Privacy Law For Technologists
South Hall 205
Professor Chris Hoofnagle
INFO 290 LEC 002 40455
LAW 276.72 LEC 001 45962
Law students: please note that Berkeley Law starts classes on Monday, August 21, but campus starts Wednesday the 23rd. Our first class will be on Wednesday the 23rd. We will make up the missed class.
Information privacy law profoundly shapes how internet-enabled services may work. Privacy Law for Technologists will translate the regulatory demands flowing from the growing field of privacy and security law to those who are creating interesting and transformative internet-enabled services. The course will meet twice a week, with the first session focusing on the formal requirements of the law, and the second on how technology might accommodate regulatory demands and goals. Topics include: Computer Fraud and Abuse Act (reverse engineering, scraping, computer attacks), unfair/deceptive trade practices, ECPA, children’s privacy, big data and discrimination (FCRA, ECOA), DMCA, intermediary liability issues, ediscovery and data retention, the anti-marketing laws, and technical requirements flowing from the EU-US Privacy Shield
The required textbook for this class is my book (how opportunistic!): FTC Privacy Law and Policy (CUP 2016) But here is the good news: I negotiated a good price for it (about $37 in softcover), and there are several ways that you can get the content free. For instance, if you use the UCB VPN and go to Cambridge Books online, you can download a PDF of the whole book free.
This course is more demanding than it appears at first. Each week, you will be asked to learn substantive law, and then discuss how that law (or its policy goals) could be met with technology. This is a challenging exercise for both School of Information and School of Law students. Your participation in discussions (quality over quantity) is essential and is 30% of your grade. The remaining 70% comes from your final presentation.
Final presentation: you may work alone or in a group. Choose a service or a product of interest to you and prepare a presentation (no more than 10 minutes, and there will be a strict time limit) on how its privacy and/or security could be improved based on what you have learned in the course. You may work in a team for this presentation. Your presentation should identify the service or product's privacy/security implications, and discuss technological fixes, including the benefit and costs of the approach. Please identify your team and topic by October 2.
APM-015 Part II statement
This course will deal with material concerning current events and exploration of government actions and their possible consequences. Class discussion will feature such material.
Law students: Hoofnagle's courses count toward's BCLT's certificate program.
|Wed Aug 23||
Introduction to the Course; Privacy
Note, UCB subscribes to everything under the sun. If the link to the Otto/Anton paper does not work, be sure you have the UCB library proxy set up, or use the VPN. Either of these resources will give you subscribed access to pretty much anything. The VPN is probably easier to use--just download it, install it, and start it up. After that, every page you visit will get a UCB IP referrer, thus giving you access to materials.
|Fri Aug 25||
Optional Event. The Troubled Future of Privacy ... and How to Stop It by Palantir Technologies' John Grant, Wozniak Lounge 430 Soda Hall, 6:00–7:30, dinner provided.
|Mon Aug 28||
Privacy by Design
This week we will get into focus on a relatively-new movement in consumer protection: privacy by design. Generally attributed to former information and privacy commissioner of Ontario, Ann Cavoukian, privacy by design has increasing relevance in regulatory frameworks--the FTC has explicitly called for companies to consider it.
|Wed Aug 30||
Discussion: Privacy by Design
On an abstract level, privacy by design appears to be a useful approach to addressing technical choices. Today's discussion will focus on the mechanics of making privacy by design workable. We will consider the incentive conflicts in privacy by design, some case studies, and examples of privacy by design that you encounter in your role as consumer. For discussion, please:
W/r/t #2--and for future discussion assignments--feel free to work in a group to develop examples.
|Mon Sep 4||
Labor Day Holiday, No Class
|Tues Sept 5||
Optional Talk: Becoming a Technical Lawyer (or, Sorry, You Are Going to Have to Do Math After All) 12:45-1:45 Boalt Hall (probably room 105 or 110)
Description: In addition to criminal and civil code, lawyers inevitably need to understand computer code in order to function effectively in today’s world. Technical architectures govern everything from determining what data exists to prove or disprove theories, when and how surveillance can be conducted, the range of policy options available to courts and legislatures, as well as raising novel legal questions that defy traditional solutions. John Grant, Director of Privacy and Civil Liberties Engineering at Palantir Technologies (J.D., Georgetown 2007), draws from his experience as a non-technical lawyer joining a highly technical startup to offer insights into what you need to know, why you need to know it, and how to build an effective relationship with the engineers who will be critical to your success.
|Tue Sep 5||
Optional Talk: Reigning in Online Abuses
Hany Farid, Sept 5, 2017 4pm, South Hall TBD
ABSTRACT: Online platforms today are being used in deplorably diverse ways: recruiting and radicalizing terrorists, buying and selling illegal weapons and underage prostitutes, cyberbullying and cyberstalking, revenge porn, theft of personal and financial data, propagating fake and hateful news, and much more. Technology companies have been and continue to be frustratingly slow in responding to these real threats with real consequences. I advocate for the development and deployment of new technologies that allow for the free flow of ideas while reigning in abuses. As a case study, I will describe one such technology—photoDNA—that is currently being used in the global fight against child exploitation. I will also describe the technological, legal, and policy obstacles that we faced prior to deployment and how lessons from this work can inform future efforts. I will also describe ongoing efforts in countering extremism on-line.
|Wed Sep 6
Active Defense and "Hacking Back" Mini-Module
Class, the holiday breaks up our lecture/discussion schedule, so let's do a one-day module with both lecture and discussion. Jonathan Jaffe, PWC's Director of Cybersecurity will join us.
New amendments to federal law give more leeway for "active defense" measures. In this module, we will look at the new statutory language and attempt to envision what active defense might entail.
Please read a backgrounder on the Computer Fraud and Abuse Act:
And then portions of the Cybersecurity Act of 2015:
Jonathan has specified two more readings:
|Mon Sep 11, 2017||
Unfair and Deceptive Acts and Practices
This week we will study Unfair and Deceptive Acts and Practices (UDAP) law. UDAP law forms a baseline of regulation for technology in the US. In addition to the federal UDAP law, the Federal Trade Commission Act (FTC Act), states have their own versions of UDAP statutes, and some of these are broader than federal law.
Please read: Federal Trade Commission Privacy Law and Policy Chapter 5 (119–141).
|Wed Sep 13||
Discussion: Unfair and Deceptive Acts and Practices
In preparation for discussion, please take these three steps:
Please read the following policy guides on modern advertising techniques
Be prepared to discuss how you might implement policy or technological interventions to promote compliance with the various rules we learned about UDAP and the more specific policies set forth by the FTC in the policy statement and guides above. You could think of the problem from at least two ways--as a FTC lawyer or technologist, or as a company that is selling products that wants to avoid affiliate marketers and others from engaging in deception (e.g. in LeanSpa, the company was held liable for 3rd party affiliate marketers who created fake news sites).
|Mon Sep 18||
FTC Privacy Part 1
Class, last week we discussed the basics of unfair and deceptive practices acts. This week and next we look at how the law of unfair and deceptive trade practices apply to online privacy issues. For the lecture, please read:
Federal Trade Commission Privacy Law and Policy, Chapter 6 (145–192). It is a lot of reading, but we'll use this same reading for this week and next.
|Wed Sep 20||
Discussion: FTC Privacy Part 1
1) Disclosures you think are "material" under the FTC Act.
2) Text that specifies affirmative obligations on the website/service (we shall do x).
3) Text that specifies restrictions on the website/service (we will not do y).
4) Text that gives the user some choice (opt in or opt out).
|Mon Sep 25||
FTC Privacy Part 2
For this week, please:
1) Review the reading from last week (Federal Trade Commission Privacy Law and Policy, Chapter 6).
2) Read the FTC report, Internet of Things: Privacy & Security in a Connected World (2015).
|Wed Sep 27||
Discussion: FTC Privacy Part 2
Discussion this week will focus on the internet of things (IoT). It will become clear that the IoT presents one of the most difficult regulatory challenges for privacy. Our goal will be to consider how the FTC might apply its tools to police the IoT sector, and how we might engineer IoT devices differently in order to protect consumers.
To prepare for the discussion, please choose a consumer product that is now sold as "connected." An example is door locks--these are bronze-age inventions that are now offered in "internet connected" formats. Give thought to the potential new benefits that come from internet connectivity for this product. What new functions will be enable? What knock-on effects will these functions create? What new societal tensions will internet connectivity introduce? How might we introduce privacy by design or other engineering principles to steer this technology toward FTC compliance?
|Mon Oct 2||
FTC Security & Security Breach Notification
For this lecture, please:
|Mon Oct 2||
Make Up Session: Please attend Professor Edward Balleisen's talk, 12:45–2 in Boalt (Law School Room 130). To prepare please
|Wed Oct 4||
Discussion: Security Frameworks
For this discussion, we will divide into groups to analyze and present several different security standards. Note that the security standards we are visiting here are not law, exactly. They are often developed with the private sector and required by private contract or through procurement standards.
Group 1: Cover ISO 27000/27001/27002. These standards are not publicly available--they have to be licensed. However, Professor Georg Disterer has written a good overview of these standards. See, Georg Disterer, ISO/IEC 27000, 27001 and 27002 for Information Security Management, 4(2) Journal of Information Security (2003).
Group 2: Cover NIST 800-53 (Rev 4). This is a 460 page document. Suffice it to say that it would be a waste of time to read the whole thing. Instead, start with the NIST Summary, and then look at chapters 1, 2, and appendixes F, G, and J. In the process, be sure to note any controls that you find particularly useful or underexamined in the course so far.
Group 3: Cover . PCI-DSS governs the acceptance of credit and debit cards. This is a long document as well. You might start by looking at the :) and the .
Group 4: . You will see the NIST framework in practice because financial regulators and the SEC have urged companies to implement it. A good starting point for understanding the framework is the FAQ on the NIST website.
All groups: do some searching and try to determine who uses your group's standard and why. You'll find that many companies do state their security standard in product specification sheets and regulatory findings.
Group assignments: TBD
|Mon Oct 9||
Read Federal Trade Commission Privacy Law and Policy, Chapter 7 (193–215).
|Wed Oct 11||
Discussion: Children's Privacy
We'll discuss the differences between COPPA and non-COPPA sites during our discussion, and then do a short, in-class exercise focused on monetizing COPPA regulated sites.
|Wed Oct 11||
Makeup Session: Please attend Professor Josh Lauer's talk, 4:10–5:30 in South Hall 202.
To prepare, please:
|Mon Oct 16||
The Stored Communications Act and Law Enforcement Agency (LEA) Requests
Please read Orin Kerr's A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending it, 72 George Washington Law Review 1208 (2004), pages 1208–1233.
|Wed Oct 18||
Discussion: The Stored Communications Act and Law Enforcement Agency (LEA) Requests
Class, for this discussion, we are going to consider a series of different LEA requests for user information.
In order to prepare, could you:
1) Read the entire assignment, including the requests that the other groups are receiving. It's not a lot of reading--about 20 pages in total.
2) Give some thought to how you might respond to the request from the lens of your client/company? Is there anything special about your business model that would affect how you want to respond? What steps should you take to comply? What information should your company disclose in response to the request? What should it not provide?
In class, we'll divide into groups for 20-25 minutes, and then discuss with the whole class the steps and issues you think are important to responding.
Group 1: You work for the Internet Archive. Your Chief Security Officer (CSO) receives a call from the FBI, and Agent Jones says she is going to come in person to the Internet Archive office this afternoon with a request for information (nov2007_nsl_edited.pdf). Agent Jones appears, shows you this letter on FBI letterhead, allows you and the CSO to read it, but does not allow you to keep a copy.
Group 2: You work for a telecommunications carrier Sprint. Your company operates a law enforcement response office 24/7. This request appears in the fax machine (Sprint - Nextel Exigent Circumstances Form_edited.pdf) from Irvine PD. You do a quick Google search and turn up this guide for Cell Tracking Requests from Irvine's police department. (celltrackingpra_irvine4_irvineca.pdf).
Group 3: You are the publisher of a well-established libertarian magazine, Reason.com. You receive this grand jury subpoena (reason_gjs.pdf). Warning: this case involves threats and there is nasty language in it.
Feeling a bit at sea? That's totally normal! Companies receive these processes out of the blue, with no context, and often without their counsel present. We'll work through the issues together.
|Mon Oct 23||
Wiretapping, Consumer Protection, and LEA Requests
|Wed Oct 25||
Discussion: Wiretapping, Consumer Protection, and LEA Requests
From the lecture it should become clear that many new consumer services "intercept" the human voice. There are obvious examples, such as in-home assistants (Amazon Echo, Google Home), devices that sometimes respond to human commands (such as Smart TVs), and perhaps some less obvious ones--consider that your phone may be "listening," or that you might use a "wearable" device that captures information in your interpersonal life.
There is almost no caselaw concerning these products and services--the closest we have are the Deep Packet Inspection cases, the Google Gmail Scanning Litigation, and the Google Street View Wifi Scanning cases.
For our discussion, we'll focus on what companies in this space are doing to comply with the federal Wiretap Act and state laws on interception of voice. To prepare
|Mon Oct 30||
Marketing Part 1
Please read FTC Privacy Law and Policy pages 236–240; 249–259.
|Wed Nov 1||
Discussion: Marketing Part 1
To prepare for our discussion, please:
1) As you visit stores in person or on the web, take note of companies that wish to enroll you in text marketing. Here's an example from FEMA, and here's another from a company that recently litigated a TCPA case. Take a screenshot or copy the link and post it in the discussion area--remember that you might find these as you shop offline and if you can snap a picture of them, that's great.
|Mon Nov 6||
Marketing Part 2
Please read FTC Privacy Law & Policy 240–249; 259–267.
|Wed Nov 8||
Discussion: Marketing Part 2
For the discussion, please:
|Mon Nov 13||
Please read Federal Trade Commission Privacy Law and Policy, Chapter 10 (268–305)
|Wed Nov 15||
Class, for our last sessions, we will look at how the European Union is shaping privacy norms in the U.S. This is a quickly changing subject matter. For background, please read:
|Thurs Nov 16||
Optional Event: Professor Christine Borgman (UCLA Info Studies) will speak on Open Data, Trust, and Stewardship: Universities at the Privacy Frontier. Thursday, Nov. 16th from 3:30–5 at the Faculty Club. Register here.
|Mon Nov 20||
Discussion: International Privacy
+MD Final Presentation on Blockchain Analysis
1) Europeans who visit US-based websites, and demand access or challenge your processing of their data as "illegitimate."
2) Whether and how you can place Quantcast measure beacons on EU-based web services (which presumably will move European's data outside the EEA). Do you sign a standard contractual clause with the European web service, or try to transfer data under the new EU-US Privacy Shield?
|Wed Nov 22||
No class--Thanksgiving break
|Mon Nov 27||
|Wed Nov 29||
The syllabus page shows a table-oriented view of the course schedule, and the basics of course grading. You can add any other comments, notes, or thoughts you have about the course structure, course policies or anything else.
To add some comments, click the "Edit" link at the top.