• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Regulating Data: The Implications of Informatics on International Law
 

Regulating Data: The Implications of Informatics on International Law

on

  • 664 views

Description: Because of the increasing ease of digitization, all information has the potential to be digitized and as such, all information is becoming part of a single, incomprehensibly large, ...

Description: Because of the increasing ease of digitization, all information has the potential to be digitized and as such, all information is becoming part of a single, incomprehensibly large, multinational, multicultural data system. The resulting data ecosystem is subject to local regulation by state and national laws which have often been drafted to address a conflicting set of jurisdictional rules and normative expectations regarding the creation, ownership, collection, storage and dissemination of information. The laws vary from country to country, resisting efforts at bringing international harmony because of deeply rooted historical differences. The presentation is an overview of the steps necessary for developing a comprehensive informatics regulatory system that protects privacy, telecom policy and copyright.

Statistics

Views

Total Views
664
Views on SlideShare
658
Embed Views
6

Actions

Likes
0
Downloads
8
Comments
0

2 Embeds 6

http://www.linkedin.com 5
http://www.slideshare.net 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Regulating Data: The Implications of Informatics on International Law Regulating Data: The Implications of Informatics on International Law Presentation Transcript

    • Regulating Data: The Implications of Informatics on International Law International Law Congress 2010 Ankara Bar Association Ankara,Turkey 11-15 January 2010 Jon M. Garon Professor of Law
    • Introduction  What is Informatics - How to conceptualize the field  Informatics has been described as “the art and science of information,” or “the science of information, the practice of information processing, and the engineering of information systems.  Informatics studies the structure, algorithms, behavior, and interactions of natural and artificial systems that store, process, access and communicate information.”  The field of informatics looks beyond the science of information systems to embrace the ecology of information within its environmental context. Most importantly, because a second level of data, or metadata, is created by the very study of data, informatics must provide methodologies to embrace a highly dynamic environment.
    • Small steps toward integration of informatics  Intersection of key rights  IP Rights – Patent, Trademark, Copyright, Trade Secret  Anti-piracy efforts  Control of offensive content (immoral, scandalous, pornographic, etc.)  Rights of Persons – Privacy, Protection from Commercialization  Anti-defamatory efforts  Databases and Software – Rights related to Copyright  Computer Security – anti-intrusion, digital protection measures  Data Integrity efforts, laws and practices  Telecommunications – integrity of telephony, Internet telephony  Integration of broadband, cable, satellite and terrestrial regulation  Harmonization – National laws, EU Directives, GATT, TRIPS, WIPO  The very first steps to see these disparate systems as an information ecosystem 3 Jon M. Garon
    • Internet Management - ICANN  ICANN a semi-autonomous NGO  Developing policies to protect trademarks and IP  UDRP - The Uniform Domain Name Dispute Resolution Policy: a relatively fast, inexpensive procedure to resolve domain name disputes  Dispute proceedings arising from alleged abusive registrations of domain names (for example, cybersquatting) may be initiated by a holder of trademark rights.  The UDRP is a policy between a registrar and its customer and is included in registration agreements for all ICANN-accredited registrars  Expansion of character set  Addition of Chinese characters, Arabic characters for domain names will have much greater international impact on commerce than most other changes  IDNs are domain names that include characters other than the currently available set of the English alphabet  Internet extensions are expected to come online in many countries in 2010  With expansion of gTLDs and character names greater streamlining and expansion is needed and being developed
    • Coverage of Copyright Laws  Summary of the Berne Convention for the Protection of Literary and Artistic Works (1886)  The three basic principles  National Treatment: Works originating in any of the contracting States must be given the same protection as provided to nationals in that state  Automatic Protection: No conditions or formalities  Independence or Minimum Standards: A State can provide for a longer term than the minimum prescribed by the Convention (but a work may lose protection once protection in the country of origin ceases).
    • Copyright & Digital Expression  WIPO Implementation – December 1996  Beginning of the Internet revolution  Need to thwart emergence of IP rogue states  Need to create “effective legal remedies” for developing countries  Need to create legislation to encourage enforcement in high-piracy states (rules on the books not enough)  US Implementation – October 1998  Need to comply with International Law, under TRIPS  Need to simplify evidentiary issues related to copyright  Need to shore up the “digital deadbolts” so companies will put their content onto disks  EU Implementation – May 2001  The European Union passed the EU Copyright Directive bringing it into compliance
    • Copyrights and Digital Information  Turkish accession bills to the WCT and the WPPT submitted to parliament in May 2005  Both of the bills were put on the parliamentary agenda after affirmative reports were submitted by the relevant commissions  Turkish Copyright Law - The Act of Intellectual and Artistic Works 5846  Turkey is a party to the Berne Convention, the Rome Convention and the TRIPs Agreement  The Turkish Copyright Law became compliant with these treaties after its 1995 and 2001 amendments  WIPO Copyright Treaty came into force on November 28, 2008
    • Copyrights and Digital Information  Within the scope of the legal regulations adopted in relation to EU law, the accession bills to the WCT and the WPPT were submitted to parliament in May 2005. Both of the bills were put on the parliamentary agenda after affirmative reports were submitted by the relevant commissions  Turkish Copyright Law - The Act of Intellectual and Artistic Works 5846  Turkey is a party to the Berne Convention, the Rome Convention and the TRIPs Agreement.  The Turkish Copyright Law became compliant with these treaties after its 1995 and 2001 amendments  WIPO Copyright Treaty came into force on November 28, 2008  Source: Ugur Aktekin, Mehmet Gün & Partners
    • Copyrights and Digital Information  Computer programs and databases  Council Directive 91/250/EEC of May 14 1991 on the Legal Protection of Computer Programs within meaning of Art. 2 of Berne  Protection of databases and computer software was introduced into the Turkish Copyright Law in 1995  Rights of reproduction includes digital rights  Rights of digital distribution –Communication by wire or wireless means  Adopted in Turkey to include all copyrighted works  Makes great sense given growth of e-books and digitization of other media  Technological measures and rights management  WCT Art. 11 requires adequate legal protection and effective legal remedies against the circumvention of technological measures  WCT Art. 12 prohibits removing or altering any electronic rights management information, or distributing, importing for distribution, broadcasting or communicating to the public works or copies of works knowing that electronic rights management information has been removed or altered  Source: Ugur Aktekin, Mehmet Gün & Partners
    • U.S. DMCA Comparison: Section 1201 – protecting from circumvention of copy protection provisions  “No person shall circumvent a technological measure that effectively controls access to a [copyrighted] work….”  Protects from unauthorized decryption of a work’s security or picking of any virtual lock.  Section 1201(a)(1)(A)  prohibits trafficking in black box technology “produced for the purpose of circumventing a technological measure that effectively controls access to a work….”  §1201(a)(2)  prohibits trafficking in anticircumvention technology “that allow some forms of ‘access’ but restrict other uses of the copyrighted work.”  Internet streaming audio player was tweaked or circumvented to permit the downloading of that content  §1201(b)(1)
    • U.S. Telecom Strategic Goals  BROADBAND - All Americans should have affordable access to robust and reliable broadband products and services. Regulatory policies must promote technological neutrality, competition, investment, and innovation to ensure that broadband service providers have sufficient incentive to develop and offer such products and services.  COMPETITION - Competition in the provision of communications services, both domestically and overseas, supports the Nation’s economy. The competitive framework for communications services should foster innovation and offer consumers reliable, meaningful choice in affordable services.  SPECTRUM - Efficient and effective use of non-federal spectrum domestically and internationally promotes the growth and rapid deployment of innovative and efficient communications technologies and services.  MEDIA - The Nation’s media regulations must promote competition, diversity and localism, and facilitate the transition to digital modes of delivery.
    • Heavy focus on impact of privacy in broadband  In order to inform the Commission’s development of a National Broadband Plan, the Commission has inquired about the relevance of online privacy protections to broadband adoption and deployment.  For example, in the Notice of Inquiry initiating the National Broadband Plan proceeding, the Commission asked “[w]hat are consumer expectations of privacy when using broadband services or technology and what impact do privacy concerns have on broadband adoption and use?”  The Commission has also solicited responses to questions about online privacy as it relates to cloud computing.  The inquiry highlights the importance of privacy and the public private balance as telecom policies integrate traditional over-the-air cable, satellite and broadband into a single format.
    • Identity – Protection of Autonomy and Personal Dignity  the U.S. and European expectations of privacy have different doctrinal roots which significantly influence informatic data protection  It follows that since the U.S. and Europe have substantially different frameworks for understanding the notions of personal privacy, they have different understanding of the relation of privacy to their respective data policies  Privacy has very long, distinguished protection in Europe “whose history dates well back into the early nineteenth century.  It bears a close and evident connection to concepts of personal honour,” focused on the autonomy of the individual “to keep one’s name and photograph out of the newspapers.”  These values center on image, name, and reputation 01/14/10 13 Jon M. Garon
    • Continental value of privacy  The Council of Europe has identified privacy as co-equal with that of expression and news dissemination.  11. The Assembly reaffirms the importance of every person’s right to privacy, and of the right to freedom of expression, as fundamental to a democratic society. These rights are neither absolute nor in any hierarchical order, since they are of equal value.  12. However, the Assembly points out that the right to privacy afforded by article 8 of the European Convention on Human Rights should not only protect an individual against interference by public authorities, but also against interference by private persons or institutions, including the mass media.  Council of Europe Resolution 1165 of 1998 at 11-12  Very different than approach afforded to expression in U.S. 01/14/10 14 Jon M. Garon
    • U.S. value of privacy  “To the Europeans, indeed, it often seems obvious that Americans do not understand the imperative demands of privacy at all.”  U.S. privacy law of privacy rests on a stool of three imperfectly balanced and unequal legs:  Implied constitutional protections  common law traditions (along with their state statutory adornments) and  federal legislation  Provisions of Constitution implying privacy rights:  First Amendment, guaranteeing the right to free speech, freedom of religion, and the right to association;  Fourth Amendment, protecting against unlawful search and seizure;  Fifth Amendment, guaranteeing freedom from self-incrimination;  Ninth Amendment, addressing general liberties. 01/14/10 15 Jon M. Garon
    • Fourth Amendment Criminal Jurisprudence  The Fourth Amendment jurisprudence provides that a “search occurs when the government violates a subjective expectation of privacy that society recognizes as reasonable” while a “search does not occur … unless the individual manifested a subjective expectation of privacy in the object of the challenged search, and society is willing to recognize that expectation as reasonable.”  This leads to a two-part inquiry of whether there is an actual, subjective expectation of privacy and  “whether the individual’s subjective expectation of privacy is “one that society is prepared to recognize as ‘reasonable.’”  Kyllo v. United States, 533 U.S. 27, 33 (2001) 16
    • U.S. constitutional privacy from technology  Technology cases have held  Phone booths - placing a listening device in a closed telephone booth violated the reasonable expectation of privacy, while information about the telephone numbers called from a personal phone did not  E-mails and user generated content is similarly posted to third party recipients and does not receive constitutional protection  Telecom records and activities require warrants to view  Pen registers - no reasonable expectation of privacy in information – the logs of phone numbers called – because that information was provided freely to the telephone company  Social media and other websites - no reasonable expectation of privacy in information – the logs of phone numbers called – because that information was provided freely to the telephone company 01/14/10 17 Jon M. Garon
    • U.S. Federal statutory privacy laws  Stored Communications Act  Requires a subpoena for an ISP to give subscriber information, a statutorily defined order (the 2703(d) order) for non-content records (a combination of subpoena and notice) for stored records and other documents, while a search warrant will give the government access to everything.  The only affects the ability of the government to compel disclosure of ISP’s customer e-mails and stored content. It does not affect the rights of the ISP or the customer.  Driver’s Privacy Protection Act of 1994, requires assent for resale of motor vehicle driver information by states  Family Educational Rights and Privacy Act protects some student information from disclosure  Viewing, subscribing and reading records protected  Financial services data, credit reporting records, and health care records each protected by separate laws 01/14/10 18 Jon M. Garon
    • From Privacy to Personal Data  Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980  EC directive 95/46, (the EC Privacy Directive)  The key aspects of the EC Privacy Directive protect personal data, very broadly defined.  Establishes quality controls over the data, requiring that reasonable steps are taken to keep the information accurate and current  The retention of the data is for only as long as is necessary and the person identified must give unambiguous consent to the collection and use of the data  Identified individual has the right to know what information is mandatory and what information is voluntary, how to object to the collection and use of the data, and how to correct the data 01/14/10 19 Jon M. Garon
    • Balance with other fundamental rights  As part of the balancing between the public’s right to public information and the control of private data, the Directive provides for member states to accommodate journalism and free expression  “solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.”  The Directive does not apply to public security and defense.  EC Privacy Directive at Art. 1, § 2 (a) “personal data” shall mean any information relating to an identified or identifiable natural person (“data subject”);  an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity 01/14/10 20 Jon M. Garon
    • Update of the Privacy Directive  Directive 2002/58/EC of the European Parliament and of the Council, cleared for adoption  In the years since the initial EC Privacy Directive has been in operation, concerns have grown regarding the theft of private data and the intrusions suffered as a result of unwanted e-mail or spam.  For the first time in the EU, a framework for mandatory notification of personal data breaches. Any communications provider or Internet service provider (ISP) involved in individuals’ personal data being compromised must inform them if the breach is likely to adversely affect them.  Notification will include recommended measures to avoid or reduce the risks. The data breach notification framework builds on the enhanced provisions on security measures to be implemented by operators, and should stem the increasing flood of data breaches. 01/14/10 21 Jon M. Garon
    • U.S. Federal Trade Commission (FTC)  The Federal Trade Commission is the primary enforcement agency in the area of consumer privacy protection in the U.S.  The FTC bases its jurisdiction on the obligation of companies to refrain from operating in an unfair or deceptive manner.  “Under the FTC Act, the Commission guards against unfairness and deception by enforcing companies’ privacy promises about how they collect, use and secure consumers’ personal information.”  Under the statute, a practice is unfair and deceptive if “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”  The FTC has been quite aggressive in finding that the failure to meet a company’s self-imposed privacy and data security policies are just such an unfair and deceptive practice. 01/14/10 22 Jon M. Garon
    • EU/U.S. Safe Harbor  EC Data Privacy Guidelines prohibit transborder data transfers unless the party receiving the data provides contractual protections in place to achieve similar levels of privacy protection  Countries may be barred from receiving EC data  Participating U.S. organizations must certify that they meet guidelines  Organizations must comply with the seven safe harbor principles.  Notice - Organizations must notify individuals about the purposes for which they collect and use information about them.  They must provide information about how individuals can contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information and the choices and means the organization offers for limiting its use and disclosure. 01/14/10 23 Jon M. Garon
    • EU/U.S. Safe Harbor Principles  Choice - Organizations must give individuals the opportunity to choose (opt in or opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual.  For sensitive information, affirmative or explicit (opt in) choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.  Security - Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.  Data integrity - Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current. 01/14/10 24 Jon M. Garon
    • EU/U.S. Safe Harbor Principles  Onward Transfer (Transfers to Third Parties) - To disclose information to a third party, organizations must apply the notice and choice principles.  Where an organization wishes to transfer information to a third party that is acting as an agent(1), it may do so if it makes sure that the third party subscribes to the safe harbor principles or is subject to the Directive or another adequacy finding.  As an alternative, the organization can enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles.  Access - Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated. 01/14/10 25 Jon M. Garon
    • EU/U.S. Safe Harbor Principles  Enforcement - In order to ensure compliance with the safe harbor principles, there must be  (a) readily available and affordable independent recourse mechanisms so that each individual’s complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide;  (b) procedures for verifying that the commitments companies make to adhere to the safe harbor principles have been implemented; and  (c) obligations to remedy problems arising out of a failure to comply with the principles. Sanctions must be sufficiently rigorous to ensure compliance by the organization.  Organizations that fail to provide annual self certification letters will no longer appear in the list of participants and safe harbor benefits will no longer be assured. 01/14/10 26 Jon M. Garon
    • Informatics implications for the infosystem  Resource Description Framework (RDF)  Metadata data model  subject-predicate- object descriptions to make the data independent of its database  RDF Linked Data - Connect Distributed Data across the Web  This model requires that data be coded in some standardized way  Automated coding  All data has potential to be cross-linked in this way  Even better if the software understands the content
    • Deep searching and the semantic web  James Geller, et. al., IEEE Computer Society: “Many organizations generate backend data that is … not indexed by conventional search engines.”  “This hidden, invisible, and nonindexable content is called the Deep Web, and its size is estimated to be tens of thousands of times larger than the surface Web.”  “Software agents (softbots) with rich semantic knowledge and reasoning capabilities automatically roam the Web, find data and services, and combine them to achieve business goals.”  “Goals to improve deep searching are “gaining acceptance of an “open source attitude” in the e-commerce realm to make building Deep Web ontologies easier by accessing currently securely locked data sources; [and] creating libraries of semantic crawlers for the purpose of extracting back-end database information…”  Deep searching can be used to increase cross-referenced of personally identified information and expand behavior tracking for behavioral advertising or other identity searches
    • What else will the deep web find  Public records include arrests, initial charges, convictions, divorces, civil commitments, administrative files, etc.  Add disparate impact (e.g. in MN, African American men arrested at approximately 10X general population)  Many employers (and lenders, landlords, schools, etc.) will not hire those with criminal record, and these historic disparities become integrated into the information economy infrastructure  Deep web search will find blogs, posts, comments, cyber-bullying, etc. that are too difficult to get taken down or sue
    • Tracking user information can move past the net  RFID: These online suggestions do not even get to the next step - adding RFID and other physical world tracking data (yet)  GPS data  Used to manage traffic; develop toll systems  Available for sighting roadside restaurants and stores?  Testing billboard efficacy?  Tracking: To demand advertising fees, companies are looking to make the advertising increasingly relevant to the consumer  This can only be done by tracking the behavior (or “advertising channels, like Travel, Finance, or Luxury cars.” - Webwise.Phorm.com)  Behavioral ads will track, predict, and offer ‘just-in-time’  The ads will relate to everything we do, everywhere we’ve been
    • RFID Enabled iPhone  The device has a reader enabled  The RFID chip provides information on the clip to load  By proximity, the device will respond and play the media  Toys will respond to owners  Ads & coupons will appear on device  Police can issue warnings or even citations if they can trigger the device to read the phone number 01/14/10 31 Jon M. Garon
    • Consumer advertising – tracking clicks  Contextual Advertising – ads that relate to the content on a particular site (e.g. a coupon for luggage on a travel site) draws its relevance to the content available to every viewer  Relevance of advertising is preferable  No consumer information is sought or used New York Times Online  FTC sees no need to regulate  Online Behavioral Advertising – “Online behavioral advertising involves the tracking of consumers’ online activities in order to deliver tailored advertising.” (FTC)  “The practice, which is typically invisible to consumers, allows businesses to align their ads more closely to the inferred interests of their audience.”  Behavioral media brings the content sought by the audience to the audience – even before they know they want it
    • Facebook users care – about ownership  Facebook is a premiere social site for content and personal information sharing (360 million)  The recent flash over Facebook came from copyright modifications to the user agreement (not privacy concerns)  Modifications allowed Facebook to retain rights to use content even after accounts were closed shocked the community  EPIC brings complaint to FTC over policy changes
    • Where we go next  EU studies anticipating issues with RFID and the Internet of Things that can combine the online activities with the behavioral information  In U.S. and many countries, the access of data available to the governments also raises some concerns  Need to balance the privacy interests with the economic opportunities created by those companies who harness this knowledge and media  Are U.S. companies at an advantage because of lower privacy concerns?  When the gTLDs recognize Chinese, Hindi, Arabic and other characters, will the most populace countries have Internets of their own? 01/14/10 34 Jon M. Garon
    • Suggest Principles for future regulation  Regulating the Data rather than its Origin  Data Should Not Be Regulated by Source  Sources of data not a particularly useful tool to understand its potential for individual interference with copyright, IP or privacy  The source of the data may not actually have the appropriate rights anyway  Data Should be Regulated by Usage & Management  Very important to apply increasingly strict rules on how data is used  The greater the focus on safety, security and use, the less relevant source becomes  Sensitive Data may be Afforded Heighted Protection  Collection of highly personal information may offend, implicating rights of autonomy and dignity  Economically sensitive information like account numbers and passwords are more likely to be stolen, so need greater protections 01/14/10 35 Jon M. Garon
    • Establish a digital fiduciary standard  Covered information includes  Personally Identifiable Information and  Copyrighted materials  By combining the two types of information into a single standard, there will be more consistent protection and better public understanding of the relationship  Duties of the bailee  Reasonable Diligence  Enforcement through norms, much higher standard required to win court cases  Establish data quality standards  Balancing data quality with the rights of content creators 01/14/10 36 Jon M. Garon
    • Preventing Misuse from Unauthorized Data Users – Pirates and Thieves  Greatest threats to infosystem  Identity Theft – actionable standard for failure to take steps to stop unauthorized access to information  Copyright and digital rights management protections – commercial attacks on content owners has tremendous economic implications  But individuals downloading for their own interests should be treated separately from commercial thieves  Industrial Espionage, Trade Secrets and other Business Torts  Laws already provide protection against these actions  Laws must be integrated into informatics framework for greater consistency and efficacy 01/14/10 37 Jon M. Garon
    • Balancing Interests of the Individual  Information and copyright abuse  Any individual may both have data, privacy and copyrighted works exploited without permission and exploit the rights of others without permission  Despite the cumulative effect, non-commercial and personal violations must not be criminalized and instead treated separately from the commercial piracy  Three strikes law  Bars from Internet for repeat offenders  French law revised after initial law deemed unconstitutional  U.S. universities provide notice, which may prove almost as effective to change behavior  Beyond illusory informed consent  As provided in EC Privacy Directive, individuals must be given useful information about the purpose for which information is gathered, meaningful opportunities to accept or reject use, and public policy should limit some areas for consent 01/14/10 38 Jon M. Garon
    • Balancing the Interests of the State  Although it is beyond the scope of this presentation, a comprehensive informatics policy must also reach into the governmental police power  What the protections will be afforded to protect privacy  What access will be permitted to law enforcement for national security, general police powers, and regulatory authority  The balance between the rights of the individual and the state are quintessentially set by normative expectations.  The U.S.A. Patriot Act provides stark evidence of the willingness of society to reduce its civil liberties in the wake of real or perceived terror  London’s cameras makes it the most heavily observed city in Europe  Governments are working to integrate their existing databases.  Governments have the potential to integrate surveillance information taken in public places, voluntary disclosures, licensure data, and other records to create highly comprehensive profiles of an individual’s interests, associates and activities 01/14/10 39 Jon M. Garon
    • Balancing the Interests of the Bailee  End User License Agreements (The Law of the ISP)  Often no meaningful choice of ISPs  Often adhesion contracts  Regulation may be needed to assure public interest in agreements that are increasingly like those with common carriers  Protecting Data in the Clouds  Cloud computing puts information in massive server farms rented to companies by Google, Amazon, etc.  Risk of data security issues if one customer exceeds authority to attack or attempt to obtain other customer data  Presently unclear what standards of care are legally enforceable against the hosts 01/14/10 40 Jon M. Garon
    • Balancing the Interests of the Bailee  Issues of data de-identification and behavioral advertising that targets individuals  FTC Guidelines must become federal law, not merely best practices  New laws must reach any storage of content from the use of targeting individuals  New law may be needed to protect PII from deep web searching  Control: Allowing deep web searching should require same notice and opt-in consent as disclosure by site operator  Fiduciary Duties: Content repositories should have fiduciary obligations to assure that private data is protect from third party use in a manner consistent with the site’s own obligations and rules for third party usage 01/14/10 41 Jon M. Garon
    • FTC Behavioral Advertising Principles (Voluntary Guidelines February 12, 2009) 1. Transparency and Consumer Control Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose. 2. Reasonable Security, and Limited Data Retention, for Consumer Data  Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data.  Companies should also retain data only as long as is necessary to fulfill a legitimate business or law enforcement need.
    • FTC Behavioral Advertising Principles (Voluntary Guidelines February 12, 2009) 3. Affirmative Express Consent for Material Changes to Existing Privacy Promises As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes [so] before a company can use previously collected data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. 4. Affirmative Express Consent to (or Prohibition Against) Using Sensitive Data for Behavioral Advertising Companies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive such advertising.
    • New laws need not break new ground  New laws may be modeled after COPPA requirements that website operators obtain verifiable consent regarding information sharing and allow distribution only with express consent. See 16 C.F.R. § 312.4  A European model would be preferable to voluntary guidelines, but it is unlikely to create affirmative fiduciary duties from deep web searching or cross-referencing RFID data – new laws needed in all jurisdictions  Recognize that DRM need not be proprietary and lack of interoperability should be presumptively anti-competitive  All governmental use of PII must meet same opt-in requirements or be accessed only after meeting applicable standards  Phishing for criminals and profiling should be restricted  Honey traps must be narrowly built to avoid entrapment
    • Harnessing the research for good  Data trends will be increasingly important in product design and politics  Essential for affinity relationships and subjectively relevant products  Outline of data tracking policy  Release data to researchers in truly de-identified form.  Review data size to assure no re-identification practical  Combinations of non-personal data may be sufficient to reveal identity  Establish Institutional Review Boards or the equivalent so that good practices are followed  All human subject research affects autonomy and dignity even if done using de-identified data. Most research is beneficial, but the step of review should always be done  Utilize researcher agreements, providing some contractual protections against misuse of the data  Limit the retention of data, particularly data in its identified form
    • Digital information beyond the box  Owner of the database regarding sale of the product protected  The data in the sales information  The information about who purchased  Payment information  Protection of techniques to keep the database safe  No decrypting the data  No selling/trafficking a device that can eliminate the encryption or digital rights management  No selling/trafficking a device that changes how the data can be read (e.g. change it from read-only to copyable)
    • Regulating Data: The Implications of Informatics on International Law International Law Congress 2010 Ankara Bar Association Thank you Jon M. Garon Professor of Law