We were happy to see that the report recognized that email privacy is critical, and the law should "ensure the standard of protection for online, digital content is consistent with that afforded in the physical world--including by removing archaic distinctions between email left unread or over a certain age." As we have argued, and courts have agreed, law enforcement should be required to get a warrant before reading your email, regardless of where it's stored or how long it's been there.
Congress has been grappling with this issue for many years now because the outdated Electronic Communications Privacy Act (ECPA) purports to permit law enforcement to access emails without a warrant in certain situations. Right now, Congress is considering powerful bipartisan legislation that would help bring our outdated email privacy law into alignment with Fourth Amendment case law. We're supporting the bill, and the White House should too.
However, one issue was left conspicuously unaddressed in the report. The Securities and Exchange Commission, the civil agency in charge of protecting investors and ensuring orderly markets, has been advocating for a special exception to the warrant requirement. No agency can or should have a get-out-of-jail-free card for bypassing the Fourth Amendment.Protections Must be Enacted to Prevent Big Data Discrimination
We were also glad the report emphasized the dangers of big data when it comes to fairness and discrimination. Big data analytics often make use of techniques from machine learning, a field of computer science in which an algorithm "learns" what sorts of output to produce based on data presented to it during a training phase. When the input data explicitly or implicitly encodes for a protected characteristic like gender or race, though, the resulting algorithm runs the risk of being biased against certain groups, or in the worst case "redlining" them. 1 Even worse, people may assume the results are fair because algorithms are seen as a neutral arbiter--after all, how can a computer discriminate if it doesn't have things like social prejudices? In reality though the algorithm is only as fair as the data fed into it.
But even when big data algorithms manage to be perfectly fair, the danger of discrimination remains due to the very digital nature of big data. Many groups are under-represented in today's digital world (especially the elderly, minorities, and the poor). These groups run the risk of being disadvantaged if community resources are allocated based on big data, since there may not be any data about them in the first place. We see an example of this in Boston, which had a pilot program to allow residents to report potholes through a mobile app but soon recognized that the program was inherently flawed because "wealthy people were far more likely to own smart phones and to use the Street Bump app. Where they drove, potholes were found; where they didn't travel, potholes went unnoted."
Obviously this sort of discrimination and unfairness can have a huge effect on people's lives, resulting in everything from unfair pricing based on economic class to limiting people's credit, housing, education, or employment opportunities. We're glad the President's commission recommended that the Justice Department, the Federal Trade Commission, the Consumer Financial Protection Bureau, and the Equal Employment Opportunity Commission take proactive steps to make sure this sort of big data discrimination doesn't become common. In particular, these agencies should look to scrutinize consumer experiences that might be ripe for discrimination based on big data analytics (such as digital advertising), and to encourage transparency by companies to help users understand how and when big data influences their experience within the marketplace.Non-US Persons Deserve Privacy Too
As we've said before, if our nation truly values privacy and civil liberties in a connected digital world, then we should extend the privacy protections we grant to citizens to all people. The authors of the report agree, recommending that the Privacy Act be extended to all people, not just US persons.
As we've explained before, metadata (the details associated with your communications, content, or actions, like who you called, or what a file you uploaded file is named, or where you were when you visited a particular website) can expose just as much information about you as the "regular" data it is associated with, so it deserves the same sort of privacy protections as "regular" data.
Unfortunately the report claimed--without citation--that this is an issue on which experts are divided. We disagree: the overwhelming weight of experts in technology recognize how invasive metadata can be. The report merely recommended that the government look into the issue.
In contrast, several other government reports have taken a much stronger stance and explicitly stated that metadata deserves the same level of privacy protections as "regular" data. This includes the Privacy and Civil Liberties Oversight Board: "Telephone calling records, especially when assembled in bulk, clearly implicate privacy interests as a matter of public policy"; the President's Review Group on Intelligence and Communications Technologies: "In a world of ever more complex technology, it is increasingly unclear whether the distinction between 'meta-data' and other information carries much weight"; and even the parallel report by the President's Council of Advisors for Science & Technology (PCAST): "There is no reason to believe that metadata raise fewer privacy concerns than the data they describe."
We think the report should have followed the lead of the PCAST report and acknowledged that the distinction between data and metadata is an artificial one, and recommended the appropriate reforms.What the Public Knows About Data Brokers
As one of their recommendations, the White House suggested advancing the Consumer Privacy Bill of Rights, which includes the idea that "consumers have a right to exercise control over what personal data companies collect from them and how they use it," as well as "a right to access and correct personal data." It barely mentioned, however, one of the key reasons a Consumer Privacy Bill of Rights is so important: namely the tremendous disparity in knowledge between consumers and the companies who collect and analyze data about them. As we mentioned in our comments to the White House, "The vast majority of information data brokers use...is data which consumers unintentionally expose in large part because they simply do not know how or when they are being tracked, or what information is being collected." Additionally, consumers "frequently believe wrongly that the law or a company's privacy policies block certain uses of that data or its dissemination." This informational asymmetry puts consumers at a huge disadvantage, and the only way to correct it is through transparency--which the report rightly calls for. However, the report glossed over this issue and failed to articulate why greater transparency around the entire data broker industry is necessary.Where the Recommendations Fell Short Data Breach Reform May Undermine Existing State-Level Consumer Protections
Consumers have a right to know when their data is exposed, whether through corporate misconduct, malicious hackers, or under other circumstances. Recognizing this important consumer safeguard, the report recommends that Congress "should pass legislation that provides a single national data breach standard along the lines of the Administration's May 2011 Cybersecurity legislative proposal."
While at first blush this may seem like a powerful consumer protection, we don't think that proposal is as strong as existing California law. The proposed federal data breach notification scheme would preempt state notification laws, removing the strong California standard and replacing it with a weaker standard.
We strongly support universal data breach notification, but any such proposal should not become a backdoor for weakening the transparency. We're also wary of engaging in a negotiation in Capitol Hill on this topic, since too often powerful corporate interests will trump the best interests of everyday users in the lawmaking process.