Monday, June 30, 2008

Observation on Legal Blogging

While looking at Hack-igations I noticed a fun little statement at the bottom of his post:
[Again, all my blog comments are just public discussion and not legal advice for any particular situation.]

He had one on the previous post as well:
[Again, nothing I say on this blog is legal or other professional advice. It is just general public discussion. If you need expert help, you should not rely on this blog. You should go get help.]

This (at least for someone with my sense of humor) is one of the funny side effects of being part of a profession that basically sells words - when we give words away for free (e.g., on a blog) we have to make very sure that no one confuses the public comments on our blogs with the legal advice that we sell professionally. Of course, I have a similar disclaimer here (it's at the bottom of the page above the link to Patent Baristas), but mine's a permanent part of the setup. I thought it was funny that Ben at hack-igations seems to write a new disclaimer for every single post he puts up.

Sunday, June 29, 2008

Protecting Privacy by Contract

I have long been on record as believing that modern contract law will essentially be the death of individual privacy - the basic argument being that people want their toys, so they'll click on abusive clickthroughs and EULAs that essentially sign away their personal data (see, e.g., this post on Privacy and Contract). However, recently Ben Wright has proposed that these contracts could be harnessed on behalf of privacy - essentially, that consumers could put up their own websites with terms of use that require businesses to respect their personal information (see, here). Ben even points to a case where a website's terms of use were enforced against a consumer who made a contract over the phone, to demonstrate how the mere existence of the terms of use can be used in litigation.

I think Ben's argument is appealing, and I'd like to agree with it...unfortunately, there are a couple of problems with the argument that prevent me from endorsing it, as appealing as it may be. First, as a practical matter, it would be difficult to show that a company which sells an individual's personal data ever visited the website where the privacy protective terms of use were posted. In the case Ben cited to show that terms of use could be enforced even against a consumer who made a contract over the telephone, it was easy to prove that the consumer visited the website which hosted the terms of use, because the consumer was trying to enforce the website's privacy policy. However, in most cases, I think it would be hard to prove in court that a company which sells consumer data actually visited the websites of the consumers whose data is being sold. Second, even if it were possible to show that a company which sells consumer data visited the consumer's website, there is no reason to believe that a court would enforce the website's privacy protective terms of use. For example, in the case of In re Northwest Airlines Litigation, the court refused to allow consumers to sue Northwest Airlines for a violation of its privacy policy. Given that, I see no reason to believe that a court would be any more solicitous of privacy protective terms of use that a consumer might put on his or her website.

The bottom line is I like Ben's idea, and I would love to see the approach to abusive terms of service turned against businesses that don't respect privacy. However, I think the practical obstacles to implementing the idea are such that Ben's idea isn't something that most people can rely on.

Sunday, June 22, 2008

Measuring the Effect of Security Breach Notification Laws

How do you measure the effectiveness of security breach notification laws? One way is to take data on how many consumers report that they were victims of an ID theft due to a security breach, break the data down by state, and compare the states which do have security breach notification laws with those that don't. If the states that have notification laws have a lower rate of identity theft due to security breach (after controlling for various confounding variables) then you would conclude that the notification laws are effective in reducing identity theft.

The cross-state comparison described above was essentially the approach taken in this paper by Romanosky et al., which attempted to measure whether data breach disclosure laws reduce identity theft. Unfortunately, while measuring the effect of data breach disclosure laws is a laudable goal, I don't think the paper's approach was likely to result in any meaningful conclusion. The biggest problem with the paper's approach is that it didn't appear to adequately take into account the effect of interstate commerce in extending the coverage of existing security breach notification acts to states where those acts haven't been enacted. That isn't to say that the paper ignored this effect. However, its efforts to account for it seemed to focus on interstate movement by people (e.g., students attending an out-of-state university), when interstate movement of data is almost certainly a much bigger effect (largely because there is a well developed interstate market for data, while such an interstate market for people is prohibited by the 13th Amendment). Most security breach notification laws are triggered not only by security breaches at in-state companies, but also by security breaches at out-of-state companies which expose the data of state residents. This results in a duty to disclose data traveling from the point where the data was collected to anywhere in the country. Similarly, if the data for a resident of a state which doesn't have a security breach notification act is transferred to a state where such an act does exist, the individuals whose data was transferred will benefit from the out-of-state notification law, even if the person has never left their local jurisdiction. Thus, since the effects of security breach notification acts bleed so freely across state lines, trying to measure the effectiveness of those acts by comparing jurisdictions with security breach notification acts to jurisdictions without security breach notification acts is unlikely to yield any meaningful results.

So what would be a better approach to measuring the effect of security breach notification laws? One way would be to compare jurisdictions between which transfer of data is either nonexistent or severely limited. Unfortunately, it seems likely that there would be so many other differences between such jurisdictions that meaningful comparisons would simply be impossible. For example, if you were comparing the U.S. and the E.U., how would you control for the effect of the E.U. data privacy directive? Another approach would be to compare relative rates of identity theft caused by security breaches with ID thefts caused by something that isn't influenced by security breach notification acts (e.g., dumpster diving). The problem with that, though, is that the absolute most common cause of identity theft is "unknown." Thus, it could be that security breach notification laws would actually increase the reported incidence of ID theft due to security breaches, because some ID thefts caused by breaches would move from the "unknown" column to the security breach column. Further, when making that kind of fine grained comparison, it's necessary to have a larger data set than is necessary to simply look at overall rates of ID theft, and such a data set might not be available. The bottom line is that measuring the effectiveness of security breach notification acts is hard, and if there is a good way to do so, it isn't clear what it is.

Wednesday, June 18, 2008

New Identity Theft Blog

One of the most difficult things about running a blog is finding good material. True, it seems there's a new data security breach every few days, but reporting that another million, or thousand, or ten million records have been compromised gets old fast. Thus, I was happy to discover (discover in the sense of following a link left in a comment) a new ID theft blog: ID Theft and Business. I look forward to using it as a source for informed comment on the subject, and (hopefully) picking up a few ideas there to use for my own posts.

Tuesday, June 17, 2008

Always Go With the Original

Via The Dunning Letter, I learned about this paper which (according to Jack's post) says that data security breach notification laws don't actually work. When I first read the post discussing the paper, I was somewhat unnerved, since that would mean that one of the primary vehicles that governments have used to try to address the vulnerability of consumer data is ineffective. Happily, when I read the paper I found that this was one time that the normally astute Dunning Letter was simply wrong. What the paper actually found was that, using their data set (which, as I will discuss in a later post, was not the proper data to evaluate security breach notification laws) they did not detect a statistically significant effect of security breach notification laws on identity theft. However, that is different from saying that there is no effect. Indeed, the paper explicitly recommends increasing disclosure requirements to help address the lack of data: "[other authors argue that] current information is not sufficient and that banks and other organizations should be required to release identity theft data to the public for proper research. We certainly agree with this view."

So what can be gained from this? First, the paper itself is quite interesting, and I plan on addressing it in more detail in future posts. For now though, the lesson I draw from this is that you should always go to the original source when blogging. When discussing the paper, the Dunning Letter also linked to a TechWorld article with the bold headline that "Researchers say notification laws in US not lowering ID theft." My guess is that Jack probably read the TechWorld article but not the original paper. While that might be a nice shortcut, it can also (as demonstrated here) lead to perpetuating falsehoods just because they make nice screaming headlines.

Thursday, June 12, 2008

Ephemeral Law Named to Top 100

Happy news for me today. Ephemeral Law has been named as one of the top 100 civil liberties advocacy blogs by the Criminal Justice Degrees Guide. Now, of course, one could point out that Ephemeral Law's ranking, plus $3.25, would get me a coffee at Starbucks, but whatever. It certainly isn't bad news, and I'm happy with all the not-bad blog related news I can get.

Wednesday, June 11, 2008

Value of Security Breach Notification Laws

This article from Computer World advances a position which I find truly bizarre: that security breach notification laws don't help people. The article's reasoning (and I use the term loosely) seems to be that notification laws only require action after a breach takes place, so they really don't prevent identity theft. It would be better for consumers, according to the article, if the money companies now spend on complying with security breach notification laws were instead spent on security that might prevent identity theft. In any case, the article points out, more identity theft takes place due to telephone scams, lost wallets, or consumers who don't properly protect their computers. Basically, the article minimizes the harm caused by security breaches, and tries to argue that the money spent notifying consumers of the breaches would be better spent elsewhere.

Frankly, it's hard to know where to begin criticizing the article. My immediate instinct is to slam the prose. The author has a terrible habit (epidemic in lawyers, I'm sad to say) of asking rhetorical questions and making mealy-mouthed equivocations rather than just taking a position. For example, the author points out that "Enforcement of these laws may not help consumers, either." So there's a possibility that consumers may not be helped by enforcing laws. Similarly, it's possible that the sun may not rise in the east tomorrow. If the author really feels that security breach notification laws don't help people, he should say so, rather than couching his arguments in insubstantial speculation and rhetorical questions.

However, while my instinct is to slam the prose, I think it's more important to recognize that the logic underlying the prose is really, really bad. The primary mistake the author makes (and it's a doozy) is to assume that the only benefit which can come from security breach notification acts is to prevent identity theft. That's simply nuts. The primary benefit of the notification acts is that, because of them, people are notified when there's a problem. Without notification laws, businesses would never go public about security breaches, and what is indisputably a major public policy issue would simply be swept under the rug. Perhaps the author of the article thinks ignorance is bliss, but I prefer that problems be widely acknowledged so that they can be addressed. A secondary mistake the author makes is that he assumes that the more money businesses spend complying with notification laws, the less money they'll spend on security. This doesn't make sense. If businesses could sweep security breaches under the proverbial rug, they would spend even less on security. The high cost of security breach notifications (in terms of both money and bad PR) will cause companies to spend more on security, not less.

I could go on almost indefinitely about what's wrong with the author's position, but I won't. Instead, I can illustrate with a simple analogy: if the author were arguing that statutes requiring businesses to notify consumers when there was a toxic waste spill were ill-conceived because they diverted money which would otherwise be used preventing spills, he would be treated as a laughingstock. While drinking toxic waste is clearly a more direct threat to health than a data security breach, it's no more logical to allow the release of personal data to be swept under the rug than it is to allow the release of toxic waste to be covered up.

Sunday, June 1, 2008

Facebook Accused of Violating Canadian Law

According to this article from Computer World, a complaint has been filed against Facebook for violating Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). If that law, and its rather unwieldy acronym, seem familiar, it could be because there were concerns last year that Google's Street View product might violate it (see, e.g., here). In the case of Street View, the concerns were raised over the broad scope and indefinite retention of the data which was collected. In the case of Facebook, there are several possible violations. First, Facebook (allegedly) does not fully inform users how broadly their information can be shared with strangers for social networking. Second, Facebook (again, allegedly) fails to notify users of how their information will be used for advertising, and shared with third parties.

Without commenting on the merits of the complaint, I will note that the Computer World article points out that

Jeffrey Chester, founder and executive director of the Center for Digital Democracy in the U.S., said the Canadian organization "has lifted the veil that covers Facebook's extensive personal data collection apparatus" [and said that] "...It's a giant privacy wake-up call about Facebook from our friends up north."

My own view is a bit different. I don't think this is a wake-up call at all. American consumers already know that there are some serious privacy issues surrounding Facebook. In fact, there is already a lawsuit in U.S. court based on Facebook's Beacon program (see, e.g., here). The problem is that U.S. consumers don't really have much they can do about privacy. The lawsuit about Beacon is only possible because of a very narrow provision of federal law which covers video tape rental and sales records, but that kind of sui generis protection doesn't really translate into decent coverage for personal information. Thus, my view is that the Canadian complaint, to the extent it's a wake-up call at all, is a wake-up call about the state of U.S. privacy laws, not a wake-up call about the threats to privacy.