Drawing upon victim and impostor data now accessible because of updates to the Fair Credit Reporting Act, the data show that identity theft impostors supply obviously erroneous information on applications that is accepted as valid by credit grantors. Thus, the problem does not necessarily lie in control nor in more availability of personal information, but rather in the risk tolerances of credit grantors. An analysis of incentives in credit granting elucidates the problem: identity theft remains so prevalent because it is less costly to tolerate fraud. Adopting more aggressive and expensive anti-fraud measures is extremely costly and jeopardizes customer acquisition efforts.

These business decisions leave individuals and merchants with some of the externalities of identity theft. Victims sometimes spend their own money, and more often, valuable personal time dealing with identity theft externalities. This article concludes by reviewing several approaches to internalizing these costs. Popular approaches specify prescriptive rules to address particularly problematic practices in credit granting, such as using the Social Security number as a password for authentication. These approaches may lead to compliance-oriented approaches and reification. Several commentators have suggested negligence actions as a cure to identity theft, but uncertainty surrounding the duty of care would probably leave many consumers unremunerated. A strict liability regime is suggested because credit grantors are the least cost avoiders in the identity theft context, and because consumers cannot control the credit granting process nor insure against identity theft losses efficiently.

UCLA Journal of Law and Technology, p. 1, 2010

First, increasingly, privacy statutes create evolving standards of care, thus encouraging innovation for handling of data and avoiding the reification that can result from prescriptive, detailed regulation. For instance, the Fair Credit Reporting Act mandates an evolving “maximum possible accuracy” standard.

Second, in the direct marketing context, the US has imposed advertiser liability for violations of telemarketing, fax, and spam laws. This is a promising approach to address the use of difficult-to-identify and prosecute service providers that are responsible for illegal marketing campaigns.

Third, audit requirements for access to personal information has had a profound effect in encouraging industry and citizen policing of privacy violations. Audit logs have substantiated long-suspected privacy problems regarding “browsing” of files, and news media access to celebrities’ medical records.

Fourth, the US has briefly experimented with “data provenance,” a requirement that buyers of personal information exercise diligence to ensure against misuse of data. Data provenance responsibilities can create incentives to reduce gray and black market sales of personal information.

Finally, most federal privacy law acts as a floor of protections, allowing states to enact stronger rules. This has created a tension between state and federal governments, resulting in a leveling up of protections, because states (which tend to be more activist on privacy issues) can act where the US Congress is occupied with other issues.

NB: The final report, an executive summary of the final report, both by Douwe Korff and Ian Brown (et al), and one of two working papers, as well as two further country reports (on France and Germany) and a Comparative Chart, all by Douwe Korff, all also produced for the Comparative Study of Different Approaches to New Privacy Challenges in Particular in the Light of Technological Developments, can be found on SSRN.

Jennifer King
UC Berkeley School of Information; Berkeley Center for Law & Technology

Su Li
University of California, Berkeley- School of Law, Center for the Study of Law and Society

Joseph Turow
University of Pennsylvania - Annenberg School for Communication

Media reports teem with stories of young people posting salacious photos online, writing about alcohol-fueled misdeeds on social networking sites, and publicizing other ill-considered escapades that may haunt them in the future. These anecdotes are interpreted as representing a generation-wide shift in attitude toward information privacy. Many commentators therefore claim that young people “are less concerned with maintaining privacy than older people are.” Surprisingly, though, few empirical investigations have explored the privacy attitudes of young adults. This report is among the first quantitative studies evaluating young adults’ attitudes. It demonstrates that the picture is more nuanced than portrayed in the popular media.

In this telephonic (wireline and wireless) survey of internet using Americans (N=1000), we found that large percentages of young adults (those 18-24 years) are in harmony with older Americans regarding concerns about online privacy, norms, and policy suggestions. In several cases, there are no statistically significant differences between young adults and older age categories on these topics. Where there were differences, over half of the young adult-respondents did answer in the direction of older adults. There clearly is social significance in that large numbers of young adults agree with older Americans on issues of information privacy.

A gap in privacy knowledge provides one explanation for the apparent license with which the young behave online. 42 percent of young Americans answered all of our five online privacy questions incorrectly. 88 percent answered only two or fewer correctly. The problem is even more pronounced when presented with offline privacy issues – post hoc analysis showed that young Americans were more likely to answer no questions correctly than any other age group.

We conclude then that that young-adult Americans have an aspiration for increased privacy even while they participate in an online reality that is optimized to increase their revelation of personal data.

This article attempts to actuate a market for bank safety by comparing identity theft victim data with government statistics used to measure the relative size of financial institutions. It envisions a future when this market incentivizes financial services firms to explicitly compete to reduce the likelihood that customers will become victims of identity theft or other frauds. In a world of competition in bank safety, consumers who put a premium on avoiding fraud could reward the most proficient firms with their loyalty.

This article concludes that the available data, while weakened by several methodological concerns, do show that certain banks, large and small, have different identity theft footprints. Other discoveries were made as well. First, if present trends continue, there will be a substantial upswing in identity theft complaints to the Federal Trade Commission in 2008. Second, over a three-year period, a small group of companies accounted for almost 50 percent of identity theft incidents. Focusing interventions on this small group of companies could have a profound effect on incidence of identity theft. Finally, non-banking institutions, such as telecommunications companies, have an enormous identity theft footprint; in our highly dependent credit markets, impostors may be using these companies as stepping stones for attacks against banks.

This survey finds that Americans want openness with marketers. If marketers want to continue to use various forms of behavioral targeting in their interactions with Americans, they must work with policymakers to open up the process so that individuals can learn exactly how their information is being collected and used, and then exercise control over their data. We offer specific proposals in this direction. An overarching one is for marketers to implement a regime of information respect toward the public rather than to treat them as objects from which they can take information in order to optimally persuade them.

A gulf exists between California consumers' understanding of online rules and common business practices. For instance, Californians who shop online believe that privacy policies prohibit third-party information sharing. A majority of Californians believes that privacy policies create the right to require a website to delete personal information upon request, a general right to sue for damages, a right to be informed of security breaches, a right to assistance if identity theft occurs, and a right to access and correct data.

These findings show that California consumers overvalue the mere fact that a website has a privacy policy, and assume that websites carrying the label have strong, default rules to protect personal data. In a way, consumers interpret "privacy policy" as a quality seal that denotes adherence to some set of standards. Website operators have little incentive to correct this misperception, thus limiting the ability of the market to produce outcomes consistent with consumers' expectations. Drawing upon earlier work, we conclude that because the term "privacy policy" has taken on a specific meaning in the minds of consumers, its use should be limited to contexts where businesses provide a set of protections that meet consumers' expectations.

In 2007, fraud events where the victim could identify the institution associated with the incident, were concentrated among a relatively small number of companies. Just ten companies accounted for 30% of events. Verizon was identified by victims more than any other company as being targeted by impostors to commit fraud. AFNI, a collections agency, was next in total number of events. Bank of America improved dramatically over its 2006 numbers, while ING Bank and American Express remained top performers among large institutions.

Studies have shown that most consumers oppose the sale of personal information. Unfortunately, most consumers are under the misimpression that a company with a "privacy policy" is barred from selling data. To learn more about information selling, the authors, using a California privacy law, made requests to 86 companies for a disclosure of information sharing practices. The results show that while many companies have voluntarily adopted a policy of not sharing personal information with third parties, many still operate under an opt-out model that is inconsistent with consumer expectations, and others simply did not respond to the request. Based on these results, the authors propose several public policy approaches to bringing business practices in information sharing in line with consumer expectations.

Professor Alan Westin has pioneered a popular "segmentation" to describe Americans as fitting into one of three subgroups concerning privacy: privacy "fundamentalists" (high concern for privacy), "pragmatists" (mid-level concern), and the "unconcerned" (low or no privacy concern). When compared with these segments, Californians are more likely to be privacy pragmatists or fundamentalists, and less likely to be unconcerned about privacy. Fundamentalists were much more likely to be correct in their views of privacy rules. In light of this finding, we question Westin's conclusion that privacy pragmatists are well served by self-regulatory and opt-out approaches, as we found this subgroup of consumers is likely to misunderstand default rules in the marketplace.

The author hypothesizes that if lending institutions reported limited information about identity theft, it would reveal that identity theft is both more prevalent and economically damaging than currently acknowledged, in part because of the rise of synthetic identity theft, a form that cannot be measured by victim surveys because they are unaware of the crime. Furthermore, the disclosure requirement would birth an anti-identity theft market, and the prevalence and severity of the crime would decrease dramatically as institutions compete to offer the safest financial products to consumers.

CDBs make available a wide variety of personal information, from arrest and court records to notice that a suspect has opened a private mailbox. Access to private sector databases has significantly altered the balance of power between law enforcement and the individual. This new power has been made possible by the confluence of fast network connections; the availability of public records, both electronic and paper, that are rich with personal information; a regulatory environment that has turned a blind eye to private sector collection of personal information for marketing and other purposes; and the alacrity of companies that have become very profitable from selling personal data to the government.

This article summarizes the findings of three years of research into the relationship between CDBs and the federal government. The federal Freedom of Information Act was employed to obtain over 1,500 documents from nine federal agencies concerning ChoicePoint and other CDBs. Findings are presented from the requests, and concerns are raised regarding law enforcement access to personal information.

The documents led to six major findings. First, the documents show that law enforcement can quickly obtain a broad array of personal information about individuals. Second, although broad requests for documents were filed, there was almost no evidence of controls to prevent agency employees from misusing the databases. It appears as though auditing employee use of the databases is either impossible or simply not done. Third, the database companies are extremely solicitous to the government and actually design the databases for law enforcement use. Fourth, ChoicePoint expanded significantly in 2000 by starting to acquire and sell personal information of non-citizens. That discovery has led to strong international dissent. Fifth, many of the contracts with CDBs are sole-sourced, meaning the contracts are not open to competitive bidding. Sixth, the FBI has a secret, sole-source contract with ChoicePoint to develop an information service prototype.

Based on these documents, the author concludes that the Privacy Act should apply to CDBs. The Privacy Act of 1974 establishes a comprehensive set of Fair Information Practices for government collection of personal information, but does not substantially affect the data practices of these private companies. Because of this lack of coverage, government entities have performed an end-run around the protections of the Privacy Act by allowing the private sector to amass troves of personal information that the government would ordinarily not be allowed to collect. Essentially, commercial data brokers are big brother's little helpers - private sector companies that have escrowed personal information that is customized for law enforcement and other government agencies.

The author also concludes that public policy makers should not draw distinctions between commercial and government collection of personal information. Libertarians and conservatives have employed persuasive arguments to stave off privacy regulation that affects the commercial sector. They have argued that government collection, use, and disclosure of information presents more risk than commercial collection because the government has the power to arrest, imprison, and even to execute citizens. But this article shows that this distinction between the risks of government and commercial privacy risk is no longer tenable. Commercial actors provide personal information to the government in a number of contexts, and often with astonishing alacrity.

Finally, policymakers should revisit policies surrounding access to public records. Much of the personal information made available to law enforcement originates from public records. In a variety of contexts, the government compels individuals to reveal their personal information, and then pours it into the public record for anyone to use for any purpose. The private sector has collected the information, repackaged it, and brought it back to the government full circle. While public records are supposed to provide a window for a citizen to check abusive government activities, increasingly, they are used to leverage more control for powerful institutions against the common man.

And finally, the worst identification and tracking policies from the online world are finding their way into the offline world. In other words, online self-regulatory approaches have encouraged a more invasive web environment, and have dragged down the practices of ordinary, offline retailers. This paper argues that the FTC and Congress should reevaluate their commitment to market approaches, and empower consumers with privacy law that incorporates Fair Information Practices.

The Deck is drawn upon my experience as a lawyer working on consumer protection in Washington, DC. Where possible, I have provided specific examples of denialism, but in many cases, these arguments are used only in closed negotiations. Some who read them find the examples humorous, while others find it troubling. But all who read the Washington Post will recognize these tactics; they are ubiquitous and quite effective.

This taxonomy provides a roadmap for consumer advocates to understand the resistance they will face with almost any form of consumer reform. I hope to expand it to include retorts to each argument in the future.

In the aftermath of the ChoicePoint debacle and other major information security breaches, both of us have been asked by Congressional legislative staffers, state legislative policymakers, journalists, academics, and others about what specifically should be done to better regulate information privacy. In response to these questions, we believe that it is imperative to have a discussion of concrete legislative solutions to privacy problems.

What appears below is our attempt at such an endeavor. Privacy experts have long suggested that information collection be consistent with Fair Information Practices. This Model Regime incorporates many of those practices and applies them specifically to the context of commercial data brokers such as ChoicePoint. We hope that this will provide useful guidance to legislators and policymakers in crafting laws and regulations. We also intend this to be a work-in-progress in which we collaborate with others. We have welcomed input from other academics, policymakers, journalists, and experts as well as from the industries and businesses that will be subject to the regulations we propose. We have incorporated criticisms and constructive suggestions, and we will continue to update this Model Regime to include the comments we find most helpful and illuminating.

Notice, Consent, Control, and Access

1. Universal Notice
2. Meaningful Informed Consent
3. One-Step Exercise of Rights
4. Individual Credit Management
5. Access to and Accuracy of Personal Information

Security of Personal Information

6. Secure Identification
7. Disclosure of Security Breaches

Business Access to and Use of Personal Information

8. Social Security Number Use Limitation
9. Access and Use Restrictions for Public Records
10. Curbing Excessive Uses of Background Checks
11. Private Investigators

Government Access to and Use of Personal Data

12. Limiting Government Access to Business and Financial Records
13. Government Data Mining
14. Control of Government Maintenance of Personal Information

Privacy Innovation and Enforcement

15. Preserving the Innovative Role of the States
16. Effective Enforcement of Privacy Rights

This article proposes a fix to address lax credit granting practices. It takes the form of a change in the default state of credit reports from their current liquid state to a frozen one. That is, our current credit system allows our personal information to flow like water to almost anyone who requests it. Once credit information is released, credit grantors who are operating in an extremely competitive market, race to issue new accounts. This makes it simple for impostors to commit identity theft by obtaining new credit accounts.

Under the proposed system, credit reports would be sealed or frozen, available only when the individual thaws her file, and specifies to whom, when, or in what contexts it should be released. Creditors will not extend tradelines without a credit report, and thus under a frozen credit report system, impostors would have great difficulty in obtaining new accounts. A simple barrier to obtaining a credit report will provide a shield for all individuals against most identity thieves.

This article is a short book chapter in a forthcoming book to be published by Stanford University Press of papers presented at a March 2004 symposium on privacy and security at Stanford Law School.

What appears below is our attempt at such an endeavor. Privacy experts have long suggested that information collection be consistent with Fair Information Practices. This Model Regime incorporates many of those practices and applies them specifically to the context of commercial data brokers such as Choicepoint. We hope that this will provide useful guidance to legislators and policymakers in crafting laws and regulations. We also intend this to be a work-in-progress in which we collaborate with others. We welcome input from other academics, policymakers, journalists, and experts as well as from the industries and businesses that will be subject to the regulations we propose. We invite criticisms and constructive suggestions, and we will update this Model Regime to incorporate the comments we find most helpful and illuminating. We also aim to discuss some of the comments we receive in a commentary section. To the extent to which we incorporate suggestions and commentary, and if those making suggestions want to be identified, we will graciously acknowledge those assisting in our endeavor.

Notice, Consent, Control, and Access

1. Universal Notice
2. Meaningful Informed Consent
3. One-Step Exercise of Rights
4. Individual Credit Management
5. Access to and Accuracy of Personal Information

Security of Personal Information

6. Secure Identification
7. Disclosure of Security Breaches

Business Access to and Use of Personal Information

8. Social Security Number Use Limitation
9. Access and Use Restrictions for Public Records
10. Curbing Excessive Uses of Background Checks
11. Private Investigators

Government Access to and Use of Personal Data

12. Limiting Government Access to Business and Financial Records
13. Government Data Mining
14. Control of Government Maintenance of Personal Information

Privacy Innovation and Enforcement

15. Preserving the Innovative Role of the States
16. Effective Enforcement of Privacy Rights

Public concern cases involving professors tend to arise in one of four different contexts: faculty expression concerning the internal affairs of the institution; faculty expression motivated by personal interest; faculty expression made in private and not shared with the public; and vulgar or derogatory language employed by faculty in the classroom. In this article I will argue that, in each of the four contexts, courts have not always been sensitive to the special differences between ordinary public employment and employment at an institution of higher education. Also, in all four contexts, it is clear that the matter of public concern test does not encompass the traditional notions of protection offered by academic freedom.

To explain the trends in public concern jurisprudence, it is helpful to review the history of constitutional protection for public employee free expression. Part II of this article will review the rise of First Amendment protection for academic freedom, the development of the public concern test, and academic standards for free expression. Part III will describe the current procedural hurdles that plaintiffs and defendants must maneuver when a professor's free speech rights are being litigated. Part IV contains an analysis of public concern cases in terms of the four categories listed above. Finally, Part V presents academic criticism of the matter of public concern test and alternative legal standards for determining the First Amendment value of professors' expression.

Professors must exercise caution when relying on the First Amendment or academic freedom to shield their expression from retaliation because the only academic speech likely to enjoy protection under the Constitution is speech on matters of public concern. The matter of public concern test does not encompass the traditional notions of protection offered by academic freedom. And, even if a professor is successful in showing that the speech in question pertains to a matter of public concern, the professor's case must still survive Pickering balancing, qualified immunity challenges, and other procedural hurdles. Courts applying the matter of public concern test to faculty speech sometimes are insensitive to the special context of higher education. As a result, professors must consider that important expression in the academic environment may appear as inconsequential to a judge. This insensitivity and difference in worldviews results in less protection for free speech, and as a result, it endangers academic freedom.

Cases applying the matter of public concern test to faculty speech are highly fact-sensitive. But some generalizations can be made about public concern cases to help faculty evaluate their free speech rights:

(1) Many important internal affairs issues are not matters of public concern. To be protected, expression on internal affairs issues must directly affect the public's perception of quality of education. As a result, faculty speech on many important, quality-affecting issues is not protected by the First Amendment.

(2) Faculty expression that is motivated by purely personal interest will not enjoy First Amendment protection. Courts will also reject First Amendment claims by faculty who use public issues as a pretense to air their personal grievances. However, faculty who have mixed motives of personal and sincere public interest may have their speech protected.

(3) Professors do not have to publicize their expression in order to enjoy First Amendment protection. Private expression on matters of public concern is protected by the First Amendment.

(4) Professors who use vulgar or derogatory language should exercise caution because an institution or court might not consider the context or speaker's intent carefully. As a result, professors cannot rely on First Amendment protection for vulgar or derogatory speech. Sexually-explicit expression that is motivated by pedagogical purposes has, however, been found to relate to a matter of public concern.