By Andrew Cohen
Yet another public endorsement of Berkeley Law’s privacy work: the school’s expertise permeated the annual Privacy Papers for Policymakers awards, accounting for three of the ten honored publications.
Professors Paul Schwartz, Kenneth Bamberger, and Deirdre Mulligan, along with Chetan Gupta ’16 LL.M., were recognized for leading privacy scholarship that is relevant to United States policymakers and foreign data protection authorities. Schwartz and Karl-Nikolaus Peifer co-authored one of the six chosen papers, Bamberger and Mulligan co-wrote one of the three honorable mention selections, and Gupta won the inaugural student category.
A team of academics, advocates, and industry professionals reviewed papers that were evaluated highly by the Future of Privacy Forum’s advisory board. Papers were chosen for demonstrating a thoughtful analysis of emerging issues and proposing new means of analysis that could influence real-world policy.
The winning authors are invited to present their work at the U.S. Senate on February 27, 2018, a day before the Federal Trade Commission’s PrivacyCon event. Summaries of their papers will be distributed to policymakers, privacy professionals, and the public.
Squeaky wheel power
Gupta’s paper explores whether individual actors can drive the adoption of privacy and security standards in a given marketplace. The idea came from studying economist Nassim Nicholas Taleb’s research on the “Minority Effect”—where a small but vocal or picky minority can affect the choices of society as a whole.
Now an associate at Baker McKenzie’s employment practice group in Palo Alto, Gupta probed why certain protective technologies gain widespread adoption. “It normally requires that the end consumer be inconvenienced as little as possible, even if the cost is high to implement the privacy-enhancing technology for businesses,” he says. “I found that single actors do shape privacy improvements, but they tend to be dominant or significant players in their field.”
One of his case studies is HTTPS, the more secure, encrypted version of an earlier protocol (HTTP) that most webpages use today. Gupta noted how quickly HTTPS was adopted once Google announced it would promote HTTPS pages in search results by ranking them higher and displaying red “not secure” warnings next to other webpage addresses in the browser. HTTPS adoption soared from less than 40 percent in 2015 to more than 80 percent today.
Increased understanding of this issue can help businesses, policymakers, and consumers decide how best to improve privacy and security. “It can also guide what privacy regulation should look like,” Gupta says. “For example, policies that require consumers to absorb and act on large amounts of technical information probably do little to enhance their actual privacy.”
Gupta wrote the paper for his LL.M. writing requirement. He credits James Dempsey, executive director of the school’s Berkeley Center for Law & Technology, for helping him pinpoint everyday technologies to illustrate his hypothesis. Professor Chris Hoofnagle also instilled some needed confidence.
“I simply could not have written this paper without Chris’ help,” Gupta said. “His Privacy Law for Technologists seminar got me interested in the topic in the first place. He’s an incredible mentor. He helped me shape my ideas, articulate my hypotheses, introduced me to people I could speak with to improve the paper, and even suggested suitable avenues for publication.”
Bridging the transatlantic divide
Teaming with Peifer for a third article together, Schwartz describes problematic differences between how the U.S. and the European Union (EU) approach data privacy. Those differences have prompted the EU to set strict limits on transfers of personal data to any non-EU country—including the U.S.—that lacks sufficient privacy protections.
Schwartz says that while U.S. law promotes “long privacy notices that no one reads and formalistic consent to terms-of-service, the EU is hostile to this approach. It strives to bolster ‘strong’ consent and to limit the grounds for which consent can justify personal data collection and use.”
His paper illustrates how Europe has created a privacy rights culture and constitutionalized privacy in a sweeping fashion. “By contrast, in the U.S., the approach is around consumers in a marketplace,” Schwartz says. “Using such different reference points makes it difficult to reach understanding … and understanding is essential because of the importance of international data transfers in the modern economy.”
Nevertheless, he foresees common solutions that will permit international data flows thanks to the General Data Protection Regulation, an EU-wide standard that becomes binding in 2018, and the Privacy Shield, an EU–U.S. treaty signed in 2016. These legal standards require regular interactions, create avenues for harmonization, and establish new governmental networks to resolve conflicts.
The Privacy Shield created a system of regular reviews of its functioning by the EU and U.S. alike, which allows ongoing exchanges. Schwartz also sees the General Data Protection Regulation strengthening international data privacy “immeasurably” by providing one binding information privacy law for regulation.
“All privacy lawyers and scholars will be quite busy with it for many years to come,” he says.
Driving toward safety
Bamberger and Mulligan tackle security vulnerability in modern automobiles. In 2015, researchers gained control of a Jeep Cherokee by hacking into its connectivity system. Soon after, the first cybersecurity-related auto recall covered more than 1.4 million Fiat Chrysler vehicles, and General Motors initiated a broad update to address similar concerns.
Highlighting the importance of security update functionality in the auto industry, Bamberger and Mulligan also discuss the roadblocks to achieving that. They offer guiding principles to regulatory agencies such as the National Highway Traffic Safety Administration, and urge the development of cybersecurity expertise and shared objectives across relevant stakeholders.
Cars equipped with internet access can have more than 100 million lines of software code, and that code base is growing. Bamberger and Mulligan note that embedded sensors and algorithms affect airbag deployment, seatbelt engagement, anti-skid systems, and anti-lock brakes, among other functions.
Their paper touts “the importance of regulatory structures that incentivize greater attention to security during production, and the management of security vulnerabilities discovered after connected devices are in circulation.” Their suggested reforms also call for a transparent process with public participation.