RFID: A 7 Point Plan to Ensure Privacy

This paper gives an overview of consumer fears associated with the introduction of RFID technology. It analyses the motivation and technical viability of these fears and derives suggestions for privacyfriendly technology design. The analysis shows that all consumer fears currently debated are essentially justified, because from a technical perspective they can all be implemented in the short- or mid-term. A 7-point plan of technological measures is presented that should be taken into consideration and developed further by standardization bodies, researchers and governments in order to impede potential abuses of the technology in the long term

Planning for the Future of Cyber Attack Attribution : Hearing Before the H. Subcomm. on Technology and Innovation of the H. Comm. on Science and Technology, 111th Cong., July 15, 2010 (Statement by Adjunct Professor Marc Rotenberg, Geo. U. L. Center)

Steve Bellovin, another security expert, noted recently that one of risks of the new White House plan for cyber security is that it places too much emphasis on attribution. As Dr. Bellovin explains: The fundamental premise of the proposed strategy is that our serious Internet security problems are due to lack of sufficient authentication. That is demonstrably false. The biggest problem was and is buggy code. All the authentication in the world won\u27t stop a bad guy who goes around the authentication system, either by finding bugs exploitable before authentication is performed, finding bugs in the authentication system itself, or by hijacking your system and abusing the authenticated connection set up by the legitimate user. While I believe the White House, the Cyber Security Advisor, and the various participants in the drafting process have made an important effort to address privacy and security interests, I share Professor Bellovin’s concern that too much emphasis has been placed on promoting identification. I also believe that online identification, promoted by government, will be used for purposes unrelated to cyber security and could ultimately chill political speech and limit the growth of the Internet. Greater public participation in the development of this policy as well as a formal rulemaking on the White House proposal could help address these concerns

Unilateral Invasions of Privacy

Most people seem to agree that individuals have too little privacy, and most proposals to address that problem focus on ways to give those users more information about, and more control over, how information about them is used. Yet in nearly all cases, information subjects are not the parties who make decisions about how information is collected, used, and disseminated; instead, outsiders make unilateral decisions to collect, use, and disseminate information about others. These potential privacy invaders, acting without input from information subjects, are the parties to whom proposals to protect privacy must be directed. This Article develops a theory of unilateral invasions of privacy rooted in the incentives of potential outside invaders. It first briefly describes the different kinds of information flows that can result in losses of privacy and the private costs and benefits to the participants in these information flows. It argues that in many cases the relevant costs and benefits are those of an outsider deciding whether certain information flows occur. These outside invaders are more likely to act when their own private costs and benefits make particular information flows worthwhile, regardless of the effects on information subjects or on social welfare. And potential privacy invaders are quite sensitive to changes in these costs and benefits, unlike information subjects, for whom transaction costs can overwhelm incentives to make information more or less private. The Article then turns to privacy regulation, arguing that this unilateral-invasion theory sheds light on how effective privacy regulations should be designed. Effective regulations are those that help match the costs and benefits faced by a potential privacy invader with the costs and benefits to society of a given information flow. Law can help do so by raising or lowering the costs or benefits of a privacy invasion, but only after taking account of other costs and benefits faced by the potential privacy invader

Keeping ubiquitous computing to yourself: a practical model for user control of privacy

As with all the major advances in information and communication technology, ubiquitous computing (ubicomp) introduces new risks to individual privacy. Our analysis of privacy protection in ubicomp has identified four layers through which users must navigate: the regulatory regime they are currently in, the type of ubicomp service required, the type of data being disclosed, and their personal privacy policy. We illustrate and compare the protection afforded by regulation and by some major models for user control of privacy. We identify the shortcomings of each and propose a model which allows user control of privacy levels in a ubicomp environment. Our model balances the user's privacy preferences against the applicable privacy regulations and incorporates five types of user controlled 'noise' to protect location privacy by introducing ambiguities. We also incorporate an economics-based approach to assist users in balancing the trade-offs between giving up privacy and receiving ubicomp services. We conclude with a scenario and heuristic evaluation which suggests that regulation can have both positive and negative influences on privacy interfaces in ubicomp and that social translucence is an important heuristic for ubicomp privacy interface functionality

Mobile Privacy and Business-to-Platform Dependencies: An Analysis of SEC Disclosures

This Article systematically examines the dependence of mobile apps on mobile platforms for the collection and use of personal information through an analysis of Securities and Exchange Commission (SEC) filings of mobile app companies. The Article uses these disclosures to find systematic evidence of how app business models are shaped by the governance of user data by mobile platforms, in order to reflect on the role of platforms in privacy regulation more generally. The analysis of SEC filings documented in the Article produces new and unique insights into the data practices and data-related aspects of the business models of popular mobile apps and shows the value of SEC filings for privacy law and policy research more generally. The discussion of SEC filings and privacy builds on regulatory developments in SEC disclosures and cybersecurity of the last decade. The Article also connects to recent regulatory developments in the U.S. and Europe, including the General Data Protection Regulation, the proposals for a new ePrivacy Regulation and a Regulation of fairness in business-to-platform relations