Data and Goliath (63 page)

We don’t perceive:
Jacquelyn Burkell et al. (2 Jan 2014), “Facebook: Public space, or private space?”
Information, Communication and Society
, http://www.tandfonline.com/doi/abs/10.1080/1369118X.2013.870591.

But because we didn’t bother:
Even if we had, we would have found that the agreement was vague, and gave the company
the right to do whatever it wanted . . . and to change the agreement at will without
notice or consent.

These laws don’t apply:
Scott Lybarger (1999), “Conduit or forum? Regulatory metaphors for the Internet,”
Free Speech Yearbook
37, http://www.tandfonline.com/doi/abs/10.1080/08997225.1999.10556239.

things we say on Facebook:
Noah D. Zatz (Fall 1998), “Sidewalks in cyberspace: Making space for public forums
in the electronic environment,”
Harvard Journal of Law & Technology
12, http://jolt.law.harvard.edu/articles/pdf/v12/12HarvJLTech149.pdf. Laura Stein
(Jan 2008), “Speech without rights: The status of public space on the Internet,”
Communication Review
11, http://www.tandfonline.com/doi/abs/10.1080/10714420801888385. Lyrissa Lidsky
(Dec 2011), “Public forum 2.0,”
Boston University Law Review
91, http://www.bu.edu/law/central/jd/organizations/journals/bulr/volume91n6/documents/LIDSKY.pdf.

14: Solutions for Corporations

what sorts of inventions:
It is much more likely that we will invent our way out of the ecological disaster
that is climate change than conserve our way out of it. Bjørn Lomborg (2001),
The Skeptical Environmentalist: Measuring the Real State of the World
, Cambridge University Press, https://encrypted.google.com/books?id=JuLko8USApwC.

1980 OECD Privacy Framework:
Organization for Economic Cooperation and Development (2013), “The OECD privacy framework,”
http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf.

EU Data Protection Directive:
European Parliament and Council of Europe (24 Oct 1995), “Directive 95/46/EC of the
European Parliament and of the Council of 24 October 1995 on the protection of individuals
with regard to the processing of personal data and on the free movement of such data,”
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML. Neil
Robinson et al. (2009), “Review of the European Data Protection Directive,” Report
TR-710-ICO, Information Commissioner’s Office,
RAND Corporation, http://ico.org.uk/~/media/documents/library/data_protection/detailed_specialist_guides/review_of_eu_dp_directive.ashx.

American corporations:
Karlin Lillington (14 May 2014), “Analysis: Google takes another hit with EU privacy
rulings,”
Irish Times
, http://www.irishtimes.com/business/sectors/technology/analysis-google-takes-another-hit-with-eu-privacy-rulings-1.1793749.
Price Waterhouse Coopers (Jul 2014), “EU data protection reforms: Challenges for businesses,”
http://www.pwc.com/en_US/us/risk-assurance-services/publications/assets/pwc-eu-data-protection-reform.pdf.

bringing that law up to date:
European Commission (25 Jan 2012), “Commission proposes a comprehensive reform of
the data protection rules,” http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm.
European Commission (25 Jan 2012), “Why do we need an EU data protection reform?”
http://ec.europa.eu/justice/data-protection/document/review2012/factsheets/1_en.pdf.
European Commission (12 Mar 2014),”Progress on EU data protection now irreversible
following European Parliament vote,” http://europa.eu/rapid/press-release_MEMO-14-186_en.htm.

OECD Privacy Framework (1980):
Organization for Economic Cooperation and Development (2013), “The OECD privacy framework,”
http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf.

By raising the cost of privacy breaches:
This is a good introduction to the economics of data privacy. Tyler Moore (2011),
“Introducing the economics of cybersecurity: Principles and policy options,” in
Proceedings of a Workshop on Deterring CyberAttacks: Informing Strategies and Developing
Options for U.S. Policy
, National Academies Press, http://cs.brown.edu/courses/csci1800/sources/lec27/Moore.pdf.

doing this in the US with healthcare data:
Healthcare data breach violations, and accompanying fines, are common. Patrick J.
O’Toole, Corey M. Dennis, and Douglas Levy (28 Mar 2014), “Best practices for avoiding
data breach liability,”
Michigan Lawyers Weekly
, http://milawyersweekly.com/news/2014/03/28/commentary-best-practices-for-avoiding-data-breach-liability.

it’s starting to happen here:
Sasha Romanosky, David Hoffman, and Alessandro Acquisti (25–26 Jun 2012), “Empirical
analysis of data breach litigation,” 11th Annual Workshop on the Economics of Information
Security, Berlin, Germany, http://weis2012.econinfosec.org/papers/Romanosky_WEIS2012.pdf.

Target is facing several lawsuits:
Target Corporation is a defendant in multiple lawsuits stemming from its 2013 data
breach. Alex Williams (23 Dec 2013), “Target may be liable for up to $3.6 billion
for card data breach,”
Tech Crunch
, http://techcrunch.com/2013/12/23/target-may-be-liable-for-up-to-3-6-billion-from-credit-card-data-breach.
Lance Duroni (3 Apr 2014), “JPML centralizes Target data breach suits in Minn.,”
Law360
, http://www.law360.com/articles/524968/jpml-centralizes-target-data-breach-suits-in-minn.

banks are being sued:
Brian Krebs (8 Jan 2014), “Firm bankrupted by cyberheist sues bank,”
Krebs on Security
, http://krebsonsecurity.com/2014/01/firm-bankrupted-by-cyberheist-sues-bank. Brian
Krebs (20 Jun 2014), “Oil Co. wins $350,
000
cyberheist settlement,”
Krebs on Security
, http://krebsonsecurity.com/2014/06/oil-co-wins-35
000
0-cyberheist-settlement. Brian Krebs (13 Aug 2014), “Tenn. firm sues bank over $327K
cyberheist,”
Krebs on Security
, http://krebsonsecurity.com/2014/08/tenn-utility-sues-bank-over-327k-cyberheist.

These cases can be complicated:
Here’s one proposal. Maurizio Naldi, Marta Flamini, and Giuseppe D’Acquisto (2013),
“Liability for data breaches: A proposal for a revenue-based sanctioning approach,”
in
Network and System Security
(Lecture Notes in Computer Science Volume 7873), Springer, http://link.springer.com/chapter/10.1007%2F978-3-642-38631-2_20.

There’s a parallel with how:
Much has been written about what privacy regulation can learn from environmental
regulation. Dennis D. Hirsch (Fall 2006), “Protecting the inner environment: What
privacy regulation can learn from environmental law,
” Georgia Law Review
41, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1021623. Ira S. Rubinstein
(2011), “Privacy and regulatory innovation: Moving beyond voluntary codes,”
I/S, A Journal of Law and Policy for the Information Society
6, http://www.ftc.gov/sites/default/files/documents/public_comments/privacy-roundtables-comment-project-no.p095416-544506-
000
22/544506-
000
22.pdf.

The US Code of Fair Information Practices:
Willis H. Ware et al. (Jul 1973), “Records, computers and the rights of citizens:
Report of the Secretary’s Advisory Committee on Automated Personal Data Systems,”
DHEW Publication (OS) 73-94, US Department of Health, Education and Welfare, http://www.justice.gov/sites/default/files/opcl/docs/rec-com-rights.pdf.

Making companies liable for breaches:
There would need to be some exception for free and open-source software, and other
instances where the user does not have any contractual relationship with the software
vendor.

The relevant term from economics:
Giuseppe Dari-Matiacci and Nuno Garoupa (May 2009), “Least cost avoidance: The tragedy
of common safety,”
Journal of Law, Economics, and Organization
25, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=560062. Paul Rosenzweig (5
Nov 2013), “Cybersecurity and the least cost avoider,”
Lawfare
, http://www.lawfareblog.com/2013/11/cybersecurity-and-the-least-cost-avoider.

personal information about you:
The notion of ownership is actually very complicated. Ali M. Al-Khouri (Nov 2012),
“Data ownership: Who owns ‘my data’?”
International Journal of Management and Information Technology
2, http://www.id.gov.ae/assets/FNukwmhbQ4k.pdf.aspx. Jacob M. Victor (Nov 2013),
“The EU General Data Protection Regulation: Toward a property regime for protecting
data privacy,”
Yale Law Journal
123, http://www.yalelawjournal.org/comment/the-eu-general-data-protection-regulation-toward-a-property-regime-for-protecting-data-privacy.

They pay for this information:
Jennifer Valentino-DeVries and Jeremy Singer-Vine (7 Dec 2012), “They know what you’re
shopping for,”
Wall Street Journal
, http://online.wsj.com/news/articles/SB1
000
1424127887324784404578143144132736214. Jeremy Singer-Vine (7 Dec 2012), “How Dataium
watches you,”
Wall Street Journal
, http://blogs.wsj.com/digits/2012/12/07/how-dataium-watches-you.

transparency trumps proprietary claims:
Frank Pasquale (21 Apr 2009), “The troubling trend toward trade secret-protected
ranking systems,” Chicago Intellectual Property Colloquium, Chicago, Illinois, http://www.chicagoip.com/pasquale.pdf.

more algorithms can be made public:
Ethan Zuckerman (5 Sep 2012), “TSA pre-check, fairness and opaque algorithms,”
My Heart’s in Accra
, http://www.ethanzuckerman.com/blog/2012/09/05/tsa-pre-check-fairness-and-opaque-algorithms.

there are ways of auditing algorithms:
Daniel Weitzner (29–30 Jan 2014), “The
jurisprudence of accountability,” 2nd International Workshop on Accountability: Science,
Technology and Policy, Cambridge, Massachusetts, http://dig.csail.mit.edu/2014/AccountableSystems2014/abs/weitzner-account-jurisprudence-abs.pdf.
Ed Felten (19 Mar 2014), “Algorithms can be more accountable than people,”
Freedom to Tinker
, https://freedom-to-tinker.com/blog/felten/algorithms-can-be-more-accountable-than-people.
Ed Felten (12 Sep 2012), “Accountable algorithms,”
Freedom to Tinker
, https://freedom-to-tinker.com/blog/felten/accountable-algorithms.

There’s been a concerted:
Examples include Microsoft Corporation and the World Economic Forum. Craig Mundie
(Mar/Apr 2014), “Privacy pragmatism: Focus on data use, not data collection,”
Foreign Affairs
93, http://www.foreignaffairs.com/articles/140741/craig-mundie/privacy-pragmatism.
William Hoffman et al. (May 2014), “Rethinking personal data: A new lens for strengthening
trust,” World Economic Forum, http://reports.weforum.org/rethinking-personal-data.
William Hoffman et al. (May 2014), “Rethinking personal data: Trust and context in
user-centred data ecosystems,” World Economic Forum, http://www3.weforum.org/docs/WEF_RethinkingPersonalData_TrustandContext_Report_2014.pdf.
William H. Dutton et al. (May 2014), “The Internet trust bubble: Global values, beliefs
and practices,” World Economic Forum, http://www3.weforum.org/docs/WEF_InternetTrustBubble_Report2_2014.pdf.
Fred H. Cate, Peter Cullen, and Viktor Mayer-Schonberger (Mar 2014), “Data protection
principles for the 21st century: Revising the 1980 OECD Guidelines,” Oxford Internet
Institute, University of Oxford, http://www.oii.ox.ac.uk/publications/Data_Protection_Principles_for_the_21st_Century.pdf.
President’s Council of Advisors on Science and Technology (May 2014), “Big data and
privacy: A technology perspective,” http://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-_may_2014.pdf.

the privacy harms come from:
Chris Jay Hoofnagle (2 Sep 2014), “The Potemkinism of privacy pragmatism,”
Slate
, http://www.slate.com/articles/technology/future_tense/2014/09/data_use_regulation_the_libertarian_push_behind_a_new_take_on_privacy.single.html.

One intriguing idea has been:
A. Michael Froomkin (23 Feb 2014), “Regulating mass surveillance as privacy pollution:
Learning from environmental impact statements,” University of Miami, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2400736.

The regulatory agencies:
Julie Brill (2 Jun 2014), “Weaving a tapestry to protect privacy and competition
in the age of Big Data,” European Data Protection Supervisor’s Workshop on Privacy,
Consumer Protection and Competition in the Digital Age, Brussels, Belgium, http://www.ftc.gov/system/files/documents/public_statements/313311/140602edpsbrill2.pdf.
Jules Polonetsky and Omer Tene (6 Dec 2012), “It’s not how much data you have, but
how you use it: Assessing privacy in the context of consumer data integration,” Future
of Privacy Forum, http://www.futureofprivacy.org/wp-content/uploads/FPF-White-Paper-Its-Not-How-Much-Data-You-Have-But-How-You-Use-It_FINAL.pdf.

what the United States needs:
European Union (9 Dec 2013), “National data protection authorities,” http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

Other applications prefer having:
Alon Halevy, Peter Norvig, and Fernando Pereira
(Mar/Apr 2009), “The unreasonable effectiveness of data,”
IEEE Intelligent Systems
24, https://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/35179.pdf.

Twitter . . . is giving its data:
Doug Gross (7 Jan 2013), “Library of Congress digs into 170 billion tweets,” CNN,
http://www.cnn.com/2013/01/07/tech/social-media/library-congress-twitter.

the German language:
Martin Fowler (12 Dec 2013), “Datensparsamkeit,” http://martinfowler.com/bliki/Datensparsamkeit.html.