Here are some great cybersecurity and privacy resources.
Notable Privacy and Security Books 2024
Here are some notable books on privacy and security from 2024. To see a more comprehensive list of nonfiction works about privacy and security for all years, Professor Paul Schwartz and I maintain a resource page on Nonfiction Privacy + Security Books.
Information Fiduciaries and Privacy
Information fiduciaries have emerged as a major part of the discussion of privacy regulation. In a nutshell, the information fiduciaries approach aims to apply aspects of fiduciary law to the companies that collect and use our personal data. As one court explained the fiduciary relationship: “A fiduciary relationship is one founded on trust or confidence reposed by one person in the integrity and fidelity of another. Out of such a relation, the laws raise the rule that neither party may exert influence or pressure upon the other, take selfish advantage of his trust, or deal with the subject matter of the trust in such a way as to benefit himself or prejudice the other except in the exercise of utmost good faith.” Mobil Oil Corp. v. Rubenfeld, 339 N.Y.S.2d 623, 632 (1972).
The earliest proponent of the idea of viewing companies as information fiduciaries was the late Ian Kerr in 2001, who noted that “some service provider-user relationships display all of the constituent elements of a fiduciary relationship.” See Ian Kerr, The Legal Relationship Between Online Service Providers and Users, 35 Can. Bus. L.J. 419 (2001).
In 2004, in my book, The Digital Person: Technology and Privacy In the Information Age (NYU Press 2004) (Amazon) (free digital copy on SSRN), I argued that concepts from the law of fiduciary relationships should be applied to situations involving data privacy. (pp. 101-104). I contended that “the law should hold that companies collecting and using our personal information stand in a fiduciary relationship with us.” I contended that “If our relationships with the collectors and users of our personal data are redefined as fiduciary ones, then this would be the start of a significant shift in the way the law understands their obligations to us. The law would require them to treat us in a different way—at a minimum, with more care and respect. By redefining relationships, the law would make a significant change to the architecture of the information economy.” (p. 104).
Digital Dossiers and the Aggregation Effect
This year is the 20th anniversary of my first book, The Digital Person: Technology and Privacy In the Information Age (NYU Press 2004) (Amazon) (free digital copy on SSRN). I thought that it would be a great opportunity to engage in a reflection on some of the points I discussed in the book. Apologies for the self-indulgence.
The key theme in The Digital Person is about the rise of what I call “digital dossiers” – the extensive repositories of personal data about us that are collected and used by large organizations. The government and private industry propelled each other into the digital age and beyond through the collection and use of personal data. At the time I wrote, the story culminated with the rise of the internet. Since that time, new technologies have taken the spotlight – AI, Big Data, smart phones, the Internet of Things, social media, and much more. The book is so old that my publisher long ago allowed me to post the entire digital version online for free. And yet, the basic problems and ideas discussed in the book largely remain the same. There are new chapters in the story, but its direction has been quite predictable. I could practically reissue the book with a new preface that says “I told you so.”
Cartoon – Notice and Choice
Here’s a new cartoon on the notice-and-choice approach to privacy — the way that many U.S. privacy laws regulate. Sadly, most of the state laws are based on notice and choice.
Here are some of my recent writings critiquing the notice-and-choice approach:
- Kafka in the Age of AI and the Futility of Privacy as Control, 104 B.U. L. Rev. 1021 (2024) (with Woodrow Hartzog)
- ON PRIVACY AND TECHNOLOGY (Oxford University Press, Jan 2025). You can pre-order a copy here.
Cartoon: Personal Data
Here’s a new cartoon on the difficulties of identifying personal data.
For my thoughts on this topic, see my post: Personal and Sensitive Data.
Cartoon: AI Trick-or-Treating
Here’s a new cartoon on AI for Halloween.
Cartoon: AI Restaurant
My latest cartoon – about the AI craze these days.
* * * *
Professor Daniel J. Solove is a law professor at George Washington University Law School. Through his company, TeachPrivacy, he has created the largest library of computer-based privacy and data security training, with more than 150 courses. He is also the co-organizer of the Privacy + Security Forum events for privacy professionals.
Bankruptcy Sale of DNA Data: From Toysmart to 23andMe
A recent article in The Atlantic discusses the risk of 23andMe selling its vast stockpile of DNA data on 15 million individuals:
23andMe is not doing well. Its stock is on the verge of being delisted. It shut down its in-house drug-development unit last month, only the latest in several rounds of layoffs. Last week, the entire board of directors quit, save for Anne Wojcicki, a co-founder and the company’s CEO. Amid this downward spiral, Wojcicki has said she’ll consider selling 23andMe—which means the DNA of 23andMe’s 15 million customers would be up for sale, too.
Can anything be done to protect this DNA data in the event of a sale?
More than two decades ago, the FTC intervened in a bankruptcy sale of personal data by Toysmart, an online toy merchant that had massive quantities of children’s data. The FTC restricted Toysmart to selling its data only to companies operating in a similar market and agreeing to abide by the same privacy policies as Toysmart had in place. But the Toysmart case was a “deception” case under the FTC Act, triggered by the fact that the company had stated in its privacy notice that it would not share the personal data of its customers with third parties.
The lesson companies learned from Toysmart is to include the sale of data as an asset in a potential bankruptcy. This makes a deception case difficult or impossible to bring. 23andMe has done this, writing the following in its privacy notice:
If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity.
The failure of the notice-and-choice approach is about as established as the law of gravity. Nobody reads privacy notices. Meaningful consent can’t be inferred from customer inaction. The existence of a notice alone provides no indicia of consumer consent whatsoever.
My Forthcoming Book, ON PRIVACY AND TECHNOLOGY, Available for Pre-Order
I am excited to announce that my forthcoming book, ON PRIVACY AND TECHNOLOGY (Oxford University Press) is now available for pre-order. It will be in print in January 2025.
From the book jacket:
Succinct and eloquent, On Privacy and Technology is an essential primer on how to face the threats to privacy in today’s age of digital technologies and AI.
With the rapid rise of new digital technologies and artificial intelligence, is privacy dead? Can anything be done to save us from a dystopian world without privacy?
In this short and accessible book, internationally renowned privacy expert Daniel J. Solove draws from a range of fields, from law to philosophy to the humanities, to illustrate the profound changes technology is wreaking upon our privacy, why they matter, and what can be done about them. Solove provides incisive examinations of key concepts in the digital sphere, including control, manipulation, harm, automation, reputation, consent, prediction, inference, and many others.
Compelling and passionate, On Privacy and Technology teems with powerful insights that will transform the way you think about privacy and technology.
Book Details:
ON PRIVACY AND TECHNOLOGY
by Daniel J. Solove
Oxford University Press (Jan. 2025)
ISBN 978-0197771686