question.

Big Data kills the possibility of true informed consent because by its very nature one purpose of big data analytics is to find unexpected patterns in data. Informed consent requires at the very least that the person requesting the consent know what she is asking the subject to consent to. In principle, we hope that before the subject agrees she too comes to understand the scope of the agreement. But with big data analytics, particularly those based on Machine Learning, neither party to that conversation can know what the data may be used to discover.

I then go on to discuss the Revised Common Rule, which governs any federally funded human subjects research. The revision takes effect in early 2019, and it relaxes the informed consent rule in a way that will set a bad precedent for private data mining and research. Henceforth researchers will be permitted to obtain open-ended “broad consent”–-i.e. “prospective consent to unspecified future research”–-instead of requiring informed consent, or even ordinary consent, on a case-by-case basis. That’s not a step forward for privacy or personal control of data, and although it’s being driven by genuine public health concerns the side-effects could be very widespread.

Posted in AI, Law: Privacy, Talks & Conferences | Leave a comment

Reducing Your Amazon Info-Footprint

This useful article 5 Amazon obscure settings you should change now, from of all places Fox News, has some good advice. I also think it has one error.

In #4 it says you can “stop Amazon from tracking your browsing” but in fact, if you go to the “Your Browsing History” page at Amazon, it appears to offer only to stop showing you your browsing history–it doesn’t actually say they’ll stop collecting it.

Even so, most or all of these steps are worth taking.

Posted in Law: Privacy, Shopping | Leave a comment

UF Privacy & Media Conference

I’m at the University of Florida’s Technology, Media & Privacy Law Conference today, speaking on a panel on “Anonymity in the New Media Landscape: Free Speech or Invasion of Privacy & Defamation?”.

The whole event is being live-streamed in two parts: Morning and Afternoon.

Posted in Law: Privacy, Talks & Conferences | Leave a comment

10 Things You Can Do to Protect e-Privacy & Autonomy

At UM’s Data Privacy Day event I made 10 suggestions about what you can do to protect your e-privacy and autonomy.  Here they are:

  1. Trust cyber-civil liberties NGOs like EFF to recommend things to use and to do. If you take away nothing else, remember this URL:
    1. Use EFF’s Privacy Badger browser plugin.
    2. Take their audit – Panopticlick – of how unique your browser fingerprint is.  Unique fingerprints are a way you can be tracked. Block cookies and super-cookies.
    3. Use their Https Everywhere tool
    4. Find the EFF surveillance self-defense guide. It offers advice tailored for different groups that might have greater / lesser needs for privacy/defense (e.g. LGBTQ, activists, journalists, lawyers, activists).
  2. Use VPNs — virtual private networks.  And only use good ones – be careful about jurisdiction and policies:
    1. The UM off-campus VPN is a valuable service, and good to protect against third parties … but not against UM. Does UM log your usage? Do they record your originating IP#? The sites you visit? Despite some frantic Google searches, I can’t tell — it seems they don’t say. I think therefore you have to assume they do. And if were the UM General Counsel my first instinct would probably be to say they need to do the logging to protect themselves.
    2. Is your VPN service dirt-cheap or free? Does the service cost only a few dollars for a lifetime service? There’s probably a reason for that and your browsing history may be the actual product that the company is selling to others.
        1. Look for establishment in a democratic country with a strong commitment to the rule of law.  Without that, even the best promises in the Terms of Service (ToS) to not log web page access OR IP# and access times is meaningless.  Note that many, probably most, VPNs in most other countries are required to do some logging.
        2. Does the VPN promise to prevent DNS leakage to your ISP?
        3. Ideally, the VPN should support IPv6 as well as IPv4 to prevent leakage when the remote site is on IPv6. This will become more important in the future as more and more sites move to IPv6.
  3. Use Tor as much as possible.  (But see #8 below.)
  4. Inspect your browser settings on your phone and computer to set max privacy options (including blocking 3rd party cookies and enabling Do Not Track).  Use a privacy hardened browser on your phone such as the Warp browser.  On both computer and phone always use a search engine such as Duckduckgo that will not track you.
  5. Encrypt every drive, every email (when possible), and especially all cloud-stored data before uploading it.
  6. Get a password manager and use it – never re-use a password. Use 2-factor authentication for google, other services that support it. (Only 10% of google users do!)
  7. Don’t put any apps on your phone that connect to anything financial (due to risk of ID theft if phone stolen).
  8. Lobby UM to make it easier to use VPNs and Tor, on both the wired and wireless networks.  Ask UM to be more transparent about what cookies its web pages set and what they track and record.  And, importantly, ask UM to not require you take every single UM cookie in order to use the “remember me for 30 days” feature of its authentication app DUO.  Also, ask UM to promise that it has your back, and that it will challenge any request for your data to the maximum extent the law allows (right now it makes no such promises at all; even National Security letters are sometimes withdrawn if the data-holding entity says it will go to court to ask for it to be reviewed).
  9. Lobby for privacy laws that limit data collection – once data are collected major First Amendment issues come into play, making it hard to limit use and re-use of accurate data. Also lobby to stop the US government secretly introducing vulnerabilities into fundamental crypto standards.
  10. Resist the frame: understand that the true definition of the ‘greater good’ is one in which the individual is able to flourish. Remember that ‘terrorist’ is a label that fits best after conviction – before that what we have is a ‘suspect’; conceivably any of us can be a suspect. So arguments that we should control crypto or prevent privacy in order to give law enforcement access to all our data when they decide they need it should be viewed with great caution and a firm eye on how the powers they want could be misused by them or by others who get hold of their tools. And even if we someday find ourselves in a world where things have gone badly wrong, and we do find ourselves subject to pervasive surveillance, follow Vaclav Havel, who in his great work ‘Living in Truth’ reminded us that so long as we choose not to self-censor we have chosen not to surrender a key part of our freedom.

(Some links added after original posting)

Posted in Cryptography, Internet, Law: Privacy, Surveillance, Talks & Conferences | 1 Comment

The U to Forbid Back-In Parking

Man must serve (surveillance) machine as explained in New Parking Technology to Require No-Back-In Policy:

For the past two years, the Department of Parking and Transportation has been developing and implementing its License Plate Recognition (LPR) system, reads vehicle license plates and rapidly informs Parking Services Officers if vehicles are authorized to park on campus. The system has proven itself very beneficial. Permit holders are less likely to find their assigned zone overrun with illegal parkers and, more importantly, parking officers are enhancing campus safety by becoming more efficient eyes for the University of Miami Police Department.

The next step in the evolution of this technology is to switch to virtual permits, thus eliminating the need for plastic hangtags. However, Florida is among the 18 states that require a plate only on the rear of the vehicle, which creates a hurdle for the new technology. LPR-equipped vehicles cannot read the license plates of vehicles that back into parking spaces. As a result, Parking and Transportation will implement a ‘No-Back-In’ Policy starting in the spring 2018 semester.

There will be exceptions to this policy. For example, the drivers of out-of state-vehicles that have both front and back license plates will be able to back into a parking space. Additionally, for a $20 fee, drivers of Florida vehicles who prefer to back in to parking spaces will be able to purchase a front plate with a unique number that is linked to a virtual permit.

But do not fret dear parker, because this new rule is soooo goood for you:

There are many benefits to this new policy:

Permit holders will be able to register all of their vehicles on a single virtual permit, eliminating the need to remember to switch their hangtag permit when they use a different car.

The inconvenience and expense of losing a permit will no longer be an issue. Purchasing a permit will be an immediate transaction, with no need to wait for a mail delivery.

Returning or exchanging a permit will be just as easy, with most transactions not requiring a visit to the Parking Office.

Any questions or comments can be submitted to Parking and Transportation at 305-284-3096, option 2, or at

Don’t tempt me. How long will the records be kept of who parked where might be my first question….

Posted in Law: Privacy, U.Miami | 2 Comments

Do You Have a Constitutional Right to Have the Government Safeguard Personal Data It Collects From You?

Most legal academics are happy to be cited by courts–it’s at least proof of relevance. But it’s better if the Judge agrees with you, and that’s not what happened this week when Judge Amy Berman Jackson of the District Court of the District of Columbia, discussed my article Government Data Breaches, 24 Berkley Tech. L. J. 1019, 1049 (2009).

My article argues, correctly I still believe, that if the government takes your personal data, and then mishandles it so that it leaks to your detriment, the government has committed an actionable harm:

The key case in establishing the contours of the Due Process right to compensation for certain government data breaches is Chief Justice Rehnquist’s opinion in DeShaney [v. Winnebago Cty. DSS, 489 U.S. 189 (1989)]. Chief Justice Rehnquist is an unexpected source for a major information privacy right, and DeShaney is a particularly unexpected locus for its elucidation. DeShaney is notorious as an opinion in which the Supreme Court held that the state of Wisconsin had no duty under the Constitution to protect a boy, the infamous “poor Joshua” of Justice Blackmun’s dissent, from a permanently disabling beating by his father. The absence of a duty was controversial because the state social services were on actual notice that Joshua had been repeatedly injured and was at risk. In finding that the Due Process clause imposed no duty of care on state social services regarding children residing with a parent, at least absent a statutory or regulatory undertaking to protect children from their parents, Chief Justice Rehnquist distinguished Joshua’s case from one where a duty would have existed. Mere notice was not enough; the state would have had a duty only if it had placed Joshua in circumstances where it “renders him unable to care for himself, and at the same time fails to provide for his basic human needs ….” The duty arises “from the limitation which it has imposed on his freedom to act on his own behalf’ not “its failure to act to protect his liberty interests against harms inflicted by other means.’ Chief Justice Rehnquist immediately added in a footnote that, “[e]ven in this situation, we have recognized that the State ‘has considerable discretion in determining the nature and scope of its responsibilities.'”

When the State takes a person’s data and holds it in a fashion outside the person’s control, the State has done to that data exactly what Chief Justice Rehnquist said was necessary to trigger Due Process Clause protection: it has “by the affirmative exercise of its power” taken the data and “so restrain[ed]” it that the original owner is unable to exert any control whatsoever over how the government stores or secures it. The government’s “affirmative duty to protect” the data “arises … from the limitation which it has imposed on his freedom to act on his own behalf’ to keep the data secure.’ Again, “it is the State’s affirmative act of restraining the individual’s freedom to act on his own behalf” which creates a duty on the government to keep the data secure. The State created the danger, and thus the State is responsible for the outcome.

The plaintiffs in sought to apply this theory to the massive data breach by the Office of Personnel Management, AKA the OPM hack. Plaintiffs claimed the government breached an actionable duty by failing to protect (or, as plaintiffs put it, being grossly negligent in failing to protect) their personal data.

Unfortunately, Judge Jackson did not agree (footnotes omitted):

Given … the absence of binding precedent one way or the other, this Court also finds it prudent to avoid wading into the legal waters surrounding the existence or scope of any constitutional right to informational privacy in general when it is not necessary to do so. And it is not necessary here because the NTEU claim is asking the Court to recognize a constitutional violation that no court has even hinted might exist: that the assumed constitutional right to informational privacy would be violated not only when information is disclosed, but when a third party steals it. See NTEU Compl. ¶¶ 96-98; NTEU’s Opp. at 25-44 (arguing that the government has an affirmative duty “grounded in the constitutional right to informational privacy” to safeguard plaintiffs’ private data). In other words, even if an individual who completes an SF 85 or SF 86 has a constitutional right to privacy in the information he or she is being asked to provide, it is well-established that the government has the right to gather that information. And even if it might violate the Constitution for the government to then deliberately disclose the information, there is no authority for the proposition that the Constitution gives rise to an affirmative duty — separate and apart from the statutory requirements enacted by Congress — to protect the information in any particular manner from the criminal acts of third parties. See, e.g., Harris v. McRae, 448 U.S. 297, 317-318 (1980) (discussing the Due Process Clause of Fifth Amendment and declining to “translate the limitation on governmental power implicit in the Due Process Clause” into an affirmative obligation on the government).

The sole source plaintiffs identify for the existence of the affirmative duty they would have this Court enforce is a law review article. NTEU’s Opp. at 37, citing A. Michael Froomkin, Government Data Breaches, 24 Berkley Tech. L. J. 1019, 1049 (2009) (“When the State takes a person’s data and holds it in a fashion outside the person’s control, the State has done to that data exactly what Chief Justice Rehnquist said was necessary to trigger Due Process Clause protection: it has `by the affirmative exercise of its power’ taken the data and `so restrain[ed]’ it that the original owner is unable to exert any control whatsoever over how the government stores or secures it. The government’s `affirmative duty to protect’ the data `arises . . . from the limitation which it has imposed on his freedom to act on his own behalf’ to keep the data secure.”). Given the absence of any binding precedent — or even any persuasive writing from other courts — that recognizes a constitutionally based duty to safeguard personal information, and the D.C. Circuit’s expressed skepticism about the existence of a right to informational privacy in the first place, this Court is compelled to hold that plaintiffs have failed to state a constitutional claim.

The thing is, my article anticipates Judge Jackson’s rejoinder:

One might object that the DeShaney holding stands for the proposition that when the government stands by and lets another do harm to a person, that person has no recourse unless the government has taken on an affirmative duty to protect. In this view, exposing private data on the web or losing an unencrypted database is not the harm. Rather, the harm comes from a third party’s use of the data, something for which this reading of DeShany says the government should not be blamed. But this is a misreading of De- Shaney because the analogy is incorrect. In DeShany, the State had no duty because it had never taken Joshua into care. The harms he suffered at his father’s hands were private wrongs, a direct transaction in which the government had no part. […]

Indeed, it was the claim that the government had a duty to intervene which was the heart of the plaintiffs case, and which the majority rejected.

Contrast this to a hypothetical lost database: there is no question that the government had taken full control of the data before it lost them. Once the government takes that control, the subject of the data is completely disempowered with regards to how the data will be protected. Therefore, it is nonsensical to suggest that when the government negligently allows a third party to access the data, that third party is the only relevant actor for Due Process purposes. The government remains the critical intermediary, the one actually responsible for allowing the loss. In the case of information controlled by the government, it is not a bystander, but rather a direct agent. The government’s active role in controlling the data, one that displaces the subject or owner of the data, is what creates the duty of care. Or as the Seventh Circuit stated, “The state must protect those it throws into snake pits, but the state need not guarantee that the volunteer snake charmer will not be bitten.” [Walker v. Rowe, 791 F.2d 507, 511 (7th Cir. 1986).]

In short, Judge Jackson links two issues that I think ought to be seen as separate. One issue is whether the Constitution creates a a generalized right to information privacy. Judge Jackson notes, fairly enough, that currently there is no judicial recognition of such a right. But that’s not the only question at issue here. Even in the absence of a general substantive constitutional duty to protect information privacy, I believe that the rule in Chief Justice Rehnquist’s DeShaney opinion compels the conclusion that when the government demands your data, takes it, and fails to care for it, that creates a valid claim.

Judge Jackson may be right that the D.C. Circuit is not ready to find a general constitutional right to information privacy, a right that likely would extend far beyond data breaches and into, for example, data collection practices. But why, even if we stipulate that Judge Jackson correctly reads the DC Circuit tea leaves on information privacy rights generally, does this tell us anything about the much narrower Due Process claim at issue in the OPM case?

One need not find a generalized right to information privacy to hold, following the logic of DeShaney, that the government has a duty of care when it creates the circumstances which both make the data vulnerable and makes self-help by the data subject impossible. What exactly that duty of care requires could certainly be debated, but whatever the level of care turns out to be, it surely must exceed the gross negligence alleged by the plaintiffs in the OPM case.

I should note that Judge Jackson cites one case in support of her assertion that the Due Process clause cannot create a governmental duty “to protect the information in any particular manner from the criminal acts of third parties. See, e.g., Harris v. McRae, 448 U.S. 297, 317-318 (1980) (discussing the Due Process Clause of Fifth Amendment and declining to “translate the limitation on governmental power implicit in the Due Process Clause” into an affirmative obligation on the government).” I think the citation to Harris is misplaced. Harris is a 1980 case; DeShaney was decided in 1989, and in case of conflict the later case ought to prevail. But in fact there is no conflict: Harris was a challenge to the Hyde Amendment, and in rejecting the challenge the Supreme Court stated that the Due Process Clause could not be invoked to create a requirement that Congress providing funding for something. Given the bedrock principle that “No Money shall be drawn from the Treasury, but in Consequence of Appropriations made by Law,” U.S. Const. Article I, § 9, Cl. 7, the Harris holding on this point seems clearly correct — but also irrelevant to the OPM case which is not about legislation or funding.

I think it’s only a matter of time before US law recognizes a right to have the government apply at least reasonable safeguards to personal information it holds. This case shows why that rule is necessary. I wonder if the plaintiffs will appeal?

Posted in Law: Constitutional Law, Law: Privacy | Leave a comment