Slides by Bryce Newell

1. Privacy Law and Policy
Bryce Newell, J.D.
Ph.D. student, UW iSchool
Jan. 13, 2012

2. eReader Privacy
• Librarians Weigh Kindle Ebook Lending against
Reader Privacy
• EFF's take on CA's newly enacted E-Reader
Privacy Law
• Privacy Rights Re-―Kindled‖: eBook Reader
Privacy

3. What is privacy?

4. Privacy: a Fundamental Right, or not?
• Fundamental Right
▫ Europe
▫ Canada
▫ Australia
▫ New Zealand
• Sectored Protection
▫ United States (except in some narrow constitutional
areas)

5. Types of Privacy Protections
• Tort Privacy (common law / state law)
• Informational Privacy (largely guided by
statutory law – i.e. federal legislation)
• Freedom from unreasonable search and
seizure (4th Am.)
• Free speech (1st Am.)
• Fundamental decision (14th Am.)

6. US Privacy Milestones
• 1890 – right to privacy
▫ promoted in article by Warren and Brandeis (tort-based privacy)
• 1928 -- ―the right to be let alone‖
▫ (Brandeis dissent in Olmstead -- search and seizure)
• 1958 – nexus of anonymity and speech
▫ (NAACP v. Alabama) (disclosure of member list)
• 1960 – Prosser’s Torts
▫ based on Warren and Brandeis’s ideas
• 1967 – ―reasonable expectation‖
▫ (Katz v. US -- search and seizure)
• 1977 – no ―zone of privacy‖ where data is protected
and used within broad police powers of state
▫ (Whalen v. Roe -- disclosure of prescription data)

7. Warren & Brandeis (1890)
• ―…now that modern devices afford abundant
opportunities for the perpetration of such
wrongs without any participation by the injured
party, the protection granted by the law must be
placed upon a broader foundation."

8. Warren & Brandeis
• The ―right to be let alone‖
• Elements of privacy from:
▫ defamation law
▫ IP law
▫ Contract law
▫ Property
▫ Olmstead v. US (1928)

9. Warren & Brandeis to Prosser
• Dean Prosser’s four torts (1960):
▫ appropriating the plaintiff's identity for the
defendant's benefit
▫ placing the plaintiff in a false light in the public
eye
▫ publicly disclosing private facts about the
plaintiff
▫ unreasonably intruding upon the seclusion or
solitude of the plaintiff

10. International Privacy Conventions
• Article 8 of the European Convention on Human
Rights
▫ ―Everyone has the right to respect for his private
and family life, his home and his correspondence.‖
• Article 17 of the International Covenant on Civil
and Political Rights (UN)

11. Nissenbaum (2004): Cases
• Public Records Online
▫ Concerns? The info is already public…
• Consumer Profiling and Data Mining
▫ One view: targeted advertising is the most
consumer friendly form of advertising
▫ Is the data really sensitive?
• RFID Tags and Surveillance

12. Surveillance
• US v. Jones (US v. Maynard)
• Toll roads, video cameras in public spaces, facial
recognition (e.g. Google and PittPatt), GPS
tracking….
• DC Police
• PATRIOT Act
▫ Lessens requirements for obtaining Wiretap
warrants
▫ Sneak and Peak Warrants

13. Nissenbaum (2004): Principles
Three principles that dominate public deliberation
• 1) Protecting Privacy of Individuals Against
Intrusive Government Agents
• 2) Restricting Access to Intimate, Sensitive, or
Confidential Information
• 3) Curtailing Intrusions into Spaces or Spheres
Deemed Private or Personal

14. Nissenbaum: Contextual Integrity
• Presiding norms of
▫ Appropriateness
▫ Distribution / Norms of information flow
• Considers the context, nature of information in
relation to context, the roles of those receiving the
info, their relationships to info subjects, terms of
sharing, and terms of further dissemination.
• Is this practical?
• Is it a better way to visualize/protect privacy?

15. Nehf (2005)
• FTC history – law/industry self-regulation
• Market driven solutions led to widespread
adoption of privacy policies
• But policies don’t protect information, only
disclose how it is being sold, used, etc
• ―encouraging posting of privacy policies without
regulating their content‖ = less info privacy for
consumers ―than an efficient market would
produce‖

16. Nehf (2005)
• ―Until privacy becomes a salient attribute
influencing consumer choice, Web site operators
will continue to take and share more personal
information than consumers would choose to
provide in a more transparent exchange.‖

17. Facebook

18. Facebook (2)
• ―Many of the most popular applications, or "apps,"
on the social-networking site Facebook Inc. have
been transmitting identifying information—in effect,
providing access to people's names and, in some
cases, their friends' names—to dozens of advertising
and Internet tracking companies…
• ―The issue affects tens of millions of Facebook app
users, including people who set their profiles to
Facebook's strictest privacy settings. The practice
breaks Facebook's rules, and renews questions
about its ability to keep identifiable information
about its users' activities secure.‖
- Wall Street Journal, Oct 18, 2010

19. Facebook (3)
• Who can see what?
▫ Public
▫ Friends
▫ Apps
• Facebook settles with the
FTC: http://www.nytimes.com/2011/11/30/tech
nology/facebook-agrees-to-ftc-settlement-on-
privacy.html

20. Online Behavioral Advertising
• ABC News Story [link]
• For discussion of someof the recently proposed
"Do Not Track" legislation in Congress look here,
here, and here.

21. Problems
• ―…there is no single definition of what it means to be
tracked, so expressing a preference does not
guarantee users that they will be able to block all
web sites and content that they may view as being
associated with tracking behavior.‖
- From Microsoft.com
• Industry self-regulation does not provide for any
enforcement mechanism beyond current FTC
powers (e.g. to prosecute for engaging in deceptive
practices)

22. What Do “They” Know?
• The Open Data Partnership allows a glimpse
into what information is being collected and by
whom.
▫ http://www.evidon.com/partners/open_data_par
tnership - contains list of 1021 companies that
engage in online behavioral advertising, many of
which also have multiple advertising products.

23. Who Knows?
* Ghostery results from NAI’s
Opt-Out page.

24. FTC Report
• FTC report calls for ―browser based do-not-track
mechanism‖ in December 2010
• Industry self-regulation
▫ Browsers build in do not track options
▫ Industry groups set up opt-out mechanisms (DAA,
NAI)
▫ BUT self-regulation has no teeth (enforcement
mechanism) and may only mean you don’t see
targeted ads, not that you won’t be tracked.
• FTC sues Chitika, reaches settlement

25. AdChoices Evolution

26. Recent Legislation
• Europe
▫ 2009 amendments to the EU ePrivacy Directive
require member states to implement by May 25, 2011
• United States
▫ S. 913: Do-Not-Track Online Act of 2011
▫ S. 799: Commercial Privacy Bill of Rights Act of 2011
▫ H.R. 1528: Consumer Privacy Protection Act of 2011
▫ H.R. 654: Do Not Track Me Online Act
▫ H.R. 1895: Do Not Track Kids Act of 2011
▫ California: S.B. 761