Law Commons^™

Privacy Nicks: How The Law Normalizes Surveillance, Woodrow Hartzog, Evan Selinger, Johanna Gunawan

Faculty Scholarship

Privacy law is failing to protect individuals from being watched and exposed, despite stronger surveillance and data protection rules. The problem is that our rules look to social norms to set thresholds for privacy violations, but people can get used to being observed. In this article, we argue that by ignoring de minimis privacy encroachments, the law is complicit in normalizing surveillance. Privacy law helps acclimate people to being watched by ignoring smaller, more frequent, and more mundane privacy diminutions. We call these reductions “privacy nicks,” like the proverbial “thousand cuts” that lead to death.

Privacy nicks come from the …

Continuous Reproductive Surveillance, Michael Ulrich, Leah R. Fowler

Faculty Scholarship

The Dobbs opinion emphasizes that the state’s interest in the fetus extends to “all stages of development.” This essay briefly explores whether state legislators, agencies, and courts could use the “all stages of development” language to expand reproductive surveillance by using novel developments in consumer health technologies to augment those efforts.

National Telecommunications And Information Administration: Comments From Researchers At Boston University And The University Of Chicago, Ran Canetti, Aloni Cohen, Chris Conley, Mark Crovella, Stacey Dogan, Marco Gaboardi, Woodrow Hartzog, Rory Van Loo, Christopher Robertson, Katharine B. Silbaugh

Faculty Scholarship

These comments were composed by an interdisciplinary group of legal, computer science, and data science faculty and researchers at Boston University and the University of Chicago. This group collaborates on research projects that grapple with the legal, policy, and ethical implications of the use of algorithms and digital innovation in general, and more specifically regarding the use of online platforms, machine learning algorithms for classification, prediction, and decision making, and generative AI. Specific areas of expertise include the functionality and impact of recommendation systems; the development of Privacy Enhancing Technologies (PETs) and their relationship to privacy and data security laws; …

Femtechnodystopia, Leah R. Fowler, Michael Ulrich

Faculty Scholarship

Reproductive rights, as we have long understood them, are dead. But at the same time history seems to be moving backward, technology moves relentlessly forward. Femtech products, a category of consumer technology addressing an array of “female” health needs, seem poised to fill gaps created by states and stakeholders eager to limit birth control and abortion access and increase pregnancy surveillance and fetal rights. Period and fertility tracking applications could supplement or replace other contraception. Early digital alerts to missed periods can improve the chances of obtaining a legal abortion in states with ever-shrinking windows of availability or prompt behavioral …

Privacy Pretexts, Rory Van Loo

Faculty Scholarship

Data privacy’s ethos lies in protecting the individual from institutions. Increasingly, however, institutions are deploying privacy arguments in ways that harm individuals. Platforms like Amazon, Facebook, and Google wall off information from competitors in the name of privacy. Financial institutions under investigation justify withholding files from the Consumer Financial Protection Bureau by saying they must protect sensitive customer data. In these and other ways, the private sector is exploiting privacy to avoid competition and accountability. This Article highlights the breadth of privacy pretexts and uncovers their moral structure. Like most pretexts, there is an element of truth to the claims. …

The Surprising Virtues Of Data Loyalty, Woodrow Hartzog, Neil M. Richards

Faculty Scholarship

Lawmakers in the United States and Europe are seriously considering imposing duties of data loyalty that implement ideas from privacy law scholarship, but critics claim such duties are unnecessary, unworkable, overly individualistic, and indeterminately vague. This paper takes those criticisms seriously, and its analysis of them reveals that duties of data loyalty have surprising virtues. Loyalty, it turns out, can support collective well-being by embracing privacy’s relational turn; it can be a powerful state of mind for reenergizing privacy reform; it prioritizes human values rather than potentially empty formalism; and it offers solutions that are flexible and clear rather than …

Legislating Data Loyalty, Woodrow Hartzog, Neil Richards

Faculty Scholarship

Lawmakers looking to embolden privacy law have begun to consider imposing duties of loyalty on organizations trusted with people’s data and online experiences. The idea behind loyalty is simple: organizations should not process data or design technologies that conflict with the best interests of trusting parties. But the logistics and implementation of data loyalty need to be developed if the concept is going to be capable of moving privacy law beyond its “notice and consent” roots to confront people’s vulnerabilities in their relationship with powerful data collectors.

In this short Essay, we propose a model for legislating data loyalty. Our …

What Is Privacy? That’S The Wrong Question, Woodrow Hartzog

Faculty Scholarship

Privacy has never had a precise meaning. But in the early 1900s, the concept took on new life as a term of art in legal frameworks. The result has been a bit of a mess, as no singular definition has been adequate for all purposes. Daniel Solove, perhaps the most influential privacy scholar of our day, wrote at the turn of the millennium that privacy was “a concept in disarray.”

In this short essay reflecting upon Solove’s impact on the modern study of information privacy, I argue that the chaos and futility of competing conceptualizations of privacy is why Solove’s …

The Covid-19 Pandemic And The Technology Trust Gap, Johanna Gunawan, David Choffnes, Woodrow Hartzog, Christo Wilson

Faculty Scholarship

Industry and government tried to use information technologies to respond to the COVID-19 pandemic, but using the internet as a tool for disease surveillance, public health messaging, and testing logistics turned out to be a disappointment. Why weren’t these efforts more effective? This Essay argues that industry and government efforts to leverage technology were doomed to fail because tech platforms have failed over the past few decades to make their tools trustworthy, and lawmakers have done little to hold these companies accountable. People cannot trust the interfaces they interact with, the devices they use, and the systems that power tech …

The Case Of The Nosy Neighbors, Johanna Gunawan, Woodrow Hartzog

Faculty Scholarship

Inspired by companies like Clearview AI, Nextdoor, and Amazon, this case study asks students to assume the role of a high-ranking ethics-focused employee at a (fictional) neighborhood-focused social media company. It involves challenging ethical questions around how social media services and surveillance tools are built and used, and the complicated relationship between companies, their users, and law enforcement authorities. Students should pay particular attention to the values implicated by certain design decisions, and the competing incentives for corporations that might complicate the picture for ethical decision making.

A Duty Of Loyalty For Privacy Law, Neil M. Richards, Woodrow Hartzog

Faculty Scholarship

Data privacy law fails to stop companies from engaging in self-serving, opportunistic behavior at the expense of those who trust them with their data. This is a problem. Modern tech companies are so entrenched in our lives and have so much control over what we see and click that the self-dealing exploitation of people has become a major element of the internet’s business model.

Academics and policymakers have recently proposed a possible solution: require those entrusted with people’s data and online experiences to be loyal to those who trust them. But many have concerns about a duty of loyalty. What, …

Privacy In Pandemic: Law, Technology, And Public Health In The Covid-19 Crisis, Tiffany Li

Faculty Scholarship

The COVID-19 pandemic has caused millions of deaths and disastrous consequences around the world, with lasting repercussions for every field of law, including privacy and technology. The unique characteristics of this pandemic have precipitated an increase in use of new technologies, including remote communications platforms, healthcare robots, and medical AI. Public and private actors are using new technologies, like heat sensing, and technologically-influenced programs, like contact tracing, alike in response, leading to a rise in government and corporate surveillance in sectors like healthcare, employment, education, and commerce. Advocates have raised the alarm for privacy and civil liberties violations, but the …

Privacy's Constitutional Moment And The Limits Of Data Protection, Woodrow Hartzog, Neil M. Richards

Faculty Scholarship

America’s privacy bill has come due. Since the dawn of the Internet, Congress has repeatedly failed to build a robust identity for American privacy law. But now both California and the European Union have forced Congress’s hand by passing the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). These data protection frameworks, structured around principles for Fair Information Processing called the “FIPs,” have industry and privacy advocates alike clamoring for a “U.S. GDPR.” States seemed poised to blanket the country with FIP-based laws if Congress fails to act. The United States is thus in the midst …

Cyber Mobs, Disinformation, And Death Videos: The Internet As It Is (And As It Should Be), Danielle K. Citron

Faculty Scholarship

Fiction and visual representations can alter our understanding of human experiences and struggles. They help us understand human frailties and suffering in a visceral way. Nick Drnaso’s graphic novel Sabrina does that in spades. In Sabrina, a woman is murdered by a misogynist, and a video of her execution is leaked. Conspiracy theorists deem her murder a hoax. A cyber mob smears the woman’s loved ones as crisis actors, posts death threats, and spreads their personal information. The attacks continue until a shooting massacre redirects the cyber mob’s wrath to other mourners. Sabrina captures the breathtaking velocity of disinformation online …

Deep Fakes: A Looming Challenge For Privacy, Democracy, And National Security, Danielle K. Citron, Robert Chesney

Faculty Scholarship

Harmful lies are nothing new. But the ability to distort reality has taken an exponential leap forward with “deep fake” technology. This capability makes it possible to create audio and video of real people saying and doing things they never said or did. Machine learning techniques are escalating the technology’s sophistication, making deep fakes ever more realistic and increasingly resistant to detection. Deep-fake technology has characteristics that enable rapid and widespread diffusion, putting it into the hands of both sophisticated and unsophisticated actors. While deep-fake technology will bring with it certain benefits, it also will introduce many harms. The marketplace …

The Missing Regulatory State: Monitoring Businesses In An Age Of Surveillance, Rory Van Loo

Faculty Scholarship

An irony of the information age is that the companies responsible for the most extensive surveillance of individuals in history—large platforms such as Amazon, Facebook, and Google—have themselves remained unusually shielded from being monitored by government regulators. But the legal literature on state information acquisition is dominated by the privacy problems of excess collection from individuals, not businesses. There has been little sustained attention to the problem of insufficient information collection from businesses. This Article articulates the administrative state’s normative framework for monitoring businesses and shows how that framework is increasingly in tension with privacy concerns. One emerging complication is …

The Inconsentability Of Facial Surveillance, Evan Selinger, Woodrow Hartzog

Faculty Scholarship

Governments and companies often use consent to justify the use of facial recognition technologies for surveillance. Many proposals for regulating facial recognition technology incorporate consent rules as a way to protect those faces that are being tagged and tracked. But consent is a broken regulatory mechanism for facial surveillance. The individual risks of facial surveillance are impossibly opaque, and our collective autonomy and obscurity interests aren’t captured or served by individual decisions.

In this article, we argue that facial recognition technologies have a massive and likely fatal consent problem. We reconstruct some of Nancy Kim’s fundamental claims in Consentability: Consent …

Byrd V United States: Unauthorized Drivers Of Rental Cars Have Fourth Amendment Rights? Not As Evident As It Seems, Tracey Maclin

Faculty Scholarship

No discerning student of the Supreme Court would contend that Justice Anthony Kennedy broadly interpreted the Fourth Amendment during his thirty years on the Court. His majority opinions in Maryland v. King, Drayton v. United States and his willingness to join the three key sections of Justice Scalia’s opinion in Hudson v. Maryland, which held that suppression is never a remedy for knock-and-announce violations, are just a few examples of Justice Kennedy’s narrow view of the Fourth Amendment.

In light of his previous votes in search and seizure cases, surprisingly Justice Kennedy, in what would be his final Fourth Amendment …

The Pathologies Of Digital Consent, Neil M. Richards, Woodrow Hartzog

Faculty Scholarship

Consent permeates both our law and our lives — especially in the digital context. Consent is the foundation of the relationships we have with search engines, social networks, commercial web sites, and any one of the dozens of other digitally mediated businesses we interact with regularly. We are frequently asked to consent to terms of service, privacy notices, the use of cookies, and so many other commercial practices. Consent is important, but it’s possible to have too much of a good thing. As a number of scholars have documented, while consent models permeate the digital consumer landscape, the practical conditions …

A Poor Mother's Right To Privacy: A Review, Danielle K. Citron

Faculty Scholarship

Collecting personal data is a feature of daily life. Businesses, advertisers, agencies, and law enforcement amass massive reservoirs of our personal data. This state of affairs—what I am calling the “collection imperative”—is justified in the name of efficiency, convenience, and security. The unbridled collection of personal data, meanwhile, leads to abuses. Public and private entities have disproportionate power over individuals and groups whose information they have amassed. Nowhere is that power disparity more evident than for the state’s surveillance of the indigent. Poor mothers, in particular, have vanishingly little privacy. Whether or not poor mothers receive subsidized prenatal care, the …

Humans Forget, Machines Remember: Artificial Intelligence And The Right To Be Forgotten, Tiffany Li, Eduard Fosch Villaronga, Peter Kieseberg

Faculty Scholarship

To understand the Right to be Forgotten in context of artificial intelligence, it is necessary to first delve into an overview of the concepts of human and AI memory and forgetting. Our current law appears to treat human and machine memory alike – supporting a fictitious understanding of memory and forgetting that does not comport with reality. (Some authors have already highlighted the concerns on the perfect remembering.) This Article will examine the problem of AI memory and the Right to be Forgotten, using this example as a model for understanding the failures of current privacy law to reflect the …

Risk And Anxiety: A Theory Of Data Breach Harms, Danielle K. Citron, Daniel Solove

Faculty Scholarship

In lawsuits about data breaches, the issue of harm has confounded courts. Harm is central to whether plaintiffs have standing to sue in federal court and whether their claims are viable. Plaintiffs have argued that data breaches create a risk of future injury from identity theft or fraud and that breaches cause them to experience anxiety about this risk. Courts have been reaching wildly inconsistent conclusions on the issue of harm, with most courts dismissing data breach lawsuits for failure to allege harm. A sound and principled approach to harm has yet to emerge, resulting in a lack of consensus …

The Case Against Idealising Control, Woodrow Hartzog

Faculty Scholarship

Seemingly everyone, from scholars, industry, and privacy advocates to lawmakers, regulators, and judges seems to have settled on the idea that the key to privacy is control over personal information. But in practice, there is only so much a person can do. Control is far too precious and finite of a concept to meaningfully scale. It will never work for personal data mediated by technology.

Now we have an entire empire of data protection built around the crumbling edifice of control. The idealisation of control in modern data protection regimes like the GDPR and the ePrivacy Directive creates a pursuit …

Body Cameras And The Path To Redeem Privacy Law, Woodrow Hartzog

Faculty Scholarship

From a privacy perspective, the movement towards police body cameras seems ominous. The prospect of a surveillance device capturing massive amounts of data concerning people’s most vulnerable moments is daunting. These concerns are compounded by the fact that there is little consensus and few hard rules on how and for whom these systems should be built and used. But in many ways, this blank slate is a gift. Law and policy makers are not burdened by the weight of rules and technologies created in a different time for a different purpose. These surveillance and data technologies will be modern. Many …

Saving Face: Unfolding The Screen Of Chinese Privacy Law, Tiffany Li, Jill Bronfman, Zhou Zhou

Faculty Scholarship

Privacy is often a subjective value, taking on meaning from specific social, historical, and cultural contexts. Western privacy scholars have so far generally limited academic study to focus on Western ideals of privacy. However, privacy – or some notion of it – can be found in almost every culture and every nation, including the growing economic powerhouse that is the People’s Republic of China. Focusing on China as a case study of non-Western privacy norms is important today, given the rapid rise of the Chinese economy and its corresponding impact on worldwide cultural norms and law. Simply put, it is …

Data Collection And The Regulatory State, Ahmed Ghappour

Faculty Scholarship

The following remarks were given on January 27, 2017 during the Connecticut Law Review’s symposium, “Privacy, Security & Power: The State of Digital Surveillance.” Hillary Greene, the Zephaniah Swift Professor of Law at the University of Connecticut School of Law, offered introductory remarks and moderated the panel. The panel included Dr. Cooper, Associate Professor of Law and Director of the Program on Economics & Privacy at Antonin Scalia Law School at George Mason University, Professor Ghappour, Visiting Assistant Professor at UC Hastings College of the Law, Attorney Lieber, Senior Privacy Policy Counsel at Google, and Dr. Wu, Professor of Law …

Privacy's Trust Gap, Neil M. Richards, Woodrow Hartzog

Faculty Scholarship

It can be easy to get depressed about the state of privacy these days. In an age of networked digital information, many of us feel disempowered by the various governments, companies, and criminals trying to peer into our lives to collect our digital data trails. When so much is in flux, the way we think about an issue matters a great deal. Yet while new technologies abound, our ideas and thinking — as well as our laws — have lagged in grappling with the new problems raised by the digital revolution. In their important new book, Obfuscation: A User’s Guide …

Trusting Big Data Research, Neil M. Richards, Woodrow Hartzog

Faculty Scholarship

Although it might puzzle or even infuriate data scientists, suspicion about big data is understandable. The concept doesn’t seem promising to most people. It seems scary. This is partly because big data research is shrouded in mystery. People are unsure about organizations’ motives and methods. What do companies think they know about us? Are they keeping their insights safe from hackers? Are they selling their insights to unscrupulous parties? Most importantly, do organizations use our personal information against us? Big data research will only overcome its suspicious reputation when people can trust it.

Some scholars and commentators have proposed review …

The Privacy Policymaking Of State Attorneys General, Danielle K. Citron

Faculty Scholarship

Accounts of privacy law have focused on legislation, federal agencies, and the self-regulation of privacy professionals. Crucial agents of regulatory change, however, have been ignored: the state attorneys general. This article is the first in-depth study of the privacy norm entrepreneurship of state attorneys general. Because so little has been written about this phenomenon, I engaged with primary sources — first interviewing state attorneys general and current and former career staff, and then examining documentary evidence received through FOIA requests submitted to AG offices around the country.

Much as Justice Louis Brandeis imagined states as laboratories of the law, offices …

The Internet Of Heirlooms And Disposable Things, Woodrow Hartzog, Evan Selinger

Faculty Scholarship

The Internet of Things (“IoT”) is here, and we seem to be going all in. We are trying to put a microchip in nearly every object that is not nailed down and even a few that are. Soon, your cars, toasters, toys, and even your underwear will be wired up to make your lives better. The general thought seems to be that “Internet connectivity makes good objects great.” While the IoT might be incredibly useful, we should proceed carefully. Objects are not necessarily better simply because they are connected to the Internet. Often, the Internet can make objects worse and …