FPF Comments on the FTC Informational Injury Workshop

On Friday, October 27, 2017, the Future of Privacy Forum filed comments with the Federal Trade Commission in advance of the December 12, 2017 Informational Injury Workshop. The purpose of the workshop is to examine consumer injury in the context of privacy and data security. FPF’s comments focus on describing the harms that can arise from automated decision-making as well as highlighting existing risk-based privacy analyses.

Analysis of personal data can be used to improve services, promote inclusion, and combat discrimination. However, such analysis can also create valid concerns about differential treatment of individuals or disparate impacts on vulnerable communities. In FPF’s preliminary review of the relevant literature and public policy regarding automated decision-making, we found that the concerns identified by leaders in this space fall into four broad categories of potential harms: (1) loss of opportunity; (2) economic loss; (3) social stigmatization; and (4) loss of liberty. Depending on the context and circumstances, we determined that each of these categories of harms can accrue to individuals, groups, or society as a whole. Notably, not all harms described in existing literature will necessarily be legally cognizable – although they may be widely considered unfair – while some may already be illegal under existing laws.

Regarding potential solutions, we explain strategies that generally fall in one of four categories: (1) algorithmic design solutions; (2) business process solutions; (3) legal and policy solutions; or (4) data methods solutions. As with harms, these potential solutions describe the universe of proposals rather than specific recommended solutions. It is also important to recognize that proposed solutions may sometimes impact other important values, such as freedom of speech or economic competition. Their use may need to be considered on a case-by-case basis and by a balancing of the benefits and risks of intervention.

The challenges of conceptualizing informational injury are increasingly relevant as risk-based privacy analyses become more common in law, policy, and internal business practices. One long-standing legal basis for processing data in the European Union is the “legitimate interests” framework, which has similarities to the FTC’s unfairness analysis under Section 5 of the FTC Act. Under this basis for lawful processing, companies may engage in lawful data processing if their legitimate interests are not “overridden by the interests or fundamental rights and freedoms of the data subject.” In addition, under the General Data Protection Regulation (GDPR) that will come into effect in May 2018, companies are required to carry out a data protection impact assessment if data processing is “likely to result in a high risk to the rights and freedoms of natural persons.” In each of these benefit-risk analyses, the underlying risk relies on an accurate assessment of the nature of informational injuries.

We see a promising set of solutions arising in literature and regulatory conversations on the topic of automated decision-making and risk-based analyses, and we look forward to a robust conversation on these issues at the upcoming FTC workshop.

READ COMMENTS

2nd Annual McGowan Forum on Ethics: The Challenge of Big Data

On October 26, 2017, John Verdi, FPF’s Vice President of Policy, served as a panelist for the National Archives Foundation’s 2nd Annual McGowan Forum on Ethics: The Challenge of Big Data. The panel discussed the ethical responsibility of those who compile and track citizens’ personal data.  The conversation focused around what responsibility corporations and governments have to protect their customers and be transparent in regard to possible data hacks. 

The session was moderated by Kim Hart, the Technology Editor at Axios. Other panelists included Neil Chilson, Acting Chief Technologist, Federal Trade Commission; Marc DaCosta, Co-founder and Chairman, Enigma; and Michelle De Mooy, Director of the Privacy & Data Project at the Center for Democracy & Technology.

Thank you for hosting, National Archives Foundation! You can watch full event below.

Video

TEDx Wilmington: What's Driving the Connected Car? Data, It Turns Out.

On Tuesday, October 17, 2017, Lauren Smith, FPF Policy Counsel, presented at the TEDx Wilmington Salon, Who’s in the Driver’s Seat? The Transformation of Transportation. The TEDx included an exciting line up of the leading voices in the connected car space, including FTC Commissioner Maureen Ohlhausen. Lauren’s talk was titled, What’s Driving the Connected Car? Data, It Turns Out, and emphasized the importance of responsible data management in autonomous vehicles. FPF staff and friends gathered at our offices in Washington, DC to watch Lauren’s presentation. She explained:

“I am going to argue that in a world where 94% of car crashes are caused by human error, the case is so much stronger for opting in and sharing data with your car than even your phone—something we have all already chosen to do. As with smartphones your car will need to collect information, and sometimes send it, in order to enable these features. And as with smartphones, the companies involved will need to safeguard your privacy in order for you to use and trust the technology. The truth is that yes, your car will be learning more about you, but what it learns may save your life.”

Videos

Press

• Speakers, topics announced for TEDx transportation salon (Delaware Business Now)
• Topics announced for TEDxWilmington Salon on future of transportation (Technically Delaware)
• TEDxWilimingtonSalon tackles privacy, tech and safety in transportation (Delaware Business Times)

Blogs

• Meet the Speakers: Lauren Smith
• The TEDx Process: Lauren Smith for TEDxWilmington

General Information

• Event Page
• Livestream
• Photographs

DQC Report: Effective Data Use and Research Partnerships between SEAs and Education Researchers

Today, the Data Quality Campaign (DQC) released a new infographic and resource on education research, Roadmap for Effective Data Use and Research Partnerships between State Education Agencies and Education Researchers. DQC brought together education researchers and policy experts, including FPF’s Education Policy Counsel Amelia Vance, to create these new resources.

The new infographic explains how education research “is about answering questions,” “support[ing] individual students,” “inform[ing] better decisions,” “build[ing] knowledge for the future,” and helping “students and schools succeed.” The new “roadmap” resource discusses how “safeguarding student information is paramount to successful [state education agency and] research partnerships,” and provides practical tips on improving privacy and security (page 13) and engaging and being transparent with the public about state research efforts (page 11).

DQC’s new resources are especially important as policymakers consider how to improve evidence-based policymaking. In the past few years, several states have passed laws limiting or eliminating sharing data with researchers due to privacy concerns even though, as the DQC roadmap highlights, education research and effective educational policies go hand-in-hand.

FPF looks forward to continuing to work with DQC on education research and student privacy issues.

DQC’s roadmap is part of a larger conversation about how best to protect student privacy while promoting data-driven research that can improve education outcomes.  It is crucial for researchers to embrace privacy safeguards and review mechanisms beyond traditional institutional research boards (IRBs) in some circumstances. It is also important for researchers to articulate the value of data and communicate with stakeholders regarding privacy-protective practices.  Stakeholder support can make or break data driven education initiatives.  Two of the best ways to to earn stakeholder trust are to implement meaningful privacy protections and communicate effectively with the community.

FPF-CAN Speaker Series featuring Mary Madden and Michele Gilman

The FPF-Capital Area Academic Network invites you to join us for a roundtable discussion featuring Mary Madden (Researcher, Data & Society Institute) and Michele Gilman (Venable Professor of Law and Director of Clinical Education, University of Baltimore School of Law). Mary and Michele will discuss their latest research: “Privacy, Poverty and Big Data: A Matrix of Vulnerabilities for Poor Americans.”

On Wednesday, October 25, 2017, from 3:00 – 4:00pm, Mary and Michele will share their research with us and engage in a discussion about their findings. An opportunity to network with the authors and fellow attendees will follow the discussion from 4:00 – 5:00pm. Please R.S.V.P. to reserve your seat — space is limited.

When:

Wednesday, October 25, 2017

3:00 PM – 5:00 PM ET

Where:

Future of Privacy Forum

1400 I Street Northwest

Suite #450

Washington, DC 20005

REGISTER HERE

We look forward to seeing you on the 25th!

Can’t join us in person? Join us virtually using the following Zoom link:

https://zoom.us/j/788560376

This event is supported by the National Science Foundation under Grant No. 1654085

About the Research:

This Article examines the matrix of vulnerabilities that low-income people face as a result of the collection and aggregation of big data and the application of predictive analytics. It reports on original empirical findings from a large, nationally-representative telephone survey with an oversample of low-income American adults, and highlights how these patterns make particular groups of low-status Internet users uniquely vulnerable to various forms of surveillance and networked privacy-related problems. In particular, a greater reliance on mobile connectivity, combined with lower usage of privacy-enhancing strategies, may contribute to various privacy and security-related harms. The Article then discusses three scenarios in which big data—including data gathered from social media inputs—is being aggregated to make predictions about individual behavior: employment screening, access to higher education, and predictive policing. As policymakers consider reforms, the Article urges greater attention to impacts on low-income persons and communities.

About the presenters:

Mary Madden is a veteran technology researcher, writer and public speaker, having studied trends in American internet users’ behaviors and attitudes for more than a decade. She is currently leading a Data & Society initiative to understand the privacy and security experiences of low-socioeconomic status populations. Supported by a grant from the Digital Trust Foundation, the project will provide freely accessible survey data to researchers working in this area and will seek to answer key questions that can help ground current policy conversations and debates about privacy and security in the digital age.

Mary is also an Affiliate at the Berkman Center for Internet and Society at Harvard University where she has collaborated with the Berkman Center’s Youth and Media Project to apply quantitative and qualitative research methods to study adolescents’ technology use and privacy management on social media. Prior to her role at Data & Society, Mary was a Senior Researcher for the Pew Research Center’s Internet & American Life Project. She is a nationally recognized expert on privacy and technology, trends in social media use, and the impact of digital media on teens and parents. Mary is also a member of the National Cyber Security Coalition’s Data Privacy Day Advisory Committee and the Research Advisory Committee for the Future of Music Coalition’s Artist Revenue Streams Project.

Michele Gilman is the Venable Professor of Law and Director of Clinical Education at the University of Baltimore School of Law. Professor Gilman teaches in the Civil Advocacy Clinic, where she supervises students representing low-income individuals and community groups in a wide range of litigation, legislation, and law reform matters. She also teaches evidence, federal administrative law, and poverty law. Professor Gilman writes extensively about privacy, poverty, and social welfare issues, and her articles have appeared in journals including the California Law Review, the Vanderbilt Law Review, and the Washington University Law Review. She is a co-director of the Center on Applied Feminism, which works to apply the insights of feminist legal theory to legal practice and policy. She received her B.A. from Duke University, and her J.D. from the University of Michigan Law School.

REGISTER HERE

The Top 10: Student Privacy News (September 2017)

The Future of Privacy Forum tracks student privacy news very closely, and shares relevant news stories with our newsletter subscribers.* Approximately every month, we post “The Top 10,” a blog with our top student privacy stories. This blog is cross-posted at studentprivacycompass.org. 

The Top 10

1. Cyber Terrorism in Schools: Ransom letters were sent to the Columbia Falls School District in Montana and Johnston Community School District in Iowa, threatening to disclose sensitive student information if their demands were not met. The hackers also had access to school security cameras in Montana. In Iowa, the group “used stolen contact details to send out threatening messages en masse. ‘I’m going to kill some kids at your son’s high school,’ some of the texts said.” The group also posted “Student names, addresses and telephone numbers have been posted on a publicly accessible website.” Montana parents were also extremely concerned (especially since the letter their district received alluded to Sandy Hook), and an expert stated that the reason the district “was chosen had less to do with what type of organization it is, a school, as opposed to the fact it was an easy target.”
2. What should schools and ed tech companies do when law enforcement asks them for student information, such as immigration status? This month, FPF released “Law Enforcement Access to Student Records: A Guide for School Administrators & Ed Tech Service Providers.” The Electronic Privacy Information Center (EPIC) has asked the “Senate to Enforce Privacy Safeguards for ‘Dreamers.’” Many news outlets also discussed education and immigration issues, including “The Cruel Irony of the DACA Database;” a 3-part series from The 74 and The Guardian, “‘Sanctuary schools’ across America defy Trump’s immigration crackdown,” “Trump order could give immigration agents a foothold in US schools,” and “Trump’s immigration crackdown is traumatizing a generation of children;” “‘Dreamers’ worry Trump will use their personal data against them;” and “Immigration crackdown taking heavy toll on California students.”
3. The FTC and Department of Education are hosting a Workshop on Student Privacy and Ed Tech on December 1^st to discuss open questions about how the Rule implementing COPPA applies in the school context and intersects with FERPA. The general public is invited to attend in person or via webcast. They are seeking public comments before the workshop that are due November 17.
4. The Data Quality Campaign released their annual report on state legislation on education data, including student privacy. According to DQC, “26 states passed 53 new laws focused on student data during the 2017 legislative session — with most legislative activity focusing on privacy concerns.” Stay tuned for FPF’s upcoming white paper diving in on this year’s new student privacy state legislative trends.
5. The Commission on Evidence-Based Policymaking finally released their final report, which has many implications for student data (and many great privacy suggestions). You can read my blog about the report and education here. Speaker Ryan and Senator Murray both expressed in the press conference releasing the report that Congress plans to pass a law adopting many of the report recommendations. However, at least one article said that, at the Congressional hearing on the report, Congress had difficulty understanding that the Commission argued that the data be used for research purposes only, and not to “root out individual cases of waste, fraud, and abuse.” Many organizations, including the Electronic Privacy Information Center, expressed support for the report.
6. Common Sense Media has published a list of “Essential Student Privacy and Safety Questions” to ask your child’s school.
7. “[Higher Ed] Schools Must Adhere to Cybersecurity Regulations or Risk Losing Title IV Eligibility,” via Duane Morris LLP.
8. A new journal article examines “Young people’s uses of wearable healthy lifestyle technologies; surveillance, self-surveillance and resistance.” One finding: “Young people oppose Fitbits in schools.”
9. EdSurge published a great article on a recent California panel with two companies that had “high-profile breaches” in 2017, a data privacy expert, and a district representative.
10.  “Education Data Breaches Double in First Half of 2017,” via Campus Technology.

Image: “Security” by David Goehring  is licensed under CC BY 2.0.