Introduction to the Course; Privacy

Please read:

• Daniel J. Solove, A Taxonomy of Privacy, 154(3) U. Penn. L. Rev. 477 (2006).
• Paul N. Otto and Annie I. Antón, Addressing Legal Requirements in Requirements Engineering, 15th IEEE International Requirements Engineering Conference (RE 2007), Delhi, 2007, pp. 5-14.

Note, UCB subscribes to everything under the sun. If the link to the Otto/Anton paper does not work, be sure you have the UCB library proxy set up, or use the VPN. Either of these resources will give you subscribed access to pretty much anything. 

Privacy by Design

This week we will get into focus on a relatively-new movement in consumer protection: privacy by design (PbD). Generally attributed to former information and privacy commissioner of Ontario, Ann Cavoukian, privacy by design has increasing relevance in regulatory frameworks--the FTC has explicitly called. for companies to consider it and it is an important element of the European General Data Protection Regulation (GDPR). We'll see that PbD isn't so easy and think about the incentive structures that are congruous and incongruous with PbD.

Please read:

• Ann Cavoukian, 7 Foundational Principles of Privacy by Design (2012).
• Sarah Spiekermann and Lorrie Faith Cranor, Engineering Privacy 35(1) IEEE Transactions on Software Engineering (Jan/Feb 2009)[IEEE link.].

Discussion: Privacy by Design

On an abstract level, privacy by design appears to be a useful approach to addressing technical choices. Today's discussion will focus on the mechanics of making privacy by design workable. We will consider the incentive conflicts in privacy by design, some case studies, and examples of privacy by design that you encounter in your role as consumer. For discussion, please:

1. Read Ira Rubinstein & Nathan Good, Privacy by Design: A Counterfactual Analysis of Google and Facebook Privacy Incidents, 28 Berkeley Technology Law Journal 1333 (2013). < This paper is co-authored by a School of Info PhD (Good) and won an award at the Privacy Law Scholars Conference.
2. Think about the products and services you use--find an example where privacy by design has been applied, or where you think it might be applied effectively. Come prepared to discuss your example in light of this week's readings. Post your example in the discussions area of bCourses.

W/r/t #2--and for future discussion assignments--feel free to work in a group to develop examples. Be sure to identify your group in your bcourses post.

No class; Hoofnagle is out of town

California Consumer Privacy Act Mini-Module

Class, my travel breaks up our lecture/discussion format, so let's do both lecture and discussion in one day for this topic. The California Consumer Privacy Act takes effect in 2020. Enacted in a hurry in order to block the likely passage of a legislative initiative, the CCPA is likely to be amended before its effective date, but the fundamental protections it contains will likely stay in place. What does the CCPA mean for information-intensive businesses? The CCPA delegates responsibilities to the CA Attorney General on many issues--how should the AG handle this?

Please read:

*Class, please note, I've updated the reading. Please read the redline instead of AB 375. This is much easier to read.

California Consumer Privacy Act Redline 

California Consumer Privacy Act (AB 375 as enacted).

Unfair and Deceptive Acts and Practices

This week we will study Unfair and Deceptive Acts and Practices (UDAP) law. UDAP law forms a baseline of regulation for technology in the US. Consumer law thus forms the broadest kind of technology regulation, and it frames and constrains how we think about technology and fairness. In addition to the federal UDAP law, the Federal Trade Commission Act (FTC Act), states have their own versions of UDAP statutes, and some of these are broader than federal law.

Please read: Federal Trade Commission Privacy Law and Policy Chapter 5 (119–141).

Discussion: Unfair and Deceptive Acts and Practices

In preparation for discussion, please take these three steps:

Please read the following policy guides on modern advertising techniques

• FTC Enforcement Policy Statement on Deceptively Formatted Advertisements (concerning "advertorial" or "native advertising").
• Guides Concerning the Use of Endorsements and Testimonials in Advertising, 16 CFR 255.
• Then, find some examples of advertising that is covered by either the policy statement or the guides (or covered by both) and post them in the discussion area.
• Finally, read about the business model of a native advertising network--there are several prominent ones, such as Outbrain and Taboola--or about a website that often hosts native content. Think about what is important to the different actors in the field.

Be prepared to discuss how you might implement policy or technological interventions to promote compliance with the various rules we learned about UDAP and the more specific policies set forth by the FTC in the policy statement and guides above. You could think of the problem from at least two ways--as a FTC lawyer or technologist, or as a company that is selling products that wants to avoid affiliate marketers and others from engaging in deception (e.g. in LeanSpa, the company was held liable for 3rd party affiliate marketers who created fake news sites).

No class--Presidents' day holiday

FTC Privacy Part 1

Class, last week we discussed the basics of unfair and deceptive practices acts. This week and next we look at how the law of unfair and deceptive trade practices apply to online privacy issues. For the lecture, please read:

Federal Trade Commission Privacy Law and Policy, Chapter 6 (145–192). It is a lot of reading, but we'll use this same reading for this week and next.

Discussion: FTC Privacy Part 1

Let us start with privacy policies. For this discussion exercise, feel free to work in a group. Find a privacy policy from a website or service that you are interested in (try to select one that is not too long or intractable). Prior to class, place the text in to Microsoft Word or Google Docs, and highlight these elements in different colors:

1) Disclosures you think are "material" under the FTC Act.

2) Text that specifies affirmative obligations on the website/service (we shall do x).

3) Text that specifies restrictions on the website/service (we will not do y).

4) Text that gives the user some choice (opt in or opt out).

Post your policy or a link to it in the discussion board, and be prepared to discuss what you found and what puzzles/intrigues you about the privacy policy. We will discuss these four elements both from the lens of the requirements and prohibitions of the FTC Act, and from the perspective of what administrative and technical infrastructure must exist behind the scenes to implement these privacy policies.

FTC Privacy Part 2

For this part, please:

1) Review the reading from last week (Federal Trade Commission Privacy Law and Policy, Chapter 6).

2) Read the FTC report, Internet of Things: Privacy & Security in a Connected World (2015).

Discussion: FTC Privacy Part 2

Discussion this week will focus on the internet of things (IoT). It will become clear that the IoT presents one of the most difficult regulatory challenges for privacy. Our goal will be to consider how the FTC might apply its tools to police the IoT sector, and how we might engineer IoT devices differently in order to protect consumers.

To prepare for the discussion, please choose a consumer product that is now sold as "connected." An example is door locks--these are bronze-age inventions that are now offered in "internet connected" formats. Give thought to the potential new benefits that come from internet connectivity for this product. What new functions will be enable? What knock-on effects will these functions create? What new societal tensions will internet connectivity introduce? How might we introduce privacy by design or other engineering principles to steer this technology toward FTC compliance?

 FTC Security & Security Breach Notification

For this lecture, please:

• Read Federal Trade Commission Privacy Law and Policy, chapter 8 (216–235).
• Read: California Office of Privacy Protection, Recommended Practices on Notice of Security Breach Involving Personal Information (2012).
• Look at this page. on which one discloses security breaches to the California Attorney General.
• Skim: PerkinsCoie, Security Breach Notification Chart (June 2016). 

Please identify your final project + team by this date.

Discussion: Security Frameworks 

For this discussion, we will divide into groups to analyze and present several different security standards. Note that the security standards we are visiting here are not law, exactly. They are often developed with the private sector and required by private contract or through procurement standards.

Group 1: Cover ISO 27000/27001/27002. These standards are not publicly available--they have to be licensed. However, Professor Georg Disterer has written a good overview of these standards. See, Georg Disterer, ISO/IEC 27000, 27001 and 27002 for Information Security Management, 4(2) Journal of Information Security (2003).

Group 2: Cover NIST 800-53 (Rev 4). This is a 460 page document. Suffice it to say that it would be a waste of time to read the whole thing. Instead, start with the NIST Summary, and then look at chapters 1, 2, and appendixes F, G, and J. In the process, be sure to note any controls that you find particularly useful or underexamined in the course so far.

Group 3: Cover PCI-DSS (Ver. 3.2). PCI-DSS governs the acceptance of credit and debit cards. This is a long document as well. You might start by looking at the "quick" reference guide :) and the sample reporting form.

Group 4: NIST Cybersecurity Framework. You will see the NIST framework in practice because financial regulators and the SEC have urged companies to implement it. A good starting point for understanding the framework is the FAQ on the NIST website.

All groups: do some searching and try to determine who uses your group's standard and why. You'll find that many companies do state their security standard in product specification sheets and regulatory findings.

Group assignments: TBD

Children's Privacy 

Read Federal Trade Commission Privacy Law and Policy, Chapter 7 (193–215).

Discussion: Children's Privacy

Class, for our discussion, please spend about an hour looking at a specific COPPA-regulated service (remember--it can be a website, app or other internet "service.") Pay specific attention to the privacy policy (how it differs from the non-COPPA service you looked at weeks ago) and parental consent mechanisms. Overall, do you think the service meets the privacy and security goals of the COPPA? If you want a refresher on COPPA requirements, this guide from the FTC is very good. Also here are this week's slides.

We'll discuss the differences between COPPA and non-COPPA sites during our discussion, and then do a short, in-class exercise focused on monetizing COPPA regulated sites.

The Stored Communications Act and Law Enforcement Agency (LEA) Requests 

Please read Orin Kerr's A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending it, 72 George Washington Law Review 1208 (2004), pages 1208–1233.

No class, spring break

Discussion: The Stored Communications Act and Law Enforcement Agency (LEA) Requests

Class, for this discussion, we are going to consider a series of different LEA requests for user information.

In order to prepare, could you:

1) Read the entire assignment, including the requests that the other groups are receiving. It's not a lot of reading--about 20 pages in total.

2) Give some thought to how you might respond to the request from the lens of your client/company? Is there anything special about your business model that would affect how you want to respond? What steps should you take to comply? What information should your company disclose in response to the request? What should it not provide?

In class, we'll divide into groups for 20-25 minutes, and then discuss with the whole class the steps and issues you think are important to responding.

Group 1: You work for the Internet Archive. Your Chief Security Officer (CSO) receives a call from the FBI, and Agent Jones says she is going to come in person to the Internet Archive office this afternoon with a request for information (nov2007_nsl_edited.pdf). Agent Jones appears, shows you this letter on FBI letterhead, allows you and the CSO to read it, but does not allow you to keep a copy.

Group 2: You work for a telecommunications carrier Sprint. Your company operates a law enforcement response office 24/7. This request appears in the fax machine (Sprint - Nextel Exigent Circumstances Form_edited.pdf) from Irvine PD. You do a quick Google search and turn up this guide for Cell Tracking Requests from Irvine's police department. (celltrackingpra_irvine4_irvineca.pdf).

Group 3: You are the publisher of a well-established libertarian magazine, Reason.com. You receive this grand jury subpoena (reason_gjs.pdf). Warning: this case involves threats and there is nasty language in it.

Feeling a bit at sea? That's totally normal! Companies receive these processes out of the blue, with no context, and often without their counsel present. We'll work through the issues together.

Wiretapping, Consumer Protection, and LEA Requests 

Please read

• California Penal Code §§ 630, 631, 632, 635, 637, and 637.7.  (pdf version)
• In the Matter of the Application of the UNITED STATES FOR AN ORDER AUTHORIZING THE ROVING INTERCEPTION OF ORAL COMMUNICATIONS, The Company, Appellant, v. UNITED STATES of America, Appellee, No. 02-15635, 349 F.3d 1132 (9th Cir. Nov. 18, 2003) (pdf version).

Discussion: Wiretapping, Consumer Protection, and LEA Requests 

From the lecture it should become clear that many new consumer services "intercept" the human voice. There are obvious examples, such as in-home assistants (Amazon Echo, Google Home), devices that sometimes respond to human commands (such as Smart TVs), and perhaps some less obvious ones--consider that your phone may be "listening," or that you might use a "wearable" device that captures information in your interpersonal life.

There is almost no caselaw concerning these products and services--the closest we have are the Deep Packet Inspection cases, the Google Gmail Scanning Litigation, and the Google Street View Wifi Scanning cases.

For our discussion, we'll focus on what companies in this space are doing to comply with the federal Wiretap Act and state laws on interception of voice. To prepare

• Please identify a product or service that captures the human voice and post it to the discussion page.
• Try to determine how the company is dealing with the Wiretap Act issues I discussed in lecture. This might be apparent from the privacy policy, the terms of service, or aspects of the product's design
• Give some thought to "secondary" parties that might be near the device. While you may have agreed to having your television capture your voice, visitors to your home presumably have not. What can the law or tech do about that problem?

Marketing

Please read FTC Privacy Law and Policy pages 236–240; 249–259.

We'll also do a final presentation by ES, ND, & MC

Discussion: Marketing 

To prepare for our discussion, please:

1) As you visit stores in person or on the web, take note of companies that wish to enroll you in text marketing. Here's an example from FEMA, and here's another from a company that recently litigated a TCPA case. Take a screenshot or copy the link and post it in the discussion area--remember that you might find these as you shop offline and if you can snap a picture of them, that's great.

2) I’d like to spend some time discussing “platform liability” for text messages. Please look at these services—can you tell what policies and procedures they have in place to deal with the problem that users might employ the services for illegal telemarketing? Be sure to look at the terms of service, privacy policy, and other disclosures surrounding enrollment.

https://groupme.com/en-US/ Oops! Groupme was recently bought by Microsoft. The old terms are here and the privacy policy here.

https://www.remind.com/

https://telefio.com

Boalt Hall Room 107 11:20-12:20

Last day for law students; Final presentations

Marketing Part 2 

Please read FTC Privacy Law & Policy 240–249; 259–267.

International Privacy Part 1

Class, for our last session, we will look at how the European Union is shaping privacy norms in the U.S. This is a quickly changing subject matter. For background, please read:

• Chris Jay Hoofnagle, Bart van der Sloot & Frederik Zuiderveen Borgesius (2019) The European Union general data protection regulation: what it is and what it means, Information & Communications Technology Law, 28:1, 65-98
• Optional background: Federal Trade Commission Privacy Law and Policy, Chapter 11 (306–328).
• Optional for more detail on the GDPR's specific provisions: Bird & Bird, Guide to the GDPR (May 2017).

International Privacy Part 2

• No new reading