Reconciling Public Policy with New Theories of Privacy
Ed Felten Princeton University
Four Theses
Laws and public policies on data privacy are mostly based on a theory of privacy.
There is a huge gap between that policy community theory and more modern theories.
This gap results in poorly designed laws and policies.
The gap will be difficult to close, but we need to start closing it.
PII theory of data privacy
Key concept is Personally Identifiable Information (PII).
Data carries risk if it contains PII.
If no PII, then risk is minimal, because sensitive information in the data cannot be associated with any specific individual.
Render data safe by scrubbing PII out of it.
Underlying model of data and computing
What computers do: store data for later retrieval.
Meaning of data is evident on its face.
No processing of data, other than simple joins.
[Diagram: two tables keyed by ID (ID | data, ID | more data) joined into one table (ID | data | more data)]
How parties interact
[Diagram: a record labelled ID, data]
How parties interact
[Diagram: a record labelled ID, data; an arrow labelled anonymize; a record labelled a, data]
FIPPs
Fair Information Practice Principles are part of the orthodox privacy religion.
Arguably, they should be re-examined. Perhaps they’re off target. Or perhaps they’re orthogonal to the problem in some ways.
Example: data must be correct – but nowadays we often rely on deliberate errors (“noise”) as part of a privacy strategy.
How our current theories differ
Interact with data via queries, rather than data-shipping
  focus on interactive protocols
Meaning of data more than what is evident on its face
  assume probabilistic inference from data
  depends how data was generated
Harm is (additional) inference about an individual, rather than linking of records
Presumption that interaction is disclosive, absent evidence to the contrary
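The two slides above describe the query-based model in the abstract: analysts interact with the data through queries, deliberate noise is part of the protection, and every interaction is presumed disclosive and is therefore accounted for. The example below is an added illustration, not code from the talk, showing the smallest version of that model: a counting query answered with Laplace noise and charged against a fixed privacy budget (epsilon), so that an analyst cannot keep querying until the noise averages out. The records, the epsilon values and the class and function names are all constructed for this example.

```python
import math
import random

# Constructed sample records (not real data). Direct identifiers were already
# removed, which the PII model would call "safe"; the interface below instead
# treats every answer as potentially disclosive and charges it to a budget.
RECORDS = [
    {"zip": "08540", "age": 34, "diagnosis": "flu"},
    {"zip": "08540", "age": 51, "diagnosis": "diabetes"},
    {"zip": "08541", "age": 29, "diagnosis": "flu"},
    {"zip": "08542", "age": 63, "diagnosis": "asthma"},
    {"zip": "08540", "age": 45, "diagnosis": "flu"},
]


def laplace_sample(rng, scale):
    """Draw from Laplace(0, scale) by inverting its CDF; rng needs only .random()."""
    u = rng.random() - 0.5
    if u == 0.0:
        return 0.0
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


class BudgetExhausted(Exception):
    """Raised when a query would exceed the total epsilon granted to the analyst."""


class PrivateCountInterface:
    """Answers counting queries over a private dataset with differential privacy.

    Analysts never see records; they submit a predicate and an epsilon for the
    query, receive a noisy count, and the epsilon is deducted from the budget
    (basic sequential composition: the spent epsilons simply add up).
    """

    def __init__(self, records, epsilon_total, rng=None):
        self.records = list(records)
        self.epsilon_total = float(epsilon_total)
        self.epsilon_spent = 0.0
        self.rng = rng if rng is not None else random.SystemRandom()

    def exact_count(self, predicate):
        # Curator-side only; never returned to the analyst.
        return sum(1 for r in self.records if predicate(r))

    def count(self, predicate, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.epsilon_spent + epsilon > self.epsilon_total + 1e-12:
            raise BudgetExhausted(
                f"requested {epsilon}, only {self.remaining_budget():.3f} left"
            )
        self.epsilon_spent += epsilon
        true_count = self.exact_count(predicate)
        # A counting query has global sensitivity 1: adding or removing one
        # person's record changes the answer by at most 1, so Laplace noise with
        # scale 1/epsilon gives epsilon-differential privacy for this answer.
        return true_count + laplace_sample(self.rng, 1.0 / epsilon)

    def remaining_budget(self):
        return self.epsilon_total - self.epsilon_spent


if __name__ == "__main__":
    iface = PrivateCountInterface(RECORDS, epsilon_total=1.0)
    flu = lambda r: r["diagnosis"] == "flu"
    print("noisy flu count:", round(iface.count(flu, 0.5), 2))
    print("budget left:", iface.remaining_budget())
    try:
        iface.count(flu, 0.6)  # 0.5 + 0.6 > 1.0: refused
    except BudgetExhausted as e:
        print("refused:", e)
```

The budget check is the part that distinguishes this from "just add some noise": without it, repeating the same query and averaging the answers recovers the exact count, which is the kind of probabilistic inference the slide says must be presumed rather than ruled out.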
Why policymaking is like engineering
Have to “ship code” under time/cost constraints
Can’t wait for theory to answer your questions – have to work with what is known
Serve multiple masters
Huge installed base, hard to re-architect
Why so little adoption of our theories?
Our theories are hard to understand, especially for non-techies.
  rely on intuition about computation, probability, etc.
Our theories are more pessimistic—perhaps an “inconvenient truth.”
Theories are very different—need a true paradigm shift.
… and no easy way to evolve old policies into new ones.
What should we do?
Evangelize within the professional community
Courts try not to make scientific judgments themselves. Instead, they rely on established consensus of the expert community.
So we need to change the views of rank-and-file developers and statisticians.
Establish accepted best practices.
Influence what is viewed as “reasonable.”
Provide useful tools
Fight idea that “The differential privacy stuff is only theoretical.”
Need (more) usable tools and cookbooks for developers.
Even if no legal requirement:
  forward-leaning orgs can use to set a good example
  other orgs can be named-and-shamed for not adopting best practices
Figure out how to teach our theories
Can we simplify our theories, at least for explanatory purposes?
Can we abstract them, and ask for policies that rely on government experts like NIST to fill in the details?
What specifically would you want a law or regulation to say?
Policy pro-tip: Litigate the definitions
To de-identify, “must achieve a reasonable level of justified confidence that the data cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer, computer, or other device.”
Policy engagement
Important to keep participating in public policy process: submit comments, testify, talk to policymakers
Continue to point out failures in current models
Consider how groups like National Academies can help
Join the trend toward computer scientists participating in policy directly, and educating our students to do so