A. Michael Froomkin

The Death of Privacy

The rapid deployment of privacy-destroying technologies by governments and businesses threatens to make informational privacy obsolete. The first part of this article describes a range of current technologies to which the law has yet to respond effectively. These include: routine collection of transactional data, growing automated surveillance in public places, deployment of facial recognition technology and other biometrics, cell-phone tracking, vehicle tracking, satellite monitoring, workplace surveillance, internet tracking from cookies to “clicktrails,” hardware-based identifiers, intellectual property protecting “snitchware,” and sense-enhanced searches that allow observers to see through everything from walls to clothes. The cumulative and reinforcing effect of these technologies may make modern life completely visible and permeable to observers; there could be nowhere to hide. The second part of the article discusses leading attempts to craft legal responses to the assault on privacy – including self-regulation, privacy-enhancing technologies, data-protection law, and property-rights based solutions – in the context of three structural obstacles to privacy enhancement: consumers’ privacy myopia; important First Amendment protections of rights to collect and repeat information; and fear of what other people may do if not monitored. The article concludes that despite the warnings of information privacy pessimists, all is not lost – yet.

Ethical, legal and social issues for personal health records and applications

Robert Wood Johnson Foundations Project HealthDesign included funding of an ethical, legal and social issues (ELSI) team, to serve in an advisory capacity to the nine design projects. In that capacity, the authors had the opportunity to analyze the personal health record (PHR) and personal health application (PHA) implementations for recurring themes. PHRs and PHAs invert the long-standing paradigm of health care institutions as the authoritative data-holders and data-processors in the system. With PHRs and PHAs, the individual is the center of his or her own health data universe, a position that brings new benefits but also entails new responsibilities for patients and other parties in the health information infrastructure. Implications for law, policy and practice follow from this shift. This article summarizes the issues raised by the first phase of Project HealthDesign projects, categorizing them into four topics: privacy and confidentiality, data security, decision support, and HIPAA and related legal-regulatory requirements. Discussion and resolution of these issues will be critical to successful PHR/PHA implementations in the years to come.

Legal Issues in Anonymity and Pseudonymity

The regulation of anonymous and pseudonymous communications promises to be one of the most important and contentious Internet-related issues of the next decade. Resolution of this controversy will have direct effects on the freedom of speech, the nature of electronic commerce, and the capabilities of law enforcement. The legal resolution of the anonymity issue also is closely bound up with other difficult and important legal issues: campaign finance laws, economic regulation, freedom of speech on the Internet generally, the protection of intellectual property, and general approaches to privacy and data protection law. The legal constraints on anonymous communication, and the constitutional constraints on those who would regulate it further, thus should be considered in tandem with the policies animating regulation and also their side effects.

The collision of trademarks, domain names, and due process in cyberspace

(DNS), which plays a key role in routing the large majority of Internet traffic, was designed at a time when there were few hosts and the pre-Internet network was limited mostly to academic users, researchers, and noncommercial traffic. The idea of giving internetworked computers easily remembered names dates back at least to 1971 when Peggy Karp, an early author and editor of the network engineers’ Requests For Comments, prepared the first hosts.txt file, the predecessor of the modern “root” file. Each version of the DNS since then has sought to provide routing efficiency, ease of use, and the ability to scale, although it’s unlikely many of the founders foresaw quite how much it would need to scale. Today, with a substantial part of the name-resolution infrastructure still provided on a volunteer basis (and the name assignment function increasingly regulated and commercialized), the DNS continues to meet its objectives of providing mnemonicto-IP mappings while preventing name collisions on the Internet. It thus undergirds part of the network’s fundamental technical stability. Technical success, however, has bred social issues. In the mid-1990s, the DNS and the people admin-

Article 2B as Legal Software for Electronic Contracting - Operating System or Trojan Horse

The proposed draft of Article 2B of the Uniform Commercial Code can be thought of as akin to a complex computer software suite which seeks to dominate a market by offering all things to all people. In this article I suggest, however, that Article 2Bs electronic contracting rules interoperate poorly with existing digital signature laws, and with some forms of electronic commerce. I also question whether Article 2B is the proper means to enact controversial rules that ordinarily would make consumers liable for fraudulent uses of their digital signatures by third parties. After considering Article 2Bs potential interaction with existing digital signature laws, state consumer laws and liability rules, and the practices of Certificate Authorities, I suggest that Article 2B still contains several bugs in its code and is therefore still not ready for adoption. NOTE: The article relies on the August 1, 1998 draft of 2B.

Of Governments and Governance

The Magaziner Report focuses on achieving short-term goals without giving sufficient consideration to long-term consequences affecting the structure of Internet governance and democracy in general. This overly pragmatic approach creates a paradoxical climate: overly-friendly to government intervention (in e-commerce regulation) while also overly-willing to defer to privatized governance structures (in other areas). As the recent World Intellectual Property Organization (“WIPO”) domain name/trademark process demonstrates, certain Internet governance processes raise several questions, not least discerning whether such processes include adequate notice and consultation. More traditional democratic processes, such as legislation and regulation, have routinized means of giving affected parties notice of pending decisions and of soliciting public comment. Other privatized governance processes may be equally or more legitimate, but not inevitably.

Government Data Breaches

This paper addresses the legal response to data breaches in the US public sector. Private data held by the government is often the result of legally required disclosures or of participation in formally optional licensing or benefit schemes where the government is as a practical matter the only game in town. These coercive or unbargained-for disclosures impute a heightened moral duty on the part of the government to exercise careful stewardship over private data. But the moral duty to safeguard the data and to deal fully and honestly with the consequences of failing to safeguard them is at best only partly reflected in current state and federal statute law and regulations. The paper begins with an illustrative survey of federal data holdings, known breach cases, and the extent to which the government’s moral duty to safeguard our data is currently instantiated in statute law and, increasingly, in regulation. I then argue that the government’s duty to safeguard private data has a Constitutional foundation, either free-standing or based in Due Process, at least in cases where the government failed to take reasonable precautions to safeguard the data. This right is separate from any informational privacy rights that constrain the governments ability to acquire personal or corporate information. The key is Chief Justice Rhenquist’s opinion in DeShaney. Under the DeShaney logic, victims of many governmental privacy breaches should have a claim against states under § 1983. Similar constitutional claims against the federal government would require a Bivens action but this is unlikely to work under current doctrine. As a result, persons injured by federal data breaches will have substantially inferior remedies available to them than will victims of state errors. And even when suing a state, however, the provision of effective remedies may be hampered by arguments based on governmental immunity, and the problem of valuing the harms caused by a breach.

Digital Signatures Today

To a lawyer, two issues stand out as critical impediments to the widespread acceptance of digital signatures in electronic commerce: the unresolved nature of liability issues and the looming uncertainty about the nature of the public key infrastructure. These issues are so closely related as to be almost intertwined.