Reconciling Public Policy with New Theories of Privacy

Reconciling Public Policy with New Theories of Privacy
Ed Felten, Princeton University

Four Theses
- Laws and public policies on data privacy are mostly based on a theory of privacy.
- There is a huge gap between that policy-community theory and more modern theories.
- This gap results in poorly designed laws and policies.
- The gap will be difficult to close, but we need to start closing it.

PII theory of data privacy
- Key concept is Personally Identifiable Information (PII)
- Data carries risk if it contains PII
- If no PII, then risk is minimal, because sensitive information in the data cannot be associated with any specific individual.
- Render data safe by scrubbing PII out of it

Underlying model of data and computing
- What computers do: store data for later retrieval
- Meaning of data is evident on its face
- No processing of data, other than simple joins
[Diagram: two tables keyed by ID ("ID, data" and "ID, more data") joined into one table "ID, data, more data"]

How parties interact
[Diagram: one party holds a table of "ID, data" and ships it to another]

How parties interact
[Diagram: the "ID, data" table passes through an "anonymize" step that replaces ID with a pseudonym ("a, data") before it is shared]

FIPPs
- Fair Information Practice Principles are part of the orthodox privacy religion.
- Arguably, they should be re-examined. Perhaps they’re off target. Or perhaps they’re orthogonal to the problem in some ways.
- Example: data must be correct – but nowadays we often rely on deliberate errors (“noise”) as part of a privacy strategy.

How our current theories differ
- Interact with data via queries, rather than data-shipping
  - focus on interactive protocols
- Meaning of data is more than what is evident on its face
  - assume probabilistic inference from data
  - depends on how the data was generated
- Harm is (additional) inference about an individual, rather than linking of records
- Presumption that interaction is disclosive, absent evidence to the contrary
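The contrast between the two theories is easier to see in code. The following is an added example, not material from the talk or from Felten's own work: a constructed five-record dataset (names, ages, zips and a sensitive flag are all made up), a "scrub the PII" step in the PII-theory style, and then two ordinary counting queries whose difference reveals the sensitive attribute of one person without any record ever being linked to a name. The second half shows the "deliberate noise" strategy from the FIPPs slide: a query interface that adds Laplace noise calibrated to the query's sensitivity and keeps a running epsilon budget, so the same differencing attack no longer yields a reliable answer. All function and class names (`scrub_pii`, `differencing_attack`, `PrivateCounter`, `BudgetExhausted`) are mine, not from any library or from the talk.

```python
import math
import random

# Constructed sample records (not from the talk); "name" is the direct identifier.
RECORDS = [
    {"name": "alice", "age": 37, "zip": "08540", "hiv_positive": True},
    {"name": "bob",   "age": 52, "zip": "08540", "hiv_positive": False},
    {"name": "carol", "age": 29, "zip": "08544", "hiv_positive": False},
    {"name": "dave",  "age": 61, "zip": "08540", "hiv_positive": True},
    {"name": "erin",  "age": 44, "zip": "08544", "hiv_positive": False},
]


def scrub_pii(records):
    """PII-theory de-identification: drop the direct identifier, ship the rest."""
    return [{k: v for k, v in r.items() if k != "name"} for r in records]


def count(records, predicate):
    """Exact counting query over the (scrubbed) records."""
    return sum(1 for r in records if predicate(r))


def differencing_attack(records, target_age, target_zip):
    """Two ordinary counting queries whose difference is one person's attribute.

    No record is ever linked to a name; the harm is the inference itself.
    Returns 1 if the person matching (age, zip) is HIV positive, else 0.
    """
    everyone = count(records, lambda r: r["hiv_positive"])
    all_but_target = count(
        records,
        lambda r: r["hiv_positive"]
        and not (r["age"] == target_age and r["zip"] == target_zip),
    )
    return everyone - all_but_target


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverse CDF (no numpy needed)."""
    while True:
        u = rng.random() - 0.5          # uniform on [-0.5, 0.5)
        if abs(u) < 0.5:                # skip the boundary so log(0) cannot occur
            return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


class BudgetExhausted(Exception):
    """Raised when a query would exceed the total privacy budget."""


class PrivateCounter:
    """Interactive query interface: Laplace mechanism plus an epsilon accountant.

    A counting query has sensitivity 1 (one person changes it by at most 1), so
    Laplace(1/epsilon) noise makes the answer epsilon-DP. The accountant sums
    epsilon over answered queries (basic composition) and refuses to exceed it.
    """

    def __init__(self, records, total_epsilon, rng):
        self.records = records
        self.total_epsilon = total_epsilon
        self.spent = 0.0
        self.rng = rng

    def count(self, predicate, epsilon):
        if self.spent + epsilon > self.total_epsilon:
            raise BudgetExhausted(f"spent {self.spent}, requested {epsilon}")
        self.spent += epsilon
        return count(self.records, predicate) + laplace_noise(1.0 / epsilon, self.rng)


def make_rng(seed):
    """Seeded generator so runs are reproducible."""
    return random.Random(seed)


def noisy_differencing_attack(counter, target_age, target_zip, epsilon):
    """The same two queries against the private interface. Each answer carries
    Laplace noise of scale 1/epsilon, so the difference no longer reliably
    identifies the target once epsilon is small."""
    everyone = counter.count(lambda r: r["hiv_positive"], epsilon)
    all_but_target = counter.count(
        lambda r: r["hiv_positive"]
        and not (r["age"] == target_age and r["zip"] == target_zip),
        epsilon,
    )
    return everyone - all_but_target


if __name__ == "__main__":
    scrubbed = scrub_pii(RECORDS)
    print("exact differencing attack:", differencing_attack(scrubbed, 37, "08540"))
    counter = PrivateCounter(scrubbed, total_epsilon=0.2, rng=make_rng(7))
    print("noisy differencing attack:",
          round(noisy_differencing_attack(counter, 37, "08540", 0.1), 2))
```

The exact attack returns 1 every time: scrubbing the name changed nothing, because the leak comes from inference over two answers, not from a linkable identifier. Against `PrivateCounter` the attacker gets a real-valued difference dominated by noise of scale 10 (epsilon 0.1 per query), and a third query is refused once the 0.2 budget is spent, which is the "interactive protocol" view of the data in practice.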

Why policymaking is like engineering
- Have to “ship code” under time/cost constraints
- Can’t wait for theory to answer your questions – have to work with what is known
- Serve multiple masters
- Huge installed base, hard to re-architect

Why so little adoption of our theories?
- Our theories are hard to understand, especially for non-techies.
  - rely on intuition about computation, probability, etc.
- Our theories are more pessimistic—perhaps an “inconvenient truth.”
- Theories are very different—need a true paradigm shift.
  - … and no easy way to evolve old policies into new ones.

What should we do?

Evangelize within the professional community
- Courts try not to make scientific judgments themselves. Instead, they rely on established consensus of the expert community.
- So we need to change the views of rank-and-file developers and statisticians.
- Establish accepted best practices.
- Influence what is viewed as “reasonable.”

Provide useful tools
- Fight the idea that “The differential privacy stuff is only theoretical.”
- Need (more) usable tools and cookbooks for developers.
- Even if there is no legal requirement:
  - forward-leaning orgs can use them to set a good example
  - other orgs can be named-and-shamed for not adopting best practices

Figure out how to teach our theories
- Can we simplify our theories, at least for explanatory purposes?
- Can we abstract them, and ask for policies that rely on government experts like NIST to fill in the details?
- What specifically would you want a law or regulation to say?

Policy pro-tip: Litigate the definitions
- To de-identify, one “must achieve a reasonable level of justified confidence that the data cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer, computer, or other device.”

Policy engagement
- Important to keep participating in the public policy process: submit comments, testify, talk to policymakers
- Continue to point out failures in current models
- Consider how groups like the National Academies can help
- Join the trend toward computer scientists participating in policy directly, and educate our students to do so
