FTC’s Role, ECPA Update Highlight of Final White House Big Data Workshop

The White House’s big data review will come to a close in the coming weeks, after a 90-day period with three public workshops and many more closed-door meetings (WID Jan 24 p8). The workshops have hit on the technology behind big data (WID March 4 p3), the social and ethical concerns it presents (WID March 19 p2) and, Tuesday, the policy and governance solutions to address those concerns.

Society’s view of “harm” is expanding, said Indiana University School of Law professor Fred Cate, who runs the school’s applied cybersecurity research center. To date, the legal view of “harm” is financially focused, said Berkeley School of Law professor Kenneth Bamberger, but “most of the things we've been talking about today go far beyond that.” Bamberger is also co-director of the Berkeley Center for Law and Technology. Omnipresent data collection raises harms not addressed by law, such as “harms to dignity” and “harms to equity,” he said.

More intangible harms, such as to dignity, are “much easier to deal with as a matter of redress,” Cate said, similar to how the FTC approaches big data and privacy. “That feels like Whac-A-Mole to me,” said Deirdre Mulligan, who co-directs the Berkeley Center for Law and Technology with Bamberger. Shouldn’t the government help “shape things proactively” by “getting people in on the ground floor when you're designing a system” to inculcate privacy? Mulligan asked. For instance, the government could put privacy conditions on projects it funds through grants, said Nicole Ozer, technology and civil liberties policy director for the American Civil Liberties Union of California. The Department of Homeland Security went through the process to develop such conditions “and it was never implemented,” she said. “That’s one sensible step” for the government,” Ozer said. “Local communities don’t have the resources themselves to think through these problems.”

For the private sector, every time the FTC whacks a mole, “all the other moles look around and say ‘Oh, we don’t want to do that,'” Cate said. Each action encourages industry to consider privacy in a broader context and prompts big-picture discussions, he said. The FTC can set the conversation agenda through its workshops, Cate said. A series of workshops “on harm might be a really useful approach,” he said.

This creates a “hollow” version of the “common law,” said TechFreedom in comments filed to the White House Monday. “Even if the FTC has reached the right policy outcome in many, or even most cases,” the process to reach that outcome is “devoid of the very analytical rigor by which the adversarial process of litigation weighs competing theories and advances doctrine,” said the group. It has testified before Congress (WID March 3 p1) and held events with FTC Commissioner Joshua Wright to encourage the agency to clarify its Section 5 authority and file more of its cases in court instead of settling with companies after an investigation (WID Dec 17 p3). “In the real world we're not likely to see legislation pass,” TechFreedom President Berin Szoka -- who supports an ECPA update -- said in an interview Monday. “The FTC is going to continue operating as it does,” Szoka said. “In that sense, the thing that really matters, much more so than imaginary legislation and arguments over what the right legal standard is, is FTC process."

Several industry groups told the White House Monday they would prefer no new legislation, even if legislation were possible. The Software and Information Industry Association (SIIA) told the White House “to proceed cautiously when considering new data policies, as these are likely to steer the future of data-driven innovation and the scope of what is possible for American innovation for decades to come.” The Direct Marketing Association (DMA) praised “the robust framework of sectoral laws and self-regulatory protections” for data-based marketing as partly responsible for the industry’s dramatic growth in recent years. DMA rebuked a Senate Commerce Committee report critical of data brokers (WID Dec 19 p1) and has pushed back against aspects of FTC Commissioner Julie Brill’s efforts to get data collectors to make an individual’s data publicly available to consumers (WID Dec 20 p1). SIIA commented that “uninhibited cross-border, or cross-jurisdictional, data flows is perhaps the single greatest need for innovative U.S. companies to continue growing around the world.”

But panelists Tuesday said outdated laws failing to address changing uses of technology have opened the data collection floodgates -- for both the government and private sector. “We had a little bit of a lack of imagination about what the Internet would look like today,” when working on the original law, Mulligan said. Counselor to the President John Podesta -- head of the big data review and a main drafter of ECPA while working as a Senate Judiciary staffer -- retorted from the audience: “When we were writing ECPA there was no Internet.” It’s not the changing technology, Mulligan said, but the changing uses of technology that make the law antiquated. During ECPA’s drafting in the 1980s, the concern was protecting “what used to be inside the envelope,” she said. But now “we're all sharing” that information, and “what people care to protect is that metadata,” traditionally outside-the-envelope information, she said. Revamping ECPA is “very doable,” Ozer said. “There’s a lot of agreement between civil liberties groups and the business community.” Not to mention the 200-plus House members supporting legislation to require warrants for obtaining digital content -- a commonly requested ECPA update (WID April 1 p3) -- and an ECPA update bill that has passed the Senate Judiciary Committee, according to a Monday Center for Democracy & Technology (CDT) blog post (http://bit.ly/1dONrBH). In its comments to the White House (http://bit.ly/1kpUmjd), CDT encouraged the administration to support both bills “with no carve-outs or exceptions for civil agencies.”