Abstract: This is a pilot study of the use of 'Flash cookies' by popular websites. We find that more than 50% of the sites in our sample are using flash cookies to store information about the user. Some are using it to 'respawn' or re-instantiate HTTP cookies deleted by the user. Flash cookies often share the same values as HTTP cookies, and are even used on government websites to assign unique values to users. Privacy policies rarely disclose the presence of Flash cookies, and user controls for effectuating privacy preferences are lacking.
Privacy, tracking, flash, cookies, local stored objects, usability, online advertising, behavioral targeting, self-help
Abstract: The Denialists' Deck of Cards is a humorous illustration of how libertarian policy groups use denialism. In this context, denialism is the use of rhetorical techniques and predictable tactics to erect barriers to debate and consideration of any type of reform, regardless of the facts. Giveupblog.com has identified five general tactics used by denialists: conspiracy, selectivity, the fake expert, impossible expectations, and metaphor. The Denialists' Deck of Cards builds upon this description by providing specific examples of advocacy techniques. The point of listing denialists' arguments in this fashion is to show the rhetorical progression of groups that are not seeking a dialogue but rather an outcome. As such, this taxonomy is extremely cynical, but it is a reflection of and reaction to how poor the public policy debates in Washington have become. The Deck is drawn upon my experience as a lawyer working on consumer protection in Washington, DC. Where possible, I have provided specific examples of denialism, but in many cases, these arguments are used only in closed negotiations. Some who read them find the examples humorous, while others find them troubling. But all who read the Washington Post will recognize these tactics; they are ubiquitous and quite effective. This taxonomy provides a roadmap for consumer advocates to understand the resistance they will face with almost any form of consumer reform. I hope to expand it to include retorts to each argument in the future.
lobbying, logic, rational thought, advocacy, libertarianism
Abstract: This version incorporates and responds to the many comments that we received to Version 1.1, which we released on March 10, 2005. Privacy protection in the United States has often been criticized, but critics have too infrequently suggested specific proposals for reform. Recently, there has been significant legislative interest at both the federal and state levels in addressing the privacy of personal information. This was sparked when ChoicePoint, one of the largest data brokers in the United States with records on almost every adult American citizen, sold data on about 145,000 people to fraudulent businesses set up by identity thieves. Other companies announced security breaches, including LexisNexis, from which personal information about 32,000 people was improperly accessed. Senator Schumer criticized Westlaw for making available to certain subscribers personal information including Social Security Numbers (SSNs). In the aftermath of the ChoicePoint debacle and other major information security breaches, both of us have been asked by Congressional legislative staffers, state legislative policymakers, journalists, academics, and others about what specifically should be done to better regulate information privacy. In response to these questions, we believe that it is imperative to have a discussion of concrete legislative solutions to privacy problems. What appears below is our attempt at such an endeavor. Privacy experts have long suggested that information collection be consistent with Fair Information Practices. This Model Regime incorporates many of those practices and applies them specifically to the context of commercial data brokers such as ChoicePoint. We hope that this will provide useful guidance to legislators and policymakers in crafting laws and regulations. We also intend this to be a work-in-progress in which we collaborate with others. 
We have welcomed input from other academics, policymakers, journalists, and experts as well as from the industries and businesses that will be subject to the regulations we propose. We have incorporated criticisms and constructive suggestions, and we will continue to update this Model Regime to include the comments we find most helpful and illuminating.
Notice, Consent, Control, and Access
1. Universal Notice
2. Meaningful Informed Consent
3. One-Step Exercise of Rights
4. Individual Credit Management
5. Access to and Accuracy of Personal Information
Security of Personal Information
6. Secure Identification
7. Disclosure of Security Breaches
Business Access to and Use of Personal Information
8. Social Security Number Use Limitation
9. Access and Use Restrictions for Public Records
10. Curbing Excessive Uses of Background Checks
11. Private Investigators
Government Access to and Use of Personal Data
12. Limiting Government Access to Business and Financial Records
13. Government Data Mining
14. Control of Government Maintenance of Personal Information
Privacy Innovation and Enforcement
15. Preserving the Innovative Role of the States
16. Effective Enforcement of Privacy Rights
Commentary
Privacy, legislation, regulation, ChoicePoint, information, security, data
Abstract: A series of major security breaches at companies with sensitive personal information has sparked significant attention to the problems with privacy protection in the United States. Currently, the privacy protections in the United States are riddled with gaps and weak spots. Although most industrialized nations have comprehensive data protection laws, the United States has maintained a sectoral approach where certain industries are covered and others are not. In particular, emerging companies known as "commercial data brokers" have frequently slipped through the cracks of U.S. privacy law. In this article, the authors propose a Model Privacy Regime to address the problems in the privacy protection in the United States, with a particular focus on commercial data brokers. Since the United States is unlikely to shift radically from its sectoral approach to a comprehensive data protection regime, the Model Regime aims to patch up the holes in existing privacy regulation and improve and extend it. In other words, the goal of the Model Regime is to build upon the existing foundation of U.S. privacy law, not to propose an alternative foundation. The authors believe that the sectoral approach in the United States can be improved by applying the Fair Information Practices - principles that require the entities that collect personal data to extend certain rights to data subjects. The Fair Information Practices are very general principles, and they are often spoken about in a rather abstract manner. In contrast, the Model Regime demonstrates specific ways that they can be incorporated into privacy regulation in the United States. This is the final version of this paper (Version 3.0), earlier versions of which are also available on SSRN. This version of the paper is published in the Illinois Law Review.
privacy, databases, databrokers, ChoicePoint, identity theft, credit, legislation, regulation, information, security, data
Abstract: Privacy protection in the United States has often been criticized, but critics have too infrequently suggested specific proposals for reform. Recently, there has been significant legislative interest at both the federal and state levels in addressing the privacy of personal information. This was sparked when ChoicePoint, one of the largest data brokers in the United States with records on almost every adult American citizen, sold data on about 145,000 people to fraudulent businesses set up by identity thieves. In the aftermath of the ChoicePoint debacle, both of us have been asked by Congressional legislative staffers, state legislative policymakers, journalists, academics, and others about what specifically should be done to better regulate information privacy. In response to these questions, we believe that it is imperative to have a discussion of concrete legislative solutions to privacy problems. What appears below is our attempt at such an endeavor. Privacy experts have long suggested that information collection be consistent with Fair Information Practices. This Model Regime incorporates many of those practices and applies them specifically to the context of commercial data brokers such as ChoicePoint. We hope that this will provide useful guidance to legislators and policymakers in crafting laws and regulations. We also intend this to be a work-in-progress in which we collaborate with others. We welcome input from other academics, policymakers, journalists, and experts as well as from the industries and businesses that will be subject to the regulations we propose. We invite criticisms and constructive suggestions, and we will update this Model Regime to incorporate the comments we find most helpful and illuminating. We also aim to discuss some of the comments we receive in a commentary section. 
To the extent to which we incorporate suggestions and commentary, and if those making suggestions want to be identified, we will graciously acknowledge those assisting in our endeavor.
Notice, Consent, Control, and Access
1. Universal Notice
2. Meaningful Informed Consent
3. One-Step Exercise of Rights
4. Individual Credit Management
5. Access to and Accuracy of Personal Information
Security of Personal Information
6. Secure Identification
7. Disclosure of Security Breaches
Business Access to and Use of Personal Information
8. Social Security Number Use Limitation
9. Access and Use Restrictions for Public Records
10. Curbing Excessive Uses of Background Checks
11. Private Investigators
Government Access to and Use of Personal Data
12. Limiting Government Access to Business and Financial Records
13. Government Data Mining
14. Control of Government Maintenance of Personal Information
Privacy Innovation and Enforcement
15. Preserving the Innovative Role of the States
16. Effective Enforcement of Privacy Rights
Abstract: This nationally representative telephone (wire-line and cell phone) survey explores Americans' opinions about behavioral targeting by marketers, a controversial issue currently before government policymakers. Behavioral targeting involves two types of activities: following users' actions and then tailoring advertisements for the users based on those actions. While privacy advocates have lambasted behavioral targeting for tracking and labeling people in ways they do not know or understand, marketers have defended the practice by insisting it gives Americans what they want: advertisements and other forms of content that are as relevant to their lives as possible.
Contrary to what many marketers claim, most adult Americans (66%) do not want marketers to tailor advertisements to their interests. Moreover, when Americans are informed of three common ways that marketers gather data about people in order to tailor ads, even higher percentages - between 73% and 86% - say they would not want such advertising. Even among young adults, whom advertisers often portray as caring little about information privacy, more than half (55%) of 18-24 year-olds do not want tailored advertising. And contrary to consistent assertions of marketers, young adults have as strong an aversion to being followed across websites and offline (for example, in stores) as do older adults.
This survey finds that Americans want openness with marketers. If marketers want to continue to use various forms of behavioral targeting in their interactions with Americans, they must work with policymakers to open up the process so that individuals can learn exactly how their information is being collected and used, and then exercise control over their data. We offer specific proposals in this direction. An overarching one is for marketers to implement a regime of information respect toward the public rather than to treat them as objects from which they can take information in order to optimally persuade them.
Behavioral advertising, online advertising, privacy, transparency, consumer protection
Abstract: There is widespread agreement that identity theft causes financial damage to consumers, lending institutions, retail establishments, and the economy as a whole. Surprisingly, there is little good public information available about the scope of the crime and the actual damages it inflicts. The publicly available data on identity theft come mainly from survey research. Methodologically, these survey polls of the public suffer from being both under- and over-inclusive in measuring the problem. As a result, low estimates attribute tens of billions of dollars in costs to the economy and consumers, while the highest estimates place losses in the hundreds of billions. To identify proper interventions and appropriately allocate resources we need comprehensive, hard data on the scope and effect of identity theft. One way to provide concrete data is to require lending institutions to publicly report figures on identity theft. Such public reporting will help identify the relative need for intervention and the likely efficacy of interventions. These disclosures are necessary to provide a sound baseline for investment by businesses and action by regulators. They are also warranted because the public pays the price of identity theft directly when they are the victim, and indirectly through higher fees, interest rates, and because the losses are tax subsidized. The author hypothesizes that if lending institutions reported limited information about identity theft, it would reveal that identity theft is both more prevalent and economically damaging than currently acknowledged, in part because of the rise of synthetic identity theft, a form that cannot be measured by victim surveys because they are unaware of the crime. Furthermore, the disclosure requirement would birth an anti-identity theft market, and the prevalence and severity of the crime would decrease dramatically as institutions compete to offer the safest financial products to consumers.
identity theft, fraud, reporting, privacy, synthetic, fictitious, information security, social security numbers
Abstract: Identity theft is a growing problem. In any given identity theft situation, there are three actors - the victim, the impostor, and an institution, such as a bank or credit card company. Thus far, policymakers have attempted to address the crime by focusing on victims and impostors; victims are told to try to shield their personal information and impostors are increasingly subject to stiffened penalties for committing identity theft. Neither approach has been effective. This article argues that the third actor, credit granting institutions, are culpable for a large number of identity theft cases. Institutions enable identity theft by maintaining lax credit granting practices, ones that make it easy for impostors to get credit in victims' names. This article proposes a fix to address lax credit granting practices. It takes the form of a change in the default state of credit reports from their current liquid state to a frozen one. That is, our current credit system allows our personal information to flow like water to almost anyone who requests it. Once credit information is released, credit grantors who are operating in an extremely competitive market, race to issue new accounts. This makes it simple for impostors to commit identity theft by obtaining new credit accounts. Under the proposed system, credit reports would be sealed or frozen, available only when the individual thaws her file, and specifies to whom, when, or in what contexts it should be released. Creditors will not extend tradelines without a credit report, and thus under a frozen credit report system, impostors would have great difficulty in obtaining new accounts. A simple barrier to obtaining a credit report will provide a shield for all individuals against most identity thieves. This article is a short book chapter in a forthcoming book to be published by Stanford University Press of papers presented at a March 2004 symposium on privacy and security at Stanford Law School.
Privacy, security, identity theft, Fair Credit Reporting Act, social security number, credit
Abstract: The shift to a digital information environment has brought many changes to law enforcement access to personal data. Now, by visiting a single website, such as www.cpgov.com, law enforcement can obtain a comprehensive dossier on almost any adult. That website was custom-tailored for law enforcement by ChoicePoint, Inc., a commercial data broker (CDB). CDBs make available a wide variety of personal information, from arrest and court records to notice that a suspect has opened a private mailbox. Access to private sector databases has significantly altered the balance of power between law enforcement and the individual. This new power has been made possible by the confluence of fast network connections; the availability of public records, both electronic and paper, that are rich with personal information; a regulatory environment that has turned a blind eye to private sector collection of personal information for marketing and other purposes; and the alacrity of companies that have become very profitable from selling personal data to the government. This article summarizes the findings of three years of research into the relationship between CDBs and the federal government. The federal Freedom of Information Act was employed to obtain over 1,500 documents from nine federal agencies concerning ChoicePoint and other CDBs. Findings are presented from the requests, and concerns are raised regarding law enforcement access to personal information. The documents led to six major findings. First, the documents show that law enforcement can quickly obtain a broad array of personal information about individuals. Second, although broad requests for documents were filed, there was almost no evidence of controls to prevent agency employees from misusing the databases. It appears as though auditing employee use of the databases is either impossible or simply not done. 
Third, the database companies are extremely solicitous to the government and actually design the databases for law enforcement use. Fourth, ChoicePoint expanded significantly in 2000 by starting to acquire and sell personal information of non-citizens. That discovery has led to strong international dissent. Fifth, many of the contracts with CDBs are sole-sourced, meaning the contracts are not open to competitive bidding. Sixth, the FBI has a secret, sole-source contract with ChoicePoint to develop an information service prototype. Based on these documents, the author concludes that the Privacy Act should apply to CDBs. The Privacy Act of 1974 establishes a comprehensive set of Fair Information Practices for government collection of personal information, but does not substantially affect the data practices of these private companies. Because of this lack of coverage, government entities have performed an end-run around the protections of the Privacy Act by allowing the private sector to amass troves of personal information that the government would ordinarily not be allowed to collect. Essentially, commercial data brokers are big brother's little helpers - private sector companies that have escrowed personal information that is customized for law enforcement and other government agencies. The author also concludes that public policy makers should not draw distinctions between commercial and government collection of personal information. Libertarians and conservatives have employed persuasive arguments to stave off privacy regulation that affects the commercial sector. They have argued that government collection, use, and disclosure of information presents more risk than commercial collection because the government has the power to arrest, imprison, and even to execute citizens. But this article shows that this distinction between the risks of government and commercial privacy risk is no longer tenable. 
Commercial actors provide personal information to the government in a number of contexts, and often with astonishing alacrity. Finally, policymakers should revisit policies surrounding access to public records. Much of the personal information made available to law enforcement originates from public records. In a variety of contexts, the government compels individuals to reveal their personal information, and then pours it into the public record for anyone to use for any purpose. The private sector has collected the information, repackaged it, and brought it back to the government full circle. While public records are supposed to provide a window for a citizen to check abusive government activities, increasingly, they are used to leverage more control for powerful institutions against the common man.
Privacy, freedom of information, public records, law enforcement, national security
Abstract: The Federal Trade Commission's Do-Not-Call Registry, a government-created protection for privacy, is a stellar success. With over 80 million numbers enrolled, Americans now have an easy-to-use and effective shield against telemarketing. The government's creation quickly superseded and made irrelevant self-regulatory solutions, which were difficult to use, did not apply to all telemarketers, and were unenforceable. This article argues that, like self-regulatory solutions to the 20th century problem of telemarketing, market approaches to protecting consumers from 21st century problems have failed. The FTC embraced self-regulation to protect privacy on the Internet in 1995. That decision stalled Congress and anesthetized the public, as privacy practices worsened for a decade. Self-regulation has allowed the development of new tracking technologies, and the continued employment of old ones. Self-regulation allows companies to obfuscate their practices, leaving consumers in the dark. Emerging technologies represent serious threats to privacy and are not addressed by self-regulation or law. Self-regulation has failed to produce usable anonymous payment mechanisms. We now know (as a result of California consumer protection regulation) that self-regulation failed to address security. And finally, the worst identification and tracking policies from the online world are finding their way into the offline world. In other words, online self-regulatory approaches have encouraged a more invasive web environment, and have dragged down the practices of ordinary, offline retailers. This paper argues that the FTC and Congress should reevaluate their commitment to market approaches, and empower consumers with privacy law that incorporates Fair Information Practices.
Privacy, market, self-regulation, consumer protection, telemarketing, profiling, cookies, price discrimination, customer exclusion
Abstract: The volume of online commerce grows every year, in the absence of a federal law setting baseline protections for the collection, use, and disclosure of personal information. Instead, information collected by websites is governed by individual privacy policies.
In order to gauge Californians' understanding of privacy policies and default rules in the online environment, we commissioned a representative survey of adults in the State (N=991). The telephonic survey of Spanish and English speakers was conducted by the Survey Research Center of University of California, Berkeley.
A gulf exists between California consumers' understanding of online rules and common business practices. For instance, Californians who shop online believe that privacy policies prohibit third-party information sharing. A majority of Californians believes that privacy policies create the right to require a website to delete personal information upon request, a general right to sue for damages, a right to be informed of security breaches, a right to assistance if identity theft occurs, and a right to access and correct data.
These findings show that California consumers overvalue the mere fact that a website has a privacy policy, and assume that websites carrying the label have strong, default rules to protect personal data. In a way, consumers interpret "privacy policy" as a quality seal that denotes adherence to some set of standards. Website operators have little incentive to correct this misperception, thus limiting the ability of the market to produce outcomes consistent with consumers' expectations. Drawing upon earlier work, we conclude that because the term "privacy policy" has taken on a specific meaning in the minds of consumers, its use should be limited to contexts where businesses provide a set of protections that meet consumers' expectations.
Privacy, market, self-regulation, consumer protection, profiling, opt-in, opt-out
Abstract: The author reviews 2002 developments in privacy and e-commerce, and concludes by arguing that a framework of fair information principles should govern the collection, maintenance, and dissemination of personal information. Proposed online privacy, computer security, and student privacy legislation is reviewed. The role of the Federal Trade Commission in handling privacy complaints is analyzed, and the author finds that the agency tends only to take action in cases with strong merits or where children's privacy is involved. The agency tends not to levy monetary fines for privacy violations, unless children's privacy is involved. The author reviews two landmark privacy lawsuits, Trans Union v. FTC and IRSG v. FTC, and the status of several privacy issues, including the role of self-regulation, consumer profiling, national identification, wireless privacy, digital rights management, authentication systems, and customer proprietary network information.
Privacy, E-Commerce, identity, consumer protection
Abstract: Many online privacy problems are rooted in the offline world, where businesses are free to sell consumers' personal information unless they voluntarily agree not to or where a specific law prohibits the practice. In order to gauge Californians' understanding of business practices with respect to the selling of customer data, we asked a representative sample of Californians about the default rules for protecting personal information in nine contexts. In six of those contexts (pizza delivery, donations to charities, product warranties, product rebates, phone numbers collected at the register, and catalog sales), a majority either didn't know or falsely believed that opt-in rules protected their personal information from being sold to others. In one context - grocery store club cards - a majority did not know or thought information could be sold when California law prohibited the sale. Only in two contexts - newspaper and magazine subscriptions and sweepstakes competitions - did our sample of Californians understand that personal information collected by a company could be sold to others. Respondents who shopped online were less likely to say that they didn't know the answer to the nine questions asked than those who never shopped online. In about half of the cases, those who shopped online answered correctly more often than those who do not shop online. Professor Alan Westin has pioneered a popular "segmentation" to describe Americans as fitting into one of three subgroups concerning privacy: privacy "fundamentalists" (high concern for privacy), "pragmatists" (mid-level concern), and the "unconcerned" (low or no privacy concern). When compared with these segments, Californians are more likely to be privacy pragmatists or fundamentalists, and less likely to be unconcerned about privacy. Fundamentalists were much more likely to be correct in their views of privacy rules. 
In light of this finding, we question Westin's conclusion that privacy pragmatists are well served by self-regulatory and opt-out approaches, as we found this subgroup of consumers is likely to misunderstand default rules in the marketplace.
Abstract: In late 2007, the popular social networking site Facebook.com adopted "Beacon," an application that informs Facebook users' friends about purchases made and activities on other websites. For example, if a Facebook user bought a movie ticket on Fandango.com, that user's friends would be informed of that fact through a news "feed" on Facebook. Some users objected vigorously to the Beacon application, because their activities were reported on an opt-out basis, meaning that the user had to take affirmative action to prevent others from learning about their activities. An activism website, Moveon.org, organized a protest, calling users to action by asking, "When you buy a book or movie online - do you want that information automatically shared with the world on Facebook?" Facebook responded to these critiques by changing its policy to obtain express approval before activities on other sites would be shared with friends. The Facebook folly demonstrates how intensely consumers reject the "sharing" of personal information for marketing purposes. In this instance, consumers learned of Facebook's strategy because it was transparent and obvious to the individual. But what most do not realize is that, in the absence of a specific law prohibiting information sharing, businesses are generally free to monetize their customer databases by selling, renting, or trading them to others. In fact, the sale of customer information is a common, albeit opaque practice that, if disclosed at all, is usually mentioned in a "privacy policy." Facebook's Beacon simply made information sharing obvious to users. Studies have shown that most consumers oppose the sale of personal information. Unfortunately, most consumers are under the misimpression that a company with a "privacy policy" is barred from selling data. To learn more about information selling, the authors, using a California privacy law, made requests to 86 companies for a disclosure of information sharing practices. 
The results show that while many companies have voluntarily adopted a policy of not sharing personal information with third parties, many still operate under an opt-out model that is inconsistent with consumer expectations, and others simply did not respond to the request. Based on these results, the authors propose several public policy approaches to bringing business practices in information sharing in line with consumer expectations.
Privacy, opt-in, opt-out, direct marketing, information sharing, SB 27, shine the light
Abstract: There is no reliable way for consumers, regulators, and businesses to assess the relative rates of identity fraud at major financial institutions. This lack of information prevents a consumer market for bank safety from emerging. As part of a multiple strategy approach to obtaining more actionable data on identity theft, the Freedom of Information Act was used to obtain complaint data submitted by victims in 2006 and 2007 to the Federal Trade Commission. This complaint data identifies the institution where impostors established fraudulent accounts or affected existing accounts in the name of the victim. The data were aggregated and used to create comparative fraud ranks at leading banks. This analysis faces several challenges that are described in the methods section. This version incorporates and is substantially improved by comments provided on versions 1.0 and 1.5 of this report, incorporates new data from 2007, and shifts focus from identity theft at top banks to events at all types of companies. In 2007, fraud events where the victim could identify the institution associated with the incident, were concentrated among a relatively small number of companies. Just ten companies accounted for 30% of events. Verizon was identified by victims more than any other company as being targeted by impostors to commit fraud. AFNI, a collections agency, was next in total number of events. Bank of America improved dramatically over its 2006 numbers, while ING Bank and American Express remained top performers among large institutions.
privacy, security, identity theft, reporting
Abstract: The matter of public concern test is the threshold inquiry courts use to determine whether a public employee's expression falls within the bounds of constitutionally protected speech. This test has been extended into the realm of academia, and it is now used to determine the First Amendment value of professors' expression as well. Under the test, a professor's expression must relate to a matter of political, social, or other concern to the community to gain protection under the First Amendment. What expression qualifies as a matter of political, social, or other concern to the community? For many reasons, this is a difficult question to answer both in ordinary public employment situations and in academia. Indeed, this article includes many cases where different courts (and different Justices) view the same set of facts, and come to opposite conclusions on whether the expression at issue pertained to a matter of public concern. This article will trace these free speech cases arising in the academic environment in order to determine what expression falls within the ambit of public concern and what expression does not. Despite the gray areas between public and private concern, an analysis of these cases can elucidate trends and provide insight for the professor-plaintiff attempting to evaluate a free speech case. Public concern cases involving professors tend to arise in one of four different contexts: faculty expression concerning the internal affairs of the institution; faculty expression motivated by personal interest; faculty expression made in private and not shared with the public; and vulgar or derogatory language employed by faculty in the classroom. In this article I will argue that, in each of the four contexts, courts have not always been sensitive to the special differences between ordinary public employment and employment at an institution of higher education. 
Also, in all four contexts, it is clear that the matter of public concern test does not encompass the traditional notions of protection offered by academic freedom. To explain the trends in public concern jurisprudence, it is helpful to review the history of constitutional protection for public employee free expression. Part II of this article will review the rise of First Amendment protection for academic freedom, the development of the public concern test, and academic standards for free expression. Part III will describe the current procedural hurdles that plaintiffs and defendants must maneuver when a professor's free speech rights are being litigated. Part IV contains an analysis of public concern cases in terms of the four categories listed above. Finally, Part V presents academic criticism of the matter of public concern test and alternative legal standards for determining the First Amendment value of professors' expression. Professors must exercise caution when relying on the First Amendment or academic freedom to shield their expression from retaliation because the only academic speech likely to enjoy protection under the Constitution is speech on matters of public concern. The matter of public concern test does not encompass the traditional notions of protection offered by academic freedom. And, even if a professor is successful in showing that the speech in question pertains to a matter of public concern, the professor's case must still survive Pickering balancing, qualified immunity challenges, and other procedural hurdles. Courts applying the matter of public concern test to faculty speech sometimes are insensitive to the special context of higher education. As a result, professors must consider that important expression in the academic environment may appear as inconsequential to a judge. This insensitivity and difference in worldviews results in less protection for free speech, and as a result, it endangers academic freedom. 
Cases applying the matter of public concern test to faculty speech are highly fact-sensitive. But some generalizations can be made about public concern cases to help faculty evaluate their free speech rights: (1) Many important internal affairs issues are not matters of public concern. To be protected, expression on internal affairs issues must directly affect the public's perception of quality of education. As a result, faculty speech on many important, quality-affecting issues is not protected by the First Amendment. (2) Faculty expression that is motivated by purely personal interest will not enjoy First Amendment protection. Courts will also reject First Amendment claims by faculty who use public issues as a pretense to air their personal grievances. However, faculty who have mixed motives of personal and sincere public interest may have their speech protected. (3) Professors do not have to publicize their expression in order to enjoy First Amendment protection. Private expression on matters of public concern is protected by the First Amendment. (4) Professors who use vulgar or derogatory language should exercise caution because an institution or court might not consider the context or speaker's intent carefully. As a result, professors cannot rely on First Amendment protection for vulgar or derogatory speech. Sexually-explicit expression that is motivated by pedagogical purposes has, however, been found to relate to a matter of public concern.
First Amendment, public concern, higher education, free expression, public employee
Abstract: In comments to the Federal Trade Commission, the authors propose a model for evaluating the costs to personal privacy imposed by uses of personal information. Under this proposal, the costs of information flows would be measured against Fair Information Practices, principles that set out the rights and responsibilities of data subjects and data collectors. The authors argue that many economic assumptions regarding the benefits of information flows have not come to fruition, especially in the financial services arena. The authors challenge five specious claims of the information industry: that information flows reduce prices, that customers want personalization, that profiling reduces the number of solicitations that individuals receive; that personal information allows companies to extend consumers more choices, and that information flows reduce fraud.
Information economics, privacy, profiling
Abstract: In this paper, the author reviews the first six actions taken by the Federal Trade Commission (FTC) to safeguard consumers' privacy under the agency's authority to prosecute unfair or deceptive trade practices. Six conclusions can be made from these cases: First, the FTC has chosen to take enforcement actions only in cases with strong merits. Second, the protection of children's online activities is a priority of the FTC. Third, deception is the principal theory on which the FTC has relied to enforce violations of the FTCA against online businesses. Fourth, it is possible for the FTC to pursue a privacy claim under an unfairness theory. However, the unfairness theory is more likely to be successful when pursuing violations of children's privacy. Fifth, a strong showing of consumer harm is not required for an action based on unfairness. Merely misrepresenting privacy practices or violating a guarantee of privacy is sufficient to actuate agency action. Under the deception theory, there is no requirement to demonstrate harm. Last, monetary damages have not been assessed in FTC privacy actions against online businesses.
privacy, consumer protection, unfair and deceptive trade practices
Abstract: There is no reliable way for consumers, regulators, and businesses to assess the relative rates of identity fraud at major financial institutions. This lack of information prevents a consumer market for bank safety from emerging. As part of a multiple strategy approach to obtaining more actionable data on identity theft, the Freedom of Information Act was used to obtain complaint data submitted by victims in 2006 to the Federal Trade Commission. This complaint data identifies the institution where impostors established fraudulent accounts or affected existing accounts in the name of the victim. The data were aggregated and used to create comparative fraud ranks at leading banks. This analysis faces several challenges that are described in the methods section. This version incorporates and is substantially improved by comments provided on version 1.0, released in February 2008 and downloaded over 7,000 times. Unlike version 1.0, this version provides actionable information to consumers on relative rates of identity theft in 2006. According to the measures in this report, American Express, USAA, and Citibank have the lowest rate of identity theft events among top credit card issuers. Among consumer banks, ING Bank and World Savings Bank performed well under every measure. Correlations were calculated for all the statistics the Federal Deposit Insurance Corporation maintains on top banks; generally the number of identity theft events correlates most strongly with measures of institution size.
Abstract: While law enforcement increasingly locates individuals by gaining access to wireless phone records, a supermajority of Californians supports judicial intervention and informing suspects before law enforcement acquires retrospective (historical) location data on individuals from wireless phone companies. A majority of Californians understands that wireless phones can track their location, and that there is broad support for location tracking in emergency situations. When compared with Professor Alan Westin's three privacy segments, "Fundamentalists," "Pragmatists," and the "Unconcerned," Californians are more likely to be privacy pragmatists or fundamentalists, and less likely to be unconcerned about privacy. Generally, Westin's segmentation was not predictive of Californians' attitudes towards law enforcement access to wireless location data.
Privacy, wireless, cellular, location, ECPA
Abstract: On November 2-3, 2001, the University of Buffalo sponsored Digital Frontier: The Buffalo Summit 2001. The attendees included Gary M. Schober (Moderator), Shubha Ghosh (Organizer), Ann Bartow, Chris Hoofnagle, and Phyllis Borzi. The participants were drawn from a wide range of specialties, from lawyers and doctors to businessmen and academics, in order to provide some perspective on our data-driven world. This session on Privacy and Security identified some of the trends in technology that threaten privacy rights, as well as those that may assist in preserving privacy. The speakers also explored legal developments and political structure influencing cyber-privacy.
colloquium, privacy, security, e-tags, cookies, digital summit, technology, consumer
Abstract: Consumers have a dim understanding of how companies share personal information. To "shine a light" on information sharing practices, the authors employed a unique California law to survey the information sharing practices of 112 businesses. This follow-on study to a similar, smaller survey in 2007, found that four years after the law took effect, compliance is uneven. Fifty-three companies did not respond to the request at all. Only six companies disclosed how they shared information with third parties for their direct marketing purposes. Thirty-nine companies informed us that they do not share information, 5 provided an opt-out option for third party sharing, and 9 responses were categorized as "other."
Abstract: Google has come to symbolize the tensions between the benefits of innovative, information-dependent new services and the desire of individuals to control the contexts in which personal information is used. This essay reviews hundreds of newspaper articles where Google speaks about privacy in an effort to characterize the company’s handling of these tensions, to provide context explaining the meaning of the company’s privacy rhetoric, and to advance the privacy dialogue among policy makers, journalists, and consumers.
The dialogue surrounding these tensions is unfocused because many policy makers, journalists, and consumers concentrate the debate on whether the company violates its “you can make money without doing evil” corporate motto. This first observation flows to a second: Google’s conception of “evil” is tied to the revolution the company brought about in advertising practices, practices that many think are mainstream now. Google is thus missing opportunities to remind the public that its advertising policies have several strong pro-consumer aspects, many of which are lost when “evil talk” is employed. Third, vague privacy rhetoric signals a weak commitment to technical or legal safeguards. Journalists are well suited to remedy this by exercising greater inquiry and skepticism in contexts where Google’s privacy representations are non-substantive. Finally, Google heavily relies upon appeals to competition, arguing that those who adopt the company’s services engage in meaningful tradeoffs. Quietly shifting practices, lock in, and lengthy data retention periods, however, mean that these tradeoffs must be continually reevaluated. Google should give voice to its competition and tradeoff rhetoric by creating data portability and deletion rights for consumers.
Privacy, Google
Abstract: Imagine shopping for a car in 1960. Safety is important to you. How do you assess a car's performance in surviving a crash? What tools were available then to take an informed decision? The modern consumer of financial services is in a similar position as the car shopper of the 1960s. How does the modern consumer choose a bank that is relatively safe from identity thieves and other malicious individuals? Perhaps she chooses the larger institution, because it has more resources to address fraud. Or perhaps a smaller institution offers more protection, because it is more obscure. There is no way to know for sure, and thus, consumers cannot make an informed decision. This article attempts to actuate a market for bank safety by comparing identity theft victim data with government statistics used to measure the relative size of financial institutions. It envisions a future when this market incentivizes financial services firms to explicitly compete to reduce the likelihood that customers will become victims of identity theft or other frauds. In a world of competition in bank safety, consumers who put a premium on avoiding fraud could reward the most proficient firms with their loyalty. This article concludes that the available data, while weakened by several methodological concerns, do show that certain banks, large and small, have different identity theft footprints. Other discoveries were made as well. First, if present trends continue, there will be a substantial upswing in identity theft complaints to the Federal Trade Commission in 2008. Second, over a three-year period, a small group of companies accounted for almost 50 percent of identity theft incidents. Focusing interventions on this small group of companies could have a profound effect on incidence of identity theft. 
Finally, non-banking institutions, such as telecommunications companies, have an enormous identity theft footprint; in our highly dependent credit markets, impostors may be using these companies as stepping stones for attacks against banks.
privacy, security, identity theft, reporting, regulation through disclosure
© 2009 Social Science Electronic Publishing, Inc. All Rights Reserved.