PRIVACY + SECURITY BLOG

News, Developments, and Insights


Why Metadata Matters: The NSA and the Future of Privacy


 by Daniel J. Solove

Over at Slate, Dahlia Lithwick and Steve Vladeck have a great piece about why “metadata” matters. It is very much worth reading. Here are some of my thoughts on the matter.

Several National Security Agency (NSA) surveillance programs involve gathering metadata about our communications (the numbers we call or the email addresses we email). This data is distinguished from the content of the communications, which is understood to be more sensitive and important. Sometimes, metadata is referred to as “envelope” information because it is akin to an envelope we send a letter in – and the letter itself is the “content” information.

Is the envelope information really that sensitive? “Nobody is listening to your telephone calls,” President Obama declared. Intelligence agencies are “looking at phone numbers and durations of calls; they are not looking at people’s names, and they’re not looking at content.” So should we breathe easier?

The answer is no. There are several reasons why the privacy of metadata matters tremendously.


Privacy and Data Security in Higher Education


by Daniel J. Solove

I was recently interviewed in HR Horizons, the magazine of the National Association of College and University Business Officers (NACUBO) on the topic of privacy and data security in higher education. Here are a few excerpts:

What is the difference between data security and data privacy, and what risks do each pose for a college or university?

Data security involves everything you need to know and do to secure the data you have and produce. This includes technical safeguards you should have in place such as firewalls, virus protection, and password controls. It includes processes for monitoring access to data. And it also includes physical controls, such as policies for data destruction like document-shredding programs. Data security officers most often have a technical background and operate from within the IT unit of a university.


Is Privacy Law Constitutional? Is Personal Data Speech?

by Daniel J. Solove

Professor Neil M. Richards (Washington University School of Law) has posted a draft chapter of his forthcoming book about privacy law and free speech. It is a fascinating piece — very accessible and engaging. It’s called Why Data Privacy Law is (Mostly) Constitutional.

Eyebrows were raised a few years ago when the U.S. Supreme Court struck down a privacy statute in Sorrell v. IMS Health, Inc., 131 S.Ct. 2653 (2011). A Vermont statute restricted pharmacies from disclosing personal data for marketing purposes and barred pharmaceutical companies from using personal data for marketing without people’s consent. The Supreme Court held that the statute violated the First Amendment because it singled out particular content and particular speakers.

Does this mean that most privacy laws have a problem with the First Amendment right to free speech? After all, privacy laws mandate restrictions on uses and disclosures of personal data.


Data Security: The Greatest Threat Is Internal


by Daniel J. Solove

A PC World article discusses a new study by Forrester that reveals that internal threats are the “leading cause” of data breaches. The survey involved companies in Canada, France, Germany, the UK, and the US. The study revealed that 36% of breaches involve “inadvertent misuse of data by employees.”

According to the article, the study also indicated that “only 42 percent of the North American and European small and midsize business workforce surveyed had received training on how to remain secure at work, while only 57 percent say that they’re even aware of their organization’s current security policies.” The article quotes Heidi Shey, the study’s author, who says: “People don’t know what they don’t know. You’ve got to give them some kind of guidance and guard rails to work with.”


A List of Privacy Training and Data Security Training Requirements in Laws, Regulations, and Industry Codes

by Daniel J. Solove

I was recently asked whether I had a list of the various laws, regulations, and industry codes that require privacy and/or data security training.  I know about a number of training requirements, but didn’t have a formal list.  I realized that such a list would be useful, so I created one with the help of Joe Newman, a former student who now does some work for my company.

The PDF is here.  It provides information about each requirement, citations, and quotations of the relevant provisions.  Below is a summary.   If there are any training requirements we missed, please let me know.


The FTC and the New Common Law of Privacy

by Daniel J. Solove

I recently posted a draft of my new article, The FTC and the New Common Law of Privacy (with Professor Woodrow Hartzog).

You can download it for free on SSRN.

One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies’ privacy policies through its authority to police unfair and deceptive trade practices. Despite more than fifteen years of FTC enforcement, there is no meaningful body of judicial decisions to show for it. The cases have nearly all resulted in settlement agreements. Nevertheless, companies look to these agreements to guide their privacy practices. Thus, in practice, FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States – more so than nearly any privacy statute and any common law tort.


The Stunning Need for Improvement on Mobile and Cloud Risks

by Daniel J. Solove

A recent study by the Ponemon Institute, The Risk of Regulated Data on Mobile Devices and in the Cloud*, reveals a stunning need for improvement on managing the risks of mobile devices and cloud computing services. The survey involved 798 IT and IT security practitioners in a variety of organizations including finance, retail, technology, communications, education, healthcare, and public sector, among others. The results are quite startling.

The study concluded that “the greatest data protection risks to regulated data exist on mobile devices and the cloud.” 69% of respondents listed mobile devices as posing the greatest risk followed by 45% who listed cloud computing.


Higher Education Needs Privacy Officers and Privacy/Security Training


In 2007, Seung Cho, a student at Virginia Tech, killed 32 students and faculty and wounded 17. He then committed suicide.

One of the most troublesome things about this incident was that it might have been prevented if school officials and employees had a better grasp of privacy law. Appointed by the state governor, the Virginia Tech Review Panel issued an extensive report revealing that several University officials and employees knew about Cho’s mental instability but failed to share what they knew with each other. And nobody ever told Cho’s parents about his problems, his stalking of a female student, and his dark writings and erratic behavior. Cho’s parents said that if they had known, they would have taken him home and made him go to therapy. This is what they did when Cho had problems in high school.


Why Learning the Humanities Is a Key to Success


A recent piece in the New York Times by Verlyn Klinkenborg discusses the withering of humanities in higher education: “The teaching of the humanities has fallen on hard times. So says a new report on the state of the humanities by the American Academy of Arts and Sciences.” Students majoring in key humanities subjects are dwindling, and the article mentions rapidly fewer numbers of English majors. According to the article: “Undergraduates will tell you that they’re under pressure — from their parents, from the burden of debt they incur, from society at large — to choose majors they believe will lead as directly as possible to good jobs. Too often, that means skipping the humanities.”

Employers and Schools that Demand Account Passwords and the Future of Cloud Privacy

by Daniel J. Solove

In 2012, the media erupted with news about employers demanding employees provide them with their social media passwords so the employers could access their accounts. This news took many people by surprise, and it set off a firestorm of public outrage. It even sparked a significant legislative response in the states.

I thought that the practice of demanding passwords was so outrageous that it couldn’t be very common. What kind of company or organization would actually do this? I thought it was a fringe practice done by a few small companies without much awareness of privacy law.
