Introduction
Dr. Fred Cate’s talk revolves around the current approach to data privacy. He analyzes the role that consent plays in data protection and privacy today, grappling with how we manage consent in a world in which data is constantly being inferred about us. In a chaotic world, he emphasizes that it is important that we ask for consent in a meaningful and effective manner. Fred H. Cate is Vice President for Research, Distinguished Professor, and C. Ben Dutton Professor of Law at Indiana University. He specializes in information security and privacy law and has testified before numerous congressional committees and served on many advisory groups for companies and governmental and international organizations. He served as the founding director of IU’s Center for Applied Cybersecurity Research from 2003 to 2014, where he is now a senior fellow. He is also a senior policy advisor to the Centre for Information Policy Leadership and one of the founding editors of the Oxford University Press journal, International Data Privacy Law.
He is the author of more than 200 articles and books, including most recently "Bulk Collection: Systematic Government Access to Private-Sector Data" (with Jim Dempsey) published in 2017 by Oxford University Press. Professor Cate attended Oxford University and received his J.D. and his A.B. with Honors and Distinction from Stanford University. A former Senator and President of the Phi Beta Kappa Society, he is a fellow of Phi Beta Kappa and the American Bar Foundation, and an elected member of the Council on Foreign Relations and the American Law Institute. This talk was given at a TEDx event using the TED conference format but independently organized by a local community. Learn more at www.ted.com/tedx
Video
Thank you, I'm gonna.
Warn you right now there.
No there no audiovisuals and part of that's because, if you're looking at someone I want you to be looking at me and part of that's because after 30 years of working in technology I, don't trust it, but don't worry.
I have I, have note cards and when I told the organizers this they look slightly chagrined but I said: don't worry it's only for the long boring quote so I want to use and the statistics that I want to bore the audience with and that made them feel a great deal better.
So let me say when I heard the topic was entropy, nothing came to mind faster to my mind than data, because we are surrounded by data that seems to be falling out of control, data being lost by corporations, data being stolen from government agencies, data that we are volunteering, that's being collected about us billions of bytes a day that seems hopelessly out of control and just to continue the focus on entropy.
It seems to be getting worse, so I thought what I might do this evening is talk about particularly the challenge of personal data and privacy.
So remember all of this data that we are talking about much of it.
We are volunteering.
We are posting those pictures of our delicious meals that we think our friends care about.
We are engaging in millions and millions of texts a second.
We are posting images and videos at a colossal rate, at a rate that could not have been imagined, it's become almost meaningless to talk about the volume, because, unless you're, a computer scientists talking about things like petabytes and terabytes I just start starts to add up to the point.
It means nothing, but it has a tremendous impact on our privacy.
It has a tremendous impact on this data.
That's being um that we are volunteering, that's being collected about us in some cases it's being calculated or inferred about us.
Are you a good credit risk? Should you be able to buy that car? Are you somebody that we want to market to? These may not even be data that really exists about you, but rather that are being created.
The New York Times reported in 2017.
This begins the statistics that accompany you've never heard of not Facebook, not Amazon, not a company that trips off your tongue engages in 50 trillion personal data transactions a year, that's buying and selling your data and mine every year.
It seems completely out of control and along with it, our privacy.
There are many reasons for this, but the one that I want to focus on, which I think will be I hope of interest to you and I think is a tiny bit.
Controversial is the role that consent plays in data protection and privacy.
Today, modern privacy law really came about in the 1960s and it came about from an academic study.
So this makes people who work in universities very happy.
Dr.
Alan Weston, who was at Columbia University, wrote his doctoral dissertation, for which he later got funding to turn into a book.
This sounds familiar so far called privacy and freedom, and in that book he defined privacy in a way that every country in the world now follows, and that is, and I quote the claim of individuals, groups or institutions to determine for themselves when how and to what extent information about them is communicated to others right by the 1990s.
Every country had followed suit.
In fact, in the New York Times William Safire wrote accepting legitimate needs in law enforcement and public interest.
Control of information must rest with the person himself.
Now you might not care about Alan Weston or William Safire, but the Supreme Court went along with this view as well, and in 1988 and Department of Justice versus Rapporteur committee gave us the definition that we use today, but the common law and the literal understandings of privacy encompass the individual's control of information concerning his or her person now just quickly, unless you think this is just a u.s.
phenomenon.
Europe and Asia and many other countries have followed suit.
Europe, you may know enacted a new general data protection regulation.
It took effect May 18 months ago and that regulation, although they're quick to say they've, not made the mistake that the US has made and focus so much on consent.
They use the term 108 times.
It's still pretty important in California, which has adopted our most recent privacy law, the California consumer, Privacy Act.
Yet the law gives individuals the right to consent about uses of their data that are collected online.
Well, look.
This sounds like great I mean like who could be against consent.
In fact, challenging consent seems totally counterintuitive in the world of privacy, because privacy is, after all, so closely linked to ourselves and our autonomy.
But for seven quick reasons, I want to outline I think it's both impractical and undesirable, that we focus on consent and I think it explains why privacy law is in the dreadful state.
It is today.
Okay, first think of the complexity of privacy notices.
You see them all the time you probably ignore them.
That's! Okay, almost everybody does unless you're a lawyer and get paid to read them, but you go visit.
The doctor.
You get a privacy notice, you log on to a website.
You get that little cookie privacy notice that's required by European law.
That's why you get it.
You know researchers like to count things and if you count, for example, PayPal's privacy notices, thirty six thousand two hundred and seventy five words that's by the way longer than Hamlet iTunes, Privacy Policy comes to nineteen thousand nine hundred and seventy two words just longer than Macbeth right.
One 2008 study calculated that to read the privacy policies of the forty or forty five most popular websites in the world would take an individual thirty full working days a year.
So these notices are complex because the things in Plex they are difficult to understand and we often just pass them by second.
They are often just inaccessible, for example, how many of you have phones? Ok, everybody has a phone in this audience, I'm gonna be willing to bet, and every one of you could be recording right now, despite that nice sign at the entrance.
That says, please don't record.
Did you give me a notice that I can send to that? Did we discuss that? In other words, how do you provide consent in environments in which you're in a group? How about you walk down the streets of Bloomington's they're, their cameras? Now you consent to that? How do we manage consent in a world in which data is being inferred about you or collected as as part of a group? A third reason is that consent is proven incredibly ineffective, mainly because people just ignore it and I love.
This quote: that's why I carry it with me.
The Federal Trade Commission, Chairman, Jon Leibowitz back in 2009 and remember the FTC is the United States largest privacy regulator, they're the people who make the rest of us put notices and give consent.
He said we all agree that consumers don't read privacy policies, little troubling from the guy who's done more than anyone else on earth to make us have them.
In fact, his predecessor FTC chairman Timothy Morris, commented at the end of 2001 about a new law that required more notices and consent opportunities in the financial services market and a chairman mirror said this acres of trees dyed to produce a blizzard of barely comprehensible privacy notices.
Indeed, this is a statute that only lawyers could love until they found out it applied to them too.
Okay.
Fourth, what we often find out is that the consent we're giving is entirely illusory.
We have no choice.
Try to update your iPhone right, there's a new software.
It comes out every couple of weeks.
If you don't update it quickly, you're prompted to update it.
Then it starts blocking it.
Then it starts saying we're gonna update it for you automatically, then the phone stops working.
The first thing it does when you go to update it is it said here are the seventy four screens of our privacy policy.
You can download it, you can email it.
You can agree to it, but you cannot not agree to it and that's ilusory consent.
That's meaningless! That may make lawyers feel better.
In fact, Apple makes it pop up twice: consent.
Yes, and then it says: do you really consent right? The alternative being? Would you like us to turn your very expensive phone into a brick which is the alternative? If you say no, okay, fifth, there's a huge burden on individuals of all of these consent opportunities and what consent is often talked about as a right, sometimes even a human right.
It's realistically much more of a duty, it's much more of a burden on individuals and remember when you make that choice, it has the legal effect of shifting the liability from the from the the data processor to you right.
It's just like when you drive in the garage and you take that ticket and on the back of it it says we have no liability for anything we can crush and mount your car.
We can throw it out the the edge of the garage, we're not liable for anything that that may look like a right to you, like you, got the right to consent to that by driving in the garage.
But realistically it was the imposition of a burden on you and on me, and that burden is really quite significant at times because of the legal significance that can attach to those six choice often serves as an enormous disservice, both to individuals and society.
Think about press coverage right.
Do we really want up the president to have a right to privacy right now that only his consent will allow coverage of what he's been up to fraud prevention, crime detection? Do we want to wait till the criminals consent so that we can use their data? So what we do in these cases? Is we override the consent? We acknowledge the consent doesn't work.
Research, something close to my heart, often depends on being able to use past data, often in an anonymized fashion, without going back and getting individual consent.
But, finally, and most importantly, the real challenge about consent is: it leads to lousy privacy protection.
It's not the same thing clicking I agree to I get privacy.
Now you agree to terms that often eliminate your privacy.
You agree to broad terms that appear to have no limit.
We're being asked to do things that we could never be asked to do in other consumer protection settings right.
Imagine a consumer protection law that said well, you can always ask the consumer.
If it's okay to defraud them, we don't allow that we set rules and then we hold people to it.
We don't allow you to consent them away its own tempted to end there, but I won't I have four more things.
I want to say very quickly and that's because I want to say something positive, I, don't just want to be a drain on your otherwise stimulating evening.
So what my we do, that would look differently right, so one thing would be less focus on consent and more on stewardship of data.
If you collect my data, if you use my data and something goes wrong that causes harm, you should be liable for it.
You can't shift that liability by asking me to consent to take it myself.
You would be the steward for my data and that's the way we treat other things.
That's the way a lawyer is who acts on the best behalf of his or her client.
That's the way a banker is that's the way a doctor behaves.
Why wouldn't we say if you're using my most personal information, you should be held to the same requirements.
You should be a steward.
You should be acting in trust of the person whose data you're using second, we might think more about what are the things we agree that can be done with data in normal circumstances and what shouldn't be done with it.
Stalking is out.
Fraud is out well, but something should be in.
You know: bill collection, fraud, detection, maybe even research.
If you want to keep the vice president for research, happy there's some things we might be able to slide over into the generally permitted category so long as you use good security and not have to burden people by telling them the bleeding obvious like if I.
If you give me your credit card, I'm gonna use it to charge you money.
Third, we might think more about redress, because no matter what happens, something's gonna go wrong.
That's the one thing we know: that's the one certainty in a world of entropy and right now we are often left in the cold when something does go wrong.
In fact, we often learn about it from the newspaper and finally, when we do ask for consent, let's make it meaningful, timely and effective, and since I've criticized iPhone, I'm gonna say something nice about them now you know that just in time message did you know this app was using your location data right now, that's kind of a useful prompt.
It gives you a chance to say no I'm gonna go in and shut that off.
I, don't like that, but using consent in all of these other settings has the unintended effect of making us tend to ignore it when we could make meaningful effective choices that would protect our privacy.
Thank you very much.
You.