Privacy and Ubiquitous Computing Deirdre K. Mulligan Acting Clinical Professor of Law Director Samuelson Law, Technology & Public Policy Clinic, Boalt Hall School of Law, UC- Berkeley

Privacy  Legal protections for privacy have multiple roots  Important norm– individuals have own concepts of privacy  Different things in different settings; Know it when you lose it

3 Conceptions of Privacy  “the right to be let alone.” Samuel Warren and Louis Brandeis. “The Right to Privacy,” Harvard Law Review, 1890  “the right of the individual to decide for himself, with only extraordinary exceptions in the interest of society, when and on what terms his acts should be revealed to the general public.” Alan Westin Privacy and Freedom, 1967  fairness and control over personal information, anonymity, and confidentiality. See Berman and Mulligan “Privacy in the Digital Age” Nova Law Review 1999.

4 Privacy interests  Decisional privacy  Bodily integrity (search)  Information privacy  Communications privacy

5 Constitutional Basis  The word “privacy does not appear in the US Constitution, but…  1 st A freedom of association  4 th A freedom from unreasonable searches and seizures (Katz, “reasonable expectations of privacy”)  9 th A unenumerated rights (invoked to protect privacy)  14 th A as interpreted in Whalen, right of informational privacy that protects an interest in  Avoiding disclosure of personal matters  Independence in decision-making

6 Tort Law  Warren and Brandeis proposed need for privacy tort  Prosser Torts  Intrusion upon seclusion  Publication of embarrassing private facts  False light  Appropriation of name, likeness or identity

7 Statutory protections Limits on government intrusion -- conversation between Court and Congress  Title III (1968) – restrictions on wiretapping and electronic surveillance (Katz; Smith) (extended by ECPA 1986 and CALEA 1995; altered by Patriot Act 2001)  Right to Financial Privacy (Miller)

8 Statutory protections Limits on government intrusion -- Or, response to government overreaching  Privacy Act First comprehensive Fair Information Practices statute in US  FOIA (with privacy exception)

9 Statutory Protections 1970’s begins concern about private sector data practices:  Fair Credit Reporting Act  Video Privacy Protection Act  Cable Communications Protection Act  Children’s Online Privacy Protection Act  GLB (financial privacy)

13 Beliefs underlying privacy law  Data collection is exception  Public/private spaces distinct - personal will exist in private space  Wall between private sector and government is thick  Data collection is engaged in by limited set of corporate or commercial entities  Communications are ephemeral; distinction between content and other  Regulatory patchwork; notice and consent  Protections weaken as information moves away from home/person out into network/third party storage  Little regulation of government acquisition of personal information from private entities  Regulatory framework focuses on specific record keepers rather than the protection of the information itself  Protections for records related to individual maintained by third parties are weak

14 Ubiquitous computing environment  “The most profound technologies are those that disappear. They weave themselves into the fabric of everyday life until they are indistinguishable from it.” M. Weiser, “The computer for the 21st Century,”  “In the future, interconnected devices will be so commonplace that "the internet" becomes invisible. Devices span from the so tiny that the computer disappears, to servers so large that storage limits vanish. It will be possible to track and relate everything...” The Endeavour Expedition: Charting the Fluid Information Utility

10 Thinking about privacy in ubiquitous computing Fair Information Practice Principles  Collection Limitation  Purpose specification  Openness  Consent  Individual participation  Data Quality  Use Limitation  Security  Accountability

11 Thinking about privacy in ubiquitous computing Anonymity and Autonomy  Tightly linked to 1st Amendment freedoms (speech, association)  Critical to participation in certain activities (intellectual, political, controversial)  Implicated by data connected to the individual…even if not to their physical world identity

12 Thinking about privacy in ubiquitous computing Confidentiality  Reflected in 4th Amendment and statutory rights controlling government access to information and private sector disclosure of information  Reflected in confidentiality statutes  Implicated by eavesdropping, redirection of information, disclosure of information

15 Existing privacy law is a poor fit for Ubiquitous computing  Data collection as norm  Absence of cues that signal data collection  Porous barriers between public and private spaces  Everyone is a potential data collector  New kinds of data “sensed” created, stored  Increased ability to create patterns, knowledge out of seemingly unrevealing bits of data  Always on, broad accessibility

16 Challenges for system designers  How do you facilitate transparency and control where being unobtrusive is an explicit system goal?  How do you evaluate privacy risks when you don’t know who is accessing the information and to what else they may be privy?  To what extent do you design around the weaknesses of the existing privacy law? (preference for client side storage? Destruction of data? Limits on certain kinds of collection?)

17 Key questions for business adoption  What are the implications of these systems given the ability of private actors and governmental entities to access information? (privacy, business confidentiality, various sorts of litigation)  Given limits of law, how to deploy? (Limit data collection; purge quickly; keep identification information separate from other forms of data)  Need to fix the law?