PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

The Year in Privacy 2013 and the Year to Come

Daniel Solove @danielsolove
Founder of TeachPrivacy
January 2, 2014

high-tech technology background with eyes on computer display

by Daniel J. Solove

2013 was a remarkable year in privacy developments. Here are four main trends I saw occurring this year:

1. The heat on the NSA for its broad surveillance programs has been sustained and productive.

The Edward Snowden leaks revealed massive NSA surveillance efforts. What is most interesting in the aftermath of the recent NSA surveillance revelations has been the strong public disapproval of the NSA surveillance and courts finally taking some leadership on the issue, such as one court declaring the surveillance likely unconstitutional. The President’s Review Group on Intelligence and Communications Technologies recommended curbs on the NSA. Congress has yet to show leadership on the issue, which remains disappointing, but we are finally seeing the stirrings of a response and perhaps change. Indeed, 56% of people in a Pew poll “say that federal courts fail to provide adequate limits on the telephone and internet data the government is collecting.”

Moreover, the story regarding NSA surveillance keeps going on. It hasn’t faded. The overall trend is that there is now sustained heat on the NSA and a sustained stirring for changing the law to provide greater oversight and controls on government surveillance.

Continue Reading

Notable Privacy and Security Books 2013

Daniel Solove @danielsolove
Founder of TeachPrivacy
December 28, 2013

Notable Privacy Security Books 2013 - TeachPrivacy

Here are some notable books on privacy and security from 2013. To see a more comprehensive list of nonfiction works about privacy and security, Professor Paul Schwartz and I maintain a resource page on Nonfiction Privacy + Security Books.

Continue Reading

NSA Metadata Surveillance and the Fourth Amendment

Daniel Solove @danielsolove
Founder of TeachPrivacy
December 24, 2013

metadata

by Daniel J. Solove

A U.S. District Court recently held that the NSA surveillance of telephone metadata likely violates the Fourth Amendment. The case is Klayman v. Obama.

The NSA surveillance program involves an incredibly broad gathering of metadata about people’s conversations. Metadata doesn’t include the conversations themselves, just data about when and to whom they are made — i.e., not the content of the phone conversations but the phone numbers of the people having the conversations.

The key Fourth Amendment case at issue is Smith v. Maryland, 442 U.S. 745 (1979), which held that a pen register device capturing the phone numbers a person dialed wasn’t protected by the Fourth Amendment partly because the phone company had access to the phone numbers and partly because phone numbers weren’t viewed to be as sensitive as the phone conversations themselves.

Continue Reading

Why Schools Are Flunking Privacy and How They Can Improve

Daniel Solove @danielsolove
Founder of TeachPrivacy
December 24, 2013

pixel cloud network icon computer

by Daniel J. Solove

Fordham School of Law’s Center on Law and Information Policy (CLIP), headed by Joel Reidenberg, has released an eye-opening and sobering study of how public schools are handling privacy issues with regard to cloud computing. The study is called Privacy and Cloud Computing in Public Schools, and it is well worth a read.

Continue Reading

Why Metadata Matters: The NSA and the Future of Privacy

Daniel Solove @danielsolove
Founder of TeachPrivacy
December 2, 2013

metadata pic blog 1

 by Daniel J. Solove

Over at Slate, Dahlia Lithwick and Steve Vladeck have a great piece about why “metadata” matters. It is very much worth reading. Here are some of my thoughts on the matter.

Several National Security Agency (NSA) surveillance programs involve gathering metadata about our communications (the numbers we call or the email addresses we email). This data is distinguished from the content of the communications, which is understood to be more sensitive and important. Sometimes, metadata is referred to as “envelope” information because it is akin to an envelope we send a letter in – and the letter itself is the “content” information.

Is the envelope information really that sensitive? “Nobody is listening to your telephone calls,” President Obama declared. Intelligence agencies are “looking at phone numbers and durations of calls; they are not looking at people’s names, and they’re not looking at content.” So should we breathe easier?

The answer is no. There are several reasons why the privacy of metadata matters tremendously.

Continue Reading

Privacy and Data Security in Higher Education

Daniel Solove @danielsolove
Founder of TeachPrivacy
November 19, 2013

Computer work

by Daniel J. Solove

I was recently interviewed in HR Horizons, the magazine of the National Association of College and University Business Officers (NACUBO) on the topic of privacy and data security in higher education. Here are a few excerpts:

What is the difference between data security and data privacy, and what risks do each pose for a college or university?

Data security involves everything you need to know and do to secure the data you have and produce. This includes technical safeguards you should have in place such as firewalls, virus protection, and password controls. It includes processes for monitoring access to data. And it also includes physical controls, such as policies for data destruction like document-shredding programs. Data security officers most often have a technical background and operate from within the IT unit of a university.

Continue Reading

Is Privacy Law Constitutional? Is Personal Data Speech?

Daniel Solove @danielsolove
Founder of TeachPrivacy
November 18, 2013

blog-constitutional-1by Daniel J. Solove

Professor Neil M. Richards (Washington University School of Law) has posted a draft chapter of his forthcoming book about privacy law and free speech. It is a fascinating piece — very accessible and engaging. It’s called Why Data Privacy Law is (Mostly) Constitutional.

Eyebrows were raised a few years ago when the U.S. Supreme Court struck down a privacy statute in Sorrell v. IMS Health, Inc., 131 S.Ct. 2653 (2011). A Vermont statue restricted pharmacies from disclosing personal data for marketing purposes and barred pharmaceutical companies from using personal data for marketing without people’s consent. The Supreme Court held that the statute violated the First Amendment because it singled out particular content and particular speakers.

Does this mean that most privacy laws have a problem with the First Amendment right to free speech? After all, privacy laws mandate restrictions on uses and disclosures of personal data.

Continue Reading

Data Security: The Greatest Threat Is Internal

Daniel Solove @danielsolove
Founder of TeachPrivacy
October 22, 2013

Virus in program code

by Daniel J. Solove

A PC World article discusses a new study by Forrester that reveals that internal threats are the “leading cause” of data breaches. The survey involved companies in Canada, France, Germany, the UK, and the US. The study revealed that 36% of breaches involve “inadvertent misuse of data by employees.”

According to the article, the study also indicated that “only 42 percent of the North American and European small and midsize business workforce surveyed had received training on how to remain secure at work, while only 57 percent say that they’re even aware of their organization’s current security policies.” The article quotes Heidi Shey, the study’s author, who says: “People don’t know what they don’t know. You’ve got to give them some kind of guidance and guard rails to work with.”

Continue Reading

A List of Privacy Training and Data Security Training Requirements in Laws, Regulations, and Industry Codes

Daniel Solove @danielsolove
Founder of TeachPrivacy
September 9, 2013

Privacy Writing 04by Daniel J. Solove

I was recently asked whether I had a list of the various laws, regulations, and industry codes that require privacy and/or data security training.  I know about a number of training requirements, but didn’t have a formal list.  I realized that such a list would be useful, so I created one with the help of Joe Newman, a former student who now does some work for my company.

The PDF is here.  It provides information about each requirement, citations, and quotations of the relevant provisions.  Below is a summary.   If there are any training requirements we missed, please let me know.

Continue Reading

The FTC and the New Common Law of Privacy

Daniel Solove @danielsolove
Founder of TeachPrivacy
August 20, 2013

Bby Daniel J. Solove

I recently posted a draft of my new article, The FTC and the New Common Law of Privacy (with Professor Woodrow Hartzog).

You can download it for free on SSRN.

One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies’ privacy policies through its authority to police unfair and deceptive trade practices. Despite more than fifteen years of FTC enforcement, there is no meaningful body of judicial decisions to show for it. The cases have nearly all resulted in settlement agreements. Nevertheless, companies look to these agreements to guide their privacy practices. Thus, in practice, FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States – more so than nearly any privacy statute and any common law tort.

Continue Reading