Rina Steenkamp - Privacy and technology
[Privacy self-management and the consent dilemma | Towards a positive theory of privacy law | The EU-U.S. privacy collision - a turn to institutions and procedures | A sober look at national security access to data in the cloud | Distributed denial of service actions and the challenge of civil disobedience on the internet | Law in the boardroom | Who has your back? - Which companies help protect your data from the government? | The economic importance of getting data protection right - protecting privacy, transmitting data, moving commerce | Implications of the European Commission's proposal for a general data protection regulation for business | Using malware analysis to evaluate botnet resilience | Digital surveillance - Why the Snooper's Charter is the wrong approach - A call for targeted and accountable investigatory powers | Insider threat control - Understanding Data Loss Prevention (DLP) and detection by correlating events from multiple sources | Public cloud service agreements - What to expect and what to negotiate | Lets cut through the Bitcoin hype - A hacker-entrepreneur's take | How Google lost the trust of Europe's data protection authorities]
A paper by Daniel J. Solove.
Abstract:
"The current regulatory approach for protecting privacy involves what I refer to as 'privacy self-management' - the law provides people with a set of rights to enable them to decide how to weigh the costs and benefits of the collection, use, or disclosure of their information. People's consent legitimizes nearly any form of collection, use, and disclosure of personal data. Although privacy self-management is certainly a necessary component of any regulatory regime, I contend in this Article that it is being asked to do work beyond its capabilities. Privacy self-management does not provide meaningful control. Empirical and social science research has undermined key assumptions about how people make decisions regarding their data, assumptions that underpin and legitimize the privacy self-management model. Moreover, people cannot appropriately self-manage their privacy due to a series of structural problems. There are too many entities collecting and using personal data to make it feasible for people to manage their privacy separately with each entity. Moreover, many privacy harms are the result of an aggregation of pieces of data over a period of time by different entities. It is virtually impossible for people to weigh the costs and benefits of revealing information or permitting its use or transfer without an understanding of the potential downstream uses, further limiting the effectiveness of the privacy self-management framework. In addition, privacy self-management addresses privacy in a series of isolated transactions guided by particular individuals. Privacy costs and benefits, however, are more appropriately assessed cumulatively and holistically - not merely at the individual level. In order to advance, privacy law and policy must confront a complex and confounding dilemma with consent. Consent to collection, use, and disclosure of personal data is often not meaningful, and the most apparent solution - paternalistic measures - even more directly denies people the freedom to make consensual choices about their data. In this Article, I propose several ways privacy law can grapple with the consent dilemma and move beyond relying too heavily on privacy self-management."
Full text (SSRN):
See also:
An article by Lior Jacob Strahilevitz.
From the article:
"Privacy protections create winners and losers. So does the absence of privacy protections. The distributive implications of governmental decisions regarding privacy are often very significant, but they can be subtle too. Policy and academic debates over privacy rules tend not to emphasize the distributive dimensions of those rules, and many privacy advocates mistakenly believe that all consumers and voters win when privacy is enhanced. At the same time, privacy skeptics who do discuss privacy in distributive terms sometimes score cheap rhetorical points by suggesting that only those with shameful secrets to hide benefit from privacy protections. Neither approach is appealing, and privacy scholars ought to do better. This Article reveals some of the subtleties of privacy regulation, with a particular focus on the distributive consequences of privacy rules. The Article suggests that understanding the identities of privacy law's real winners and losers is indispensable both to clarifying existing debates in the scholarship and to helping predict which interests will prevail in the institutions that formulate privacy rules."
Full text (PDF linked from this page):
See also:
An article by Paul M. Schwartz.
From 'I. Introduction':
"Internet scholarship in the United States generally concentrates on how decisions made in this country about copyright law, network neutrality, and other policy areas shape cyberspace. In one important aspect of the evolving Internet, however, a comparative focus is indispensable. Legal forces outside the United States have significantly shaped the governance of information privacy, a highly important aspect of cyberspace, and one involving central issues of civil liberties. The EU has played a major role in international decisions involving information privacy, a role that has been bolstered by the authority of EU member states to block data transfers to third party nations, including the United States."
Full text (PDF linked from this page):
See also:
A white paper by Winston Maxwell and Christopher Wolf.
From the Introduction:
"Ultimately, governments need some degree of access to data stored in the Cloud to conduct investigations relating to national security and terrorism. But privacy and confidentiality also are important concerns. This White Paper does not enter into the ongoing debate about the appropriate balance between the protection of privacy and government access to data for law enforcement and national security purposes. Rather, it undertakes to dispel some of the common, unfounded criticisms of [Section 702 of the Foreign Intelligence Surveillance Act ('FISA'), enacted under the FISA Amendments Act of 2008 ('FAA') and codified at 50 U.S.C. § 1881a ('Section 1881a')], and to compare the nature and extent of governmental access to data in the Cloud for terrorism and counterintelligence purposes in many jurisdictions around the world."
Full text (PDF linked from this page):
A thesis by Molly Sauter.
From the Abstract:
"This thesis examines the history, development, theory, and practice of distributed denialof service actions as a tactic of political activism. DDOS actions have been used ino nline political activism since the early 1990s, though the tactic has recently attracted significant public attention with the actions of Anonymous and Operation Payback inDecember 2010. Guiding this work is the overarching question of how civildisobedience and disruptive activism can be practiced in the current online space."
Full text (SCRIBD):
See also:
An article by Kimberly S. Crowe.
From 'Broad themes':
"It's hardly surprising, then, that data security (in a virtual tie with succession planning) is one of the top issues that keeps directors from resting at night, and that feeling was seconded by general counsel who also chose it as a chief area of concern, just after regulatory compliance. Accordingly, cyber risk was cited by both directors and general counsel as an issue on which the board will be spending considerable time this year, although it's interesting that GCs don't seem to think directors will be spending as much time on this topic as the legal department itself will."
Full text (PDF):
See also:
A report by EFF.
From the Executive Summary:
"When you use the Internet, you entrust your conversations, thoughts, experiences, locations, photos, and more to companies like Google, AT&T and Facebook. But what do these companies do when the government demands your private information? Do they stand with you? Do they let you know what's going on? In this annual report, the Electronic Frontier Foundation examined the policies of major Internet companies - including ISPs, email providers, cloud storage providers, location-based services, blogging platforms, and social networking sites - to assess whether they publicly commit to standing with users when the government seeks access to user data. The purpose of this report is to incentivize companies to be transparent about how data flows to the government and encourage them to take a stand for user privacy whenever it is possible to do so."
Full text:
See also:
A trade impact assessment of the General Data Privacy Regulation for the U.S. Chamber of Commerce, by the Europen Centre for International Political Economy (ECIPE).
From the Executive Summary:
"This study assesses the potential external trade impact of the EU's proposed General Data Privacy Regulation (GDPR), using the well-established GTAP 8 model to estimate the potential trade effects on GDP, general welfare, services sector output and trade. The assessment of the impact is associated with many uncertain assumptions due to ambiguity and unclear propositions in the proposed regulation itself, especially the controversial proposal of 'right to be forgotten'.
The results from the modeling show that EU GDP shrinks as the degree of trade disruptions increase. The magnitude of the effects varies in accordance with the disruptions and could under some modest assumptions eradicate the estimated economic recovery for 2014, or all the estimated growth contribution from the proposed EU-U.S. Free Trade Agreement. This result holds even if GDPR comes into force in its most conservative form."
Full text (PDF linked from this page):
See also:
A report for the Information Commissioner's Office by London Economics.
From 'Box 1 - Key findings':
"A lack of understanding about the provisions in the EC's proposed general data protection Regulation persists across business. Uncertainty is pervasive across the provisions of the proposed regulation, and affects more abstract and unsettled aspects, such as the obligations of data controllers under the so-called right to be forgotten, as well as seemingly straightforward changes such as those regarding administrative fines and the appointment of Data Protection Officers.
The majority of businesses are unable to quantify their current spending in relation to data protection responsibilities under existing law - and this persists in relation to estimates for expected future spending under the new proposals. This uncertainty indicates that existing evidence on the financial impact of the regulation is difficult to corroborate. Further research is required to clarify some important issues, such as the role of privacy and data protection in determining the level and intensity of consumer participation in online markets."
Full text (PDF):
See also:
Thesis by Christian Rossow.
From '7.1 Conclusions':
"Summarizing, we have analyzed resilience techniques that botmasters use to successfully operate their botnets for many years. As we have shown, botnets rarely show single point of failures. Even if C&C server takedowns cause a botnet to disrupt temporarily, eventually the botmaster will use its remaining infrastructures to reactivate the network, buying new malware installs if necessary. Consequently, operations to successfully disrupt botnets must mitigate all communication means simultaneously."
Full text (PDF):
See also:
A report by the Open Rights Group.
From 'This report' in the Introduction chapter:
"This report demonstrates that surveillance policy makers have options, many of which are a lot less intrusive than the powers proposed by the [Communications Data Bill (CDB)], and that civil society is open to meaningful engagement about surveillance laws in the digital age. It is written for a general audience by leading experts, academics and representatives of a number of civil society groups. The articles in this publication serve as an example of the sort of conversations that would be possible through a proper public debate about what information should be collected and who should have access to it."
Full text (PDF linked from this page):
See also:
A paper by George J. Silowash and Christopher King.
From the Abstract:
"Removable media, such as universal serial bus (USB) flash drives, present unique problems to the enterprise since insiders can use such media to remove proprietary information from company systems. Insiders may do this for legitimate reasons, such as to work on material at home, or they may do so for malicious reasons, such as to steal intellectual property. Organizations must establish and implement effective methods and processes to prevent unauthorized use of removable media while still allowing users with a genuine business need to access and remove such media. In addition, organizations should establish sound methods to track critical electronic assets so that they may better protect them."
Full text (PDF linked from this page):
See also:
A white paper by the Cloud Standards Customer Council.
From the Executive Summary:
"This paper provides cloud consumers with a pragmatic approach to understand and evaluate public cloud service agreements. The recommendations in this paper are based on a thorough assessment of publicly available agreements from several leading public cloud providers. [...] In general, we have found that the current terms proposed by public cloud providers fall short of the commitment that many businesses will require. Of course, these providers have reputations to establish or maintain, therefore they will likely employ all reasonable efforts to correct problems, restore performance, protect security, and so on. But neither the specifics of the measures they will take, nor the remedies they offer if they fall short, are currently expressed well enough in their formal agreements in most cases. Furthermore, the language about service levels is often distributed among several documents that do not follow a common industry-wide terminology. We hope that one impact of this paper will be to improve this state of affairs."
Full text (PDF):
See also:
An article by Dan Kaminsky.
From the article:
"Bitcoin. Everybody's talking about it. What's true, and what's hype? Perhaps the only thing that's clear about Bitcoin is that it's not going away anytime soon. Who am I to say? I'm not an economist; I'm a hacker, who has spent his career exploring and repairing large networks. And networks may very well be how the world works — financial, social, electronic, even physical. I'm on neither 'Team Bitcoin' nor 'Team Global Financial System.' I'm on 'Team Lets Fix This Thing.'"
Full text:
A blog post on HawkTalk.
From the blog post:
"Over the last two years, various European Data Protection Commissioners have taken action against Google. Hardly a month goes by without something being reported: a EUR 145,000 StreetView fine here or a court case about jurisdiction there. So it is important to understand: 'why is Google on the receiving end all this enforcement action?'. Why now, and not five years ago? What has changed?"
Full text: