Computers, Privacy & the Constitution

View   r2  >  r1  ...
AaronChanFirstPaper 2 - 28 Apr 2012 - Main.EbenMoglen
Line: 1 to 1
 
META TOPICPARENT name="FirstPaper"
Deleted:
<
<
 

A Privacy Framework that Changes Little

Line: 9 to 8
 

Introduction

Changed:
<
<
The Obama administration recently released its Consumer Data Privacy Framework advocating for new legislation to comprehensively define consumer data protection rights. Unlike many European countries, the United States does not a law regarding privacy for all aspects of personal data collection on the Internet. Outside of several sectors, such as health care and credit reporting, the Federal government does not have laws protecting consumers from commercial exploitation of personal data. While the Electronic Communications Privacy Act does set up some marginal protection from government intrusion into electronic communications, it does not protect people from third parties. Since third parties are so proficient at collecting personal data, the government certainly has an incentive to not excessively curtail this activity. The Framework, while high in rhetoric, is empty in substance precisely because the government does not truly care about individual privacy.
>
>
The Obama administration recently released its Consumer Data Privacy Framework advocating for new legislation to comprehensively define consumer data protection rights. Unlike many European countries, the United States does not a law regarding privacy for all aspects of personal data collection on the Internet. Outside of several sectors, such as health care and credit reporting, the Federal government does not have laws protecting consumers from commercial exploitation of personal data. While the Electronic Communications Privacy Act does set up some marginal protection from government intrusion into electronic communications, it does not protect people from third parties. Since third parties are so proficient at collecting personal data, the government certainly has an incentive to not excessively curtail this activity. The Framework, while high in rhetoric, is empty in substance precisely because the government does not truly care about individual privacy.
 

What the government says it cares about

In the Framework, the administration claims that the current world lacks “a clear statement of basic privacy principles that apply to the commercial world” (emphasis added). It is true that there is no definitive statement of privacy principles on the books. The Federal Trade Commission has broad powers under § 5 of the FTC Act to prosecute “unfair or deceptive acts” and it has used this power to go after perceived privacy problems with some Internet companies. However, because technology evolves so quickly, it is necessary that the law be based on standards rather than rules. As ECPA demonstrates, clearly defining privacy rules based on contemporary technological practices becomes archaic and pointless. Instead, the Framework embraces setting standards about personal data collection and use based on Fair Information Practice Principles: individual control, transparency, respect for context, security, access and accuracy, focused collection, and accountability. This is certainly the better path to take to ensure that technology does not outpace legal protection.
Line: 31 to 32
 Because the government has an interest in people continuing to voluntarily give away all their information to companies, it can draw a distinction between wrongful collection of personal data and wrongful use. Under collection, the administration can say all it wants about data autonomy and informed consumers, but it knows that consumers do not care enough about their data autonomy for informed consent to mean anything. People do not realize why it is problematic for them to expose their lives and the lives of others to third parties and the government. It does not matter how much is explained to them when convenience trumps privacy.
Changed:
<
<

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:
>
>

A very good draft. A few points I would add to your thinking:

 
Changed:
<
<
>
>
First, it will help to consider "the government" a complex entity with many moving parts. The language you quote and on which your political analysis depends should be read as the boundary established in the policy coordination process by the intelligence and internal security entities. As you will have seen over course of the term, DoJ, Homeland Security and the DNI form a coalition that can efffectively resist anything on the "commercial" side. The commercial parties (network operators, Goog, FB, other data miners) have realized that the intelligence and security services are strong enough to demand impunity, and so the commercial parties are insisting on complete immunity from rule of law for all their "good faith" cooperation with the intelligence and security services. FTC, as an "independent" agency, is bucking the WH-DoJ position and going after Google where it can. The privacy guidelines represent the overall WH coordination of the FTC and Commerce Department positions on commercial privacy, minus any animus with Google, which has cemented its relationship with the WH in defeating SOPA/PIPA, and with all the carve-outs demanded by the intelligence and security services, represented for these purposes primarily by the DNI.

Second, we are not very far along in the analysis when we have discovered that formal government policy is speaking out of both sides of its mouth. Thurman Arnold would no doubt say that in politics, any creed embodying only a proposition and its opposite is not yet fully fleshed out. The real strength of your thinking lies in the insight that commercial collection and commercial use implicate different elements of the overall play of governmental interest. You haven't fully considered why the problem is "getting code in" to commercial mining operations, rather than "getting data out," or why the US government has a specific advantage in dealing with the miners on this subject.

Third, your point about collection and convenience as the individual user sees the situation is observationally verified, but it is only guaranteed to be true in the short term. Over the next several decades, people will grow up whose relationship to the Net will be quite different. Depending on the educational effects of our efforts, they will either be completely uninterested in privacy, in which case the Net will become the Matrix, or they will come to identify freedom with changing the behavior of the Net so that it controls them less and assists them more. That's where the work we are doing touches the fundamental nature of human destiny.

 
Deleted:
<
<
Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.
 \ No newline at end of file
Added:
>
>

AaronChanFirstPaper 1 - 28 Feb 2012 - Main.AaronChan
Line: 1 to 1
Added:
>
>
META TOPICPARENT name="FirstPaper"

A Privacy Framework that Changes Little

-- By AaronChan - 28 Feb 2012

Introduction

The Obama administration recently released its Consumer Data Privacy Framework advocating for new legislation to comprehensively define consumer data protection rights. Unlike many European countries, the United States does not a law regarding privacy for all aspects of personal data collection on the Internet. Outside of several sectors, such as health care and credit reporting, the Federal government does not have laws protecting consumers from commercial exploitation of personal data. While the Electronic Communications Privacy Act does set up some marginal protection from government intrusion into electronic communications, it does not protect people from third parties. Since third parties are so proficient at collecting personal data, the government certainly has an incentive to not excessively curtail this activity. The Framework, while high in rhetoric, is empty in substance precisely because the government does not truly care about individual privacy.

What the government says it cares about

In the Framework, the administration claims that the current world lacks “a clear statement of basic privacy principles that apply to the commercial world” (emphasis added). It is true that there is no definitive statement of privacy principles on the books. The Federal Trade Commission has broad powers under § 5 of the FTC Act to prosecute “unfair or deceptive acts” and it has used this power to go after perceived privacy problems with some Internet companies. However, because technology evolves so quickly, it is necessary that the law be based on standards rather than rules. As ECPA demonstrates, clearly defining privacy rules based on contemporary technological practices becomes archaic and pointless. Instead, the Framework embraces setting standards about personal data collection and use based on Fair Information Practice Principles: individual control, transparency, respect for context, security, access and accuracy, focused collection, and accountability. This is certainly the better path to take to ensure that technology does not outpace legal protection.

The administration claims that consumers need some protection in order to maintain consumer trust in networked technologies and that the Framework will provide such protection. While it may be true that consumers need to trust Internet companies for them to use online services, it is questionable as to what it would take for consumers to lose that trust as almost every new Facebook “feature” was eventually adopted by users. Yet, despite Mark Zuckerberg’s efforts to shift the privacy paradigm into sharing is good, privacy as a concept still sounds desirable to most Americans. This allows the Obama administration to claim that it is looking out for the public interest in promoting privacy.

What the government actually cares about

Despite its public relations side espousing principles of personal data autonomy, the government has an interest in encouraging the public to disregard privacy. There is no need for the government to do its own spying when people voluntarily give up every detail of their lives and their friends’ lives to online companies. The government can rely on these companies to collect the information and freely reach into their databases whenever it needs something that it may otherwise be prohibited from acquiring itself. Hence there is a dichotomy between protecting the public from voracious companies out to ravage personal data while making sure that the government has access when it wants. In other words, it is bad when private companies do gather and sell personal data, but not when it is for the government.

Under the principle of Focused Collection, “[c]ompanies should securely dispose of or de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise” (emphasis added). This “legal obligation” can be broadly read, but it illustrates what the government wants. In the section explaining what potential consumer data privacy protection legislation should avoid, it lists the following, among others:

  • Altering existing statutory or regulatory authorities pursuant to which the government may obtain information that is necessary to assist in conducting border searches, investigating criminal conduct or other violations of law, or protecting public safety and national security.
  • Contravening the ability of law enforcement to investigate and prosecute criminal acts, and ensure public safety.
  • Altering existing statutory, regulatory, or policy authorities that apply to the government’s information practices or address privacy issues outside of a purely commercial, consumer oriented context.

The government can’t be too persuasive in its rhetoric. It still needs its backdoor.

Why the government can say one thing but mean another

Because the government has an interest in people continuing to voluntarily give away all their information to companies, it can draw a distinction between wrongful collection of personal data and wrongful use. Under collection, the administration can say all it wants about data autonomy and informed consumers, but it knows that consumers do not care enough about their data autonomy for informed consent to mean anything. People do not realize why it is problematic for them to expose their lives and the lives of others to third parties and the government. It does not matter how much is explained to them when convenience trumps privacy.


You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.


Revision 2r2 - 28 Apr 2012 - 15:48:14 - EbenMoglen
Revision 1r1 - 28 Feb 2012 - 22:23:23 - AaronChan
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM