Regulating Mass Surveillance as Privacy Pollution: Learning from Environmental Impact Statements

Encroachments on privacy through mass surveillance greatly resemble the pollution crisis in that they can be understood as imposing an externality on the surveilled. This Article argues that this resemblance also suggests a solution: requiring those conducting mass surveillance in and through public spaces to disclose their plans publicly via an updated form of environmental impact statement, thus requiring an impact analysis and triggering a more informed public conversation about privacy. The Article first explains how mass surveillance is polluting public privacy and surveys the limited and inadequate doctrinal tools available to respond to mass surveillance technologies. Then, it provides a quick summary of the Privacy Impact Notices ( PINs ) proposal to make a case in principle for the utility and validity of PINs. Next, the Article explains how environmental law responded to a similar set problems (taking the form of physical harms to the environment) with the National Environmental Policy Act of 1969 ( NEPA ), requiring Environmental Impact Statement ( EIS ) requirements for environmentally sensitive projects. Given the limitations of the current federal privacy impact analysis requirement, the Article offers an initial sketch of what a PIN proposal would cover and its application to classic public spaces, as well as virtual spaces such as Facebook and Twitter. The Article also proposes that PINs apply to private and public data collection -including the NSA\u27s surveillance of communications. By recasting privacy harms as a form of pollution and invoking a familiar (if not entirely uncontroversial) domestic regulatory solution either directly or by analogy, the PINs proposal seeks to present a domesticated form of regulation with the potential to ignite a regulatory dynamic by collecting information about the privacy costs of previously unregulated activities that should, in the end, lead to significant results without running afoul of potential U.S. constitutional limits that may constrain data retention and use policies. Finally, the Article addresses three counterarguments focusing on the First Amendment right to data collection, the inadequacy of EISs, and the supposed worthlessness of notice-based regimes

From Anonymity to Identification

This article examines whether anonymity online has a future. In the early days of the Internet, strong cryptography, anonymous remailers, and a relative lack of surveillance created an environment conducive to anonymous communication. Today, the outlook for online anonymity is poor. Several forces combine against it: ideologies that hold that anonymity is dangerous, or that identifying evil-doers is more important than ensuring a safe mechanism for unpopular speech; the profitability of identification in commerce; government surveillance; the influence of intellectual property interests and in requiring hardware and other tools that enforce identification; and the law at both national and supranational levels. As a result of these forces, online anonymity is now much more difficult than previously, and looks to become less and less possible. Nevertheless, the ability to speak truly freely remains an important \u27safety valve\u27 technology for the oppressed, for dissidents, and for whistle-blowers. The article argues that as data collection online merges with data collection offline, the ability to speak anonymously online will only become more valuable. Technical changes will be required if online anonymity is to remain possible. Whether these changes are possible depends on whether the public comes to appreciate value the option of anonymous speech while it is still possible to engineer mechanisms to permit it

The Virtual Law School, 2.0

Just over twenty years ago I gave a talk to the AALS called The Virtual Law School? Or, How the Internet Will De-skill the Professoriate, and Turn Your Law School Into a Conference Center. I came to the subject because I had been working on internet law, learning about virtual worlds and e-commerce, and about the power of one-to-many communications, and it struck me that a lot of what I had learned applied to education in general and to legal education in particular. It didn\u27t happen. Or at least, it has not happened yet. In this essay I want to revisit my predictions from twenty years ago in order to see why so little has changed (so far). The massive convulsion forced on law teaching because of the social distancing required to prevent COVID-I9 transmission provided an occasion for us all to rethink how we deliver law teaching. After discussing why my predictions failed to manifest before 2020, I will argue that unless the pandemic can be controlled, the market for legal education may force some radical changes on us-whether we like them or not-and that in the main my earlier predictions were not wrong, just premature

Big Data: Destroyer of Informed Consent

The \u27Revised Common Rule\u27 took effect on January 21, 2019, marking the first change since 2005 to the federal regulation that governs human subjects research conducted with federal support or in federally supported institutions. The Common Rule had required informed consent before researchers could collect and use identifiable personal health information. While informed consent is far from perfect, it is and was the gold standard for data collection and use policies; the standard in the old Common Rule served an important function as the exemplar for data collection in other contexts. Unfortunately, true informed consent seems incompatible with modern analytics and \u27Big Data\u27. Modern analytics hold out the promise of finding unexpected correlations in data; it follows that neither the researcher nor the subject may know what the data collected will be used to discover. In such cases, traditional informed consent in which the researcher fully and carefully explains study goals to subjects is inherently impossible. In response, the Revised Common Rule introduces a new, and less onerous, form of broad consent in which human subjects agree to as varied forms of data use and re-use as researchers\u27 lawyers can squeeze into a consent form. Broad consent paves the way for using identifiable personal health information in modern analytics. But these gains for users of modern analytics come with side-effects, not least a substantial lowering of the aspirational ceiling for other types of information collection, such as in commercial genomic testing. Continuing improvements in data science also cause a related problem, in that data thought by experimenters to have been de-identified (and thus subject to more relaxed rules about use and re-use) sometimes proves to be re-identifiable after all. The Revised Common Rule fails to take due account of real re-identification risks, especially when DNA is collected. In particular, the Revised Common Rule contemplates storage and re-use of so-called de-identified biospecimens even though these contain DNA that might be re-identifiable with current or foreseeable technology. Defenders of these aspects of the Revised Common Rule argue that \u27data saves lives.\u27 But even if that claim is as applicable as its proponents assert, the effects of the Revised Common Rule will not be limited to publicly funded health sciences, and its effects will be harmful elsewhere