233 research outputs found
Fourth Amendment Codification and Professor Kerr\u27s Misguided Call for Judicial Deference
This essay critiques Professor Orin Kerr\u27s provocative article, The Fourth Amendment and New Technologies: Constitutional Myths and the Case for Caution, 102 Mich. L. Rev. 801 (2004). Increasingly, Fourth Amendment protection is receding from a litany of law enforcement activities, and it is being replaced by federal statutes. Kerr notes these developments and argues that courts should place a thumb on the scale in favor of judicial caution when technology is in flux, and should consider allowing legislatures to provide the primary rules governing law enforcement investigations involving new technologies. Kerr\u27s key contentions are that (1) legislatures create rules that are more comprehensive, balanced, clear, and flexible; (2) legislatures are better able to keep up with technological change; and (3) legislatures are more adept at understanding complex new technologies. I take issue with each of these arguments. Regarding Kerr\u27s first contention, I argue that Congress has created an uneven fabric of protections that is riddled with holes and weak safeguards. Kerr\u27s second contention - that legislatures are better able to update rules quickly as technology shifts - is belied by the historical record, which suggests Congress is actually far worse than the courts in reacting to new technologies. As for Kerr\u27s third contention, shifting to a statutory regime will not eliminate Kerr\u27s concern with judges misunderstanding technology. In fact, many judicial misunderstandings stem from courts trying to fit new technologies into an old statutory regime that is built around old technologies. Therefore, while Kerr is right that our attention must focus more on the statutes, he is wrong in urging for a deferential judicial approach to the Fourth Amendment
A Taxonomy of Privacy
Privacy is a concept in disarray. Nobody can articulate what it means. As one commentator has observed, privacy suffers from an embarrassment of meanings. Privacy is far too vague a concept to guide adjudication and lawmaking, as abstract incantations of the importance of privacy do not fare well when pitted against more concretely-stated countervailing interests. In 1960, the famous torts scholar William Prosser attempted to make sense of the landscape of privacy law by identifying four different interests. But Prosser focused only on tort law, and the law of information privacy is significantly more vast and complex, extending to Fourth Amendment law, the constitutional right to information privacy, evidentiary privileges, dozens of federal privacy statutes, and hundreds of state statutes. Moreover, Prosser wrote over 40 years ago, and new technologies have given rise to a panoply of new privacy harms. A new taxonomy to understand privacy violations is thus sorely needed. This article develops a taxonomy to identify privacy problems in a comprehensive and concrete manner. It endeavors to guide the law toward a more coherent understanding of privacy and to serve as a framework for the future development of the field of privacy law
Identity Theft, Privacy, and the Architecture of Vulnerability
This Article contrasts two models for understanding and protecting against privacy violations. Traditionally, privacy violations have been understood as invasive actions by particular wrongdoers who cause direct injury to victims. Victims experience embarrassment, mental distress, or harm to their reputations. Privacy is not infringed until these mental injuries materialize. Thus, the law responds when a person\u27s deepest secrets are exposed, reputation is tarnished, or home is invaded. Under the traditional view, privacy is an individual right, remedied at the initiative of the individual. In this Article, Professor Solove contends the traditional model does not adequately account for many of the privacy problems arising today. These privacy problems do not consist merely of a series of isolated and discrete invasions or harms, but are systemic in nature. They cannot adequately be remedied by individual rights and remedies alone. In contrast, Professor Solove proposes a different model for understanding and protecting against these privacy problems. Developing the notion of architecture as used by Joel Reidenberg and Lawrence Lessig, Solove contends that many privacy problems must be understood as the product of a broader structural system which shapes the collection, dissemination, and use of personal information. Lessig and Reidenberg focus on architectures of control, structures that function to exercise greater dominion over individuals. Solove argues that in addition to architectures of control, we are seeing the development of architectures of vulnerability, which create a world where people are vulnerable to significant harm and are helpless to do anything about it. Solove argues that protecting privacy must focus not merely on remedies and penalties but on shaping architectures. Professor Solove illustrates these points with the example of identity theft, one of the most rapidly growing types of criminal activity. Identity theft is often conceptualized under the traditional model as the product of disparate thieves and crafty criminals. The problem, however, has not been adequately conceptualized, and, as a result, enforcement efforts have been misdirected. The problem, as Solove contends, is one created by an architecture, one that creates a series of vulnerabilities. This architecture is not created by identity thieves; rather, it is exploited by them. It is an architecture of vulnerability, one where personal information is not protected with adequate security. The identity thief\u27s ability to so easily access and use our personal data stems from an architecture that does not provide adequate security to our personal information and that does not afford us with a sufficient degree of participation in the collection, dissemination, and use of that information. Understanding identity theft in terms of architecture reveals that it is part of a larger problem that the law has thus far ignored. Solove then discusses solutions to the identity theft problem. He engages in an extensive critique of Lynn LoPucki\u27s solution, which involves the creation of a public identification system. After pointing out the difficulties in LoPucki\u27s proposal, Solove develops an architecture that can more appropriately curtail identity theft, an architecture based on the Fair Information Practices
HIPAA Turns 10: Analyzing the Past, Present, and Future Impact
This essay, written in a journalistic style, examines HIPAA over the past decade. The essay discusses the creation of HIPAA, the evolution of HHS enforcement, the impact of the HITECH Act, and the overall influence and effect of HIPAA on healthcare providers and organizations using medical data. Professor Solove combines analysis with interviews of key regulators and practitioners
The First Amendment as Criminal Procedure
This Article explores the relationship between the First Amendment and criminal procedure. These two domains of constitutional law have long existed as separate worlds, rarely interacting with each other despite the fact that many instances of government information gathering can implicate First Amendment freedoms of speech, association, and religion. The Fourth and Fifth Amendments used to provide considerable protection for First Amendment interests, as in the famous 1886 case Boyd v. United States, in which the Supreme Court held that the government was prohibited from seizing a person\u27s private papers. Over time, however, Fourth and Fifth Amendment protection has shifted, and countless searches and seizures involving people\u27s private papers, the books they read, the websites they surf, and the pen names they use when writing anonymously now fall completely outside the protection of constitutional criminal procedure. Professor Solove argues that the First Amendment should protect against government information gathering that implicates First Amendment interests. He contends that there are doctrinal, historical, and normative justifications for developing what he calls First Amendment criminal procedure. Solove sets forth an approach for determining when certain instances of government information gathering fall within the regulatory domain of the First Amendment and what level of protection the First Amendment should provide
Data Is What Data Does: Regulating Based on Harm and Risk Instead of Sensitive Data
Heightened protection for sensitive data is becoming quite trendy in privacy laws around the world. Originating in European Union (EU) data protection law and included in the EU’s General Data Protection Regulation, sensitive data singles out certain categories of personal data for extra protection. Commonly recognized special categories of sensitive data include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual orientation and sex life, and biometric and genetic data.
Although heightened protection for sensitive data appropriately recognizes that not all situations involving personal data should be protected uniformly, the sensitive data approach is a dead end. The sensitive data categories are arbitrary and lack any coherent theory for identifying them. The borderlines of many categories are so blurry that they are useless. Moreover, it is easy to use nonsensitive data as a proxy for certain types of sensitive data.
Personal data is akin to a grand tapestry, with different types of data interwoven to a degree that makes it impossible to separate out the strands. With Big Data and powerful machine learning algorithms, most nonsensitive data give rise to inferences about sensitive data. In many privacy laws, data giving rise to inferences about sensitive data is also protected as sensitive data. Arguably, then, nearly all personal data can be sensitive, and the sensitive data categories can swallow up everything. As a result, most organizations are currently processing a vast amount of data in violation of the laws.
This Article argues that the problems with the sensitive data approach make it unworkable and counterproductive as well as expose a deeper flaw at the root of many privacy laws. These laws make a fundamental conceptual mistake—they embrace the idea that the nature of personal data is a sufficiently useful focal point for the law. But nothing meaningful for regulation can be determined solely by looking at the data itself. Data is what data does.
To be effective, privacy law must focus on harm and risk rather than on the nature of personal data. The implications of this point extend far beyond sensitive data provisions. In many elements of privacy laws, protections should be proportionate to the harm and risk involved with the data collection, use, and transfer
A Taxonomy of Privacy
Privacy is a concept in disarray. Nobody can articulate what it means. As one commentator has observed, privacy suffers from an embarrassment of meanings. Privacy is far too vague a concept to guide adjudication and lawmaking, as abstract incantations of the importance of privacy do not fare well when pitted against more concretely-stated countervailing interests. In 1960, the famous torts scholar William Prosser attempted to make sense of the landscape of privacy law by identifying four different interests. But Prosser focused only on tort law, and the law of information privacy is significantly more vast and complex, extending to Fourth Amendment law, the constitutional right to information privacy, evidentiary privileges, dozens of federal privacy statutes, and hundreds of state statutes. Moreover, Prosser wrote over 40 years ago, and new technologies have given rise to a panoply of new privacy harms. A new taxonomy to understand privacy violations is thus sorely needed. This article develops a taxonomy to identify privacy problems in a comprehensive and concrete manner. It endeavors to guide the law toward a more coherent understanding of privacy and to serve as a framework for the future development of the field of privacy law
The Myth of the Privacy Paradox
In this article, Professor Daniel Solove deconstructs and critiques the privacy paradox and the arguments made about it. The “privacy paradox” is the phenomenon where people say that they value privacy highly, yet in their behavior relinquish their personal data for very little in exchange or fail to use measures to protect their privacy. Commentators typically make one of two types of arguments about the privacy paradox. On one side, the “behavior valuation argument” contends behavior is the best metric to evaluate how people actually value privacy. Behavior reveals that people ascribe a low value to privacy or readily trade it away for goods or services. The argument often goes on to contend that privacy regulation should be reduced. On the other side, the “behavior distortion argument” argues that people’s behavior isn’t an accurate metric of preferences because behavior is distorted by biases and heuristics, manipulation and skewing, and other factors. In contrast to both of these camps, Professor Solove argues that the privacy paradox is a myth created by faulty logic. The behavior involved in privacy paradox studies involves people making decisions about risk in very specific contexts. In contrast, people’s attitudes about their privacy concerns or how much they value privacy are much more general in nature. It is a leap in logic to generalize from people’s risk decisions involving specific personal data in specific contexts to reach broader conclusions about how people value their own privacy. The behavior in the privacy paradox studies doesn’t lead to a conclusion for less regulation. On the other hand, minimizing behavioral distortion will not cure people’s failure to protect their own privacy. It is perfectly rational for people — even without any undue influences on behavior — to fail to make good assessments of privacy risks and to fail to manage their privacy effectively. Managing one’s privacy is a vast, complex, and never-ending project that does not scale; it becomes virtually impossible to do comprehensively. Privacy regulation often seeks to give people more privacy self-management, such as the recent California Consumer Privacy Act. Professor Solove argues that giving individuals more tasks for managing their privacy will not provide effective privacy protection. Instead, regulation should employ a different strategy — focus on regulating the architecture that structures the way information is used, maintained, and transferred
The Digital Person: Technology and Privacy in the Information Age (Introduction)
THE DIGITAL PERSON: TECHNOLOGY AND PRIVACY IN THE INFORMATION AGE (ISBN: 0814798462) (NYU Press 2004) explores the social, political, and legal implications of the collection and use of personal information in computer databases. In the Information Age, our lives are documented in digital dossiers maintained by hundreds (perhaps thousands) of businesses and government agencies. These dossiers are composed of bits of our personal information, which when assembled together begin to paint a portrait of our personalities. The dossiers are increasingly used to make decisions about our lives - whether we get a loan, a mortgage, a license, or a job; whether we are investigated or arrested; and whether we are permitted to fly on an airplane. Digital dossiers impact many aspects of our lives. For example, they increase our vulnerability to identity theft, a serious crime that has been escalating at an alarming rate. Moreover, since September 11th, the government has been tapping into vast stores of information collected by businesses and using it to profile people for criminal or terrorist activity. Do these developments pose a problem? Is it possible to protect privacy in a society where information flows so freely and proliferates so rapidly? THE DIGITAL PERSON seeks to answer these questions. This book explores the problem from all angles - how businesses gather personal information in massive databases; how the government increasingly provides this data to businesses through public records; and how the government is gathering personal data from businesses for its own uses. THE DIGITAL PERSON not only explores these problems, but also provides a compelling account of how we can respond to them. Using a wide variety of sources, including history, philosophy, and literature, Solove sets forth a new understanding of privacy, one that is appropriate for the new challenges of the Information Age. Solove recommends how the law can be reformed to simultaneously protect our privacy and allow us to enjoy the benefits of our increasingly digital world
- …