PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

Originally posted on Substack

I’ve curated a list of recent works on privacy, AI, and tech that will be worth your time checking out. Authors included:

  • Graham Greenleaf
  • Ella Corren
  • Cindy Cohn
  • Andrew Guthrie Ferguson
  • Alicia Solow-Niederman
  • Laura Moy
  • Mark P. McKenna
  • Woodrow Hartzog
  • Maria P. Angel
  • Christina Lee
  • Zina Makar
  • Elettra Bietti
  • Peter Ormerod

Graham Greenleaf, The Global Trajectory Of 50 Years of Data Privacy Laws: Will It Continue?, 199 Privacy L. & Bus. Int’l Report 14 (2026)

Greenleaf provides a concise overview and history of the last 50 years of privacy law development.

Ella Corren, Privacy Law’s Reality Check, 31 Colum. J. European L. 118 (forthcoming 2026)

Ella Corren argues that current privacy laws are “misaligned with the structural realities of the data-driven economy.” She contends that there is too great a focus on “procedural compliance and observable behaviors, neglecting firms’ opaque data practices and the broader systemic effects of surveillance capitalism.”

CINDY COHN, PRIVACY’S DEFENDER: MY THIRTY-YEAR FIGHT AGAINST DIGITAL SURVEILLANCE (2026)

Cindy Cohn, the former Executive Director of the Electronic Frontier Foundation (EFF) has written an engaging and insightful memoir of her life and professional career in the trenches fighting for privacy. She discusses the fight to free encryption from government backdoors and restrictions, litigation in response to NSA spying on people after the 9/11 attacks, and attempts to curtail National Security Letters (NSLs).

She writes: “In my thirty years of these fights, the government consistently exaggerates the risks—calling the use of encryption ‘going dark’ and making apocalyptic predictions that never seem to come true. We regularly find out that claims of mass surveillance actually playing a key role in solving terrorist attacks or serious crimes are overblown, if not flat-out lies.”

Cindy Cohn will be a keynote speaker at my upcoming event, Privacy+Security Forum (Nov 4-6 in Washington, DC).

ANDREW GUTHRIE FERGUSON, YOUR DATA WILL BE USED AGAINST YOU: POLICING IN THE AGE OF SELF-SURVEILLANCE (2026)

Filled with real cases and great examples, Ferguson’s book illuminates how a vast amount of our personal data is being gathered by devices and technologies we willingly embrace. We’re in the Panopticon and we’re building it ourselves. He writes:

[Y]ou are—at best—a warrant away from having your most intimate personal details revealed to a government agent looking to incarcerate, embarrass, or intimidate you.” He discusses a case where data from a person’s pacemaker was used to prosecute him. He writes that “the safeguards built into our legal system—search warrants, judicial oversight, concepts like probable cause—are too weak to protect us from the self-surveillance system we are building.

Ferguson points out how existing Fourth Amendment doctrine is inadequate to meet the moment. To determine the right types of protections needed, he suggests we apply what he calls “the tyrant test.” He argues: “The tyrant test begins by assuming that your personal data will be misused by a metaphorical (or actual) tyrant and asks what structures you would put in place to protect against that misuse before the tyrant gets the upper hand.”

You can watch my interview with Andrew on YouTube here. This video really resonated, as it has been viewed more than 25K times.

Alicia Solow-Niederman, AI and Doctrinal Collapse, 78 Stan. L. Rev. 955 (2026)

Solow-Niederman identifies a form of legal strain caused by AI which she terms “doctrinal collapse.” She observes:

Because AI models rely on data and because data is governed by two legal domains—information privacy law and intellectual property (IP) law (primarily copyright law)—there is overlapping coverage of the same regulatory object. If the privacy-copyright boundary does not remain sufficiently distinct, and the discrete rules and logics of each domain are not legible, then the two regimes lose their independent structural integrity and collapse into one another.

She elaborates:

I contend that collapse becomes problematic when it disproportionately facilitates exploitation by already-established corporate players and impedes law’s ability to constrain the arbitrary exercise of private power. That’s precisely what is happening in AI. For example, the leading generative AI company OpenAI has argued that the data it used to train its models are “public” and thus not subject to either copyright or privacy restrictions, yet the company also refuses to disclose the same material on the grounds that the data are proprietary and confidential. This sort of doctrinal switching—between copyright and information privacy logics—can be understood as a form of corporate opportunism. And it is. But that is not all that it is. Analyzing only the result (opportunistic behavior) overlooks the relationship between legal regimes (the inter-regime doctrinal collapse) that enables that result. Doctrinal collapse is a structural condition that warrants distinct recognition.

Laura Moy, Disaggregating Digital Rights: The Civil Rights-Civil Liberties Disconnect, 28 N.Y.U. J. Legis. & Pub. Pol’y 537 (2026)

Moy discusses what she terms the “civil rights-civil liberties disconnect.” She argues that initially, civil rights advocates pushed for information policy “to advance a fairer and more equitable information environment.” Then in the 1990s, with the rise of the internet, “public interest information advocacy shifted its focus toward civil liberties”—a vision that focused on “individual freedom,” resulting advocates to “concentrate more on individual rights and less on equality.”

Moy contends that “Public interest organizations working on information policy have been struggling to swing back in the direction of civil rights since 2013. In the 2010s, recognition grew among academics, advocates, and policymakers that the internet could replicate and exacerbate inequities across society.”

As she further argues:

The shifting of focus back and forth between civil rights and civil liberties matters because these two different foci translate to different types of policies. When public interest advocacy organizations focus on civil rights, they advocate for policies that promote fairness and equality, including, at times, by expanding government power to achieve that purpose. In contrast, when organizations focus on civil liberties, they typically advocate for policies that constrain government power and maximize individual freedom.

This ongoing, unresolved civil rights-civil liberties disconnect in the field means that the field’s priorities are split between different types of policies and that public interest organizations in the field are plagued by a fair amount of infighting. This disconnect impedes the field’s ability to unite its work around a shared set of priorities, thus diminishing advocates’ power and hindering the field’s ability to achieve meaningful policy change.

Mark P. McKenna & Woodrow Hartzog, Taking Scale Seriously In Technology Law, 61 Wake Forest L. Rev. 393 (2026)

McKenna and Hartzog have written a thoughtful article about scale, which is a central issue in the modern world of digital technologies. Their ability to scale presents some of the most profound challenges we face. They argue that scale can affect more than the number of people whose data is used (AI is an example, where models affect people beyond those whose data was collected to train the model); can create new problems (often due to automation); can “challenge original assumptions about the costs and benefits of an activity”; and “can affect the efficacy of solutions, making certain institutional designs more effective and taking some legal, social, design, and market-based remedies and strategies entirely off the table.”

Maria P. Angel, From Privacy to the Data Economy: The FTC‘s Reframing of Its Regulatory Priorities, 58 Ariz. St. L.J. 1 (2026)

Angel traces the evolution of the FTC’s privacy jurisprudence, culminating in its proposed rule on Commercial Surveillance and Data Security prior to the FTC’s decimation by the Trump Administration and the killing of the rule.

She argues that the FTC was heading “beyond traditional data privacy frameworks—based on customary privacy harms and notice-and-consent—and toward a broader approach focused on the structural power dynamics of the data economy.”

Angel observes that the FTC’s “transformation is grounded in three newly articulated normative commitments: (1) a clear shift towards addressing broadly conceived data-driven harms, (2) a pivot toward examining the data economy through a political economy lens, and (3) a pledge to meaningfully constrain corporate power.”

This article provides an insightful intellectual history of the FTC’s approach to privacy. Her article also discusses the Trump Administration’s impact on the agency and provides a normative account on what the FTC ought to do in the future.

Christina Lee, Beyond Algorithmic Disgorgement: Remedying Algorithmic Harms, 16 U.C. Irvine L. Rev. ___ (forthcoming 2026)

Lee argues that a popular remedy for AI harms (used a several times by the FTC) known as “algorithmic disgorgement” must be rethought, as the remedy rests on an inaccurate and too simplistic picture of the AI ecosystem in which these algorithms are developed and used.

She contends:

AI systems exist in the context of the algorithmic supply chain; they are controlled by many hands, and seemingly unrelated entities are connected to each other in complicated ways through complex data flows. The realities of algorithmic supply chain means that algorithmic disgorgement is often a bad fit for the harm at issue and causes undesirable effects throughout the algorithmic supply chain, imposing burden on innocent parties while not imposing cost on the blameworthy; ultimately, algorithmic disgorgement undermines the principles it seeks to promote.

Zina Makar, The Datafication of Incarceration, 135 Yale L.J. 2451 (2026)

Makar discusses how digital technologies are affecting prisoners. She observes that courts are split in how to approach these issues:

Some continue to apply traditional deference frameworks, relying on Turner v. Safley or Hudson v. Palmer to uphold sweeping powers allowing prisons to extract data and surveil communication under vague security rationales. Others—in growing numbers—express unease and hesitation in applying old frameworks, noting that digital surveillance is different in scale and kind.

She argues that “the collection and surveillance of information data to compelled speech, or ‘compelled data.’” Courts often “mask data-compulsion concerns by minimizing the nature of privacy harms claimed by incarcerated and nonincarcerated individuals.” Additionally, she contends that “carceral technology has antidemocratic, subordinating effects at the population level and raises questions about our commitment to data privacy for all members of our society.”

Elettra Bietti, The Data-Attention Imperative, 78 Florida L. Rev. (2026)

Bietti argues that the “ability to direct and receive attention is constitutive of human life.” But in our times, “people’s attention is increasingly extracted and colonized through technology. Attention platforms and AI technologies are transforming the shape, objects, metrics and value of human time and attention.” The business models of many platforms are “organized around the data-attention imperative, the drive to continuously capture troves of data and attention to generate value.” The problem with this model is that it leads to a “data-attention spiral” as the platforms aggressively try to maximize attention and extract, which “produces a harmful commodification and erosion of time and attention which shrinks the human experience and undermines collective life.”

Bietti contends that “data-attention disorders” should not be viewed as due to individual choices and can’t be solved by “delegating solutions to market-based tools, more competition or the exercise of individual data protection rights and parental controls.”

She argues that the “answer requires moving past individual preferences and embracing an infrastructural approach focused on changing platform incentives and technological affordances and on safeguarding space for offline time.”

Peter Ormerod, Regulating Data Monetization, 13 Tex. A&M L. Rev. 1003 (2026)

Ormerod argues: “Rather than rely on individual decision-making to govern scalar processes and collective effects, those interested in holding the information age’s real power and profit to account must go to the source, regulating how companies transform data into money.” To do this, he argues that the law should focus on the “dominant form of firms’ data-monetization strategies,” which is “individualized differentiation—the process of offering customized, personalized, or otherwise distinct products, services, experiences, and prices to customers, users, employees, and other counterparties.”

Ormerod notes that there is existing regulation in other areas where companies conduct “differentiation activities, such as the regulation of credit reporting, bans on discrimination based on preexisting health conditions, and restrictions on targeted marketing. He proposes ways the law can more broadly, powerfully, and consistently regulate data-driven commercial differentiation.

The Audacity (TV Series, HBO, Season 1) (2026)

For a great dark satire about privacy and the tech industry, The Audacity is well worth watching. If you enjoyed Succession and Silicon Valley, The Audacity is like a fusion of these shows. Here’s my post about the show: The Audacity: Big Tech and the Battle for Privacy

The show has terrific satirical dialogues and monologues about privacy and the tech industry—tremendous grist for many a future law review article!

Previous Issues

The inaugural issue was:

Privacy, AI, and Tech Works Worth Your Attention (June 2026 Edition)

I’m archiving previous issues of this Works Worth Your Attention series here.

* * * *

Daniel J. Solove is the Bernard Professor of Intellectual Property and Technology Law at the George Washington University Law School. He is the founder of TeachPrivacy, a company that provides workforce privacy, cybersecurity security, and AI training to companies and organizations around the world. He is the author of 10+ books and 100+ articles.

You can follow his events, writings, training, cartoons, and resources by subscribing to his free weekly newsletter.

Divider 01

Subscribe to Solove’s Free Substack

A supplement to Solove’s regular newsletter with more in-depth discussions

Subscribe to Daniel Solove's Substack

Button - Subscribe