Law Commons^™

Who Owns Data? Constitutional Division In Cyberspace, Dongsheng Zang

Articles

Privacy emerged as a concern as soon as the internet became commercial. In early 1995, Lawrence Lessig warned that the internet, though giving us extraordinary potential, was “not designed to protect individuals against this extraordinary potential for others to abuse.” The same technology can “destroy the very essence of what now defines individuality.” Lessig urged that “a constitutional balance will have to be drawn between these increasingly important interests in privacy, and the competing interest in collective security.” Lessig envisioned that creating property rights in data would help individuals by giving them control of their data. As utopian as property …

Privacy And National Politics: Fingerprint And Dna Litigation In Japan And The United States Compared, Dongsheng Zang

Articles

Drawing cases from two related areas of law-fingerprint and DNA (deoxyribonucleic acid) data-this Article proposes a modified framework, built on the Balkin-Levinson emphasis on national politics: First, national politics understood as partisan rivalry cannot account for what I call doctrinal lock-in in this Article, where I will demonstrate that in different stages of American politics-the Lochner era, the New Deal era, and Civil Rights era-courts across the nation ruled predominantly in favor of public data collectors-state and federal law enforcement in fingerprint cases. From the 1990s, when DNA data became hot targets of law enforcement, the United States Supreme Court …

Why Govern Broken Tools?, Ryan Calo

Articles

In Assessing the Governance of Digital Contact Tracing in Response to COVID-19: Results of a Multi-National Study, Brian Hutler et al. ably compare two approaches to the governance of digital contract tracing (DCT). In this brief essay, I want to examine to what extent governance actually played a meaningful role in the failure of DCT. If DCT failed primarily for other reasons, then the authors’ normative suggestion to pursue “a new governance approach … for designing and implementing DCT technology going forward” may be misplaced.

The Hidden Harms Of Privacy Penalties, Mary D. Fan

Articles

How to frame privacy penalties to protect our personal information is an important question as demands for legislation and proposals proliferate. The predominant assumption in calls for a comprehensive consumer privacy regime is that regulation and penalties arm the consumer David against Goliath businesses. Missing in the focus on powerful companies is attention to the potential harms of expanding privacy penalties for small-fry individuals and entities, especially from disfavored or marginalized groups. This article is the first to illuminate the regressive risks of privacy penalties, showing how broad privacy penalties can become tools for harassment of small businesses and individuals …

Self-Control Of Personal Data And The Constitution In East Asia, Dongsheng Zang

Articles

No abstract provided.

The Right To Benefit From Big Data As A Public Resource, Mary D. Fan

Articles

The information that we reveal from interactions online and with electronic devices has massive value—for both private profit and public benefit, such as improving health, safety, and even commute times. Who owns the lucrative big data that we generate through the everyday necessity of interacting with technology? Calls for legal regulation regarding how companies use our data have spurred laws and proposals framed by the predominant lens of individual privacy and the right to control and delete data about oneself. By focusing on individual control over droplets of personal data, the major consumer privacy regimes overlook the important question of …

Privacy Law's Indeterminacy, Ryan Calo

Articles

American legal realism numbers among the most important theoretical contributions of legal academia to date. Given the movement’s influence, as well as the common centrality of certain key figures, it is surprising that privacy scholarship in the United States has paid next to no attention to the movement. This inattention is unfortunate for several reasons, including that privacy law furnishes rich examples of the indeterminacy thesis—a key concept of American legal realism—and because the interdisciplinary efforts of privacy scholars to explore extra-legal influences on privacy law arguably further the plot of legal realism itself

A Long-Standing Debate: Reflections On Risk And Anxiety: A Theory Of Data Breach Harms By Daniel Solove And Danielle Keats Citron, Ryan Calo

Articles

This jointly-authored Article contributes mightily to our understanding of a critical aspect of privacy: harm. As Professors Solove and Citron carefully evidence, courts are reticent to countenance the harms that flow from a violation of privacy, even as they compensate similar harms in other contexts. Thus while exposing a plaintiff to an environmental or health risk may be compensable, few decisions vindicate victims of a data breach unless or until they experience actual identity theft. Courts have recognized subjective harms such as fear since the night W de S threw his fateful axe at M de S. But courts seldom …

Privacy, Vulnerability, And Affordance, Ryan Calo

Articles

This essay begins to unpack the complex, sometimes contradictory relationship between privacy and vulnerability. I begin by exploring how the law conceives of vulnerability — essentially, as a binary status meriting special consideration where present. Recent literature recognizes vulnerability not as a status but as a state — a dynamic and manipulable condition that everyone experiences to different degrees and at different times. I then discuss various ways in which vulnerability and privacy intersect. I introduce an analytic distinction between vulnerability rendering, i.e., making a person more vulnerable, and the exploitation of vulnerability whether manufactured or native. I also describe …

Private Data, Public Safety: A Bounded Access Model Of Disclosure, Mary D. Fan

Articles

A growing volume of crucial information for protecting public health and safety is controlled by private-sector entities. The data are private in two senses—both proprietary and secluded from scrutiny. Controversies over corporate secrecy, such as sealed settlements that hide deaths due to product defects or nondisclosure of potentially hazardous substances, illustrate how corporate privacy and public safety can conflict.

Courts are conflicted about when to defer to companies’ claims of the right to keep information private when important public interests are implicated by the data that companies refuse to disclose.

This Article proposes allowing what it terms “bounded access” to …

Can Americans Resist Surveillance?, Ryan Calo

Articles

This Essay analyzes the ability of everyday Americans to resist and alter the conditions of government surveillance. Americans appear to have several avenues of resistance or reform. We can vote for privacy-friendly politicians, challenge surveillance in court, adopt encryption or other technologies, and put market pressure on companies not to cooperate with law enforcement.

In practice, however, many of these avenues are limited. Reform-minded officials lack the capacity for real oversight. Litigants lack standing to invoke the Constitution in court. Encryption is not usable and can turn citizens into targets. Citizens can extract promises from companies to push back against …

Taxation And Surveillance: An Agenda, Michael Hatfield

Articles

Among government agencies, the IRS likely has the surest legal claim to the most information about the most Americans: their hobbies, religious affiliations, reading activities, travel, and medical information are all potentially tax relevant. Privacy scholars have studied the arrival of Big Data, the internet-of-things, and the cooperation of private companies with the government in surveillance, but neither privacy nor tax scholars have considered how these technological advances should impact the U.S. tax system. As government agencies and private companies increasingly pursue what has been described as the “growing gush of data,” the use of these technologies in tax administration …

Privacy Harm Exceptionalism, Ryan Calo

Articles

“Exceptionalism” refers to the belief that a person, place, or thing is qualitatively different from others in the same basic category. Thus, some have spoken of America’s exceptionalism as a nation. Early debates about the Internet focused on the prospect that existing laws and institutions would prove inadequate to govern the new medium of cyberspace. Scholars have made similar claims about other areas of law.

The focus of this short essay is the supposed exceptionalism of privacy. Rather than catalogue all the ways that privacy might differ from other concepts or areas of study, I intend to focus on the …

Hands Off Our Fingerprints: State, Local, Andindividual Defiance Of Federal Immigrationenforcement, Christine N. Cimini

Articles

Secure Communities, though little-known outside law-enforcement circles, is one of the most powerful of the federal government’s immigration enforcement programs. Under Secure Communities, fingerprints collected by state and local law enforcement and provided to the Federal Bureau of Investigation for criminal background checks are automatically shared with the Department of Homeland Security, which checks the fingerprints against its immigration database. In the event of a match, an immigration detainer can be issued and an individual held after they would otherwise be entitled to release. Originally designed as a voluntary program in which local governments could choose to participate, the Department …

Communications Privacy For And By Whom?, Ryan Calo

Articles

A response to Professor Orin Kerr's The Next Generation Communications Privacy Act, which makes a series of quiet assumptions, however, that readers may find controversial.

First, the Article reads as though ECPA exists only to protect citizens from public officials. According to its text and to case law, however, ECPA also protects private citizens from one another in ways any new act should revisit.

Second, the Article assumes that society should address communications privacy with a statute, whereas specific experiences with ECPA suggest that the courts may be better suited to address communications privacy—for reasons Professor Kerr himself offers. …

Against Notice Skepticism In Privacy (And Elsewhere), M. Ryan Calo

Articles

What follows is an exploration of innovative new ways to deliver privacy notice. Unlike traditional notice that relies upon text or symbols to convey information, emerging strategies of “visceral” notice leverage a consumer’s very experience of a product or service to warn or inform. A regulation might require that a cell phone camera make a shutter sound so people know their photo is being taken. Or a law could incentivize websites to be more formal (as opposed to casual) wherever they collect personal information, as formality tends to place people on greater guard about what they disclose. The thesis of …

Consumer Subject Review Boards: A Thought Experiment, Ryan Calo

Articles

The adequacy of consumer privacy law in America is a constant topic of debate. The majority position is that United States privacy law is a “patchwork,” that the dominant model of notice and choice has broken down, and that decades of self-regulation have left the fox in charge of the henhouse. A minority position chronicles the sometimes surprising efficacy of our current legal infrastructure.

But the challenges posed by big data to consumer protection feel different. They seem to gesture beyond privacy’s foundations or buzzwords, beyond “fair information practice principles” or “privacy by design.” The challenges of big data may …

The Boundaries Of Privacy Harm, M. Ryan Calo

Articles

Just as a burn is an injury caused by heat, so is privacy harm a unique injury with specific boundaries and characteristics. This Essay describes privacy harm as falling into two related categories. The subjective category of privacy harm is the perception of unwanted observation. This category describes unwelcome mental states—anxiety, embarrassment, fear—that stem from the belief that one is being watched or monitored. Examples of subjective privacy harms include everything from a landlord eavesdropping on his tenants to generalized government surveillance.

The objective category of privacy harm is the unanticipated or coerced use of information concerning a person against …

People Can Be So Fake: A New Dimension To Privacy And Technology Scholarship, M. Ryan Calo

Articles

This article updates the traditional discussion of privacy and technology, focused since the days of Warren and Brandeis on the capacity of technology to manipulate information. It proposes a novel dimension to the impact of anthropomorphic or social design on privacy.

Technologies designed to imitate people-through voice, animation, and natural language-are increasingly commonplace, showing up in our cars, computers, phones, and homes. A rich literature in communications and psychology suggests that we are hardwired to react to such technology as though a person were actually present.

Social interfaces accordingly capture our attention, improve interactivity, and can free up our hands …

Are "Better" Security Breach Notification Laws Possible?, Jane K. Winn

Articles

This Article will evaluate the provisions of California's pioneering security breach notification law (SBNL) in light of "better regulation" or "smart regulation" criteria in order to highlight the costs of taking a narrowly focused, piecemeal approach and the benefits of taking a more comprehensive perspective to the problems of identity theft and information security. Just as the basic structure of SBNLs was borrowed from environmental law, this Article will borrow from decades of analysis of the impact of environmental regulation to evaluate the likely impact of SBNLs.

Just as environmental laws can be used to reduce externalities created through the …

Lost In Translation? Data Mining, National Security And The Adverse Inference Problem, Anita Ramasastry

Articles

To the extent that we permit data mining programs to proceed, they must provide adequate due process and redress mechanisms that permit individuals to clear their names. A crucial criteria for such a mechanism is to allow access to information that was used to make adverse assessments so that errors may be corrected. While some information may have to be kept secret for national security purposes, a degree of transparency is needed when individuals are trying to protect their right to travel or access government services free from suspicion.

Part II of this essay briefly outlines the government's ability to …

Collateralizing Internet Privacy, Xuan-Thao Nguyen

Articles

Collateralizing privacy is a pervasive conduct committed by many on-line companies. Yet most don't even realize that they are engaging in collateralizing privacy. Worse yet, governmental agencies and consumer groups are not even aware of the violation of on-line consumer privacy by the collateralization of privacy. Professor Nguyen argues that collateralizing privacy occurs under the existing privacy regime and the architecture of article 9 of the Uniform Commercial Code. Professor Nguyen critiques the violation of privacy through collateralization dilemmas and proposes a solution involving modifications of the contents of the financing statement and security agreement in secured transactions where consumer …