Privacy Law for Technologists
Professor Chris Hoofnagle
Info 236: Privacy Law for Technologists (Lec 001, CCN 32366)
Law 276.72: Privacy Law for Technologists (Lec 001, CCN 32261)
Mondays and Wednesdays from 11:20-1:00 in South Hall 210.
Office Hours: Thursdays from 10-12 in South Hall 212.
Information privacy law profoundly shapes how internet-enabled services may work. Privacy Law for Technologists will translate the regulatory demands flowing from the growing field of privacy, information security, and consumer law to those who are creating interesting and transformative internet-enabled services. The course will meet twice a week, with the first session focusing on the formal requirements of the law, and the second on how technology might accommodate regulatory demands and goals. Topics include: Computer Fraud and Abuse Act (reverse engineering, scraping, computer attacks), unfair/deceptive trade practices, ECPA, children’s privacy, big data and discrimination (FCRA, ECOA), DMCA, intermediary liability issues, the anti-marketing laws, the GDPR, and new for 2019, the California Consumer Privacy Act.
The required textbook for this class is my book (how opportunistic!): FTC Privacy Law and Policy (CUP 2016) But here is the good news: I negotiated a good price for it (about $37 in softcover), and there are several ways that you can get the content free. For instance, if you use the UCB VPN and go to Cambridge Books online, you can download a PDF of the whole book free.
This course is more demanding than it appears at first. Each week, you will be asked to learn substantive law, and then discuss how that law (or its policy goals) could be met with technology. This is a challenging exercise for both School of Information and School of Law students. Your participation in discussions (quality over quantity) is essential and is 30% of your grade. The remaining 70% comes from your final presentation.
Final presentation: you may work alone or in a group. Choose a service or a product of interest to you and prepare a presentation (no more than 10 minutes, and there will be a strict time limit) on how its privacy and/or security could be improved based on what you have learned in the course. You may work in a team for this presentation. Your presentation should identify the service or product's privacy/security implications, and discuss technological fixes, including the benefit and costs of the approach. Please identify your team and topic by March 7th.
APM-015 Part II statement
This course will deal with material concerning current events and exploration of government actions and their possible consequences. Class discussion will feature such material.
Law students: Hoofnagle's courses count toward's BCLT's certificate program.
|W Jan 23||
Introduction to the Course; Privacy
Note, UCB subscribes to everything under the sun. If the link to the Otto/Anton paper does not work, be sure you have the UCB library proxy set up, or use the VPN. Either of these resources will give you subscribed access to pretty much anything.
|M 28 Jan||
Privacy by Design
This week we will get into focus on a relatively-new movement in consumer protection: privacy by design (PbD). Generally attributed to former information and privacy commissioner of Ontario, Ann Cavoukian, privacy by design has increasing relevance in regulatory frameworks--the FTC has explicitly called for companies to consider it and it is an important element of the European General Data Protection Regulation (GDPR). We'll see that PbD isn't so easy and think about the incentive structures that are congruous and incongruous with PbD.
|W 30 Jan||
Discussion: Privacy by Design
On an abstract level, privacy by design appears to be a useful approach to addressing technical choices. Today's discussion will focus on the mechanics of making privacy by design workable. We will consider the incentive conflicts in privacy by design, some case studies, and examples of privacy by design that you encounter in your role as consumer. For discussion, please:
W/r/t #2--and for future discussion assignments--feel free to work in a group to develop examples. Be sure to identify your group in your bcourses post.
|M 4 Feb||
No class; Hoofnagle is out of town
|W 6 Feb
California Consumer Privacy Act Mini-Module
Class, my travel breaks up our lecture/discussion format, so let's do both lecture and discussion in one day for this topic. The California Consumer Privacy Act takes effect in 2020. Enacted in a hurry in order to block the likely passage of a legislative initiative, the CCPA is likely to be amended before its effective date, but the fundamental protections it contains will likely stay in place. What does the CCPA mean for information-intensive businesses? The CCPA delegates responsibilities to the CA Attorney General on many issues--how should the AG handle this?
*Class, please note, I've updated the reading. Please read the redline instead of AB 375. This is much easier to read.
California Consumer Privacy Act (AB 375 as enacted).
|M 11 Feb||
Unfair and Deceptive Acts and Practices
This week we will study Unfair and Deceptive Acts and Practices (UDAP) law. UDAP law forms a baseline of regulation for technology in the US. Consumer law thus forms the broadest kind of technology regulation, and it frames and constrains how we think about technology and fairness. In addition to the federal UDAP law, the Federal Trade Commission Act (FTC Act), states have their own versions of UDAP statutes, and some of these are broader than federal law.
Please read: Federal Trade Commission Privacy Law and Policy Chapter 5 (119–141).
|W 13 Feb||
Discussion: Unfair and Deceptive Acts and Practices
In preparation for discussion, please take these three steps:
Please read the following policy guides on modern advertising techniques
Be prepared to discuss how you might implement policy or technological interventions to promote compliance with the various rules we learned about UDAP and the more specific policies set forth by the FTC in the policy statement and guides above. You could think of the problem from at least two ways--as a FTC lawyer or technologist, or as a company that is selling products that wants to avoid affiliate marketers and others from engaging in deception (e.g. in LeanSpa, the company was held liable for 3rd party affiliate marketers who created fake news sites).
|M 18 Feb||
No class--Presidents' day holiday
|W 20 Feb||
FTC Privacy Part 1
Class, last week we discussed the basics of unfair and deceptive practices acts. This week and next we look at how the law of unfair and deceptive trade practices apply to online privacy issues. For the lecture, please read:
Federal Trade Commission Privacy Law and Policy, Chapter 6 (145–192). It is a lot of reading, but we'll use this same reading for this week and next.
|M 25 Feb||
Discussion: FTC Privacy Part 1
1) Disclosures you think are "material" under the FTC Act.
2) Text that specifies affirmative obligations on the website/service (we shall do x).
3) Text that specifies restrictions on the website/service (we will not do y).
4) Text that gives the user some choice (opt in or opt out).
|W 27 Feb||
FTC Privacy Part 2
For this part, please:
1) Review the reading from last week (Federal Trade Commission Privacy Law and Policy, Chapter 6).
2) Read the FTC report, Internet of Things: Privacy & Security in a Connected World (2015).
|M 4 Mar||
Discussion: FTC Privacy Part 2
Discussion this week will focus on the internet of things (IoT). It will become clear that the IoT presents one of the most difficult regulatory challenges for privacy. Our goal will be to consider how the FTC might apply its tools to police the IoT sector, and how we might engineer IoT devices differently in order to protect consumers.
To prepare for the discussion, please choose a consumer product that is now sold as "connected." An example is door locks--these are bronze-age inventions that are now offered in "internet connected" formats. Give thought to the potential new benefits that come from internet connectivity for this product. What new functions will be enable? What knock-on effects will these functions create? What new societal tensions will internet connectivity introduce? How might we introduce privacy by design or other engineering principles to steer this technology toward FTC compliance?
|W 6 Mar||
FTC Security & Security Breach Notification
For this lecture, please:
|Th 7 Mar||
Please identify your final project + team by this date.
|M 11 Mar||
Discussion: Security Frameworks
For this discussion, we will divide into groups to analyze and present several different security standards. Note that the security standards we are visiting here are not law, exactly. They are often developed with the private sector and required by private contract or through procurement standards.
Group 1: Cover ISO 27000/27001/27002. These standards are not publicly available--they have to be licensed. However, Professor Georg Disterer has written a good overview of these standards. See, Georg Disterer, ISO/IEC 27000, 27001 and 27002 for Information Security Management, 4(2) Journal of Information Security (2003).
Group 2: Cover NIST 800-53 (Rev 4). This is a 460 page document. Suffice it to say that it would be a waste of time to read the whole thing. Instead, start with the NIST Summary, and then look at chapters 1, 2, and appendixes F, G, and J. In the process, be sure to note any controls that you find particularly useful or underexamined in the course so far.
Group 4: . You will see the NIST framework in practice because financial regulators and the SEC have urged companies to implement it. A good starting point for understanding the framework is the FAQ on the NIST website.
All groups: do some searching and try to determine who uses your group's standard and why. You'll find that many companies do state their security standard in product specification sheets and regulatory findings.
Group assignments: TBD
|W Mar 13||
Read Federal Trade Commission Privacy Law and Policy, Chapter 7 (193–215).
|M Mar 18||
Discussion: Children's Privacy
We'll discuss the differences between COPPA and non-COPPA sites during our discussion, and then do a short, in-class exercise focused on monetizing COPPA regulated sites.
|W Mar 20||
The Stored Communications Act and Law Enforcement Agency (LEA) Requests
Please read Orin Kerr's A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending it, 72 George Washington Law Review 1208 (2004), pages 1208–1233.
|M Mar 25
W Mar 27
No class, spring break
|M Apr 1||
Discussion: The Stored Communications Act and Law Enforcement Agency (LEA) Requests
Class, for this discussion, we are going to consider a series of different LEA requests for user information.
In order to prepare, could you:
1) Read the entire assignment, including the requests that the other groups are receiving. It's not a lot of reading--about 20 pages in total.
2) Give some thought to how you might respond to the request from the lens of your client/company? Is there anything special about your business model that would affect how you want to respond? What steps should you take to comply? What information should your company disclose in response to the request? What should it not provide?
In class, we'll divide into groups for 20-25 minutes, and then discuss with the whole class the steps and issues you think are important to responding.
Group 1: You work for the Internet Archive. Your Chief Security Officer (CSO) receives a call from the FBI, and Agent Jones says she is going to come in person to the Internet Archive office this afternoon with a request for information (nov2007_nsl_edited.pdf). Agent Jones appears, shows you this letter on FBI letterhead, allows you and the CSO to read it, but does not allow you to keep a copy.
Group 2: You work for a telecommunications carrier Sprint. Your company operates a law enforcement response office 24/7. This request appears in the fax machine (Sprint - Nextel Exigent Circumstances Form_edited.pdf) from Irvine PD. You do a quick Google search and turn up this guide for Cell Tracking Requests from Irvine's police department. (celltrackingpra_irvine4_irvineca.pdf).
Group 3: You are the publisher of a well-established libertarian magazine, Reason.com. You receive this grand jury subpoena (reason_gjs.pdf). Warning: this case involves threats and there is nasty language in it.
Feeling a bit at sea? That's totally normal! Companies receive these processes out of the blue, with no context, and often without their counsel present. We'll work through the issues together.
|W Apr 3||
Wiretapping, Consumer Protection, and LEA Requests
|M Apr 8||
Discussion: Wiretapping, Consumer Protection, and LEA Requests
From the lecture it should become clear that many new consumer services "intercept" the human voice. There are obvious examples, such as in-home assistants (Amazon Echo, Google Home), devices that sometimes respond to human commands (such as Smart TVs), and perhaps some less obvious ones--consider that your phone may be "listening," or that you might use a "wearable" device that captures information in your interpersonal life.
There is almost no caselaw concerning these products and services--the closest we have are the Deep Packet Inspection cases, the Google Gmail Scanning Litigation, and the Google Street View Wifi Scanning cases.
For our discussion, we'll focus on what companies in this space are doing to comply with the federal Wiretap Act and state laws on interception of voice. To prepare
|W Apr 10||
Please read FTC Privacy Law and Policy pages 236–240; 249–259.
We'll also do a final presentation by ES, ND, & MC
|M Apr 15||
To prepare for our discussion, please:
1) As you visit stores in person or on the web, take note of companies that wish to enroll you in text marketing. Here's an example from FEMA, and here's another from a company that recently litigated a TCPA case. Take a screenshot or copy the link and post it in the discussion area--remember that you might find these as you shop offline and if you can snap a picture of them, that's great.
|W Apr 17||Final Presentations See discussion for schedule.|
|M Apr 22||Final Presentations|
|T Apr 23||
Boalt Hall Room 107 11:20-12:20
Last day for law students; Final presentations
|W 24 Apr||
Marketing Part 2
Please read FTC Privacy Law & Policy 240–249; 259–267.
|M 29 Apr||
International Privacy Part 1
Class, for our last session, we will look at how the European Union is shaping privacy norms in the U.S. This is a quickly changing subject matter. For background, please read:
|W 1 May||
International Privacy Part 2
The syllabus page shows a table-oriented view of the course schedule, and the basics of course grading. You can add any other comments, notes, or thoughts you have about the course structure, course policies or anything else.
To add some comments, click the "Edit" link at the top.