FPF Releases Guide to Disclosing Information During School Emergencies
In Blog, FPF Expert Notes School Safety Report “Offers Little Guidance” on Privacy
WASHINGTON, DC – The Future of Privacy Forum released a guide to help school officials understand their ability under the law to share information about students in an emergency situation. The primary federal student privacy law, the Family Educational Rights and Privacy Act (FERPA), allows for exceptions to its general requirement that parents must approve information sharing during emergencies, including natural disasters, health crises, terrorist threats or active shootings. The guide explains:
schools’ obligations
opportunities for discretion under the law
to whom schools can disclose information,
what can be disclosed
limits on schools’ risk of liability.
FPF also published a blog post by Sara Collins, Tyler Park, and Amelia Vance of FPF’s Education Privacy Project, reviewing the very limited discussion of privacy issues in the Federal Commission on School Safety report released yesterday. While the report does include some information on acceptable data sharing during an emergency, it does not address how to implement security measures while including appropriate privacy protections. For example, the report recommends the use of “appropriate systems to monitor social media and mechanisms for reporting cyberbullying incidents” but does not mention the privacy implications of such monitoring or appropriate privacy protections, despite FPF’s comments on this issue.
“Unfortunately, the report offers little practical guidance to school officials on how to consider privacy safeguards as they implement programs to monitor threats, harden schools or train personnel,” said the authors. “Privacy doesn’t seem to have been a top concern for the Commission, even though its members heard testimony about ways to have both security and privacy.”
School Safety Report Neglects Privacy Concerns
By Sara Collins, Tyler Park, and Amelia Vance
Yesterday, the Federal Commissionon School Safety released areport detailing its conclusions, after holding a series of meetings and hearings in the wake of school shootings such as the one at Marjory Stoneman Douglas High School in Florida in February 14th. Nearly every aspect of the Commission’s report focuses on sharing data and, thus, has privacy implications for students, teachers, and the public.
The Commission’s Privacy Recommendations Were Limited and Unhelpful for Districts Seeking to Balance Privacy and Safety
During the Commission’s deliberative process, FPF provided comments and was invited to testify about those privacy issues. We recommended that the Commission’s report consider the full range of privacy risks and harms, as well as the importance of privacy safeguards, in its efforts to improve school safety. Specifically, we underscored the need for better communication to stakeholders about current privacy laws, the importance of creating “privacy guardrails” in the context of school safety plans, and asked that the Commission provide districts with guidance on how to implement such guardrails. It was important for the Commission to provide privacy recommendations because districts may not realize that the school safety measures recommended have serious privacy concerns if implemented improperly. And for districts that do understand the privacy implications, no models or best practices have been provided. While the report recognizes the importance of privacy safeguards, unfortunately it does little to help schools improve safety in a manner that protects students’ privacy.
The report quotes FPF’s John Verdi, who noted during his testimony on July 11 that trust is crucial in the education context, and that “maintaining appropriate safeguards for students’ privacy helps create and maintain trust.” The report also cites the testimony of Jennifer Mathis, of the Bazelon Center for Mental Health Law, who spoke of the importance of HIPAA privacy protections for people with mental health disabilities. The Commission notes that “[w]ithout the assurance of privacy protections, students are less likely to seek help when needed and less likely to engage openly with mental health counselors or other service providers.” The Commission also states, “it is important to incorporate appropriate privacy protections and to comply with privacy laws” but does not elaborate.
Although several sections of the report acknowledge the need for privacy safeguards, the Commission unfortunately offers little guidance—except on acceptable data sharing during emergencies under the federal student privacy law, FERPA—to educators, districts, or states on how to implement security measures while including appropriate privacy protections. This is particularly unfortunate since, throughout the report, the Commission provides specific, useful examples of effective programs at the state and local levels focusing on reporting threats, hardening schools, and training personnel. For example, the report recommends the use of “appropriate systems to monitor social media and mechanisms for reporting cyberbullying incidents” but does not mention the privacy implications of such monitoring or appropriate privacy protections, despite FPF’s comments on this issue. The Commission’s relative neglect of privacy safeguards may indicate that privacy was not a top concern.
A Surprising Call for FERPA “Modernization”
The report articulates ways that schools can share information under FERPA, as it is currently written, to protect students’ safety, noting that the major issue (which FPF identified in our testimony) is that most schools are not aware of FERPA’s flexibility. Unexpectedly, the Commission recommended that Congress revisit FERPA––and this was the only recommendation in the report that clearly called for Congressional action.
The report calls for FERPA revisions in order “to account for changes in technology since its enactment.” A rewrite of FERPA would affect information sharing far more broadly than in the context of school safety, with major implications for the use of data and technology in both K-12 and higher education. The report’s recommendation to revisit FERPA indicates that the Department of Education may plan to actively push for a FERPA revision in Congress in 2019.
No Recommendation for Empirical Research on Root Causes of School Shootings and Effective Prevention Measures
Unfortunately, the Commission did not recommend neutral, expert analysis of empirical data regarding the nature, extent, and leading causes of key privacy and safety risks facing students and schools. FPF’s testimony noted that, as a society, we have imperfect empirical understanding of the causes of school shootings and of measures taken to prevent them. Recommending such research would have been an important step toward improving school safety. Without more research, there is extremely limited evidence that the Commission’s recommended actions will help keep students safe.
Overall, this report is likely to be very useful to schools seeking a fairly comprehensive look at ways, including examples, to keep students safe. However, it seems unlikely that schools would understand from this report that many of the Commission’s recommendations and examples raise major privacy concerns. These concerns are not just about what is allowable or appropriate to share under FERPA; privacy is about more than the law. Schools and communities need resources and advice about what privacy guardrails look like in practice. Models for this are scarce, but the report should have more strongly emphasized the importance of privacy and encouraged districts to think beyond existing law to build privacy guardrails into their school safety programs.
New Resource on FERPA's Health and Safety Emergency
The Future of Privacy Forum has released a new guide, Disclosing Student Information During School Emergencies: A Primer for Schools, which offers four best practices for information disclosure and answers five frequently asked questions about FERPA’s requirements for sharing information during health or safety emergencies.
Read more about this guide in the Future of Privacy Forum’s December 20, 2018 press release.
Amelia Vance's Letter to the Editor in the New York Times
FPF Education Director and Policy Counsel Amelia Vance wrote a letter in response to a New York Times story on student privacy laws published earlier this week. She argued that the best way to address concerns over student privacy is to enforce and fully fund the implementation of existing laws, not add even more laws on top of the hundreds that have been passed in recent years. Read more in her Letter to the Editor.
Privacy Papers 2018: Spotlight on the Winning Authors
Today, FPF announced the winners of the 9th Annual Privacy Papers for Policymakers (PPPM) Award. This Award recognizes leading privacy scholarship that is relevant to policymakers in the United States Congress, at U.S. federal agencies, and for data protection authorities abroad.
From many nominated privacy-related papers published in the last year, five were selected by Finalist Judges, after having been first evaluated highly by a diverse team of academics, advocates, and industry privacy professionals from FPF’s Advisory Board. Finalist Judges and Reviewers agreed that these papers demonstrate a thoughtful analysis of emerging issues and propose new means of analysis that can lead to real-world policy impact, making them “must-read” privacy scholarship for policymakers.
by Jef Ausloos, Postdoctoral Researcher, University of Amsterdam’s Institute for Information Law; and Pierre Dewitte, Researcher, KU Leuven Centre for IT & IP Law
Jef Ausloos is a postdoctoral researcher at the University of Amsterdam’s Institute for Information law (IViR). His research centers around data-driven power asymmetries and the normative underpinnings of individual control empowerment and autonomy in today’s largely privatized information ecosystem. Before joining IViR in December 2018 Jef was a doctoral researcher at the University of Leuven’s Center for IT & IP Law (CiTiP), where he worked on a variety of projects in media and data protection law. In October 2018, he obtained his PhD entitled ‘The right to erasure: safeguard for informational self-determination in a digital society?’. Jef holds degrees in law from the Universities of Namur Leuven and Hong Kong. He has worked as an International Fellow at the Center for Democracy & Technology and the Electronic Frontier Foundation and has been on research stays at the Berkman Center for Internet & Society (Harvard University) in 2012, the Institute for Information Law (University of Amsterdam) in 2015 and the Centre for Intellectual Property and Information Law (Cambridge University) in 2017.
Pierre Dewitte (1993, Brussels) obtained his Bachelor and Master degree of Laws with a specialization in Corporate and Intellectual Property law from the Université Catholique de Louvain in 2016. As part of his Master program, he spent six month in the University of Helsinki where he strengthened his knowledge in European law. In 2017, he then completed the advanced Master of Intellectual Property and ICT law at the KU Leuven with a special focus on privacy, data protection and electronic communications law.
Pierre joined the KU Leuven Centre for IT & IP in October 2017 where he conducts interdisciplinary research on privacy engineering, smart cities and algorithmic transparency. Among other initiatives, his main research track seeks to bridge the gap between software engineering practices and data protection regulations by creating a common conceptual framework for both disciplines and providing decision and trade-off support for technical and organizational mitigation strategies in the software development life-cycle.
by Danielle Keats Citron, Morton & Sophia Macht Professor of Law, University of Maryland Carey School of Law
Danielle Keats Citron is the Morton & Sophia Macht Professor of Law at the University of Maryland Carey School of Law where she teaches and writes about privacy, civil rights, and free speech. Her book Hate Crimes in Cyberspace (Harvard University Press) was named one of the “20 Best Moments for Women in 2014) by Cosmopolitan magazine. Her law review articles have appeared or are forthcoming in Yale Law Journal, California Law Review (twice), Michigan Law Review (twice), Texas Law Review, Boston University Law Review (three times), Notre Dame Law Review(twice), Washington University Law Review (three times), Southern California Law Review, Minnesota Law Review, Washington Law Review (twice), UC Davis Law Review, Fordham Law Review, and Hastings Law Journal. She is a frequent opinion writer for major media outlets including the New York Times, Slate, the Atlantic, and the Guardian. Danielle is an Affiliate Scholar at the Stanford Center on Internet and Society, Affiliate Fellow at the Yale Information Society Project, a Tech Fellow at NYU’s Policing Project, and a member of the Principals Group for the Harvard-MIT AI Fund. Danielle works closely with tech companies such as Twitter and Facebook and federal and state lawmakers on issues of online safety, privacy, and free speech. She is the Chair of the Electronic Privacy Information Center’s Board of Directors. Danielle will be joining the faculty of Boston University School of Law as a Professor of Law in the fall of 2019.
by Lilian Edwards, Professor of Law, Innovation and Society, Newcastle Law School; and Michael Veale, Researcher, Department of Science, Technology, Engineering & Public Policy at University College London
Lilian Edwards is a leading UK-based academic and frequent speaker on issues of Internet law, intellectual property and artificial intelligence. She is on the Advisory Board of the Open Rights Group and the Foundation for Internet Privacy Research and is the Professor of Law, Innovation and Society at Newcastle Law School at Newcastle University, having previously held chairs at Southampton, Sheffield and Strathclyde. She has taught information technology law, e-commerce law, privacy law and Internet law at undergraduate and postgraduate level since 1996 and been involved with law and artificial intelligence (AI) since 1985.
She has co-edited (both with Charlotte Waelde and alone) three editions of a bestselling textbook, Law and the Internet (later Law, Policy and the Internet); a new sole-edited collection, Law, Policy and the Internet appeared in 2018. She won the Barbara Wellberry Memorial Prize in 2004 for work on online privacy and data trusts. A collection of her essays, The New Legal Framework for E-Commerce in Europe, was published in 2005.She is Deputy Director, and was co-founder, of the Arts and Humanities Research Council (AHRC) Centre for IP and Technology Law (now SCRIPT). Edwards has consulted inter alia for the EU Commission, the OECD, and WIPO. Edwards co-chairs GikII, an annual series of international workshops on the intersections between law, technology and popular culture.
Michael Veale is a researcher in responsible public sector machine learning at University College London, specializing in the fairness and accountability of data-driven tools in the public sector, the interplay between advanced technologies, data protection law, and human-computer interaction. His research has been cited by national and international governments and regulators, discussed in the media, as well as debated in Parliament. Michael has acted as expert consultant on machine learning and society for the World Bank, United Nations, European Commission, the Royal Society and the British Academy, and a range of national governments. Michael is a Fellow at the Centre for Public Impact, an Honorary Research Fellow at Birmingham Law School, University of Birmingham, a Visiting Researcher at the BBC DataLab, and a member of the Advisory Council for the Open Rights Group. He previously worked on IoT and ageing policy at the European Commission, and holds degrees from LSE (BSc) and Maastricht University (MSc). A full list of publications can be found at https://michae.lv. He tweets at @mikarv.
by Ira Rubinstein, Senior Fellow, Information Law Institute of the New York University School of Law
Ira Rubinstein is a Senior Fellow at the Information Law Institute (ILI) of the New York University School of Law. His research interests include privacy by design, electronic surveillance law, big data, voters’ privacy, and privacy regulation. Rubinstein lectures and publishes widely on issues of privacy and security and has testified before Congress on these topics on several occasions. Recent work includes papers on co-regulatory models of privacy regulation, anonymization and risk, voter privacy in the age of big data. Additionally, he co-authored a research report on Systematic Government Access to Personal Data: A Comparative Analysis, prepared for the Center for Democracy and Technology. Earlier papers include Big Data: The End of Privacy or a New Beginning published in International Data Privacy Law in 2013 and presented it at the 2013 Computer Privacy and Data Protection conference in Brussels; and Privacy by Design: A Counterfactual Analysis of Google and Facebook Privacy Incidents, co-authored with Nathan Good, which won the IAPP Privacy Law Scholars Award at the 5th Annual Privacy Law Scholars Conference in 2012 and was published in the Berkeley Technology Law Journal.
Prior to joining the ILI, Rubinstein spent 17 years in Microsoft’s Legal and Corporate Affairs department, most recently as Associate General Counsel in charge of the Regulatory Affairs and Public Policy group. Before coming to Microsoft, he was in private practice in Seattle, specializing in immigration law. From 2010-2016, he served on the Board of Directors of the Center for Democracy and Technology. He also served as Rapporteur, of the EU-US Privacy Bridges Project, which was presented at the 2015 International Conference of Privacy and Data Protection Commissioners in Amsterdam. He currently serves on the Board of Advisers of the American Law Institute for the Restatement Third, Information Privacy Principles and the Organizing Committee of the Privacy by Design Workshops sponsored by the Computing Research Association. Rubinstein graduated from Yale Law School in 1985.
by Ari Ezra Waldman, Professor of Law and Founding Director, Innovation Center for Law and Technology at New York Law School
Ari Ezra Waldman is a Professor of Law and the Founding Director of the Innovation Center for Law and Technology at New York Law School. Professor Waldman’s work is forthcoming or has been published in numerous leading scholarly journals, including Law & Social Inquiry (peer reviewed), the Washington University Law Review, the UC Irvine Law Review, and the Cornell Law Review, among many others. His first book, Privacy As Trust: Information Law for an Information Age (Cambridge University Press, 2018), reorients privacy law around sociological principles of trust and argues that privacy law should protect information disclosed in contexts of trust. In 2018, Professor Waldman was honored as the Deirdre G. Martin Memorial Lecturer on Privacy at the University of Ottawa. In 2017, he received the highest award in privacy law, the Best Paper Award at the Privacy Law Scholars Conference in Berkeley, CA. And in 2016, his scholarship was awarded the Otto L. Walter Distinguished Writing Award. Professor Waldman has testified before the U.S. House of Representatives on issues relating to privacy and online social networks. His opinion pieces have appeared in the New York Times, the New York Daily News, The Advocate, among other popular press. He has appeared on Nightline, Good Morning America, MSNBC’s “The Docket,” and appeared as an expert on Syfy’s miniseries, The Internet Ruined My Life. He holds a Ph.D. from Columbia University, a J.D. from Harvard Law School, and a B.A. from Harvard College. He also really loves dogs.
The Finalist Judges also selected two papers for Honorable Mention on the basis of their uniformly strong reviews from the Advisory Board.
The 2018 PPPM Honorable Mentions are:
Regulating Bot Speech, by Madeline Lamo, Law Clerk, United States Court of Federal Claims; and Ryan Calo, Lane Powell and D. Wayne Gittinger Associate Professor of Law, University of Washington School of Law
The Intuitive Appeal of Explainable Machines by Andrew D. Selbst, Postdoctoral Scholar, Data & Society Research Institute; and Solon Barocas, Assistant Professor, Department of Information Science at Cornell University
Additionally, the 2018 Student Paper award goes to:
Diffusion of User Tracking Data in the Online Advertising Ecosystem, by Muhammad Ahmad Bashir, PhD candidate, College of Computer and Information Science at Northeastern University; and Christo Wilson, Associate Professor, College of Computer and Information Science at Northeastern University
The winning authors have been invited to join FPF and Honorary Co-Hosts Senator Edward J. Markey, and Congresswoman Diana DeGette, to present their work at the U.S. Senate with policymakers, academics, and industry privacy professionals. This annual event will be held on February 06, 2019. FPF will subsequently publish a printed digest of summaries of the winning papers for distribution to policymakers, privacy professionals, and the public. RSVP here to join us.
by Jef Ausloos, Postdoctoral Researcher, University of Amsterdam’s Institute for Information Law; and Pierre Dewitte, Researcher, KU Leuven Centre for IT & IP Law
Abstract:
The right of access occupies a central role in EU data protection law’s arsenal of data subject empowerment measures. It can be seen as a necessary enabler for most other data subject rights as well as an important role in monitoring operations and (en)forcing compliance. Despite some high-profile revelations regarding unsavoury data processing practices over the past few years, access rights still appear to be underused and not properly accommodated. It is especially this last hypothesis we tried to investigate and substantiate through a legal empirical study. During the first half of 2017, around sixty information society service providers were contacted with data subject access requests. Eventually, the study confirmed the general suspicion that access rights are by and large not adequately accommodated. The systematic approach did allow for a more granular identification of key issues and broader problematic trends. Notably, it uncovered an often-flagrant lack of awareness; organisation; motivation; and harmonisation. Despite the poor results of the empirical study, we still believe there to be an important role for data subject empowerment tools in a hyper-complex, automated and ubiquitous data-processing ecosystem. Even if only used marginally, they provide a checks and balances infrastructure overseeing controllers’ processing operations, both on an individual basis as well as collectively. The empirical findings also allow identifying concrete suggestions aimed at controllers, such as relatively easy fixes in privacy policies and access rights templates.
by Danielle Keats Citron, Morton & Sophia Macht Professor of Law, University of Maryland Carey School of Law
Abstract:
Those who wish to control, expose, and damage the identities of individuals routinely do so by invading their privacy. People are secretly recorded in bedrooms and public bathrooms, and “up their skirts.” They are coerced into sharing nude photographs and filming sex acts under the threat of public disclosure of their nude images. People’s nude images are posted online without permission. Machine-learning technology is used to create digitally manipulated “deep fake” sex videos that swap people’s faces into pornography.
At the heart of these abuses is an invasion of sexual privacy—the behaviors and expectations that manage access to, and information about, the human body; intimate activities; and personal choices about the body and intimate information. More often, women, nonwhites, sexual minorities, and minors shoulder the abuse.
Sexual privacy is a distinct privacy interest that warrants recognition and protection. It serves as a cornerstone for sexual autonomy and consent. It is foundational to intimacy. Its denial results in the subordination of marginalized communities. Traditional privacy law’s efficacy, however, is eroding just as digital technologies magnify the scale and scope of the harm. This Article suggests an approach to sexual privacy that focuses on law and markets. Law should provide federal and state penalties for privacy invaders, remove the statutory immunity from liability for certain content platforms, and work in tandem with hate crime laws. Market efforts should be pursued if they enhance the overall privacy interests of all involved.
by Lilian Edwards, Professor of Law, Innovation and Society, Newcastle Law School; and Michael Veale, Researcher, Department of Science, Technology, Engineering & Public Policy at University College London
Abstract:
Algorithms, particularly machine learning (ML) algorithms, are increasingly important to individuals’ lives, but have caused a range of concerns revolving mainly around unfairness, discrimination and opacity. Transparency in the form of a “right to an explanation” has emerged as a compellingly attractive remedy since it intuitively promises to open the algorithmic “black box” to promote challenge, redress, and hopefully heightened accountability. Amidst the general furore over algorithmic bias we describe, any remedy in a storm has looked attractive.
However, we argue that a right to an explanation in the EU General Data Protection Regulation (GDPR) is unlikely to present a complete remedy to algorithmic harms, particularly in some of the core “algorithmic war stories” that have shaped recent attitudes in this domain. Firstly, the law is restrictive, unclear, or even paradoxical concerning when any explanation-related right can be triggered. Secondly, even navigating this, the legal conception of explanations as “meaningful information about the logic of processing” may not be provided by the kind of ML “explanations” computer scientists have developed, partially in response. ML explanations are restricted both by the type of explanation sought, the dimensionality of the domain and the type of user seeking an explanation. However, “subject-centric” explanations (SCEs) focussing on particular regions of a model around a query show promise for interactive exploration, as do explanation systems based on learning a model from outside rather than taking it apart (pedagogical versus decompositional explanations) in dodging developers’ worries of intellectual property or trade secrets disclosure.
Based on our analysis, we fear that the search for a “right to an explanation” in the GDPR may be at best distracting, and at worst nurture a new kind of “transparency fallacy.” But all is not lost. We argue that other parts of the GDPR related (i) to the right to erasure (“right to be forgotten”) and the right to data portability; and (ii) to privacy by design, Data Protection Impact Assessments and certification and privacy seals, may have the seeds we can use to make algorithms more responsible, explicable, and human centered.
by Ira Rubinstein, Senior Fellow, Information Law Institute of the New York University School of Law
Abstract:
Privacy law scholarship often focuses on domain-specific federal privacy laws and state efforts to broaden them. This Article provides the first comprehensive analysis of privacy regulation at the local level (which it dubs “privacy localism”), using recently enacted privacy laws in Seattle and New York City as principle examples. It attributes the rise of privacy localism to a combination of federal and state legislative failures and three emerging urban trends: the role of local police in federal counter-terrorism efforts; smart city and open data initiatives; and demands for local police reform in the wake of widely reported abusive police practices.
Both Seattle and New York have enacted or proposed (1) a local surveillance ordinance regulating the purchase and use of surveillance equipment and technology by city departments (including the police) and (2) a law regulating city departments’ collection, use, disclosure and retention of personal data. In adopting these local laws, both cities have sought to fill two significant gaps in federal and state privacy laws: the public surveillance gap (which refers to the weak constitutional and statutory protections against government surveillance in public places) and the fair information practices gap (which refers to the inapplicability of the federal and state Privacy Acts to government records held by local government agencies).
Filling these gaps is a significant accomplishment and one that exhibits all of the values typically associated with federalism (diversity, participation, experimentation, responsiveness, and accountability). This Article distinguishes federalism and localism and shows why privacy localism should prevail against the threat of federal and (more importantly) state preemption. The Article concludes by suggesting that privacy localism has the potential to help shape emerging privacy norms for an increasingly urban future, inspire more robust regulation at the federal and state levels, and inject more democratic control into city deployments of privacy-invasive technologies.
by Ari Ezra Waldman, Professor of Law and Founding Director, Innovation Center for Law and Technology at New York Law School
Abstract:
In Privacy on the Ground, the law and information scholars Kenneth Bamberger and Deirdre Mulligan showed that empowered chief privacy officers (CPOs) are pushing their companies to take consumer privacy seriously by integrating privacy into the designs of new technologies. Their work was just the beginning of a larger research agenda. CPOs may set policies at the top, but they alone cannot embed robust privacy norms into the corporate ethos, practice, and routine. As such, if we want the mobile apps, websites, robots, and smart devices we use to respect our privacy, we need to institutionalize privacy throughout the corporations that make them. In particular, privacy must be a priority among those actually doing the work of design on the ground—namely, engineers, computer programmers, and other technologists.
This Article presents the initial findings from an ethnographic study of how, if at all, those designing technology products think about privacy, integrate privacy into their work, and consider user needs in the design process. It also looks at how attorneys at private firms draft privacy notices for their clients and interact with designers. Based on these findings, this Article suggests that Bamberger’s and Mulligan’s narrative is not yet fully realized. The account among some engineers and lawyers, where privacy is narrow, limited, and barely factoring into design, may help explain why so many products seem to ignore our privacy expectations. The Article then proposes a framework for understanding how factors both exogenous (theory and law) and endogenous (corporate structure and individual cognitive frames and experience) to the corporation prevent the CPOs’ robust privacy norms from diffusing throughout technology companies and the industry as a whole. This framework also helps suggest how specific reforms at every level—theory, law, organization, and individual experience—can incentivize companies to take privacy seriously, enhance organizational learning, and eliminate the cognitive biases that lead to discrimination in design.
The 2018 PPPM Honorable Mentions are:
Regulating Bot Speech, by Madeline Lamo, Law Clerk, United States Court of Federal Claims; and Ryan Calo, Lane Powell and D. Wayne Gittinger Associate Professor of Law, University of Washington School of Law
Abstract:
We live in a world of artificial speakers with real impact. Bots foment political strife, skew online discourse, and manipulate the marketplace. In response to concerns about the unique threats bots pose, legislators have begun to pass laws that require online bots to clearly indicate that they are not human. This work is the first to consider how such efforts to regulate bots might raise concerns about free speech and privacy.
While requiring a bot to self-disclose does not censor speech as such, it may nonetheless infringe upon the right to speak – including the right to speak anonymously – in the digital sphere. Specifically, complexities in the enforcement process threaten to unmask anonymous speakers, and requiring self-disclosure creates a scaffolding for censorship by private actors and other governments.
Ultimately, bots represent a diverse and emerging medium of speech. Their use for mischief should not overshadow their novel capacity to inform, entertain, and critique. We conclude by providing policymakers with a series of principles to bear in mind when regulating bots, so as not to inadvertently curtail an emerging form of expression or compromise anonymous speech.
The Intuitive Appeal of Explainable Machines by Andrew D. Selbst, Postdoctoral Scholar, Data & Society Research Institute; and Solon Barocas, Assistant Professor, Department of Information Science at Cornell University
Abstract:
Algorithmic decision-making has become synonymous with inexplicable decision-making, but what makes algorithms so difficult to explain? This Article examines what sets machine learning apart from other ways of developing rules for decision-making and the problem these properties pose for explanation. We show that machine learning models can be both inscrutable and nonintuitive and that these are related, but distinct, properties.
Calls for explanation have treated these problems as one and the same, but disentangling the two reveals that they demand very different responses. Dealing with inscrutability requires providing a sensible description of the rules; addressing nonintuitiveness requires providing a satisfying explanation for why the rules are what they are. Existing laws like the Fair Credit Reporting Act (FCRA), the Equal Credit Opportunity Act (ECOA), and the General Data Protection Regulation (GDPR), as well as techniques within machine learning, are focused almost entirely on the problem of inscrutability. While such techniques could allow a machine learning system to comply with existing law, doing so may not help if the goal is to assess whether the basis for decision-making is normatively defensible.
In most cases, intuition serves as the unacknowledged bridge between a descriptive account and a normative evaluation. But because machine learning is often valued for its ability to uncover statistical relationships that defy intuition, relying on intuition is not a satisfying approach. This Article thus argues for other mechanisms for normative evaluation. To know why the rules are what they are, one must seek explanations of the process behind a model’s development, not just explanations of the model itself.
The 2018 PPPM Student Paper Winner Is:
Diffusion of User Tracking Data in the Online Advertising Ecosystem, by Muhammad Ahmad Bashir, PhD candidate, College of Computer and Information Science at Northeastern University; and Christo Wilson, Associate Professor, College of Computer and Information Science at Northeastern University
Abstract:
There are two trends that are currently reshaping the online display advertising industry. First, the amount and precision of data that is being collected by Advertising and Analytics (A&A) companies about users as they browse the web is increasing. Second, there is a transition underway from “ad networks” to “ad exchanges”, where advertisers bid on “impressions” (empty advertising slots on websites) being sold in Real Time Bidding (RTB) auctions. The rise of RTB has forced A&A companies to collaborate with one another, in order to exchange data about users and facilitate bidding on impressions.
These trends have fundamental implications for users’ online privacy. It is no longer sufficient to view each A&A company, and the data it collects, in isolation. Instead, when a given user is observed by a single A&A company, that observation may be shared, in real time, with hundreds of other A&A companies within RTB auctions.
To understand the impact of RTB on users’ privacy, we propose a new model of the online advertising ecosystem called an Interaction Graph. This graph captures the business relationships between A&A companies, and allows us to model how tracking data is shared between companies. Using our Interaction Graph model, we simulate browsing behavior to understand how much of a typical web user’s browsing history can be tracked by A&A companies. We find that 52 A&A companies are each able to observe 91% of an average user’s browsing history, under modest assumptions about data sharing in RTB auctions. 636 A&A companies are able to observe at least 50% of an average user’s browsing history. Even under very strict simulation assumptions, the top 10 A&A companies still observe 89-99% of an average user’s browsing history.
Additionally, we investigate the effectiveness of several tracker-blocking strategies, including those implemented by popular privacy-enhancing browser extensions. We find that AdBlock Plus (the world’s most popular ad blocking browser extension), is ineffective at protecting users’ privacy because major ad exchanges are whitelisted under the Acceptable Ads program. In contrast, Disconnect blocks the most information flows to A&A companies of the extensions we evaluated. However, even with strong blocking, major A&A companies still observe 40-80% of an average users’ browsing history.
This Year’s Must-Read Privacy Papers: The Future of Privacy Forum Announces Recipients of Annual Privacy Papers for Policymakers Award
Washington, DC – Today, the Future of Privacy Forum announced the winners of the 9th Annual Privacy Papers for Policymakers Award. The PPPM Award recognizes leading privacy scholarship that is relevant to policymakers in the U.S. Congress, at U.S. federal agencies, and for data protection authorities abroad. The winners of the 2018 PPPM Award are:
An empirical and legal study arguing that data subject access rights are usually not adequately accommodated, while providing concrete suggestions for data controllers to remedy this issue.
Sexual Privacy, by Danielle Keats Citron, University of Maryland Carey School of Law
A discussion of sexual privacy abuses that disproportionately harm the privacy of women, non-whites, and sexual minorities, while arguing for a legal and market approach to enhance privacy interests.
An argument that a right to an explanation under GDPR is an inadequate remedy for algorithms, which often result in unfairness and discrimination. Other parts of the GDPR; however, could be used to increase algorithm responsibility.
Privacy Localism, by Ira Rubinstein, New York University School of Law
A comprehensive analysis of local privacy regulation (through the use of Seattle and New York City privacy laws), which fill gaps in federal and state privacy laws related to surveillance and fair information practices. Local regulation has the potential to inspire future regulation at the federal and state level.
Findings from an ethnographic study on how those designing technology products integrate privacy, think about privacy, and consider privacy in the design process. The study concludes that privacy barely factors into design, and provides a framework for how reforms can enhance privacy and organizational learning, while eradicating biases.
From many nominated privacy-related papers published in the last year, these five were selected by a diverse team of academics, advocates, and industry privacy professionals from FPF’s Advisory Board. These papers demonstrate a thoughtful analysis of emerging issues and propose new means of analysis that can lead to real-world policy impact, making them “must-read” privacy scholarship for policymakers.
Two papers were selected for Honorable Mention: Regulating Bot Speech, by Madeline Lamo, United States Court of Federal Claims and Ryan Calo, University of Washington School of Law; and The Intuitive Appeal of Explainable Machines, by Andrew D. Selbst, Yale Information Society Project and Solon Barocas, Cornell University.
For the third year in a row, FPF also granted a Student Paper Award. For this award, student work must meet similar guidelines as those set for the general Call for Nominations. The Student Paper Award is presented to Diffusion of User Tracking Data in the Online Advertising Ecosystem, by Muhammad Ahmad Bashir and Christo Wilson, Northeastern University.
“Academic scholarship can serve as a valuable resource for policymakers considering potential privacy legislation,” said Jules Polonetsky, FPF’s CEO. “Now more than ever, topics such as artificial intelligence, algorithmic discrimination, connected cars, and transatlantic data flows are at the forefront of the privacy debate. These papers are ‘must-reads’ for any thoughtful legislator or government executive who wants to make an impact in this rapidly evolving space.”
The winning authors have been invited to join FPF and Honorary Co-Hosts Senator Edward J. Markey and Congresswoman Diana DeGette to present their work at the U.S. Senate with policymakers, academics, and industry privacy professionals. This annual event will be held on February 06, 2019. FPF will subsequently publish a printed digest of summaries of the winning papers for distribution to policymakers, privacy professionals, and the public.
The PPPM event is free, open to the general public, and widely attended. To RSVP, please visit privacypapersforpolicymakers.eventbrite.com. This event is supported by a National Science Foundation grant. Any opinions, findings and conclusions or recommendations expressed in these papers are those of the authors and do not necessarily reflect the views of the National Science Foundation.
###
The Future of Privacy Forum (FPF) is a non-profit organization that serves as a catalyst for privacy leadership and scholarship, advancing principled data practices in support of emerging technologies. Learn more about FPF by visiting www.fpf.org.
Jules Polonetsky interviewed on C-SPAN's Washington Journal
FPF CEO Jules Polonetsky was interviewed on C-SPAN’s Washington Journal Friday. He discussed the need for federal privacy legislation, internet companies’ data collection practices and the Federal Trade Commission’s authority to stop deceptive practices, among other topics. Watch the appearance here.
The HIPAA Privacy Rule 15 Years Later: What’s Next?
On December 4th, FPF, Intel, and Duke in DC hosted “The HIPAA Privacy Rule 15 Years Later: What’s Next?” The event brought together stakeholders across the health data ecosystem to explore the current challenges related to the Health Information Portability and Accountability Act (HIPAA) Privacy Rule. Specifically, the discussion focused on solutions to mitigate restrictions to data sharing in clinical care and research due to administrative burdens, while at the same time maintain the privacy of protected health information (PHI).
This event follows the release of a Department of Health and Human Services’ (HHS) request for public comment regarding potential revisions to the HIPAA Privacy Rule. HHS seeks the public’s views regarding how the rules could be updated to encourage coordinated care and case management among hospitals, physicians, payors, and patients. The agency will also ask stakeholders to identify regulatory burdens that may impede value-based health care without providing commensurate privacy or security protections for PHI. HHS has the authority to modify HIPAA privacy standards – experts expect the agency’s request for comment to be the first step in a comprehensive reassessment and revision of health privacy rules. Comments are due February 11, 2019.
Health privacy experts highlighted several issues during the panels, including: the current administrative burdens that the notice of privacy practices and the accounting of disclosures requirements place on covered entities; the benefits of HIPAA privacy boards; and the opportunity to align the Common Rule with the HIPAA Privacy Rule.
Below we describe in further detail the panel discussions topics:
Panel Discussion 1: Reducing Burdens and Enhancing Care
The HIPAA Privacy Rule was developed to safeguard the privacy of personal health information while improving the quality of patient healthcare. The rule came into effect in 2003, and the last major amendment to the rule occurred in 2013 with the Omnibus Rule. Some believe HIPAA imposes burdens that hamper coordination and delivery of care and the transition to value-based care. Technologies like the internet of things, electronic health records, and cloud services are transforming how care is delivered. Health technologies that fall outside the scope of HIPAA – such as mhealth apps and wearables — are increasingly used by patients. These developments put pressure on the balances struck by the US health privacy regime. Some challenges related to HIPAA and clinical care were discussed by panelists, who argued that:
There is a need to make the notice of privacy practices requirement simpler and less burdensome.
The Breach Notification Rule requirements discourages companies from entering into business associate agreements (BAAs) due to complexities of complying with state laws in addition to the federal law.
Harm standards could be added into the Breach Notification Rule to align with state laws.
There is uncertainty regarding where an individual right to access and correct their designed record set and derivative data begins and ends.
The accounting of disclosures requirement could be revised to be less burdensome for covered entities.
The perceived presumption of guilt built into the Security Rule and Breach Notification Rule deters data sharing by physicians.
Physicians need further guidance and best practices on implementation of the Security Rule.
Panel Discussion 2: Enabling Research and Maintaining Privacy
Today, the average person generates over 1 million gigabytes of health-related data during a lifetime. New data types are expanding beyond the traditional healthcare setting and beyond HIPAA–such as real world evidence (RWE) and big data–and are being used for healthcare purposes. Researchers also are developing novel techniques–including AI, machine learning, and big data analytics–that were not anticipated when the HIPAA Privacy Rule was written. These advancements are prompting stakeholders to reconsider whether the status quo under the HIPAA Privacy Rule and the Common Rule is sufficient to protect privacy, address the evolving health data ecosystem, and harness the benefits of health data for patients and society. Challenges related to the intersection of HIPAA and medical research were discussed by panelists, who observed that:
There is a lack of clarity around who is an “expert” when it comes to the Expert Determination Method. Further guidance could help to ad
The Common Rule could be better aligned with the HIPAA Privacy Rule.
The use of identifiable records in research is of a different nature than research that physically or psychologically touches human subjects, and this poses a problem since institutional review boards (IRBs) tend to be focused on, and have expertise about, only the latter. This could be addressed by exempting records research, training IRB members on privacy, or producing standards for review.
Standards for waiving authorization for research could improve IRB transparency and consistency.
De-identified PHI could be subject to data use agreements that prohibit re-identification to ensure that data is not misused once outside of HIPAA protections.
The propriety of permitting disclosure of data for research without consent, and with appropriate protections, could be treated in a similar way as treatment, payment, and healthcare operations (TPO).
Panelists also discussed how HIPAA might be addressed by any comprehensive federal privacy legislation, and whether or not exemption from such a law would be the right path forward.
Full house at IAPP Brussels interested in Deciphering Legitimate Interests. Download our LI Report here!
The session that the Future of Privacy Forum organized for the IAPP Europe Congress in Brussels on November 28, Deciphering “legitimate interests”: actual enforcement cases and tested solutions, generated great interest among privacy professionals. We had a full house attending – more than 500 participants, according to the IAPP. The panel was based on a Report published earlier this year by the FPF and Nymity.
The discussion was moderated by Eduardo Ustaran (co-director of the global Privacy and Cybersecurity practice of Hogan Lovells), while the panelists were Joelle Jouret (Legal Officer, European Data Protection Board) together with the co-authors of the FPF-Nymity Report on Legitimate Interests, Gabriela Zanfir-Fortuna (Policy Counsel, FPF) and Teresa Troester-Falk (Chief Global Strategy Director, Nymity).
Given that relying on legitimate interests as a lawful ground for processing under the GDPR always requires a case-by-case analysis, the participants indicated that they appreciated the discussion over concrete cases decided by the Court of Justice of the EU, the summary and discussion of a couple of cases at Member State level involving both decisions of Data Protection Authorities and national Courts, as well as the specific advice on how to operationalize the Legitimate Interest Assessment based on a previous analysis of multiple cases decided by DPAs and courts.
You can download the Report containing summaries of approximately 40 cases where processing on the basis of legitimate interests was at issue following this LINK.
Make sure you SUBSCRIBE to our Newsletter to be the first one to access our future reports and information about our public events!
