Cyber Security, Privacy and Disclosure

Internet Privacy Symposium Brings Academics, Policy Makers, Economists, and Legal and Corporate Professionals to Stanford

   
 

Aim of Symposium: To Promote Business Innovation While Preventing Unauthorized Disclosure of Private Information

As Internet activity becomes more of a way of life, the trail of private information following an individual who shops, talks, or works online grows both in size and in significance. The amount of proprietary data that companies store on networked servers has reached equally alarming levels. In response to the need to protect this information from unauthorized intruders or inadvertent leaks, a vast computer security industry has arisen. Yet the stubborn availability of such confidential information to those with the "right" tools prompts many to wonder whether we are in need of a new legal regime that would transfer out of private hands some of the responsibility for keeping these servers secure. Others acknowledge the inadequacy of the current legal situation but suspect that the imposition of a new legal and economic burden might impede the advances that the computer industry has made in the past decade.

On March 13 and 14, academics, policy makers, economists, advocates, and legal and corporate professionals congregated at Stanford Law School to debate these and other questions raised by the topic of computer security. Over the course of a two-day symposium, entitled Securing Privacy in the Internet Age, participants articulated numerous competing visions of a legal framework that would be better suited to deal with the problems that crop up whenever new technologies are used by customers.

Margaret Jane Radin, a coeditor of the symposium and the Director of the Stanford Program in Law, Science & Technology (LST), started things off by posing the following questions:

How should privacy and security be governed, and is governance indeed necessary? Should we look to governments or nongovernmental organizations for a solution to problems of Internet security and privacy? Or will the market prove itself capable of handling these problems? Alternatively, might there be a solution in tort law, constitutional law, privacy law, international treaties, or in some new kind of law? How would such a law be implemented?

Later speakers proposed answers to these questions from a variety of perspectives. Michael Froomkin, a professor at the University of Miami School of Law, argued the pros and cons of a system of national ID cards. He sketched a scenario in which such a system might actually enhance privacy; at the very least, he argued, the presence of "plastic in people's pockets" would make privacy a more salient concern for most Americans. Professor Froomkin pointed out that the status quo of security protection was bad and getting worse. Many speakers echoed this last sentiment.

Identity theft--the use of personal information to illegally access existing financial accounts or to take out credit cards in the name of the victim--is the most rapidly growing type of white-collar crime, according to FTC statistics. Daniel Solove, of Seton Hall Law School, noted the FTC's estimate of over 10 million people victimized by identity theft within the last year, which led to approximately $5 billion in consumer loss and 300 million work hours dedicated to repairing the damage wrought by this theft. He suggested, however, that neither the new technologies themselves nor the creators and users of these technologies were fully responsible for the extent of this damage. Rather, the problem stems from a legislative failure to properly regulate the dissemination of personal information. For instance, due to a lack of resources in law enforcement, roughly one out of every seven hundred cases of identity theft currently results in the conviction of a perpetrator. Mr. Solove emphasized that we need to create legal solutions that address the insecurity of business architecture on the Internet; specifically, we need to solve the problems that arise from the low-tech entry point of most online business transactions.

The next speaker, Jennifer Chandler, from the University of Ottawa, made a very different kind of argument, stating that end users, software developers, and vendors should be held responsible for creating and contributing to the vulnerability of systems. Ms. Chandler pointed out that standards of security are necessarily complex and dependent upon context and thus resistant to sluggish legislative response. She reasoned that a system of tort liability--in which victims of denial of service attacks and other crimes would be able to sue relevant parties for negligence--better fits the enormous and ever-changing variety of possible damages that hackers can inflict.

In addressing the challenges for a company's Chief Privacy Officer, Alex Fowler of PricewaterhouseCoopers modeled the two ways that most organizations think about privacy. First, there is an "old school," the members of which consider privacy as a threat to business and argue that it is a cost center rather than a growth driver, and quite unlikely to add any shareholder value. These sorts of people naturally dislike the institution of new privacy laws. On the other hand, there is a "new school" that looks at privacy as an opportunity and as a new way of doing business. Such people look to privacy as an opportunity for further branding their product and for fostering long-term customer relationships. Mr. Fowler pointed out that both of these perspectives come into play with many of the clients with which his company deals. Indeed, it often appears that these organizations are at odds with themselves, but this ongoing state of confusion means that they are in a continual process of policy reinvention, and are with any luck moving from an older to a newer way of considering privacy. Success in this transition can be measured in the strength of a company's infrastructure of data management, and the extent to which this infrastructure can effectively aggregate, anonymize, and weed out information.

The two other editors of the symposium were Anupam Chander, who was a visiting professor at Stanford Law School in Spring 2004, and Lauren Gelman, the Associate Director of the Stanford Program in Law, Science & Technology's Center for Internet and Society (CIS). Ms. Gelman opened the second day of proceedings with an overview of future LST and CIS events. Mr. Chander then introduced the first round of speakers with a discussion of the shift in Internet security law away from contractual freedom and towards the tort law concept of strict liability.

Andrea Matwyshyn, from the Northwestern University School of Law, referenced Professor Margaret Jane Radin’s work on personalization vs. standardization and Professor Lawrence Lessig's analysis of the architectures of control (which was specifically relevant to her description of the differences between emergent organizational code and hierarchically implemented legislative and technical code) in her talk on the development of norms for relational Internet and privacy contracting. After citing the works of these two Law, Science & Technology faculty members, Ms. Matwyshyn described her examination of the current privacy/terms of use policies of 75 publicly traded companies and her discovery that not one of these companies has a policy that is fully enforceable, in light of a handful of recent cases. She argued that current Internet data security constructions are fundamentally nonadaptive and unlikely to develop into architectures of growth. In the interest of creating a more adaptable legal construction, Ms. Matwyshyn suggested merging privacy and terms of use agreements into a single contractual “conversation” between website publisher and website viewer that both would be able to memorize. A clearly articulated privacy policy, she added, would likely shift more liability to the user.

Throughout the rest of the day, speakers negotiated this line between cyber-security and user privacy in a number of ways. Some suggested alternatives for privacy enhancement, including the possible economic role of cyberinsurance and the potential role of disclosure intermediaries in safeguarding sensitive financial information. Others, such as Professor Susan Brenner of the University of Dayton School of Law, argued that in imposing liability on institutions, courts would clearly need to use criminal liability as a deterrent and incentive.

The symposium ended at 5 p.m. on Sunday, but clearly, as threats to privacy and security become even more pressing, many of the ideas that speakers broached over the course of the weekend will remain very much alive. There exist numerous ways in which the application of legal doctrines might enhance security practices while simultaneously promoting vigorous competition and innovation. It will be up to the participants and attendees of this symposium to construct a framework by which private information will be managed. Overall, Securing Privacy in the Internet Age was an overwhelming success, and solidified the LST program's place at the center of informed debates over technology policies in national and global arenas.

*********************************

For an audio recording of the weekend's proceedings, please visit the symposium website at http://cyberlaw.stanford.edu/privacysymposium/schedule.html. Additional notes on the symposium can be found at http://cyberlaw.stanford.edu/blogs.