Privacy Papers 2017: Spotlight on the Winning Authors
Today, FPF announced the winners of the 8th Annual Privacy Papers for Policymakers (PPPM) Award. This Award recognizes leading privacy scholarship that is relevant to policymakers in the United States Congress, at U.S. federal agencies, and for data protection authorities abroad.
From many nominated privacy-related papers published in the last year, six were selected by Finalist Judges, after having been first evaluated highly by a diverse team of academics, advocates, and industry privacy professionals from FPF’s Advisory Board. Finalist Judges and Reviewers agreed that these papers demonstrate a thoughtful analysis of emerging issues and propose new means of analysis that can lead to real-world policy impact, making them “must-read” privacy scholarship for policymakers.
by Ryan Calo, Associate Professor of Law, University of Washington
Ryan Calo is the Lane Powell and D. Wayne Gittinger Associate Professor at the University of Washington School of Law. He is a faculty co-director (with Batya Friedman and Tadayoshi Kohno) of the University of Washington Tech Policy Lab, a unique, interdisciplinary research unit that spans the School of Law, Information School, and Paul G. Allen School of Computer Science and Engineering. Professor Calo’s research on law and emerging technology appears in leading law reviews (California Law Review, University of Chicago Law Review, and Columbia Law Review) and technical publications (MIT Press, Nature, Artificial Intelligence) and is frequently referenced by the mainstream media (NPR, New York Times, Wall Street Journal). Professor Calo serves as an advisor to many organizations, including the AI Now Institute, and is a member of the R Street Institute’s board.
by Woodrow Hartzog, Professor of Law and Computer Science, Northeastern University
Woodrow Hartzog is a Professor of Law and Computer Science at Northeastern University, where he teaches privacy and data protection law, policy, and ethics. He holds a joint appointment with the School of Law and the College of Computer and Information Science.Professor Hartzog’s work has been published in numerous scholarly publications such as the Yale Law Journal, Columbia Law Review, California Law Review, and Michigan Law Review and popular national publications such as The Guardian, Wired, BBC, CNN, Bloomberg, New Scientist, Slate, The Atlantic, and The Nation. He has testified twice before Congress on data protection issues. His book, Privacy’s Blueprint: The Battle to Control the Design of New Technologies, is forthcoming in Spring 2018 from Harvard University Press.The Undue Influence of Surveillance Technology Companies on Policing
by Elizabeth E. Joh, Professor of Law, UC Davis School of Law
Elizabeth E. Joh is a Professor of Law at the University of California, Davis School of Law, and is the recipient of the 2017 Distinguished Teaching Award. Professor Joh has written widely about policing, technology, and surveillance. Her scholarship has appeared in the Stanford Law Review, the California Law Review, the Northwestern University Law Review, the Harvard Law Review Forum, and the University of Pennsylvania Law Review Online. She has also provided commentary for the Los Angeles Times, Slate, and the New York Times.
by Craig Konnoth, Associate Professor of Law, Colorado Law, University of Colorado, Boulder
Craig Konnoth Professor Konnoth’s work lies at the intersection of health law and policy, bioethics, civil rights, and technology. His papers consider how health privacy burdens are created and distributed, how medical discourse is used both to enable and harm civil rights and autonomy, and how technology can be used to improve health outcomes. He has examined these issues in in contexts as diverse as religion and biblical counseling, consumer rights and transparency, FDA regulation, and collection of individual data. His publications have appeared in the Yale Law Journal, the Hastings Law Journal, the Penn Law Review, the Iowa Law Review, the online companions to the Penn Law Review & the Washington & Lee Law Review, and as chapters in edited volumes.Before arriving at the University of Colorado, Craig was a Sharswood and Rudin Fellow at Penn Law School and NYU Medical School, where he taught health information law, health law, and LGBT health law and bioethics.Before that he was the Deputy Solicitor General and the Inaugural Earl Warren Fellow at the California Department of Justice where he litigated primarily before the United States Supreme Court, and also before the California Supreme Court and the Ninth Circuit Court of Appeals. Cases involved the contraceptive mandate in the Affordable Care Act, Sexual Orientation Change Efforts, Facebook privacy policies, and cellphone searches. Before moving into government, Craig was the R. Scott Hitt Fellow in Law & Policy at the Williams Institute at UCLA Law School, where he focused on issues affecting same-sex partners, long term care, and Medicaid coverage issues, and drafted HIV rights legislation. He holds a J.D. from Yale, and an M.Phil. from the University of Cambridge. He clerked for Judge Margaret McKeown of the Ninth Circuit Court of Appeals.
by Karen Levy, Assistant Professor, Department of Information Science at Cornell University; and Solon Barocas, Assistant Professor in the Department of Information Science at Cornell University
Karen Levy Karen Levy is an assistant professor in the Department of Information Science at Cornell University and associated faculty at Cornell Law School. She researches how law and technology interact to regulate social life, with particular focus on social and organizational aspects of surveillance. Dr. Levy’s research analyzes the uses of data collection for social control in various contexts, from long-haul trucking to intimate relationships, with emphasis on inequality and marginalization. She holds a Ph.D. in Sociology from Princeton University and a J.D. from Indiana University Maurer School of Law. Before joining Cornell, she was a postdoctoral fellow at NYU’s Information Law Institute and at the Data & Society Research Institute.
Solon Barocas is an Assistant Professor in the Department of Information Science at Cornell University. His current research explores ethical and policy issues in artificial intelligence, particularly fairness in machine learning, methods for bringing accountability to automated decision-making, and the privacy implications of inference. He was previously a Postdoctoral Researcher at Microsoft Research, where he worked with the Fairness, Accountability, Transparency, and Ethics in AI group, as well as a Postdoctoral Research Associate at the Center for Information Technology Policy at Princeton University. Solon completed his doctorate in the Department of Media, Culture, and Communication at New York University, where he remain a Visiting Scholar at the Center for Urban Science + Progress.
by Paul M. Schwartz, Jefferson E. Peyser Professor of Law, Berkeley Law School; and Karl-Nikolaus Peifer, Director of the Institute for Media Law and Communications Law of the University of Cologne and Director of the Institute for Broadcasting Law at the University of Cologne
Paul M. Schwartz is a leading international expert on information privacy law. He is Jefferson E. Peyser Professor at the University of California, Berkeley Law School and a director of the Berkeley Center for Law and Technology. Professor Schwarz is the author of many books, including the leading casebook, “Information Privacy Law,” and the distilled guide, “Privacy Law Fundamentals,” each with Daniel Solove. Schwartz’s over fifty articles have appeared in journals such as the Harvard Law Review, Yale Law Journal, Stanford Law Review, University of Chicago Law Review and California Law Review.
Professor Schwartz is co-reporter of the American Law Institute’s Restatement of Privacy Law Principles. He is a past recipient of the Berlin Prize Fellowship at the American Academy in Berlin and a Research Fellowship at the German Marshall Fund in Brussels. Schwartz is also a recipient of grants from the Alexander von Humboldt Foundation, Fulbright Foundation, and the German Academic Exchange. He is a member of the organizing committee of the Privacy + Security Forum, International Privacy + Security Forum, and Privacy Law Salon. Schwartz publishes on a wide array of privacy and technology topics including cloud computing, financial privacy, European data privacy law, and comparative privacy law.
Karl-Nikolaus Peifer is the Director of the Institute for Media Law and Communications Law of the University of Cologne and Director of the Institute for Broadcasting Law at the University of Cologne. He studied law, economics and romanic languages at the of Universities of Trier, Bonn, Hamburg and Kiel. In 2003 he was appointed to be a judge at the Court of Appeals in Hamm/Germany, in 2013 at the Court of Appeals in Cologne. He was a Visiting Professor at the University of Illinois in 2009 and at the University of California at Berkeley from 2009 to 2012. In 2011 he was among the experts heard during the sessions of the Parliamentary Commission “Internet und Digital Society”. His main fields of research are Intellectual Property and Media Law.
The Finalist Judges also selected three papers for Honorable Mention on the basis of their uniformly strong reviews from the Advisory Board.
The winning authors have been invited to join FPF and Honorary Co-Hosts Senator Edward J. Markey, and the Co-chairs of the Congressional Bi-Partisan Privacy Caucus, to present their work at the U.S. Senate with policymakers, academics, and industry privacy professionals. This annual event will be held on February 27, 2018, the day before the Federal Trade Commission’s PrivacyCon. FPF will subsequently publish a printed digest of summaries of the winning papers for distribution to policymakers, privacy professionals, and the public. RSVP here to join us.
This Year's Six Must-Read Privacy Papers: The Future of Privacy Forum Announces Recipients of Annual Privacy Award
FOR IMMEDIATE RELEASE
December 12, 2017
Contact: Melanie Bates, Director of Communications, [email protected]
This Year’s Six Must-Read Privacy Papers: The Future of Privacy Forum Announces Recipients of Annual Privacy Award
Washington, DC – Today, the Future of Privacy Forum announced the winners of the 8th Annual Privacy Papers for Policymakers Award. The PPPM Award recognizes leading privacy scholarship that is relevant to policymakers in the U.S. Congress, at U.S. federal agencies, and for data protection authorities abroad. The winners of the 2017 PPPM Award are:
Transatlantic Data Privacy Law, by Paul Schwartz, UC Berkeley School of Law and Karl-Nikolaus Peifer, University of Cologne
From many nominated privacy-related papers published in the last year, these six were selected, after having been first evaluated highly by a diverse team of academics, advocates, and industry privacy professionals from FPF’s Advisory Board. It was agreed that these papers demonstrate a thoughtful analysis of emerging issues and propose new means of analysis that can lead to real-world policy impact, making them “must-read” privacy scholarship for policymakers.
At last year’s event, a new element to the program was introduced — the Student Paper Award. For this award, the student work must meet similar guidelines as those set for the general Call for Nominations. The following paper was selected for the Student Paper Award: The Market’s Law of Privacy: Case Studies in Privacy/Security Adoption, by Chetan Gupta, UC Berkeley.
“Academic scholarship can serve as a valuable resource for policymakers who are often wrestling with challenging privacy issues,” said Jules Polonetsky, FPF’s CEO. Now more than ever, topics such as artificial intelligence, algorithmic discrimination, connected cars, and transatlantic data flows, are at the forefront of the privacy debate. These papers are ‘must-reads’ for any thoughtful policymaker who wants to make an impact in this rapidly evolving space.”
The winning authors have been invited to join FPF and Honorary Co-Hosts Senator Edward J. Markey and Co-Chairs of the Congressional Bi-Partisan Privacy Caucus to present their work at the U.S. Senate with policymakers, academics, and industry privacy professionals. This annual event will be held on February 27, 2018, the day before the Federal Trade Commission’s PrivacyCon. FPF will subsequently publish a printed digest of summaries of the winning papers for distribution to policymakers, privacy professionals, and the public.
This event is supported by National Science Foundation Grant No. 1654085. Any opinions, findings and conclusions or recommendations expressed in these papers are those of the authors and do not necessarily reflect the views of the National Science Foundation.
###
The Future of Privacy Forum (FPF) is a non-profit organization that serves as a catalyst for privacy leadership and scholarship, advancing principled data practices in support of emerging technologies. Learn more about FPF by visiting www.fpf.org.
Unfairness By Algorithm: Distilling the Harms of Automated Decision-Making
Analysis of personal data can be used to improve services, advance research, and combat discrimination. However, such analysis can also create valid concerns about differential treatment of individuals or harmful impacts on vulnerable communities. These concerns can be amplified when automated decision-making uses sensitive data (such as race, gender, or familial status), impacts protected classes, or affects individuals’ eligibility for housing, employment, or other core services. When seeking to identify harms, it is important to appreciate the context of interactions between individuals, companies, and governments—including the benefits provided by automated decision-making frameworks, and the fallibility of human decision-making.
Recent discussions have highlighted legal and ethical issues raised by the use of sensitive data for hiring, policing, benefits determinations, marketing, and other purposes. These conversations can become mired in definitional challenges that make progress towards solutions difficult. There are few easy ways to navigate these issues, but if stakeholders hold frank discussions, we can do more to promote fairness, encourage responsible data use, and combat discrimination.
To facilitate these discussions, the Future of Privacy Forum (FPF) attempted to identify, articulate, and categorize the types of harm that may result from automated decision-making. To inform this effort, FPF reviewed leading books, articles, and advocacy pieces on the topic of algorithmic discrimination. We distilled both the harms and potential mitigation strategies identified in the literature into two charts. We hope you will suggest revisions, identify challenges, and help improve the document by contacting [email protected]. In addition to presenting this document for consideration for the FTC Informational Injury workshop, we anticipate it will be useful in assessing fairness, transparency and accountability for artificial intelligence, as well as methodologies to assess impacts on rights and freedoms under the EU General Data Protection Regulation.
The Chart of Potential Harms from Automated Decision-Making
This chart groups the harms identified in the literature into four broad “buckets”—loss of opportunity, economic loss, social detriment, and loss of liberty—to depict the various spheres of life where automated decision-making can cause injury. It also notes whether each harm manifests for individuals or collectives, and as illegal or simply unfair.
We hope that by identifying and categorizing the harms, we can begin a process that will empower those seeking solutions to mitigate these harms. We believe that a more clear articulation of harms will help focus attention and energy on potential mitigation strategies that can reduce the risks of algorithmic discrimination. We attempted to include all harms articulated in the literature in this chart; we do not presume to establish which harms pose greater or lesser risks to individuals or society.
The Chart of Potential Mitigation Sets
This chart uses FPF’s taxonomy to further categorize harms into groups that are sufficiently similar to each other that they could be amenable to the same mitigation strategies.
Attempts to solve or prevent this broad swath of harms will require a range of tools and perspectives. Such attempts benefit by further categorization of the identified harms, into five groups of similar harms. These groups include: (1) individual harms that are illegal; (2) individual harms that are simply unfair, but have a corresponding illegal analog; (3) collective/societal harms that have a corresponding individual illegal analog; (4) individual harms that are unfair and lack a corresponding illegal analog; and (5) collective/societal harms that lack a corresponding individual illegal analog. The chart includes a description of the mitigation strategies that are best positioned to address each group of harms.
There is ample debate about whether the lawful decisions included in this chart are fair, unfair, ethical, or unethical. Absent societal consensus, these harms may not be ripe for legal remedies.
Responsible Research and Privacy Practices Workshop generates new research opportunities
On November 2-3, 2017, the Future of Privacy Forum’s Research Coordination Network partnered with Facebook, Bentley University and University of Central Florida to host a workshop titled “Bridging Industry and Academia to Tackle Responsible Research and Privacy Practices”. As the title infers, the purpose of the workshop was to bring together key stakeholders from across industry, civil society, and academia to advance the privacy research agenda, focusing on topics including data analytics and privacy-preserving technologies, privacy and ethics in user research and people-centered privacy design.
As initiatives in each of these areas continue to gain considerable momentum, this was the opportune time to identify promising avenues for forming new academic and private sector collaborations. A primary goal of the workshop was to foster new collaborations and start working together to forge meaningful progress in these areas by creating possible research opportunities via “working groups”.
The 43 attendees comprised a mix from industry and academia. Organizations represented included Facebook, Microsoft, Knexus Research Corporation and Swiss Re. From the academic community, attendees included Professors of Computer Science, Law and Public Policy, Assistant Professors, and PhD/Doctoral/Graduate students from institutions such as MIT, Harvard, UC Berkley and NYU.
The workshop began with a thought provoking panel discussion with our distinguished Advisory Board members: Chris Clifton of Purdue University; Lorrie Cranor from Carnegie Mellon University; Lauri Kanerva of Facebook; Helen Nissenbaum from Cornell Tech and New York University; and Jules Polonetsky of Future of Privacy Forum. Participants then joined a working group based on the three main workshop themes mentioned above. These working groups developed concrete project ideas and developed new partnerships across disciplinary lines with the end-goal of working together to bring these project ideas to fruition.
Eight substantive themes were identified within the three main workshop topics. During working sessions, groups spent time developing a clearly defined problem statement for these identified themes. Themes and problem statements generated by the working groups included:
Data Analytics and Privacy Preserving Technologies: Governance – Creating a risk matrix that supports a concrete governance framework for data analytics
Data Analytics and Privacy Preserving Technologies: Outcomes Measurements – Bridging the gaps between computational privacy metrics and perceived privacy
Differential Privacy – Towards practical deployments and interpretability of privacy guarantees
Privacy and Ethics in User Research: Informed Consent – Models for informed consent for research at scale: Informing, consenting, and empowering users at scale
Privacy and Ethics in User Research: Beyond IRB – Drafting clear guidelines for research that falls outside of IRBs (e.g., archived data, public data)
Privacy and Ethics in User Research: Research Practices – Developing and distributing community norms around ethical research practices
People-Centered Privacy Design: Understanding Users and Individual Differences – Developing better technology and policy norms to address peoples’ different perceptions and concerns?
People-Centered Privacy Design: Rich, Complex, and Disconnected UIs –Enabling people to understand what the system knows and does, (b) enabling people to know if they should be worried, and (c) designing systems that allow people to make proactive and reactive choices about their data
The working groups plan to further develop the initial concepts created during the workshop and are expected to present concrete outcomes and deliverables at the next convening in about one year. The outcomes of this inaugural meeting will be sustained through future workshops that will be co-created by our growing community of academics and industry professionals. To learn more about this initiative, contact Margaret Honda at Future of Privacy Forum at [email protected].
This event is partially supported by National Science Foundation Grant No. 1654085. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
Financial Data Localization: Conflicts and Consequences
How has the growing trend of global financial data localization laws affected financial institutions handling difficult questions of data privacy? What have been the practical impacts of these laws? FPF addresses these questions in a new info-graphic: “Financial Data Localization: Conflicts and Consequences” (view the info-graphic here) (Pdf).
Financial Data Localization: Conflicts and Consequencesexplores the perceived drivers as well as the potential unintended consequences of the growing trend of global data localization laws. Data localization laws, which require data about a country’s residents be processed or stored inside the geographical boundaries of a country, are often perceived as a way to protect privacy, stimulate a local economy, or maintain national control over data and technology, among other motivations.
Despite the importance of these goals, there may be better ways to safeguard privacy and protect individuals’ financial data (for example, through narrowly tailored and proportionate law enforcement access requests) while avoiding unintended consequences. This info-graphic highlights three ways in which such laws may lead to unintended results: First, legal tension is often created by banks’ conflicting obligations to comply with local privacy laws and international law enforcement requests; second, threat responses may be hampered by cross-border data transfer restrictions that limit banks’ abilities to share security threats from one country to another; and finally, banks’ reporting abilities may be compromised by regulations that restrict cross border data transfer and regulations that require criminal reports to be made locally, increasing the risk that a criminal rejected in one country can open an account in another country.
As more countries consider data localization laws, these issues will continue to grow in importance. Recently, for example, the Brazilian Central Bank proposed cybersecurity regulations that would prohibit financial institutions from using data processing and cloud computing services based abroad. According to some, regulations such as these could have negative implications for banks and consumers, including raising the costs of effective fraud detection.
As U.S. financial institutions grapple with these difficult questions, we hope that this info-graphic will contribute to the growing conversation around data localization laws and how best to protect privacy and security internationally.
Click to view full info-graphic (PDF).
NAI Combines Web, Mobile, and Cross-Device Tracking Rules for 2018
The Network Advertising Initiative (NAI) released its 2018 Code of Conduct yesterday, consolidating the rules for online and mobile behavioral advertising (interest-based advertising). NAI, a non-profit organization in Washington, DC, is the leading self-regulatory association for digital advertising, with over 100 members and a formalized internal review mechanism.
The 2018 NAI Code of Conduct combines the earlier requirements in the web-focused 2015 Code of Conduct and the 2015 Mobile Application Code into one document for both web and mobile — an overall positive change that recognizes the fact that digital advertising in web and mobile are no longer separate or distinct spheres. Instead, most advertisers today combine their digital advertising efforts across web and mobile, with increasing efforts towards measuring advertising effectiveness for a single user across devices, browsers, and platforms through cross-device tracking.
Key takeaways for understanding the 2018 Code of Conduct (read the full Code and Commentary here):
Updates to Key Terminology. The biggest change to the NAI Code is that NAI has updated key terminology to account for the combination of web and mobile and for a shifting legal landscape. The term “Personalized Advertising” now functions as an umbrella term for all online behavioral advertising (interest-based advertising) (OBA/IBA), including re-targeting and cross-app advertising. All of the requirements that previously applied to OBA/IBA and cross-app advertising continue to apply to Personalized Advertising.
“Device-Identifiable Information.” NAI has also replaced the term “non-Personally Identifiable Information” (non-PII) with a new term, “Device-Identifiable Information” (DII) with all of the previous rules continuing to apply. Among other requirements, the Code requires that companies using DII for Personalized Advertising provide users with an easy-to-use mechanism for opting out of advertising-related data collection and use. For privacy advocates, the shift in terminology is a welcome step forward, acknowledging that information tied to devices, e.g. user IDs in cookies or mobile advertising identifiers (IDFA), while less directly identifiable than names and email addresses, still implicate individual privacy and merit robust privacy controls.
“De-Identified Data.” In parallel to the updated terminology above (“non-PII” to “DII”), the 2018 Code also contains an updated definition of de-identified data. Data considered “de-identified” falls outside of the requirements of most privacy laws and regulations, including the NAI Code, because it is usually considered to have fewer privacy implications (or none at all) if properly de-identified through rigorous technical steps. Most definitions mirror the Federal Trade Commission’s “reasonable linkability” analysis set forth in the Commission’s 2012 Privacy Report. The 2018 NAI Code has updated its definition, now considering de-identified data to include “data that is not linked or intended to be linked to an individual, browser, or device,” replacing the previous “not linked or reasonably linkable.” The change, which likely reflects practical challenges for companies that are increasingly holding segmented data-sets not related to personalized advertising, shifts the NAI’s analysis from the nature of the data to its uses. As debates over de-identification continue (see, e.g., arguments from Princeton researchers Arvind Narayanan and Edward Felten, and/or for more information, FPF’s “Shades of Gray: Seeing the Full Spectrum of Practical Data De-identification”), it will be interesting to see whether and how a use-based analysis of de-identified data affects the industry for digital advertising.
Imported Requirements for Cross-Device. In Section II of the 2018 NAI Code of Conduct, the requirements for transparency and notice have been helpfully re-organized, and now incorporate NAI’s 2017 guidance on cross-device tracking. Specifically, the Code includes updates for:
Website Notice. The 2018 Code clarifies that publishers are required to publish “An explanation of the purposes for which data is collected by, or will be transferred to, third parties, including Cross-Device Linking if applicable…” – Section II.B. This is a positive change, particularly in light of findings published last year by the Federal Trade Commission’s Office of Technology Research and Investigation (OTech) on data collected online for purposes of cross-device tracking. According to OTech, out of 100 popular websites tested, “only three sites provided specific information to users about enabling third-party cross device tracking.” NAI’s requirements may help with improving these kinds of consumer-facing disclosures.
User Controls. The 2018 NAI Code maintains the same substantive requirements, including that users must be able to opt out of the use of their device-identifiable information (DII) for Personalized Advertising. The Opt Out also covers Cross-Device Tracking to a limited extent (Section II.C) — Specifically: “While a browser or device is opted out of Personalized Advertising by a member, that member shall: (a) Cease the collection of data for Personalized Advertising on the browser or device on which the user has expressed such choice, for use on that or any other browser or device associated through Cross-Device Linking… [and] (b) Cease Personalized Advertising on the browser or device on which the user has expressed such choice, with any data collected from a browser or device associated through Cross-Device Linking.” In other words, opting out of Personalized Advertising on a given browser or device only functions as an “Opt Out” for that particular browser or device — it does not carry the user’s preference across other devices/browsers, even if they are known to be linked to the same user. In part, this is likely because much of cross-device tracking is probabilistic (and thus more challenging to effectuate privacy choices, such as an Opt Out, across multiple devices). For more, check out the FTC’s 2017 Staff Report on Cross-Device Tracking.
Affirmative Opt In for Sensitive Data, and Precise Location Data. Finally, the 2018 Code keeps its strong requirements for its members to obtain an affirmative “Opt In” for any collection and use of Sensitive Data (defined broadly, and including, e.g. any inferences of a sensitive health condition, regardless of source) and Precise Location Data (defined in accompanying 2015 guidance on determining whether location is precise).
As the tools available in Ad Tech become more expansive, so do the corresponding privacy implications for individuals. In 2017, we have seen controversies over political advertising leading to the introduction of the Honest Ads Act, and influential academic research demonstrating how individuals might use the tools provided by Demand Side Platforms (DSPs) to surveil known targets by targeting advertisements to specific mobile identifiers and tracking when and how the ads are viewed (a process being called “ADINT”). In addition, a growing trend in Ad Tech involves the creation of detailed audience profiles from a variety of “offline” sources — such as loyalty programs and offline shopping habits — in ways that fall outside of the strictures of self-regulatory codes, but nonetheless may be unexpected or surprising to many consumers.
For these reasons, consumer education is more important than ever, and self-regulatory mechanisms such as the NAI Code of Conduct can go farther, even as they represent important baseline privacy protections. While we believe that more can be done to address consumer privacy in Ad Tech, we nonetheless applaud these efforts at building greater industry consensus and collaborating towards responsible data practices.
Where Are They Now? FPF Trains a New Generation of Privacy Leaders
FPF offers up-and-coming privacy professionals fellowship opportunities, often giving new graduates experience in the privacy world. In this post, we will take a look at some of FPF’s former employees who have gone on to successful privacy careers.
Kenesa Ahmad
Formerly: Legal and Policy Fellow, Future of Privacy Forum
Kenesa Ahmad is a partner at Aleada Consulting LLC, one of the first boutique privacy and data protection consulting firms in Silicon Valley. She is also the Chair and Co-Founder of Women in Security and Privacy (WISP) which is a nonprofit organization that aims to advance women in the privacy and security industries. “We [Kenesa and 7 other women] started the organization three years ago because we recognized the converging fields of privacy and security,” said Kenesa. “We want to ensure that there is diversity in this converging field.”
Additionally, Kenesa acts as a Security & Privacy Committee Member for Grace Hopper Celebration for Women in Computing. Previously, she worked for over four years with the Promontory Financial Group, LLC as a Privacy Associate. Kenesa says, “I was very fortunate to get a job with Promontory. I received invaluable experience from a mix of individuals who were just really smart, kind people who set me up for my job now.”
However, prior to her extensive work in these companies and committees, Kenesa received her JD from Ohio State University and LL.M. from Northwestern University. This led to her experience at FPF as a Legal and Policy Fellow for nearly two years. During her time with FPF, she worked closely with Peter Swire on various topics, including government surveillance, encryption, mobile applications, and more. In fact, she was awarded “Privacy Papers for Policy Makers 2012” for her essay “Going Dark vs. the Golden Age of Surveillance.”
“I’m so fortunate because at the time, FPF was much smaller and did not bring on many fellows. They gave me experience that I would not have gotten anywhere else. They gave me a very strong foundation in privacy,” said Kenesa. “I didn’t know it at the time, but FPF really changed my life.”
Heather Federman
Formerly: Legal and Policy Fellow, Future of Privacy Forum
Currently: Director of Enterprise Management & Privacy, Macy’s
Heather Federman attained her JD from Brooklyn Law School before she worked for FPF as a Legal and Policy Fellow from 2012-13. Since then, she has worked at Online Trust Alliance (OTA), American Express (Amex), and Macy’s in positions related to privacy. She reflects on her time at FPF, saying,
“It was a pretty exciting time for mobile privacy – the NTIA was undergoing its multistakeholder mobile app transparency process, the FTC was updating COPPA, and the California AG was tweeting at companies that their apps needed privacy policies. As a FPF Fellow, I had the opportunity to be involved in these efforts as well as our own internal initiatives like Mobile Location Analytics.”
After FPF, Heather became the Public Policy Director for OTA, which advocates for best practices to enhance the protection of security, privacy, and identity, while educating businesses, policymakers, and stakeholders. She met her boss at OTA through her work at FPF.
Heather then proceeded to work in the corporate world for Amex as the Senior Privacy Manager for over a year. At Amex, she focused on Global Branding, Marketing, and Digital Partnerships. She has mentioned that her connections at FPF helped position her for this job at Amex as well. “Sometimes the role of a privacy professional is weighing the benefits vs the risks when it comes to the organization’s data processing activities,” says Heather. “FPF is great because it really tries to walk that middle ground on issues.”
Heather is currently working as the Director of Enterprise Information Management & Privacy (EIM/P) at Macy’s. She is responsible for EIMP’s Policies, Programs, Communications and Training. Once again, Heather acknowledges that her work with FPF, specifically her involvement with the Mobile Location Analytics working group, allowed her to meet some influential people, including her current boss at Macy’s.
Now, approximately five years after her time as a Legal and Policy Fellow, Heather says, “FPF is great in that it has a mixture of policy, advocacy, and academia. Even today, I rely on FPF to keep me up to date on the latest and greatest of research.”
Joseph Jerome, who received his JD from New York University, is working as a Policy Counsel for the Center for Democracy & Technology (CDT). He focuses specifically on the legal and ethical issues that surround smart technologies and big data. Joe also has particular interest in transparency and accountability mechanisms and procedures involved in the use of data. “The best thing about CDT and being in privacy in general is that there is so much variety,” said Joe.
Before CDT, Joe worked as an associate at WilmerHale, focusing on cybersecurity and privacy practice. He dealt with advertising technologies and privacy compliance in the health and financial sectors.
However, before those impressive positions, Joe worked for almost 3 years at FPF as a Policy Counsel. Joe reflected on his time at FPF, saying, “I started there very early in my career, and when you deal with so many companies, people, and issues, you realize how little you know about everything.” Joe worked in several different issues at FPF, including big data, de-identification, geolocation, and much more.
“FPF was a really great launching pad,” said Joe. “Privacy is a pretty small community, and it seems like everybody knows everybody. Being at FPF was a really great way for me to make connections.”
Joe claims that it is unlikely he would have gotten his positions at WilmerHale and then CDT without the experience and connections he got at FPF.
Joe Newman
Formerly: Legal and Policy Fellow, Future of Privacy Forum
Joe Newman joined Ubisoft (a creator, publisher, and distributor of interactive entertainment) as a Senior Legal Counsel specializing in the field of Privacy. He will be focusing on North and South American privacy issues as well as the integration of European privacy laws and practices in Western society.
Before Ubisoft, Joe worked at Electronic Arts Inc. (EA) where he was a Privacy and Consumer Protection Attorney in California. There, Joe provided guidance to game development teams and central EA services, assisting with contract negotiation and resolving disputes. He focused on issues related to children’s privacy, government data requests, data governance, sweepstakes and promotions, international privacy compliance, e-commerce, advertising law, e-sports and competitive gaming, accessibility, end user-facing legal agreements, and data security.
In 2013-14, after obtaining his Juris Doctorate from George Washington University, Joe worked for FPF as a Legal and Policy Fellow. He focused on cutting-edge privacy issues, such as Do Not Track standards, international data transfer through the US-EU Safe Harbor, third-party vendor management, and tracking in modern videogames.
When reflecting on his time as a Legal and Policy Fellow, Joe said, “There was a lot of really exciting stuff going on that is still happening. My favorite project, and by far the most relevant to what I’m currently doing, was a white paper that Joe Jerome and I worked on together about data and privacy in video games. It was called ‘Press Start to Track: New Privacy Problems Raised by Video Game Technology.’” Joe cites that paper, which studied the tracking and usage of consumer data in videogames, as a major contributor to getting his job at EA.
He also values the unique standpoint from which FPF operates, which is “very much about finding real solutions that satisfy both industry and privacy needs.” He says,
“They position themselves in the middle of the road as a neutral party, as opposed to other places that are locked into a specific agenda. This makes a fellowship at FPF particularly good training for in-house work, which is all about finding good compromises.”
According to Joe, FPF helped him become familiar with the landscape, the technology, and the players involved in the industry, which was critical to his privacy career.
Details on the EU-US privacy engineering workshop were published in European Data Protection Supervisor’s latest newsletter. This workshop was organized by the Internet Privacy Engineering Network (IPEN), Future of Privacy Forum, KU Leuven and Carnegie Mellon University, on November 10, in Leuven.
“The organisers and participants will document the outcome of the workshop in research reports and policy recommendations, which should be available from early next year.”
FPF Comments on the FTC and Department of Education Student Privacy and Ed Tech Workshop
On Friday, November 17th, 2017, the Future of Privacy Forum filed comments with the Federal Trade Commission and the Department of Education in conjunction with their upcoming workshop, to be held on December 1st. The workshop will examine the privacy issues inherent to the use of educational technology in schools, and consider the intersection of the Federal Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA). FPF’s comments are focused on two areas that merit additional clarity: 1) when schools’ consent to ed tech providers for data collection about students under thirteen years old is sufficient under COPPA; and 2) whether the rights and safeguards typically provided to parents under COPPA accrue to schools when administrators consent to data collection from young students. In our comments, we argue that schools should be able to provide consent for the use of ed tech tools when they will be used exclusively for educational purposes; and that when schools provide consent for the use of ed tech for educational purposes, COPPA rights and safeguards should accrue to the school.
While FERPA’s requirements for schools, parents, and ed tech providers are fairly clear, COPPA is ambiguous as to how schools may provide consent to the use of ed tech products in schools for children under the age of 13. Section M of the FTC’s FAQ on COPPA states that “schools may act as the parent’s agent and can consent to the collection of kids’ information on the parent’s behalf.” But this statement could be interpreted either as similar to FERPA’s school official exception, or as requiring that, since schools are acting as “the parent’s agent,” they must actively seek out parental consent before they can consent use of an ed tech tool. In some cases, ed tech providers have approached that ambiguity by attempting to shift the liability to the schools via contract, which often places a larger burden on the schools than is appropriate.
In many circumstances, it is appropriate that schools have the authority to provide consent for the use of ed tech products. Certain basic functions that require consent under COPPA would be thrown into disarray were the schools not able to provide that consent. Some schools could be unable to perform basic functions that rely on outside parties, such as operation of administrative information systems, and teachers could also be forced to design lesson plans around some students but not others. Parental consent to share student information is likely still appropriate for less integral functions, like using student information in the yearbook, or announcing the honor roll. When the school is permitted under COPPA to consent to an ed tech product being used, the rights that COPPA confers should also apply to a school, including any rights to control, access, review, and delete data. In some cases, providing parents with that right, while only providing the school with the right to consent on students’ behalf, could raise the specter of parents changing their childrens’ academic results; this would undermine the administrability and intergrity of some ed tech tools.
Increased clarity on FERPA and COPPA responsibilities for schools will allow for the responsible use of valuable and innovative ed tech products to assist students, and we look forward to discussing these issues further at the Student Privacy and Ed Tech workshop on December 1st.
A Conversation with Giovanni Buttarelli about The Future of Data Protection: setting the stage for an EU Digital Regulator
The nature of the digital economy is as such that it will force the creation of multi-competent supervisory authorities sooner rather than later. What if the European Data Protection Board would become in the next 10 to 15 years an EU Digital Regulator, looking at matters concerning data protection, consumer protection and competition law, having “personal data” as common thread? This is the vision Giovanni Buttarelli, the European Data Protection Supervisor, laid out last week in a conversation we had at the IAPP Data Protection Congress in Brussels.
The conversation was a one hour session in front of an over-crowded room in The Arc, a cozy amphitheater-like venue inducing bold ideas being expressed in a stimulating exchange.
To begin with, I reminded the Supervisor that at the very beginning of his mandate, in early 2015, he published the 5-year strategy of the EDPS. At that time the GDPR wasn’t adopted yet and the Internet of Things was taking off. Big Data had been a big thing for a while and questions about the feasibility and effectiveness of a legal regime that is centered around each data item that can be traced back to an individual were popping up. The Supervisor wrote in his Strategy that the benefits brought by new technologies should not happen at the expense of the fundamental rights of individuals and their dignity in the digital society.
“Big data will need equally big data protection“, he wrote then, suggesting thus that the answer to Big Data is not less data protection, but enhanced data protection.
I asked the Supervisor if he thinks that the GDPR is the “big data protection” he was expecting or whether we need something more than what the GDPR provides for. And the answer was that “the GDPR is only one piece of the puzzle”. Another piece of the puzzle will be the ePrivacy reform, and another one will be the reform of the regulation that provides data protection rules for the EU institutions and that creates the legal basis for the functioning of the EDPS. I also understood from our exchange that a big part of the puzzle will be effective enforcement of these rules.
The curious fate of the European Data Protection Board
One centerpiece of enforcement is the future European Data Protection Board, which is currently being set up in Brussels so as to be functional on 25 May 2018, when the GDPR becomes applicable. The European Data Protection Board will be a unique EU body, as it will have a European nature, being funded by the EU budget, but it will be composed of commissioners from national data protection authorities who will adopt decisions, that will rely for the day-to-day activity on a European Secretariat. The Secretariat of the Board will be ensured by dedicated staff of the European Data Protection Supervisor.
The Supervisor told the audience that he either already hired or plans to hire a total of “17 geeks” adding to his staff, most of whom will be part of the European Data Protection Board Secretariat. The EDPB will be functional from Day 1 and, apparently, there are plans for some sort of inauguration of the EDPB celebrated at midnight on the 24th to the 25th of May next year.
These are my thoughts here: the nature of the EDPB is as unique as the nature of the EU (those of you who studied EU Law certainly remember from the law school days how we were told that the EU is a sui generis type of economical and political organisation). In fact, the EDPB may very well serve as test model for ensuring supervision and enforcement of other EU policy areas. The European Commission could test the waters to see whether such a mixt national/European enforcement mechanism is feasible.
There is a lot of pressure on effective enforcement when it comes to the GDPR. We dwelled on enforcement, and one question that inevitably appeared was about the trend that starts to shape up in Europe, of having competition authorities and consumer protection authorities engaging in investigations together with, or in parallel with data protection authorities (see here – here and here).
“It’s time for a big change, and time for the EU to have a global approach“, the Supervisor said. And a change that will require some legislative action. “I’m not saying we will need an European FTC (US Federal Trade Commission – n), but we will need a Digital EU Regulator“, he added. This Digital Regulator would have the powers to also look into competition and consumer protection issues raised by processing of personal data (so, therefore, in addition to data protection issues). Acknowledging that these days there is a legislative fatigue in Brussels surrounding privacy and data protection, the Supervisor said he will not bring this idea to the attention of the EU legislator right now. But he certainly plans to do so, maybe even as soon as next year. The Supervisor thinks that the EDPB could morph into this kind of Digital Regulator sometime in the future.
Another question that had to be asked on enforcement was whether we should expect more concentrated and coordinated action of privacy commissioners on a global scale, in GPEN-like structures. The Supervisor revealed that the privacy commissioners that meet for the annual International Conference are “trying to complete an exercise about our future”. They are currently analyzing the idea of creating an entity with legal personality that will look into global enforcement cases.
Ethics comes on top of legal compliance
Another topic the conversation went to was “ethics”. The EDPS has been on the forefront of including the ethics approach in privacy and data protection law debates, by creating the Ethics Advisory Group at the beginning of 2016. I asked the Supervisor whether there is a danger that, by bringing such a volatile concept into the realm of data protection, companies would look at this as an opportunity to circumvent strict compliance and rely on sufficient self-assessments that their uses of data are ethical.
“Ethics comes on top of data protection law implementation”, the Supervisor explained. According to my understanding, ethics is brought into the data protection realm only after a controller or processor is already compliant with the law and, if they have to take equally legal decisions, they should rely on ethics to take the right decision.
We did discuss about other things during this session, including the 2018 International Conference of Privacy Commissioners that will take place in Brussels, and the Supervisor received some interesting questions from the public at the end, including about the Privacy Shield. But a blog can only be this long.
Note: The Supervisor’s quotes are so short in this blog because, as the moderator, I did my best to follow the discussion and steer it rather than take notes. So the quotes come from the brief notes I managed to take during this conversion.
ngton
Elizabeth E. Joh is a Professor of Law at the University of California, Davis School of Law, and is the recipient of the 2017 Distinguished Teaching Award. Professor Joh has written widely about policing, technology, and surveillance. Her scholarship has appeared in the Stanford Law Review, the California Law Review, the Northwestern University Law Review, the Harvard Law Review Forum, and the University of Pennsylvania Law Review Online. She has also provided commentary for the Los Angeles Times, Slate, and the New York Times.
Craig Konnoth Professor Konnoth’s work lies at the intersection of health law and policy, bioethics, civil rights, and technology. His papers consider how health privacy burdens are created and distributed, how medical discourse is used both to enable and harm civil rights and autonomy, and how technology can be used to improve health outcomes. He has examined these issues in in contexts as diverse as religion and biblical counseling, consumer rights and transparency, FDA regulation, and collection of individual data. His publications have appeared in the Yale Law Journal, the Hastings Law Journal, the Penn Law Review, the Iowa Law Review, the online companions to the Penn Law Review & the Washington & Lee Law Review, and as chapters in edited volumes.Before arriving at the University of Colorado, Craig was a Sharswood and Rudin Fellow at Penn Law School and NYU Medical School, where he taught health information law, health law, and LGBT health law and bioethics.
Karen Levy Karen Levy is an assistant professor in the Department of Information Science at Cornell University and associated faculty at Cornell Law School. She researches how law and technology interact to regulate social life, with particular focus on social and organizational aspects of surveillance. Dr. Levy’s research analyzes the uses of data collection for social control in various contexts, from long-haul trucking to intimate relationships, with emphasis on inequality and marginalization. She holds a Ph.D. in Sociology from Princeton University and a J.D. from Indiana University Maurer School of Law. Before joining Cornell, she was a postdoctoral fellow at NYU’s Information Law Institute and at the Data & Society Research Institute.
Solon Barocas is an Assistant Professor in the Department of Information Science at Cornell University. His current research explores ethical and policy issues in artificial intelligence, particularly fairness in machine learning, methods for bringing accountability to automated decision-making, and the privacy implications of inference. He was previously a Postdoctoral Researcher at Microsoft Research, where he worked with the Fairness, Accountability, Transparency, and Ethics in AI group, as well as a Postdoctoral Research Associate at the Center for Information Technology Policy at Princeton University. Solon completed his doctorate in the Department of Media, Culture, and Communication at New York University, where he remain a Visiting Scholar at the Center for Urban Science + Progress.
Paul M. Schwartz is a leading international expert on information privacy law. He is Jefferson E. Peyser Professor at the University of California, Berkeley Law School and a director of the Berkeley Center for Law and Technology. Professor Schwarz is the author of many books, including the leading casebook, “Information Privacy Law,” and the distilled guide, “Privacy Law Fundamentals,” each with Daniel Solove. Schwartz’s over fifty articles have appeared in journals such as the Harvard Law Review, Yale Law Journal, Stanford Law Review, University of Chicago Law Review and California Law Review.
Karl-Nikolaus Peifer is the Director of the Institute for Media Law and Communications Law of the University of Cologne and Director of the Institute for Broadcasting Law at the University of Cologne. He studied law, economics and romanic languages at the of Universities of Trier, Bonn, Hamburg and Kiel. In 2003 he was appointed to be a judge at the Court of Appeals in Hamm/Germany, in 2013 at the Court of Appeals in Cologne. He was a Visiting Professor at the University of Illinois in 2009 and at the University of California at Berkeley from 2009 to 2012. In 2011 he was among the experts heard during the sessions of the Parliamentary Commission “Internet und Digital Society”. His main fields of research are Intellectual Property and Media Law.
terminology to account for the combination of web and mobile and for a shifting legal landscape. The term “Personalized Advertising” now functions as an umbrella term for all online behavioral advertising (interest-based advertising) (OBA/IBA), including re-targeting and cross-app advertising. All of the requirements that previously applied to OBA/IBA and cross-app advertising continue to apply to Personalized Advertising.
