Internet Privacy Symposium Brings Academics, Policy Makers, Economists, and Legal and Corporate Professionals to Stanford
|
|
|
Aim of Symposium: To Promote Business Innovation While
Preventing Unauthorized Disclosure of Private Information
As Internet activity becomes more of a way of life, the trail of
private information following an individual who shops, talks, or
works online grows both in size and in significance. The amount
of proprietary data that companies store on networked servers has
reached equally alarming levels. In response to the need to protect
this information from unauthorized intruders or inadvertent leaks,
a vast computer security industry has arisen. Yet the stubborn availability
of such confidential information to those with the "right"
tools prompts many to wonder whether we are in need of a new legal
regime that would transfer out of private hands some of the responsibility
for keeping these servers secure. Others acknowledge the inadequacy
of the current legal situation but suspect that the imposition of
a new legal and economic burden might impede the advances that the
computer industry has made in the past decade.
On March 13 and 14, academics, policy makers, economists, advocates, and legal and corporate professionals congregated at Stanford Law School to debate these and other questions raised by the topic of computer security. Over the course of a two-day symposium, entitled Securing Privacy in the Internet Age, participants articulated numerous competing visions of a legal framework that would be better suited to deal with the problems that crop up whenever new technologies are used by customers.
Margaret Jane
Radin, a coeditor of the symposium and the Director of the Stanford
Program in Law, Science & Technology (LST), started things
off by posing the following questions:
How should privacy and security be governed, and is governance indeed necessary? Should we look to governments or nongovernmental organizations for a solution to problems of Internet security and privacy? Or will the market prove itself capable of handling these problems? Alternatively, might there be a solution in tort law, constitutional law, privacy law, international treaties, or in some new kind of law? How would such a law be implemented?
Later speakers proposed answers to these questions from a variety
of perspectives. Michael Froomkin, a professor at the University
of Miami School of Law, argued the pros and cons of a system of
national ID cards. He sketched a scenario in which such a system
might actually enhance privacy; at the very least, he argued, the
presence of "plastic in people's pockets" would make privacy
a more salient concern for most Americans. Professor Froomkin pointed
out that the status quo of security protection was bad and getting
worse. Many speakers echoed this last sentiment.
Identity theft--the use of personal information to illegally access
existing financial accounts or to take out credit cards in the name
of the victim--is the most rapidly growing type of white collar
crime, according to FTC statistics. Daniel Solove, of Seton Hall
Law School, noted the FTC's estimate of over 10 million people victimized
by identity theft within the last year, which led to approximately
$5 billion in consumer loss and 300 million work hours dedicated
to repairing the damage wrought by this theft. He suggested, however,
that neither the new technologies themselves nor the creators and
users of these technologies were fully responsible for the extent
of this damage. Rather, the problem stems from a legislative failure
to properly regulate the dissemination of personal information.
For instance, due to a lack of resources in law enforcement, roughly
one out of every seven hundred cases of identity theft currently
result in the conviction of a perpetrator. Mr. Solove emphasized
that we need to create legal solutions that address the insecurity
of business architecture on the Internet; specifically, we need
to solve the problems that arise from the low-tech entry point of
most online business transactions.
The next speaker, Jennifer Chandler, from the University of Ottawa,
made a very different kind of argument, stating that end users,
software developers, and vendors should be held responsible for
creating and contributing to the vulnerability of systems. Ms. Chandler
pointed out that standards of security are necessarily complex and
dependent upon context and thus resistant to sluggish legislative
response. She reasoned that a system of tort liability--in which
victims of denial of service attacks and other crimes would be able
to sue relevant parties for negligence--better fits the enormous
and ever-changing variety of possible damages that hackers can inflict.
In addressing the challenges for a company's Chief Privacy Officer,
Alex Fowler of PricewaterhouseCoopers modeled the two ways that
most organizations think about privacy. First, there is an "old
school," the members of which consider privacy as a threat
to business and argue that it is a cost center rather than a growth
driver, and quite unlikely to add any shareholder value. These sorts
of people naturally dislike the institution of new privacy laws.
On the other hand, there is a "new school" that looks
at privacy as an opportunity and as a new way of doing business.
Such people look to privacy as an opportunity for further branding
their product and for fostering long-term customer relationships.
Mr. Fowler pointed out that both of these perspectives come into
play with many of the clients with which his company deals. Indeed,
it often appears that these organizations are at odds with themselves,
but this ongoing state of confusion means that they are in a continual
process of policy reinvention, and are with any luck moving from
an older to a newer way of considering privacy. Success in this
transition can be measured in the strength of a company's infrastructure
of data management, and the extent to which this infrastructure
can effectively aggregate, anonymize, and weed out information.
The two other editors of the symposium were Anupam
Chander, who was a visiting professor at Stanford Law School
in Spring 2004, and Lauren
Gelman, the Associate Director of the Stanford Program in Law,
Science & Technology's Center
for Internet and Society (CIS). Ms. Gelman opened the second
day of proceedings with an overview of future LST and CIS events.
Mr. Chander then introduced the first round of speakers with a discussion
of the shift in Internet security law away from contractual freedom
and towards the tort law concept of strict liability.
Andrea Matwyshyn, from the Northwestern University School of Law,
referenced Professor Margaret Jane Radin’s work on personalization
vs. standardization and Professor Lawrence Lessig's analysis of
the architectures of control (which was specifically relevant to
her description of the differences between emergent organizational
code and hierarchically implemented legislative and technical code)
in her talk on the development of norms for relational Internet
and privacy contracting. After citing the works of these two Law,
Science & Technology faculty members, Ms. Matwyshyn described
her examination of the current privacy/terms of use policies of
75 publicly traded companies and her discovery that not one of these
companies has a policy that is fully enforceable, in light of a
handful of recent cases. She argued that current Internet data security
constructions are fundamentally nonadaptive and unlikely to develop
into architectures of growth. In the interest of creating a more
adaptable legal construction, Ms. Matwyshyn suggested merging privacy
and terms of use agreements into a single contractual “conversation”
between website publisher and website viewer that both would be
able to memorize. A clearly articulated privacy policy, she added,
would likely shift more liability to the user.
Throughout the rest of the day, speakers negotiated this line between cyber-security and user privacy in a number of ways. Some suggested alternatives for privacy enhancement, including the possible economic role of cyberinsurance and the potential role of disclosure intermediaries in safeguarding sensitive financial information. Others, such as Professor Susan Brenner of the University of Dayton School of Law, argued that in imposing liability on institutions, courts would clearly need to use criminal liability as a deterrent and incentive.
The symposium ended at 5 p.m. on Sunday, but clearly, as threats
to privacy and security become even more pressing, many of the ideas
that speakers broached over the course of the weekend will remain
very much alive. There exist numerous ways in which the application
of legal doctrines might enhance security practices while simultaneously
promoting vigorous competition and innovation. It will be up to
the participants and attendees of this symposium to construct a
framework by which private information will be managed. Overall,
Securing Privacy in the Internet Age was an overwhelming success,
and solidified the LST program's place at the center of informed
debates over technology policies in national and global arenas.
*********************************
For an audio recording of the weekend's proceedings, please visit
the symposium website at http://cyberlaw.stanford.edu/privacysymposium/schedule.html.
Additional notes on the symposium can be found at http://cyberlaw.stanford.edu/blogs.
|