The 2014 Privies
Dubious Achievements in Privacy Law
Recognizing Stupid Privacy Laws
It’s time to recognize just how stupid privacy law is getting. And what better way than by acknowledging the most dubious achievements of the year in privacy law?
First I should explain why I think privacy law so often produces results that make no sense. After all, most of us think privacy is a good thing. We teach our kids to respect the privacy of others, just as we teach them good manners and restraint in drinking alcohol. At the same time, no one wants courts and legislators to punish us for rudeness or prohibit us from buying a drink. We've already tried mandating abstinence from alcohol once. It didn’t work out so well. And it’s unlikely that Prohibition would have worked better if we’d made it illegal to drink to excess.
The problem is, some rules just don’t translate well into law. We know rude behavior when we see it, but no one wants a Good Manners Protection Agency writing rudeness regulations -- or setting broad principles of good manners and then punishing a few really rude people every year. The detailed regulations would never capture the evolving nuances of manners, while selective prosecution of really rude people would soon become a tool for punishing the unpopular for their unpopularity.
All that seems obvious in the case of drinking and rudeness, but when it comes to privacy, proposals for new legal rules seem endless. In fact, though, privacy is every bit as malleable and context-sensitive as good manners, and efforts to protect it in law are inevitably either so general that anyone can be prosecuted or so ham-handedly specific that they rapidly fall out of date. Either way, instead of serving the public interest, privacy laws often end up encouraging official hypocrisy and protecting the privileges of the powerful.
So it’s not privacy that’s stupid. It’s privacy law. And the stupidity is pretty much built in.
So why not give everyone a chance to choose the stupidest, the most hypocritical, and the most power-serving uses of privacy law of the year? That's the purpose of the Dubious Achievements Awards in Privacy Law.
The Awards
The plan is to let the public vote for their favorite privacy law abuses, giving special weight to votes cast by those who know privacy law best. The idea is to combine the best of the Academy Awards and the People's Choice Awards. We should give the awards a name, like the Tonies or the Emmies, except that for dubious achievements in privacy law there's only one possible name for the award. The Privies.
Winners in each category will be eligible to receive their very own Golden Privy trophy pictured below.
The Vote
Votes will be tabulated in two categories.
1. Privacy professionals who provide name, title, and email address constitute the Privy Academy. Their votes will be weighted most heavily. Privacy professionals include anyone who provides advice to the public or to particular parties about privacy issues, whether in government or the private sector.
2. Any other reader is free to vote once on an anonymous basis. These votes will be tabulated to determine the "People's Choice" in each category. The People's Choice will determine the winner in the event of close votes in the Privy Academy.
Voting will not open until all nominations have been published -- likely December 15. Feel free to suggest other candidates, correct errors or complain that one or the other nominee doesn't belong on the list, but the best remedy for the latter objection is simply to vote for someone who does belong on the list.
The 2014 Privies --
Category One
"Privacy Hypocrite of the Year"
a. Viviane Reding, European Commissioner for Justice, Fundamental Rights, and Citizenship
Why Regulate Ourselves When We Can Regulate the United States?
Commissioner Reding has led the charge to impose European restrictions on the way the National Security Agency gathers intelligence. When asked by the Guardian why the European Commission didn’t start by imposing restrictions on the way European Union members like Great Britain gather intelligence, she said:
[T]here was little she or Brussels could do ..., since secret services in the EU were the strict remit of national governments. The commission has demanded but failed to obtain detailed information from the British government on how UK surveillance practices are affecting other EU citizens.... "I have direct competence in law enforcement but not in secret services. That remains with the member states. In general, secret services are national," said the commissioner.
Unless those secret services are American, apparently.
b. Francois Hollande, President of France
Spying on Allies is "Totally Unacceptable" Except When We Do It
President Hollande called President Obama to describe U.S. spying on its allies as “totally unacceptable,” language that was repeated by the Foreign Ministry when it castigated the U.S. ambassador over a story in Le Monde claiming that NSA had scooped up 70 million communications in France in a single month.
Whoops. Two days later, former French foreign minister Kouchner admitted, "Let's be honest, we eavesdrop too. Everyone is listening to everyone else. But we don't have the same means as the United States, which makes us jealous."
No, make that a double helping of Whoops. Because a week later, the Wall Street Journal revealed that it was the French government, not the NSA, that had collected the data: “Millions of phone records at the center of a firestorm in Europe over spying by the National Security Agency were secretly supplied to the U.S. by European intelligence services—not collected by the NSA, upending a furor that cast a pall over trans-Atlantic relations.”
c. James Sensenbrenner, U.S. House of Representatives
You Hid Information From Me By Disclosing It at Briefings I Refused to Attend
Rep. Sensenbrenner (R-WI) was chairman of the House Judiciary Committee when section 215 of the USA PATRIOT Act was first enacted, but in 2013 he repudiated the telephone metadata program that had been built on section 215.
Rep. Sensenbrenner complained that the program had been hidden from Congress: “the NSA has cloaked its operations behind such a thick cloud of secrecy that, even if our trust was restored, Congress and the American people would lack the ability to verify it.” Then it turned out that Justice Department witnesses appearing before the Judiciary Committee had made express references to the program in open testimony and to separate classified briefings offered to the members. At which point, Rep. Sensenbrenner declared that he refused to attend most secret briefings because he didn’t want to bear the burden of protecting classified information.
d. Angela Merkel, Chancellor of Germany
We Need Trust -- and Can We Get Our List of 300 Targeted Americans Back, Too?
Chancellor Merkel reacted with outrage to a story that NSA had monitored her personal mobile phone, calling President Obama and demanding an explanation. "We need trust,..." she said. "Spying among friends cannot be." Some in Merkel’s allied party explained the reaction by comparing U.S. eavesdropping to the methods of the East German Communist regime. But similar tactics by actual Communists received a very different reaction. When Chancellor Merkel visited China right after public disclosures that the Chinese had penetrated her computer network, she managed to be “all smiles” for the Chinese while praising relations between the two countries as “open and constructive.” There were no demands then for trust or an end to China’s hacking campaign.
And it turns out that spying on allies is a good deal more acceptable when Berlin is doing the spying. According to Der Spiegel, in 2008,
[T]he BND, Germany's foreign intelligence service, inadvertently sent American officials a list of 300 phone numbers belonging to US citizens and residents -- raising suspicions that the numbers had been tapped. A former deputy secretary of homeland security under President George W. Bush also described French and German intelligence agencies as "good" at spying on American officials. And US National Intelligence Director James Clapper on Tuesday testified before Congress that European allies are guilty of the same kind of spying that the US does.
e. Secretary Kathleen Sebelius
Harsh Privacy Penalties for Thee, But Not For Me
Secretary Sebelius's Department of Health and Human Services imposed harsh penalties on companies handling health data during 2012. Even when there was no evidence that any data had been compromised, her department extracted millions of dollars in fines from companies that failed to perform adequate planning and testing for the security of their networks. Wellpoint, which among other things "did not perform an adequate technical evaluation in response to a software upgrade," paid $1.7 million in fines. Idaho State, which "did not conduct an analysis of the risk to the confidentiality of [health data] as part of its security management process," paid $400,000.
But those were the rules for others, not for HHS itself. Charged with implementing a website, healthcare.gov, that will carry sensitive health data for millions of Americans, HHS ignored the rules it imposed on the private sector. According to David Kennedy of TrustedSec, "even basic security was not built into the healthcare.gov website. TrustedSec is confident based on the exposures identified that the website has critical risks associated with it and security concerns should be remediated immediately." Morgan Wright of Crowd Sourced Investigations pointed to failings that Wellpoint and Idaho State will have no difficulty recognizing: "The first major issue is the lack of, and inability to conduct, an end‐to-end security test on the production system. The number of contractors and absence of an apparent overall security lead indicates no one was in possession of a comprehensive, top-down view of the full security posture."
Category Two
"We All Got To Serve Someone"
Worst Use of Privacy Law to Protect Power and Privilege
a. Max Mosley, former president of the Fédération Internationale de l'Automobile
That Picture? Forget it. No, Really. I Insist.
Max Mosley achieved fame and wealth as head of the Formula One racing association, FIA. His father was a well-connected politician who embraced fascism before World War II. But Mosley himself achieved notoriety in 2009, when the media published pictures of him naked and engaged in a sado-masochistic orgy with five prostitutes. In a move that seems to define self-defeating, Mosley went to court to establish that it was a naked, five-hour sado-masochistic orgy with five hookers, but it wasn't a naked, five-hour sado-masochistic orgy with five hookers and a Nazi theme. He won.
Now he wants us all to forget those unforgettable pictures of a naked, sixty-eight-year-old man being tied up and whipped. Actually, he doesn't just want us to forget. He insists.
And so do the French courts. In 2013, the French Tribunal de Grande Instance ruled, more or less, that the privacy laws are nothing if not protective of wealthy and famous men who can afford a five-hour, five-hooker discipline session. It ordered Google not to link to those unforgettable pictures, managing with one decision to discredit both itself and French privacy law.
b. China's Privacy Law
"You Think He Insists? Have You Seen Our Prisons?"
In the midst of a highly charged bribery investigation of pharmaceutical companies operating in China, Peter Humphrey was arrested by Chinese authorities. A respected corporate investigator who had represented Western pharmaceutical companies, he was known for investigating fraud. He was not charged with participating in the bribery scandal. Instead he was charged for investigating a little too enthusiastically -- for illegally buying and selling the personal information of Chinese citizens.
Yes, China has a privacy law. And it's working pretty much exactly the way you'd expect.
c. Tom Vilsack, Secretary of Agriculture
"Privacy Law Protects You From Anything That Might Embarrass Me"
In 2013, the New York Times published a massive expose of the "Pigford" scandal, in which a claim that the Agriculture Department had discriminated against minority farmers was settled by creating a fund in excess of $1 billion. Payments up to $50,000 were then distributed to anyone who was willing to claim them, with little review of the claims. Claims were made on behalf of young children, on behalf of every resident in apartment buildings. Many claims used the same stories, told in the same handwriting to collect multiple payments.
Who filed these dubious claims, and would their stories stand up to investigative journalism, the New York Times wondered.
It's still wondering.
Because it turns out that all those similar stories with the same handwriting and all those apartment residents with their shared commitment to farming are protected from scrutiny by the majesty of American privacy law. At least that's what Secretary Vilsack's department told the New York Times. According to the paper:
The true dimensions of the problem are impossible to gauge. The Agriculture Department insists that the names and addresses of claimants are protected under privacy provisions.
Now you might not think that the recipients of these payments are especially powerful, but there's no doubt that a deeper investigation of the program would have been deeply embarrassing to high-ranking officials, including many at the Agriculture Department that, conveniently, found that privacy law prevents it from giving the Times's reporters any more grist for their mill.
d. Spain’s Data Protection Agency (Agencia Española de Protección de Datos)
Spain Reinvents the Memory Hole -- Giving Orwell the Right to be Forgotten
It’s pretty embarrassing to have your property put up for auction because you didn’t pay your taxes. But in Spain, if you’ve got the money and the connections to pursue litigation before the Agencia Española de Protección de Datos, that embarrassment can just be wiped off the Internet, even if the auction was published in a major Spanish newspaper. The Spanish data protection agency decided that the auction just isn’t relevant any more, to anyone, so it ordered the item struck from Internet search results. This year, the agency’s interpretation of its authority went before the European Court of Justice, and the court’s advocate general recommended that the decision be reversed.
No word yet on whether the Spanish agency plans to order the disappearance of the advocate general’s recommendation – or the advocate general himself.
Category Three
Dumbest Privacy Cases of the Year
a. Boston Police Department (Commissioner William Evans)
Record Your Talk with Boston Police, Face Felony Wiretap Charges
When Taylor Harding called the Boston Police Department's press spokesman about his case, he recorded the call and posted it to YouTube. At which point the Boston police charged him with felony wiretapping. Pretty stupid, but don't blame the cops. Blame privacy law.
Under Massachusetts law, it's a righteous bust, thanks to the privacy advocates who persuaded the Massachusetts legislature that both participants in a call had to agree before the call could be recorded. Spurred by a technological panic, the legislature couldn't have been clearer about its intent: "The uncontrolled development and unrestricted use of modern electronic surveillance devices pose grave dangers to the privacy of all citizens of the Commonwealth. Therefore, the secret use of such devices by private individuals must be prohibited."
Chalk up another unintended consequence for privacy advocates trying to stop the march of technology. As the tools for recording conversations and even video spread to everyone, the two-party consent law doesn't make sense and is mostly enforced only on behalf of the rich and powerful. So this case was almost nominated in the category "Worst Use of Privacy Law to Protect Power and Privilege." But in the end, the Boston Police Department was ridiculed into dropping the case. Turns out that the police don't quite have as much power and privilege as the technorati. Which is really only comforting if you think the technorati lynch mob will never come for you.
b. Joffe v. Google (Hon. Jay Bybee, Ninth Circuit)
"Radio Waves Aren't Radio. Publicly Accessible Broadcasts Aren't Publicly Accessible. And #$kjhi&#^- ..."
When Google's Street View car collected wi-fi signals from the homes and businesses it passed, it only gathered information that anyone could have gathered without leaving the street. The users who hadn't secured their wi-fi signals decided to shoot the messenger, suing Google for illegally wiretapping them. Kind of a long shot legal claim, since the law exempts the capturing of radio broadcasts and publicly accessible communications; there's not much doubt that wi-fi uses radio waves and can be accessed by the public if it's not secured. But Judge Bybee of the Ninth Circuit wasn't deterred by either of the barriers to holding Google liable. He decided that radio communications are only those things we hear on the AM-FM dial. As for being publicly accessible, he writes, why that's ridiculous: if you listened to wi-fi signals on an AM radio, "they would sound indistinguishable from random noise."
Come to think of it, so does this opinion.
c. FTC v. LabMD (Federal Trade Commission)
Stupid Mistake + Media Coverage = Unfair Practice
When LabMD set up security for its network, it didn't expect a rogue employee to poke holes in its security by running Limewire, a program notorious for sharing pirated music -- as well as any business or personal records that happen to be on the same network. And it certainly didn't expect a complaint from the Federal Trade Commission when Limewire shared a spreadsheet with customer data.
There's no doubt that LabMD made a mistake, and a bad one. But the Federal Trade Commission isn't empowered to correct every mistake made by American businesses. It only has authority to charge companies that have committed "unfair practices." What LabMD did may have been dumb; it may have been sloppy; but you've got to strain pretty hard to call it an unfair practice. The FTC has been trying for years to become America's privacy and security enforcer. For just as long, Congress has refused to give it that role.
You have to admire an agency with the cojones to argue that it can make up its own legal authority as well as the offenses that it chooses to punish. Maybe if you look closely at the seal, you can see the agency's true motto: "Whatever It Takes: Finding Ways To Punish Companies Criticized by the New York Times Since 1914."
d. The Gmail Wiretapping Claims (Hon. Lucy Koh, N.D. Cal.)
Judge Uncovers Wiretap Plot with 425 Million Co-Conspirators
Is there anyone left who doesn't know that Google provides free email and pays for it by serving ads tied to the content of your correspondence? In fact, it's the most popular free email service on the planet, endorsed by 425 million subscribers who voted with their feet for Gmail.
Apparently the Gmail business model was news to Lucy Koh, a federal judge in San Francisco, who decided that all 425 million Gmail subscribers were dopes who couldn't possibly have consented to Google's automated scanning of email content, even though its terms of service said the company reserved the right to "pre-screen, review, flag, [or] modify ... any or all Content from any Service." That language didn't count, Judge Koh said, because it didn't tell consumers that Google was reviewing the mail to provide ads as well as to find objectionable content.
Maybe Google could have written a clearer (though longer and therefore less readable) document. But the effect of Judge Koh's tortured reading was to make Google potentially liable under the wiretap laws for tapping the communications of all 425 million users, plus everyone they wrote to. At $10,000 per violation, that's a pretty heavy price for free email. Not to mention that, if you were one of the 424,999,999 subscribers who actually understood the business model, it looks as though Judge Koh just exposed you to liability for aiding and abetting the wiretapping of everyone you slyly tricked into exchanging mail with you. In fact, the result was so strained that it couldn’t even persuade a magistrate in the same court, who read her opinion and ruled the other way despite being outranked by Judge Koh. Oh, and those spam filters you couldn't live without? In a footnote, Judge Koh suggests they're wiretapping too unless they have a consent clause that even a federal judge can understand.
Before this decision, Judge Koh was most famous for telling an attorney for Apple that he must be "smoking crack." Judge Koh, in contrast, seems intent on smoking the rubble of the Internet economy.
Privacy Policy
We'll use the information provided by privacy professionals to verify that you are a privacy professional and to send you email about the results of the vote -- and other issues, if we have the energy. If we do manage to send you email, we'll include an unsubscribe link. SurveyMonkey runs the voting site. If you don't like their privacy policies, take it up with them.