American Bankruptcy Institute Law Review 17 Am. Bankr. Inst. L. Rev., No. 1, Spring, 2009. Boston College Law Review 50 B.C. L. Rev., No. 3, May, 2009. Boston University Public Interest Law Journal 18 B.U. Pub. Int. L.J., No. 2, Spring, 2009. Cardozo Journal of Conflict Resolution 10 Cardozo J. Conflict Resol., No. 2, Spring, 2009. Cardozo Public Law, Policy, & Ethics Journal 7 Cardozo Pub. L. Pol’y & Ethics J., No. 3, Summer, 2009. Chicago Journal of International Law 10 Chi. J. Int’l L., No. 1, Summer, 2009. Colorado Journal of International Environmental Law and Policy 20 Colo. J. Int’l Envtl. L. & Pol’y, No. 2, Winter, 2009. Columbia Journal of Law & the Arts 32 Colum. J.L. & Arts, No. 3, Spring, 2009. Connecticut Public Interest Law Journal 8 Conn. Pub. Int. L.J., No. 2, Spring-Summer, 2009. Cornell Journal of Law and Public Policy 18 Cornell J.L. & Pub. Pol’y, No. 1, Fall, 2008. Cornell Law Review 94 Cornell L. Rev., No. 5, July, 2009. Creighton Law Review 42 Creighton L. Rev., No. 3, April, 2009. Criminal Law Forum 20 Crim. L. Forum, Nos. 2-3, Pp. 173-394, 2009. Delaware Journal of Corporate Law 34 Del. J. Corp. L., No. 2, Pp. 433-754, 2009. Environmental Law Reporter News & Analysis 39 Envtl. L. Rep. News & Analysis, No. 7, July, 2009. European Journal of International Law 20 Eur. J. Int’l L., No. 2, April, 2009. Family Law Quarterly 43 Fam. L.Q., No. 1, Spring, 2009. Georgetown Journal of International Law 40 Geo. J. Int’l L., No. 3, Spring, 2009. Georgetown Journal of Legal Ethics 22 Geo. J. Legal Ethics, No. 2, Spring, 2009. Golden Gate University Law Review 39 Golden Gate U. L. Rev., No. 2, Winter, 2009. Harvard Environmental Law Review 33 Harv. Envtl. L. Rev., No. 2, Pp. 297-608, 2009. International Review of Law and Economics 29 Int’l Rev. L. & Econ., No. 1, March, 2009. Journal of Environmental Law and Litigation 24 J. Envtl. L. & Litig., No. 1, Pp. 1-201, 2009. Journal of Legislation 34 J. Legis., No. 1, Pp. 1-98, 2008. Journal of Technology Law & Policy 14 J. Tech. L. & Pol’y, No. 1, June, 2009. Labor Lawyer 24 Lab. Law., No. 3, Winter/Spring, 2009. Michigan Journal of International Law 30 Mich. J. Int’l L., No. 3, Spring, 2009. New Criminal Law Review 12 New Crim. L. Rev., No. 2, Spring, 2009. Northern Kentucky Law Review 36 N. Ky. L. Rev., No. 4, Pp. 445-654, 2009. Ohio Northern University Law Review 35 Ohio N.U. L. Rev., No. 2, Pp. 445-886, 2009. Pace Law Review 29 Pace L. Rev., No. 3, Spring, 2009. Quinnipiac Health Law Journal 12 Quinnipiac Health L.J., No. 2, Pp. 209-332, 2008-2009. Real Property, Trust and Estate Law Journal 44 Real Prop. Tr. & Est. L.J., No. 1, Spring, 2009. Rutgers Race and the Law Review 10 Rutgers Race & L. Rev., No. 2, Pp. 441-629, 2009. San Diego Law Review 46 San Diego L. Rev., No. 2, Spring, 2009. Seton Hall Law Review 39 Seton Hall L. Rev., No. 3, Pp. 725-1102, 2009. Southern California Interdisciplinary Law Journal 18 S. Cal. Interdisc. L.J., No. 3, Spring, 2009. Stanford Environmental Law Journal 28 Stan. Envtl. L.J., No. 3, July, 2009. Tulsa Law Review 44 Tulsa L. Rev., No. 2, Winter, 2008. UMKC Law Review 77 UMKC L. Rev., No. 4, Summer, 2009. Washburn Law Journal 48 Washburn L.J., No. 3, Spring, 2009. Washington University Global Studies Law Review 8 Wash. U. Global Stud. L. Rev., No. 3, Pp.451-617, 2009. Washington University Journal of Law & Policy 29 Wash. U. J.L. & Pol’y, Pp. 1-401, 2009. Washington University Law Review 86 Wash. U. L. Rev., No. 6, Pp. 1273-1521, 2009. William Mitchell Law Review 35 Wm. Mitchell L. Rev., No. 4, Pp. 1235-1609, 2009. Yale Journal of International Law 34 Yale J. Int’l L., No. 2, Summer, 2009. Yale Journal on Regulation 26 Yale J. on Reg., No. 2, Summer, 2009.

/pdf/current-index-to-legal-periodicals-8re353ze53.pdf

Current index to legal periodicals

Delete looks at the surprising phenomenon of perfect remembering in the digital age, and reveals why we must reintroduce our capacity to forget. Digital technology empowers us as never before, yet it has unforeseen consequences as well. Potentially humiliating content on Facebook is enshrined in cyberspace for future employers to see. Google remembers everything we've searched for and when. The digital realm remembers what is sometimes better forgotten, and this has profound implications for us all. In Delete, Viktor Mayer-Schnberger traces the important role that forgetting has played throughout human history, from the ability to make sound decisions unencumbered by the past to the possibility of second chances. The written word made it possible for humans to remember across generations and time, yet now digital technology and global networks are overriding our natural ability to forget--the past is ever present, ready to be called up at the click of a mouse. Mayer-Schnberger examines the technology that's facilitating the end of forgetting--digitization, cheap storage and easy retrieval, global access, and increasingly powerful software--and describes the dangers of everlasting digital memory, whether it's outdated information taken out of context or compromising photos the Web won't let us forget. He explains why information privacy rights and other fixes can't help us, and proposes an ingeniously simple solution--expiration dates on information--that may. Delete is an eye-opening book that will help us remember how to forget in the digital age.

Delete: The Virtue of Forgetting in the Digital Age

The Internet-of-Things: Review and research directions

Big Data has gained much attention from the academia and the IT industry. In the digital and computing world, information is generated and collected at a rate that rapidly exceeds the boundary range. Currently, over 2 billion people worldwide are connected to the Internet, and over 5 billion individuals own mobile phones. By 2020, 50 billion devices are expected to be connected to the Internet. At this point, predicted data production will be 44 times greater than that in 2009. As information is transferred and shared at light speed on optic fiber and wireless networks, the volume of data and the speed of market growth increase. However, the fast growth rate of such large data generates numerous challenges, such as the rapid growth of data, transfer speed, diverse data, and security. Nonetheless, Big Data is still in its infancy stage, and the domain has not been reviewed in general. Hence, this study comprehensively surveys and classifies the various attributes of Big Data, including its nature, definitions, rapid growth rate, volume, management, analysis, and security. This study also proposes a data life cycle that uses the technologies and terminologies of Big Data. Future research directions in this field are determined based on opportunities and several open issues in Big Data domination. These research directions facilitate the exploration of the domain and the development of optimal techniques to address Big Data.

/pdf/big-data-survey-technologies-opportunities-and-challenges-2538s9eunj.pdf

Big Data: Survey, Technologies, Opportunities, and Challenges

Security, privacy and trust of different layers in Internet-of-Things (IoTs) framework

“Big data” refers to novel ways in which organizations, including government and businesses, combine diverse digital data sets and then use statistics and other data mining techniques to extract from them both hidden information and surprising correlations. While big data promises significant economic and social benefits, it also raises serious privacy concerns. In particular, big data challenges the Fair Information Practices (FIPs) as embodied in various privacy laws including the EU Data Protection Directive. This past January, the European Commission released a proposal to reform and replace the Directive by adopting a new Regulation. In this paper, I argue that this Regulation relies too heavily on the discredited informed choice model, and therefore fails to fully engage with the coming big data tsunami. My contention is that when this advancing wave arrives, it will so overwhelm the core privacy principles of informed choice and data minimization on which the Directive rests that reform efforts alone will prove inadequate. Rather, an adequate response must combine legal reform with encouragement of new business models premised on consumer empowerment and supported by a personal data ecosystem. This new business model is important for two reasons: first, existing business models have proven time and again that privacy regulation is no match for them. Businesses inevitably collect and use more and more personal data, and while consumers realize many benefits in exchange, there is little doubt that businesses, not consumers, control the market in personal data with their own interests in mind. Second, a new business model, which I describe in this paper, promises to stand processing of personal data on its head by shifting control over both the collection and use of data from firms to individuals. This “control shift” — and this alone — stands a chance of making the FIPs efficacious by giving individuals the capacity to benefit from big data and hence the motivation to learn about and control how their data is collected and used, while also enabling businesses to profit from a new breed of services that are both data-intensive and imbued with privacy values.

Big Data: The End of Privacy or a New Beginning?

‘Big Data’ refers to novel ways in which organizations, including government and businesses, combine diverse digital datasets and then use statistics and other data mining techniques to extract from them both hidden information and surprising correlations. While Big Data promises significant economic and social benefits, it also raises serious privacy concerns. In particular, Big Data challenges the Fair Information Practices (FIPs), which form the basis of all modern privacy law. Probably the most influential privacy law in the world today is the European Union Data Protection Directive 95/46 EC (DPD). 1 In January 2012, the European Commission (EC) released a proposal to reform and replace the DPD by adopting a new Regulation. 2 In what follows, I argue that this Regulation, in seeking to remedy some longstanding deficiencies with the DPD as well as more recent issues associated with targeting, profiling, and consumer mistrust, relies too heavily on the discredited informed choice model, and therefore fails to fully engage with the impending Big Data tsunami. My contention is that when this advancing wave arrives, it will so overwhelm the core privacy principles of informed choice and data minimization on which the DPD rests that reform efforts will not be enough. Rather, an adequate response must combine legal reform with the encouragement of new business models premised on consumer empowerment and supported by a personal data ecosystem. This new business model is important for two reasons: First, existing business models have proven time and again that privacy regulation is no match for them. Businesses inevitably collect and use more and more personal data, and while consumers realize many benefits in exchange, there is little doubt that businesses, not consumers, control the market in personal data with their own interests in mind. Second, a new business model, which I describe below, promises to stand processing of personal data on its head by shifting control over both the collection and use of data from firms to individuals. This new business model arguably stands a chance of making the FIPs efficacious by giving individuals the capacity to benefit from Big Data and hence the motivation to learn about and control how their data are collected and used. It could also enable businesses to profit from a new breed of services

Regulators here and abroad have embraced “privacy by design” as a critical element of their ongoing revision of current privacy laws. The underlying idea is to “build in” privacy (in the form of Fair Information Practices or FIPs) when creating software products and services. But FIPs are not self-executing. Rather, privacy by design requires the translation of FIPs into engineering and usability principles and practices. The best way to ensure that software includes the broad goals of privacy as described in the FIPs and any related corporate privacy guidelines is by including it in the definition of software “requirements.” And a main component of making a specification or requirement for software design is to make it concrete, specific and preferably associated with a metric. Equally important is developing software interfaces and other visual elements that are focused around end-user goals, needs, wants and constraints. The Article offers the first comprehensive analysis of engineering and usability principles specifically relevant to privacy. Based on the relevant technical literature, it derives a small number of relevant principles and illustrates them by reference to ten recent privacy incidents involving Google and Facebook. The Article concludes that all ten privacy incidents might have been avoided by the application of these privacy engineering and usability principles. Further, we suggest that the main challenge to effective privacy by design is not the lack of design guidelines. Rather, it is that business concerns often compete with and overshadow privacy concerns. Hence the solution lies in providing firms with much clearer guidance about applicable design principles and how best to incorporate them into their software development processes. Greater guidance is also needed for how to balance privacy with business interests, and there must be oversight mechanisms as well.

https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID2399105_code419245.pdf?abstractid=2128146&mirid=1&type=2

Privacy by Design: A Counterfactual Analysis of Google and Facebook Privacy Incidents

Privacy regulators are embracing privacy by design as never before. This is the idea that “building in” privacy throughout the design and development of products and services achieves better results than “bolting it on” as an afterthought. In the US, a very recent FTC Staff Report makes privacy by design one of three main components of a new privacy framework. According to the FTC, firms should adopt privacy by design by incorporating substantive protections into their development practices and implementing comprehensive data management procedures; the latter may also require a privacy impact assessment (PIA) where appropriate. In contrast, European privacy officials view privacy by design as also requiring the broad adoption of Privacy Enhancing Technologies (PETs), especially PETs that shield or reduce identification or minimize the collection of personal data. Despite the enthusiasm of privacy regulators, privacy by design and PETs have yet to achieve widespread acceptance in the marketplace. One reason is that Internet firms derive much of their profit from the collection and use of personal data and may be unwilling to build in privacy if it disrupts profitable activities or new business ventures. Nor does the available evidence support the view that privacy by design pays for itself (except perhaps for a small group of firms who must protect privacy to maintain highly valued brands and avoid reputational damage). At the same time, the regulatory implications of privacy by design remain murky at best, not only for adopters but also for free riders. This Article seeks to clarify the meaning of privacy by design and thereby suggest how privacy regulators might develop appropriate incentives to offset the certain economic costs and uncertain privacy benefits of this new approach. It begins by developing a taxonomy of PETs, classifying them as substitutes or complements depending on how they interact with data protection or privacy laws. Substitute PETs aim for zero-disclosure of PII, whereas complementary PETs enable greater user control over personal data through enhanced user controls. Next, it explores the meanings of privacy by design in the specific context of the FTC’s emerging concept of “comprehensive information privacy programs.” It also examines the activities of a few industry leaders, who rely on engineering approaches and related tools to implement privacy principles throughout the product development and the data management lifecycles. Building on this analysis and using targeted advertising as its primary illustration, the Article then suggests how regulators might achieve better success in promoting the adoption of privacy by design by 1) identifying best practices in privacy design and development, including prohibited practices, required practices, and recommended practices; and 2) situating best practices within an innovative regulatory framework that a) promotes experimentation with new technologies and engineering practices; b) encourages regulatory agreements through stakeholder representation, face-to-face negotiations, and consensus-based decision making; and c) supports flexible, incentive driven safe harbor mechanisms as defined by (newly enacted) privacy legislation.

Regulating Privacy by Design

In the past several election cycles, presidential campaigns and other well-funded races for major political offices have become data-driven operations. Presidential campaign organizations and the two main parties (and their data consultants) assemble and maintain extraordinarily detailed political dossiers on every American voter. These databases contain hundreds of millions of individual records, each of which has hundreds to thousands of data points. Because this data is computerized, candidates benefit from cheap and nearly unlimited storage, very fast processing, and the ability to engage in data mining of interesting voter patterns. The hallmark of data-driven political campaigns is voter microtargeting, which political actors rely on to achieve better results in registering, mobilizing and persuading voters and getting out the vote on or before Election Day. Voter microtargeting is the targeting of voters in a highly individualized manner based on statistical correlations between their observable patterns of offline and online behavior and the likelihood of their supporting a candidate and casting a ballot for him or her. In other words, modern political campaigns rely on the analysis of large data sets in search of useful and unanticipated insights, an activity that is often summed up with the phrase “big data.” Despite the importance of big data in U.S. elections, the privacy implications of data-driven campaigning have not been thoroughly explored much less regulated. Indeed, political dossiers may be the largest unregulated assemblage of personal data in contemporary American life. This Article seeks to remedy this oversight. It proceeds in three parts. Part I offers the first comprehensive analysis of the main sources of voter data and the absence of legal protection for this data and related data processing activities. Part II considers the privacy interests of individuals in both their consumer and Internet-based activities and their participation in the political process, organizing the analysis under the broad rubrics of information privacy and political privacy. That is, it asks two interrelated questions: first, whether the relentless profiling and microtargeting of American voters invades their privacy (and if so what harm it causes) and, second, to what extent do these activities undermine the integrity of the election system. It also examines three reasons why political actors minimize privacy concerns: a penchant for secrecy that clashes with the core precept of transparent data practices; a tendency to rationalize away the problem by treating all voter data as if it were voluntarily provided or safely de-identified (and hence outside the scope of privacy law) while (falsely) claiming to follow the highest commercial privacy standards; and, a mistaken embrace of commercial tracking and monitoring techniques as if their use has no impact on the democratic process. Part III presents a moderate proposal for addressing the harms identified in Part II consisting in (1) a mandatory disclosure and disclaimer regime requiring political actors to be more transparent about their campaign data practices; and (2) new federal privacy restrictions on commercial data brokers and a complementary “Do Not Track” mechanism enabling individuals (who also happen to be voters) to decide whether and to what extent commercial firms may track or target their online activity. The article concludes by asking whether even this moderate proposal runs afoul of political speech rights guaranteed by the First Amendment. It makes two arguments. First, the Supreme Court is likely to uphold mandatory privacy disclosures and disclaimers based on doctrines developed and re-affirmed in the leading campaign finance cases, which embrace transparency over other forms of regulation. Second, the Court will continue viewing commercial privacy regulations as constitutional under longstanding First Amendment doctrines, despite any incidental burdens they may impose on political actors, and notwithstanding its recent decision in Sorrell v. IMS Health, which is readily distinguishable.

https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID3099797_code88200.pdf?abstractid=2447956&mirid=1

Ira Rubinstein

Papers

Big Data: The End of Privacy or a New Beginning?

Big Data: The End of Privacy or a New Beginning?

Privacy by Design: A Counterfactual Analysis of Google and Facebook Privacy Incidents

Regulating Privacy by Design

Voter Privacy in the Age of Big Data