American University Law Review 2021 Symposium ‘Privacy in the Age of Emergency,’ Day 1
good evening everyone my name is kieran giuvangi and i am the senior symposium editor for the american university law review i want to welcome you all to our annual symposium privacy and the age of emergency each year the law review dedicates its annual symposium to exploring a burgeoning area of the law few events in recent history have disrupted the standard of living more so than covid19 almost every sector of the law continues to face novel legal issues in this new normal today and tomorrow as we explore these questions we hope to shed some light on how the pandemic has transformed privacy law before we begin i would like to take a moment to thank the office of special events in continuing legal education and their fantastic audio visual team a virtual symposium would not be possible without all of their hard work i would also like to thank the law review staff and our editorial board for their support and assistance and in particular i would like to thank our senior projects editor maria stratienko without maria there would not have been a symposium and i am eternally grateful for her partnership now usually this event would be hosted in person at the law school however in order to protect the health and safety of all our participants and attendees our symposium looks a little different this year to help avoid some of that zoom fatigue we've all become so familiar with the symposium will take place over the course of two days tonight we will host our first two panels on surveillance and privacy in a pandemic and after a short break contact tracing and other innovative technological responses tomorrow morning our symposium will resume to discuss the ongoing evolution of healthcare privacy and finally conclude with lessons learned and the future of digital privacy in the united states i hope you all are able to join us for both days to formally open our symposium i would like to introduce wcl's acting dean dean dean dennerstein is acting dean professor of law and director of the disability rights clinic at american university washington college of law he's taught here since 1983. he specializes in the fields of clinical education and disability law the americans with disabilities act the un convention on the rights of persons with disabilities legal representation of clients with mental disabilities and disability and international human rights dean gunnerstein thank you so much thank you karen and good evening everybody uh to i want to uh welcome you on behalf of the law school to all the guests uh students alumni and faculty of the washington college of law uh it's my pleasure to welcome you to the 2021 a.u law review symposium privacy in the age of emergency first i want to recognize the entire law review team for their hard work and commitment to their annual symposium in response to the unique challenges of covet 19 pandemic as you know and as kieran just told you we are doing this symposium in a different kind of way we should be thankful to the organizers that they recognize the phenomenon of zoom fatigue and are taking that into account so i think you will find that the splitting it up over two days um will allow you to be attentive to the entire uh symposium we hope you do attend that if you can uh the american university law of your aulr as we call it is the oldest and largest student publication at the american university washington college of law as a as wco's flagship law review it's ranked among the top 50 law journals in the nation it's the highest rank and most cited journal here at the law school the law review devotes its fifth issue every year to a symposium in this case the current one and several of the panelist papers will be published as part of that fifth issue the uh disadvantages of doing this in uh virtually uh perhaps a parent but there are some advantages and one of the advantages is we're able to uh attract uh and not have to worry about uh you know travel and other kinds of potential problems um by being able to bring in panelists of such a distinguished group of people who will be here with us over the next two days um we had somebody give a lecture earlier in the week the law school on monday when we had a bit of a snow event for those not in washington any time there's at least two inches that's that's a major achievement here um and i was thinking that normally we probably would have had to reschedule or do something odd in order to deal with whether we didn't have to because the person had not gone anywhere as as kieran said i think the issue of uh privacy is has been of course a critical issue in our society for so long and uh you know with the rise in social media and all the other events all the other uh aspects of society the privacy concerns have been with us but covet 19 has raised them to a particularly high level and so this this symposium could not be more timely um and as you heard terms of the titles of the various panels you know we will be covering uh or the larvae will be covering a number of very important issues in the course of the next two days i should say that in looking over the panelists i'm very impressed with the group that's been assembled some of whom i know particularly on the panel tomorrow in healthcare because of the overlap with disability work that i do uh people like leslie francis who i've known for many years it's great to see them participating in this um i want to add finally that um my own involvement with the larvae i've not been a a member of law reviews advisory faculty advisory committee we have many colleagues who do serve in that capacity but i have been um honored to serve as a faculty advisor for various students who've done their law review notes or comments for the law review uh including two of your current uh officers fernando montoya and cassie g uh and and it's great to be able to work with them and it has happened having nothing to do with me only with the students that a number of the students with whom i've worked over the years um several have been editors-in-chief and several of them more than a few have had their uh articles published as well which we know is is particularly important to the students so um i always feel the connection with the law of you on the on that basis the the work of the editors is great it works in parallel to the to the uh advice that that i give the students and some other students come out of that uh unscathed so uh uh once again uh we're grateful that you're here with us we know you're going to be excited about the material that the panelists are going to present and with that i would like to turn it back over to karen thank you very much thank you so much dean dennerstein we really appreciate you being here um now it is my pleasure to introduce our first panel surveillance and privacy in a pandemic um i'd like to introduce our panelists uh mr allen butler butler is the interim executive director and general counsel at the electronic privacy information center also known as epic here in washington d.c
mr butler joined epic in 2011 and has long managed epic litigation including the amicus program and files briefs in emerging privacy and civil liberty cases before the u.s supreme court and other appellate courts mr butler has authored briefs on behalf of epic and significant privacy cases including an amicus brief in riley versus california that was cited in the supreme court's unanimous opinion upholding fourth amendment protections for cell phones mr buckler is also the chair of the privacy and information protection committee of the aba section of civil on civil rights and social justice i would also like to introduce professor tiffany lee professor lee is a technology attorney and legal scholar she's an expert on privacy artificial intelligence and technology platform governance professor lee's writing has appeared in popular publications including the washington post the atlantic nbc news and slate and she is regularly featured as an expert commentator in national and global news outlets across television radio and podcasts and print and digital publications finally i would like to introduce professor ari ezra waldman who joined northeastern university's faculty into 2020 as a professor of law and computer science with joint appointments at the school of law and curry college of computer sciences he directs the uh school of law center for law innovation and creativity professor waldman studies uh asymmetry asymmetrical power relations created and entrenched by law and technology with particular focus on privacy online harassment free speech and lgbtq community uh finally i would like to introduce our moderator professor andrew ferguson who is a professor right here at the washington college of law who studies new technology and privacy professor ferguson panelist thank you so much for joining us and i look forward to your conversation thank you so much i want to first say what you know needs to be said which is that the law students at the law school have just done an amazing job bringing people together in difficult times uh the challenges of the pandemic are difficult for everyone uh but you know they they challenge uh students and the students have risen to the occasion i'm just so proud of the group of people we have three rock stars here to begin this uh panel national experts on these difficult issues and we have a real challenge right privacy and surveillance are two of the cutting edge issues i have to say when we started thinking about originally this uh sort of idea of uh surveillance and in the uh the age of emergency i was kind of hoping it would all be over by now but it's not and i think that what we're gonna talk about today and what we're going to think about is how many of the impacts of this age this moment in time are going to be with us for a long time so i'm going to turn it over to our illustrious panel uh to uh ask and talk about some of the ways you are thinking about uh these issues right how in your recent research and sort of the work you're doing and the essays you're gonna to are working on either for the symposium or for other work how you've been evaluating engaging thinking about these challenges of surveillance during the covet age i'm going to start with alan to talk about his work then go to tiffany and then we can go to ari and i really look forward to and just want to thank you for being here today with all of us to talk about what has to be you know some of the most critical uh puzzles of law and technology uh and life uh of this age so thank you for being here and i'm gonna turn it over to allen to begin thank you professor ferguson and thank you to kieran and all the students on the law review for inviting me and hosting me and putting on this amazing event i'm really happy to be here uh with with colleagues and friends uh this is gonna be a really great panel and i look forward to joining the conversation uh i can kind of start off with some thoughts i have about ways in which data collection and surveillance have expanded uh during and in many cases as a direct or indirect result of the pandemic and and what i'm seeing and you know our research and and the writing i've been doing in part for the symposium thinking what we're doing about these issues going forward uh as you noted into the future you know what are the effects not only what's happened in the past 12 months but what we will see happening in in the rest of this year and the years to come um when i think about the you know surveillance and data collection as i said that have happened as a result of the pandemic i'm focused not primarily on law enforcement surveillance specifically but on data collection and surveillance more broadly uh throughout a number of different contexts i think really for me it falls into two uh main categories one is data collection that's been initiated as a result direct result or rather in response to the pandemic right which is the increased collection and monitoring of health information and other health related information in response to and in some cases in many cases in order to mitigate the pandemic so we've certainly seen an expansion of that type of surveillance and data collection but also in the second category we've seen as a result of the pandemic obviously there have been public health orders in effect now for almost a year that have severely restricted travel severely restricted day-to-day physical interactions and severely restricted the ability of you know individuals and groups to gather to work to go to school to get you know government services to get other to shop to do other basic necessities of daily life and as a result of that there have been system data collection and surveillance systems deployed or expanded uh that directly apply to those different sectors all of which as i said are kind of necessary functions of daily life and so they're not easily avoidable so the what i'll just kind of the way i think i'll go through it is to think about some interesting and i think significant examples in these two categories and then talk a bit about how i think this issue needs to be approached and addressed going forward in the category of health directly pandemic responsive surveillance i know that there's you know going to be a discussion about this on other panels so i won't go into it in a lot of detail but i'll just note that you know here we see a lot of different systems that had to be rolled out and deployed in rapid speed and without the sort of long uh kind of thought through development process that would usually attach to rolling out for example you know systems where a university decides that it's going to encourage all students to start having wearable health tracking devices right which happened there were at least such proposals at a number of universities in the fall or or circumstances where you know a statewide or even nationwide uh you know app for contact tracing which they're going to be talking about on the next panel uh is rolled out in kind of rapid fashion and i think what's uh important to consider about you know these and other examples i guess the third one i'll mention is you know the the kind of quick development of these public-private partnerships uh for either you know symptom monitoring or locating uh testing facilities or vaccine information is that you know there's a lot of necessarily data collected in these interactions and not just not the time necessarily put in or the regulatory structure backing up uh limitations on what's collected how it's used how long it's retained etc but again i recognize that there's going to be a take a deeper discussion about health and health related data so i won't spend too much time on that but shifting over to kind of the second category which i think is equally interesting there are many systems that either now exist or are now broadly uh kind of deployed that prior to the pandemic and the stay stay-at-home orders really weren't routinely used by very many people one sub-category that is you know the platform we're on right now obviously many entities schools businesses used zoom before the pandemic but but i don't think in any way shape or form in the way that they do now uh and while this platform is one that you know is is intentionally used right people log in they join a session usually uh not by accident there are nevertheless concerns about uh security of the platform about uh the unauthorized activation of microphones or cameras about zoom bombing uh and also the the inherent dynamic of forcing people to use a specific uh platform or forcing people to uh be you know exist in a situation where they're on camera in a space that isn't their school of work i think as an inherent creates an inherent kind of privacy and surveillance uh dynamic that that did not exist before but there are also a number of systems in particular in the workplace and in schools that have been deployed that that involve a more direct type of surveillance and data collection about individuals and their behaviors that include the monitoring of workers who are engaged you know in remote work situations which did exist these systems before the pandemic but but were not deployed uh to nearly the the level that they are now because of again the stay-at-home orders and uh there's been a lot of concern about where the lines are drawn what types of data these systems can access these systems are quite intrusive into the in the workplace situation including monitoring keystrokes screen screenshotting employees computer screens monitoring websites and also assigning workers productivity scores based on the day-to-day actions that they engage in during hopefully during work hours another question about limitations um so there's there's a lot that incorporates a lot of uh new data collection and surveillance architecture uh that that again wasn't so expensively deployed before the pandemic similarly students have had to go through a transition and in particular a transition that we've been looking into towards remote test taking that has resulted in the much broader use of remote proctoring services that have come under uh scrutiny including by my organization epic in in recent months and that is in part because one these systems by a number of different vendors uh are very sort of intrusive from a you know kind of computer security perspective they require you to install software that can control your computer your webcam etc and also force or sort of enforce a remote proctoring setup where the students are you know monitored by video as they take the exam by someone who is remote that they don't know is typically not someone at their school and they may not actually know where that person is and also involves the use of ai based and other algorithmic based determination systems to flag potential cheating that that rely on a number of factors and of unclear provenance at times and that raise significant questions about uh how how effective and also whether there's any disparate impact of those systems uh so the systems may rely on face detection or other facial recognition techniques that have been shown in many cases to be biased based on skin color and other factors they may rely on audio techniques or keystroke kind of quasi-biometric techniques that that haven't been fully vetted and in addition to the lack of uh kind of proof positive that these systems are fair and uh adequately uh for give don't improperly flag students for behavior that they didn't conduct there is also uh you know concern about the student's ability to know the basis of any flag or decision made about them and to access information about uh what that system how that system is evaluating them so it creates kind of an opacity on top of the layer of uh data collection and surveillance that that further kind of reduces the student's own autonomy and control over their test taking system and imposes an additional layer i think of anxiety on top of what is already in an anxiety-inducing situation of taking an exam so certainly there for workers and students in particular there's been a very significant increase in the amount of direct surveillance and data collected about them just going through their day-to-day functions and i think for for the rest of us and for all of us in the other aspects of our lives there's been a shift to digital of a number of activities that would typically be physical that has resulted in greater you know surveillance and data collection of the nitty-gritty pieces of our live everything from grocery shopping to you know obtaining uh government benefits uh to you know having a document notarized a lot of these things now happen online and create a paper trail and create a record that that wouldn't have existed in that format in that way before um and then also i think services that were already online and that were you know maybe infrequently used are now much more frequently used which can have the effect of further kind of entrenching the data monopolies that that were already uh building and growing in prominence uh you know long before we hit the pandemic so services like amazon google facebook continue to sort of entrench their power over the data that they collect as more and more people are social activities and other day-to-day routines shift online and fall under their umbrellas so you know that just sort of as a quick snapshot of how i see uh data collection and surveillance expand having expanded as a result of the pandemic and i think the question that that raises for me is what happens as we start to transition into you know this new phase where we're moving back into uh a more normal situation and hopefully you know getting to there and getting to normal sooner rather than later what change what changes of what stays the same i think that uh there's certainly a sense that the remote work uh and likely in some circumstances at least promotes remote school or things that are not just going to disappear or go away and i imagine that a lot of the systems that have been deployed in the last year will will you know those existing contracts and relationships with the with the schools and work and employers will probably you know be an instinct to continue that and i think that what's most significant from a oversight and accountability perspective is uh the fact that we entered this period right on the cusp of a nationwide effort to establish rules of the road for all of these services we we're entered this pandemic unfortunately without a real federal regulatory structure for privacy in the u.s and that means that as all these systems were rolled out or were you know for kind of foisted upon different communities during this period they were that that happened without any real baseline protection uh rules of the road outside of certain state laws and international frameworks we don't have federal baseline privacy legislation here in the u.s and i hope
that we will take this opportunity of reflecting on the surveillance and data collection and expansion that's happened during the pandemic as a launching off point to really push for and establish a federal standard and real rules of the road and meaningful enforcement thank you very much for that uh wonderful overview i think our students many of whom are watching now have a very real sense of the digital surveillance that exists even the platform the law school uses uh you know captures the amount of time that you've been watching the brilliant videos that i prepared for our class uh and it even gives you a little like three stars out of i don't know why they're zero to three stars of how engaged you've been in uh apparently just being connected to uh this digital platform so i think that there's a real sense of what surveillance is doing and what where privacy is going that uh strikes pretty deep i want to turn over to tiffany lee um if you are watching this event you care something about privacy and something about the pandemic and if you do you should go read her article her forthcoming article called privacy in pandemic because it is a completely comprehensive completely thoughtful brilliant uh expose of everything you need to know i learned everything i need to know about this panel from that one paper so go download it on ssrn it's called privacy and pandemic law technology and public health and the covet 19 crisis and it is the work on this uh issue and uh i will now uh turn it over to you to talk about other work or that work as well uh thank you for that very generous introduction um so as mentioned i did write a prior paper kind of mapping out the terrain for privacy law and privacy issues within the pandemic and i'm now writing a new paper um that will be forthcoming um in the au law review which actually is going to talk about solutions which i know it's a little it seems a little early to talk about we're still in the middle of a pandemic and one thing i always joke about is you know since the beginning it seems like we've always said things will be okay in a few months you know in three to six months it'll all be okay right we said that in march of 2020 um and we're saying this now so who knows how long this will take um but regardless um i think it's important to think about these issues for the reasons that everyone has been saying today right um that these issues about privacy and surveillance are not limited just to the pandemic right they're involved with all of our society um and there's a lot to talk about there that i think we can get into in this panel and we could talk at length everyone on this panel um has so many opinions on privacy i would love to just chat with you all forever but in the limited time we have i will talk about this symposium piece which is specifically about post-pandemic privacy law so the idea is uh that right now we are facing a lot of privacy risks involved with the pandemic and we've seen this um alan spoke just now about a lot of the issues you saw with education um with healthcare you know zoom is extremely creepy for many reasons but a lot of the tech that you all are seeing whether you're students or lawyers or you know people who are outside of the legal realm you've seen a lot of these effects in your life i'm sure we have privacy issues that have come up across different sectors and they've come up in public health responses the the pandemic as well as just the social aspect right the technologies like zoom that we're using that we used before but not nearly to this level um so in this article i built upon my past article looking at this kind of mapping of the train and i also look at the work of many other scholars who talked about privacy about public health and there's even a sort of growing body of literature on uh privacy empademic which this issue will certainly help support a lot of this and i look at this from kind of a holistic angle right thinking about the issues not just in terms of law but also in terms of society so what are we seeing as social effects what are we seeing as social needs i think that's really important because sometimes especially in technology law we kind of forget that we're talking about doesn't exist in its own little bubble right everything has impact outside of technology and outside of law so i first look at the different shifts and social norms that we're seeing in terms of privacy that have come about due to the new uses of technology or the new uses of public health responses throughout the pandemic and i look at a few of the strategies that we've tried in order to respond to things that are happening now but the bulk of my paper looks at my i propose a framework or a paradigm for how to think about creating new legislative or regulatory fixes for privacy in terms of pandemic response but also keep you in mind that you know the pandemic may end in three to six months um you know or three to six years who knows but the effects will be long lasting so talk a little bit about that later about specifically what i uh propose in terms of this paradigm but first let's talk a bit about you know the background of what we're seeing so obviously kova 19 has been a terrible crisis for the entire world it's been a public health crisis it's also been an economic crisis and for our purposes it's been a data crisis an endemic has led to a vast increase in data collection data use all sorts of things also different harms and risks that have been raised throughout all all facets of society and we've seen that these data dimensions can sometimes related not only to the use of data but to the lack of data so for example the lack of transparency about testing data has had hugely harmful effects for the united states or the lack of interoperability between digital contact tracing apps this is also an issue that has potentially slowed the ability for these apps to be helpful in contact tracing so all of these data dimensions of the crisis are important to think about as well and i mentioned this because sometimes we think about privacy uh we limit our thinking to you know a sort of old notion of privacy as just the right to be let alone the right to keep things secret to own your own information and so on but there's a larger data ecosystem out there there's a larger world in which data is used in ways that you may never actually know um your data is resold repackaged shared and so on uh data is used to train machine learning algorithms for ai systems like there are many ways in which data is involved in the rest of the world so i think that's really important to remember in terms of public health responses we've seen you know as alan mentioned um in his uh segment just now we've seen a lot of different shifts right we've seen a lot of public health responses like chronic virus testing contact tracing manual digital we've seen we're seeing now vaccine verification systems which i think is going to be something interesting in the next few months to a few years we've seen a boom in telemedicine telehealth teletherapy we've seen a lot of different types of health responses and including uses of new technologies so medical ai for example using a machine learning algorithm to determine uh different medical triage of limited supplies in hospitals and we've also even seen healthcare robots for example we've seen some use of robots in order to for example deliver medication or food into different rooms which then helps save the time of nurses or other hospital professionals who would have had to you know don ppe and go in and go out and so on so we've seen a lot of these new types of public health responses and i'm really glad that alan pointed out this really unique facet of the public health response which is that these aren't all traditional healthcare actors we've seen public actors uh private actors we've seen traditional health institutions and other institutions and that's really important because a lot of our current privacy laws and our current health privacy laws are really dependent on the specific types of entities being regulated so as alan mentioned we don't have a federal privacy law and america has a sectoral privacy approach that regulates specific industries and specific types of actors with different laws so here we see a lot of gaps in privacy law already but there's more than that obviously we've seen a lot of different types of privacy issues pop up in the education sector both on campus and online we've seen a normalization of surveillance um you know now you have to i'm not sure what au does but i know a lot of schools have this app that you have to put in your symptoms every day um or a website you have to attest that said you did your chronovirus test recently that kind of thing um we've seen this normalized camera usage as well right i think normally i would not see any of your living rooms um your professor would never see your living room right that would never happen you would never see your professors you know pets or children pop up right um or rarely but now that's normal that's what we see in education and in the workplace too so we've kind of lost a bit of privacy there um technical privacy in terms of just the data loss but also social dimensions of privacy are changing too and of course in just in our social space in our own interpersonal relationships i mean you know throughout the past year we've i'm sure we've all experienced this you know personal events that have taken place online um a lot of funeral homes now are using zoom to live stream funerals we have people who have weddings that are completely in an online space our major life events are now semi-online or at least in the hybrid form so all of this means a lot of changing a lot of changing of perceptions and norms for privacy and i think that's really important and i think it's also important to think about the context politically that we're facing right now and we have economic problems we have a lot of problems related to racism and race relations in the u.s we have a very fraught political situation i mean we just had a potential armed insurrection at the u.s capitol a few weeks ago which i still find it strange that we're all kind of just moving on from that but that was just a few weeks ago so there is a lot happening right now and there's a lot that needs to be done so what can we do about this so i think we have to address this these changing norms and the changing situation um of keeping three things in mind so first there are three different norms i think are really important to highlight uh first is this blurring or an erosion of the line between cyber and physical space as we all use more and more online technologies and as a lot of public health responses use more data and more digital means as well i think second we have to think about the importance of privacy even with the necessity of using data for some public health purposes and finally it's really important that we don't forget that there is still a digital divide and there's still digital inequities at play here we have many different groups who have been suffering worse harms throughout the pandemic and whether that includes marginalized populations who may be more concerned about government surveillance or that includes disabled populations who may be less able to use some of the technologies that are being deployed for public health so based on those three sort of norm shifts and things to think about my the paradigm i offer also has three points so first i think we have to remember that data does not exist in a vacuum so whatever laws and legal norms we try to create uh need to reflect that any type of data used for pandemic purposes will have long ranging effects throughout the data ecosystem this means that we need to have laws that regulate against downstream harms of data sharing and data re-access later we also have to think about potential you know data broker regulation um and we should also consider the algorithmic harms of data being used as part of algorithmic systems and second i think it's really important that any legal changes we propose um do recognize that the laws or that the pandemic does not affect all of us equally so laws have to address the disparate harms and needs of different populations including women people of color the lgbtq population the disabled population older people senior citizens the poor and so on and so forth there's so many dimensions of this crisis that are affecting all of us differently and our legal solutions have to look at that in order to make a more equitable post-pandemic privacy world and finally any solutions we create have to be sustainable because the pandemic is not going away in three months and it's not going away in six months unfortunately if we look at past epidemics we've seen that generally reaching herd immunity for a large population like an entire nation or entire world is likely going to take a few years and even after this whatever privacy changes we make now are going to be long lasting you can't just roll the clock back so whatever we do has to be sustainable so i'm going to end now so i don't take up this entire time slot but that's essentially what i'm arguing here for a new paradigm for thinking about the legal changes to solve some of these privacy harms for post-pandemic privacy law thank you very much we are uh obviously quite lucky to have you publishing that work i look forward uh to seeing it when it comes out as part of this uh series on the panama i love the phrase and it's a great title the pandemic as a data crisis i think that's a different way of really thinking about it i think it's so true in its way so i want to turn over to professor waldman who again i want to pitch his book uh privacy is trust if you're interested in this space you gotta read it he also has somewhere like 30 larvae articles you could also read also worth reading uh but the book is also there as well um and we're honored to have him here to talk about some of his work uh and get some of his insights about this critically uh important and interesting topic uh thanks andrew and thanks for having me here thanks to the law review and my co-panelists i'll also add that i'm on the advisory board of epic so it's really nice to see allen here as well and uh can't say enough about his his work uh i don't want to take up too much time because i'd rather encourage conversation but i think one area to talk about to hop off what both alan and tiffany were saying is talk about more systemic questions about solutions whether our privacy laws are actually up to up to the job of regulating or protecting us from the harms associated with the data extractive capacities of the covid crisis and uh the answer to that is uh uh no um pretty much 100 percent know and i'll go even a little bit further and maybe be a little bit provocative and say almost all of the suggestions that tiffany made are good i mean we do need regulation on downstream harms we should have regulation on data brokers we should have regulation on um on the use of any kind of data for algorithmic purposes and certainly the law law absolutely should um take account of asymmetrical effects uh but our laws don't do that uh our laws uh pretend to do that and the rhetoric around privacy talks about regulation in an ongoing basis so if you if you look at if you look at the recent spate of new privacy laws being proposed in the united states alone over the last two and a half years there have been 44 proposals in 28 different states this is in addition to nine proposals that have been introduced in the u.s congress all of these laws basically look the same they combine uh a series of individual rights to your data like rights of rights to delete and right to access with a private public-private partnership of regulation in which regulated entities themselves right so not just in the sectors like tiffany was talking about but regulated entities themselves would have to engage in compliance right they'd have to fill out privacy impact assessments they'd have to fill out forms and hire a cpo and they call these um they call these ongoing compliance responsibilities that follow data use from beginning to end and they incorporated in those would be even in the laws as the proponents envisioned them incorporating in those would be compliance responsibilities for companies about what happens to their data downstream uh or what happens they would even apply to data brokers but even applying these to data brokers and to downstream uses these uh these laws are as as julie cohen says in a new piece for the knight foundation exactly not how you should write a privacy law because what they do is they let companies be there essentially let companies be their own regulator and then thrust the responsibilities of accessing our data or having our data deleted to us which we are fundamentally incapable of doing so so um and so this is this is what i'm working on now it's a part of my part of the conclusion of my next book and an article that's out for going out for publication now um but i think we absolutely need to go further than what my co-panelists have suggested we need to do we need fundamentally different types of privacy laws and we need to actually throw out pretty much everything that we have done right now none of these laws represent except for one ish represent a represent progress in how we're going to regulate privacy because they just boil down to much more of the same um and the short of you know burning it all down and rebuilding it which you know i have a lot of sympathy for um i recognize that that's certainly uh certainly not easy um there are a couple of things that i think we need to do that are independent of of unique crises like covid which is essentially kind of the thesis of this short talk is that i don't think anything we do about privacy should be unique to a covid crisis it should allow for protections associated with any type of data extraction there are reasons sometimes things would go up and down given what's going on but we don't need protections for covet related data we need basic protections for all of our data um and that requires lots of things like it requires us not listening to what companies want right now they have the regulated entities are the only ones with seats at the table giving the ftc and ags and and regu and policy and law writers input the ftc engages in settlements with these companies they have the primary seat at the table and why i mean there is absolutely no reason why we need to have companies get buy-in or agree to the regulations that um that are imposed upon them it's just neoliberal managerialism that we've been using for the last 30 50 years that has essentially made it impossible for us to regulate our privacy um so taking tiffany's suggestion you know how do we account for asymmetries and effects well the people who should be represented at these at these tables are marginalized populations who have the ace who are bearing the asymmetrical effects of uh data extraction what else do we need um we need radical changes in public institutions right so the way privacy regulation works now is we rely on companies themselves to do the uh audits to do the compliance to do the systems that engage in ongoing monitoring none of that we need actual public institutions to be fully funded fully ramped up fully staffed to be able to do that on their own because how much of an audit is a company who hires the auditor and then answers the questions that an auditor that they've hired asked them purely based on their executive attestation and trust me i've read these uh i've read these audits as part of my research where they'll say are you in compliance with section 3.2 of the ftc consent decree and then the uh evidence of compliance is um the executive has attested to compliance with sdc consent decree section 3.2 here's a letter in exhibit i or whatever right so that is the extent of our audit powers right so those kind of things absolutely have to be have to be changed but that's but the thing is and there are many other things we can do the thing is none of our privacy laws are doing that so uh although that sounds really terrible and really cynical that you know we are at a loss for privacy protections that's where we are now which is one of the reasons why we need so many new privacy lawyers and privacy advocates leave law school and then tell people that this is exactly the wrong way of doing well thank you um i hope there are some privacy law students who are going to leave law school and join uh the battle to change uh privacy so i want to open it up with a just a conversation among us so you know in some ways the way i had initially viewed the you know symposium was like this age of emergency as if it was a defined age i think what we're talking about now is in some ways this is merely an accelerant to something that's already happening we've talked everyone has talked and equated for privacy and data as the future and thinking about ways to do it and we sort of put out different avenues you have you know uh alan and epic have been litigating this and and proposing litigation different ways tiffany's proposed it uh uh ari's solution's office is a little bit more radical but also uh important because i think you know in my world in the surveillance space for policing again you can't check the police because there's no entity to check them you can't audit it because no entity to audit you don't have uh that power so if we are in a world where the problems of privacy have been accelerated because of the emergency um where do how do we pitch the new administration at least that's where some of this could come in or even maybe your kind of local governments in terms of thinking about it from the states uh or may even more local how do we shift the the battle to do any of those possible solutions to this problem be it uh you know practical big holistic or or anything and so so what's that what's the first step in you know february 4th or fifth we'll give you until tomorrow to start do you want us to just jump in or do you want us to raise your hand or whoever i mean if you wanna you could i'm happy to jump in first with her i actually think that the the first steps uh in this are happening already and um the battle is is upon us you know i mean the the sort of rallying cry that that ari is making i think is absolutely right i think we need a really fundamental uh fundamentally different approach to how we regulate privacy in the united states but what's happening now today immediately for example is over in virginia where they have a very short legislative session they've just fast-tracked uh a piece of legislation that was up in washington uh before there's kind of back and forth with amendments so this one is industry supported but then there's another bill coming up in florida we've just seen uh the the new ballot initiative passed in california that's on its way to going into effect and will actually be creating a state privacy entity with audit enforcement authority there so everything is happening everywhere all at once and what that's likely going to do is it's going to put increasing pressure on congress and industry is going to put increasing pressure on congress to pass a federal law and and that's i think that's increasingly likely to happen now uh in this congress probably in the next year or two uh for there to be there's already been substantial proposals as you can see in epics grading on a curve report in the last congress that have been batted around and that's that process is going to continue and accelerate and and the fight on that front is going to be at congress between the specific you know members and committees working on the bills and and so far what we know about it is that the the key kind of points of contention between the different groups and especially between the privacy groups kind of versus where industry is are over whether the federal law is going to preempt existing or future state privacy laws and what even that means and then also whether or not there's going to be a private route of action which goes to ari's point about and they both go both of them go to ari's points one you know federal law preempts everything else and it and it sets kind of just a baseline does not do a whole lot to fix the problem standard then we're worse off and if there's no private right of action then we're reliant on these existing enforcement and there's no data protection agency created in the us then we're relying on existing enforcement mechanisms that have failed us already yeah so i mean as i i i support epic i mean i'm on their advisory board but i i am super skeptical of private rights of action as like an on off switch like i think al i agree with allen that that could be part of the process but imagine if we like turned on private rights of action right now that would be those private rights of action would be in a federal bench where the winners of cases over the last 30 years the most frequent winners of cases are big business right there's like so you go you you turn on the private right of action faucet in an environment where judges hate collective action and hate claims against big businesses so i mean that's not to criticize right but it's just to say that that's not the be-all and end-all solution i think when we want to think about where we go from here i'll also you know do a classic law professor thing and resist the premise of your question andrew in that biotin is not the only place we need to go i mean we need to go there but that's not the only place we need to go like we also need to broaden what we think is a is a pro-privacy law right so mass unionization of technology workers is going to help privacy right because if any if the firing of ai researchers by google particularly minority researchers by google shows us anything is that a they have all the money where we do tech research but they also control the people who do it if those people are protected from summary firing just because they do research that that undermines the company's bottom line then we're going to have better research out there we're going to have better tools out there so no one thinks that mass unionization of tech workers is a privacy law but it actually is a privacy law so if we think about so that means we need to go to the nrb we need to ramp up how these how um how we encourage workers to unionize and you know one of the things that just happened you know biden recently fired all uh forced to resign or fired all of trump's appointees to an important labor board that when that goes in when federal employees have can't um can't come to an agreement with employers so here's a good example um also the kind of thing that we did i had the opportunity to work on policy for the biden campaign and um one of the things that we one of the things that i did i felt i was like constantly pushing back against old obama-era neo-liberal approaches to uh to data but what turned and i was super skeptical about what would come out but by the time the administration came into office all these new proposals thinking about pushing up labor making it more difficult for tech companies to erode environmental protection in order to lay the wires that they need under the oceans in order to transfer data between continents no one is thinking about that but biden's campaign team produced policy statements based on the recommendations that we made that recognize that in limiting what companies can do under the oceans is actually going to affect privacy because it limits what it may limit what comes what companies can transfer from continent to continent right so when we think about privacy law we have to think more broadly than data protection we have to think about unions we have to we so we have something about labor we have to think about environmental law we have to think about marginalized populations right so i'll add in just a bit as we're running close on time i think uh that's really interesting i i love this question and i love the provocations from both alan and ari here i also really need to read whatever policy recommendations that were on the undersea cables because that's fascinating i'm not sure if anybody here in the audience knows but the internet is a series of tubes and many of these tubes run under the ocean um and they collect like this is really pretty much what happens um this is how data is transmitted um and that's really important because our internet networking is key to thinking about the internet as not just a national but global system right and who can control the internet a lot of it does matter uh you know who actually owns these cables and who is able to police the waters above them so that's an entirely different question but that gets something that i'm really interested in too when i think about privacy as a systemic issue um i also love i think ari's dog in the background right now um this is the best and in any zoom conference or call when there's a dog or a cat in the background it's like automatically it's a much better conference so this is the peabody this is peabody sorry interrupt tiffany this is peabody she's nine months old and she's having her dinner in in a bone like it's this game that she has to play to find her dinner that's very cute um i'm pretty sure i follow her on instagram oh good yeah everyone should follow her on instagram it's peabody the dog very important peabody the dumb you know maybe violating her privacy rights now i'm not sure she consented to be on camera um but yes so undersea cables dogs um i think it's really important to think about the international dimensions of all this too so just as we can't fix the pandemic unless we also vaccinate the global south we have to think about the privacy aspects of this on a global level too so i also support a federal privacy law i also support greater protections like we all mentioned a lot of the things we talked about today but i think it's important to consider the international aspects of this because the way that we regulate privacy is going to send a signal internationally too and there are a few things i think there are two things i think are important the first is we are behind the eu and some of our partners and allies in thinking about privacy and the longer we take to you know get to that level or to at least signal something um the longer it will take for the world to change the privacy norms on a global level so i think it's important to have a signaling mechanism that a federal privacy law could provide especially one that includes mention of say you know inequities and disparities right but second i think it's important to think about our privacy laws as supporting privacy protecting rights but also not overly limiting the potential of u.s and international tech companies
to sort of continue to innovate in this sector but i thought about that when you mention the undersea cables because one of the issues we have thinking about internet as a global um you know global space right now is that it can be cut off right we've seen countries like you know china and russia for example um have had their own base essentially their own internet right and this lack of access this lack of interoperability is frightening for thinking about speech and democracy so when i think about regulating privacy in a post-pandemic world i'm also really cognizant of those dimensions as well i think we should not forget the international aspects too this is great um i think there might be some questions for the audience but before we get to that i want to just pick up on something that has been uh mentioned again and again because it should be which is the inequities in data both in terms of the digital divide but also how data will be and is extracted from people without a lot of power and underlying some of the problems with thinking about the next new privacy you know law and or theory and or way of thinking about it is how would you how do you get those voices to the table and how do you protect their uh privacy from the growing surveillance that will will happen we've seen throughout history that the people with the least amount of power um will be the ones extracted from the data will be extracted from them we see it with surveillance police surveillance and everything else and it happens in consumer surveillance so how do we you know if we have our our doubts that the democratic system is going to represent the voiceless um how does we get the voiceless into the conversations about privacy and surveillance in this way i'll jump in very quickly um so uh we have a model for this uh senator sherrod brown uh who proposed his own privacy law recently uh called data um you know one of these hokey of course you know jokey uh acronyms for them i forgot what it's actually stands for i'm sure alan knows um alan and tiffany know but uh sherrod brown explicitly said um explicitly said to non-profit advocacy organizations in ohio and in d.c because he's a senator from ohio and he said he sent out a press release and said we are seeking um input from uh non-profit organizations that represent consumer groups and uh he turned away business groups to turned away a calls for meeting from business groups not because he doesn't ever meet with business groups uh he's a progressive but it's not that he doesn't meet with them it says he said on this law we're listening to non-profit organizations um and that was it was kind of remarkable in that no one ever does that and the only thing you need to do is you need to just add we're interested in nonprofit organizations like epic or like cdt the center for democracy and technology but we're also interested in civil rights online civil rights organizations like the cyber civil rights initiative which i'm also on the board of which represents the interests of people who have been um victim survivors of online sexual assault you also need input from organizations like data for black lives uh or um the detroit data initiative uh which org which um advocates for um which advocates for the uh for the interests of black americans and by poc americans with respect to data extraction so we have a model for this it's just not done because of you know how we how politicians get money from big business all you need is someone like sharon brown who says you know i'm just not going to listen to you for now so we have a model we just need some political will there's a question that was raised a panel that also rephrases in looking at sort of the the benefits if if any of this new world um you know what we've seen is a disruption of our normal life right we've had a disruption of different power uh things some people have been in some companies and entities have been more empowered and some people have been disempowered are there uh positives that might result from that disruption in the sense of uh ways of when the norm the way we've been living our lives uh have changed that other groups could gain power where otherwise they would have not have had power do you see any uh positives so i've seen a few positive things i mean overall i would say that we haven't seen a a good change a good shift in surveillance for privacy norms um i think what we've seen are more privacy violations and a normalization of those but there are a few things that have been good for example the digital contact racing app debate when that first when that idea first circulated people were very concerned that this would lead to mass data collection that would be very privacy violating but we what we ended up with um was i think probably the most privacy preserving method of doing contact tracing that we could we end up with most people using an apple google api for exposure notification that relied on encrypted bluetooth keys um so instead of collecting location tagged individual phones um or instead of collecting data even in one central server we had a more decentralized anonymous system and i think that was a big positive that was a win for privacy um but i'm also going to mention because otherwise ari might that one of the potential negatives of that system was that it was an apple google system right that was um that only really succeeded because it was hosted by a very large company um it was not a system that say was you know completely open to other entities there was really no competition you've got the exposure notification tool immediately set on your phone without any consumer choice really you can opt in or opt out but it's on your phone um so you know there did those dimensions as well but at least we were doing this in a privacy preserving way and i think that was a benefit i also think that we've seen that technology can be used for a lot of great benefits right zoom despite how much we all hate it by now um i don't think we could do school without it imagine law school right now without zoom we'd be sending you packets of homework and reading every week and maybe you'd send us essays in return or something right i think the technology has been helpful the technology for public health and for society has been helpful and in some cases we've seen pushback right we've seen some privacy pushback zoom has had various privacy allegations against it um i think the new york ag started an investigation very early on regarding zoom bombing so we've seen a bit of pushback it hasn't been completely negative pro privacy violation um social norm shifting but i would say on the whole um it's been difficult and i wish you know we could think more about how to get these good things that rely on our data and our tech while still protecting privacy in the way that say a privacy preserving contact tracing app might do and one other thing i would just add to that and to tie it back into what aria was talking about i think one effect of like secondary effect similar to what tiffany was talking about with zoom of uh the pandemic has been a forcing of government institutions uh to change their methods and to open things up in a way that you know frankly it's a lot easier for someone to testify in congress via zoom than it would have been to testify in congress in person right you don't have to physically be in dc you don't have to spend all the money to get prepared in that way and that plays into the issue that you mentioned brought up before which is how do we hear from these at-risk communities and these marginalized communities we have to actually hear from them we have to someone has to tell their story they have to have people that are able to tell their story to the people that matter to senator brown to others who are making policy and so you know hopefully by shaking loose some of those methods and procedures we may open that process up a bit so that there are more opportunities for that to actually happen that's a great point in terms of you know if we focus some attention and energy on uh using the technologies of zoom and these means we could capture more voices than would otherwise ever be able to uh reach the people making these decisions one of the questions from the audience was uh what role will surviv will surveillance technologies play in preventing future pandemics and public health emergencies right so what will we see these new surveillance scenarios that are already in place continue because we are always going to be looking for the next pandemic and we might be sort of creating you know new methods of surveillance for that that that health reason and i think that that one interesting thing that came out of the early stage of the pandemic was that many folks you know some in the privacy community and certainly in the broader policy community around tech issues uh had to learn that the
2021-02-16 08:06
