All posts in Scholarship

The Nothing-to-Hide Argument – My Essay’s 10th Anniversary

Daniel Solove
Founder of TeachPrivacy

In response to government surveillance or massive data gathering, many people say that there’s nothing to worry about.  “I’ve got nothing to hide,” they declare.  “The only people who should worry are those who are doing something immoral or illegal.”

The nothing-to-hide argument is ubiquitous.  This is why I wrote an essay about it 10 years ago called “I’ve Got Nothing to Hide,” and Other Misunderstandings of Privacy, 44 San Diego Law Review 745 (2007).  It was a short law review piece, one that I thought would be read by only a few people.  But to my surprise, this essay really resonated with many people, and it received an unusually high number of downloads for a law review essay.  I later expanded the ideas in the essay into a book: Nothing to Hide: The False Tradeoff Between Privacy and Security (Yale University Press 2011).

This year is the 10th anniversary of the piece.  A lot has happened between then and now.  Not too long before I wrote my essay, there were revelations of illegal NSA surveillance.  A significant percentage of the public supported the NSA surveillance, and the nothing-to-hide argument was trotted out again and again.  This was the climate in which I wrote the essay.

Later on, in 2013, Edward Snowden revealed that the NSA was engaging in extensive surveillance far beyond its legal authority.  Snowden declared: “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”  This time, there was a significantly large percentage of the public that didn’t side with the NSA but instead demanded scrutiny and accountability.

Nevertheless, the nothing-to-hide argument is far from vanquished.  There will always be a need for citizens to demand accountability and oversight of government surveillance, or else we will gradually slide into a more dystopian world.

Here are a few short excerpts from my nothing-to-hide essay:

Continue Reading

New Edition of Privacy Law Fundamentals

Daniel Solove
Founder of TeachPrivacy

I’m pleased to announce that a new 4th edition of my short guide, PRIVACY LAW FUNDAMENTALS  (IAPP 2017)  (co-authored with Professor Paul Schwartz) is now out in print.  This edition incorporates extensive developments in privacy law and includes an introductory chapter summarizing key new laws, cases and enforcement actions.

Privacy Law Fundamentals is designed with an accessible, portable format to deliver vital information in a concise (318 pages) and digestible manner. It includes key provisions of privacy statutes; leading cases; tables summarizing the statutes (private rights of action, preemption, liquidated damages, etc.); summaries of key state privacy laws; and an overview of FTC, FCC, and HHS enforcement actions.

“This is the essential primer for all privacy practitioners.” — David A. Hoffman, Intel Corp.

“In our fast-paced practice, there’s nothing better than a compact and accessible work that is curated by two of the great thinkers of the field.  It is a gem.” — Kurt Wimmer, Covington & Burling LLP

“Two giants of privacy scholarship succeed in distilling their legal expertise into an essential guide for a broad range of the privacy community.” — Jules Polonetsky, Future of Privacy Forum

“This book is my go-to reference for when I need quick, accurate information on privacy laws across sectors and jurisdictions.” — Nuala O’Connor, Center for Democracy and Technology

You can get a copy at IAPP’s bookstore or at Amazon.  For general information about this book as well as all my textbooks and useful resources, visit our Information Privacy Law textbook website.

The full table of contents is below:

Continue Reading

A Brief History of Information Privacy Law

Daniel Solove
Founder of TeachPrivacy

I recently updated my book chapter, A Brief History of Information Privacy Law, which appears in the new edition of PLI’s Proskauer on Privacy.

This book chapter, originally written in 2006 and updated in 2016, provides a brief history of information privacy law, with a primary focus on United States privacy law. It discusses the development of the common law torts, Fourth Amendment law, the constitutional right to information privacy, numerous federal statutes pertaining to privacy, electronic surveillance laws, and more. It explores how the law has emerged and evolved in response to new technologies that have increased the collection, dissemination, and use of personal information.

The chapter can be downloaded for free here.

Here is the table of contents:

Continue Reading

The Digital Person: Technology and Privacy in the Information Age

Daniel Solove
Founder of TeachPrivacy

 

I am now offering the full text of my book The Digital Person:  Technology and Privacy in the Information Age (NYU Press 2004) online for FREE download.

Continue Reading

The 5 Things Every Privacy Lawyer Needs to Know about the FTC: An Interview with Chris Hoofnagle

Daniel Solove
Founder of TeachPrivacy

The Federal Trade Commission (FTC) has become the leading federal agency to regulate privacy and data security. The scope of its power is vast – it covers the majority of commercial activity – and it has been enforcing these issues for decades. An FTC civil investigative demand (CID) will send shivers down the spine of even the largest of companies, as the FTC requires a 20-year period of assessments to settle the score.

Continue Reading

The Ultimate Unifying Approach to Complying with All Laws and Regulations

Daniel Solove
Founder of TeachPrivacy

Professor Woodrow Hartzog and I have just published our new article, The Ultimate Unifying Approach to Complying with All Laws and Regulations, 19 Green Bag 2d 223 (2016).  Our article took years of research and analysis, intensive writing, countless drafts, and endless laboring over every word. But we hope we achieved a monumental breakthrough in the law.  Here’s the abstract:

There are countless laws and regulations that must be complied with, and the task of figuring out what to do to satisfy all of them seems nearly impossible. In this article, Professors Daniel Solove and Woodrow Hartzog develop a unified approach to doing so. This approach (patent pending) was developed over the course of several decades of extensive analysis of every relevant law and regulation.

Continue Reading

Teaching Information Privacy Law

Daniel Solove
Founder of TeachPrivacy

I originally posted a version of this post more than 10 years ago, in 2005.  I think it is important to re-post it, with a few updates.

I strongly recommend teaching information privacy law in law schools.  I have authored several textbooks in the field, and I know that this might seem like a self-plug.  But I really am a big believer that all law schools should have not just one course on information privacy law, but several — no matter what textbooks are used!

Information privacy law remains a fairly new field, and it has yet to take hold as a course taught consistently in most law schools.  Last year, I wrote a post complaining about the fact that only about 25% of law schools have a course on privacy law. I’m hoping to change all that.

So if you’re an academic interested in exploring issues involving information technology, criminal procedure, or free speech, you should consider adding information privacy law to your course package.  If you’re a practitioner, consider teaching an information privacy law course as an adjunct.

Here are some reasons to teach the course:

Continue Reading

The Scope and Potential of FTC Data Protection

Daniel Solove
Founder of TeachPrivacy

I am pleased to announce the publication of my article, The Scope and Potential of FTC Data Protection, 83 George Washington Law Review 2230 (2015).  I wrote the article with Professor Woodrow Hartzog.

The article addresses the scope of FTC authority in the areas of privacy and data security (which together we refer to as “data protection”).  We argue that the FTC not only has the authority to regulate data protection to the extent it has been doing, but that its granted jurisdiction can expand its reach much more. Normatively, we argue that the FTC’s current scope of data protection authority is essential to the United States data protection regime and should be fully embraced to respond to the privacy harms unaddressed by existing remedies available in tort or contract, or by various statutes. In contrast to the legal theories underlying these other claims of action, the FTC can regulate with a much different and more flexible understanding of harm than one focused on monetary or physical injury.

We contend that the FTC can and should push the development of norms a little more (though not in an extreme or aggressive way). We discuss why the FTC should act with greater transparency and more nuanced sanctioning and auditing.

The article was part of a great symposium organized by the George Washington University Law Review: The FTC at 100.

Here is a table of contents of the issue, along with links to where you can access each essay and article.

Continue Reading

Does Cybersecurity Law Work Well? An Interview with Ed McNicholas

Daniel Solove
Founder of TeachPrivacy

By Daniel J. Solove

“The US is developing a law of cybersecurity that is incoherent and unduly complex,” says Ed McNicholas, one of the foremost experts on cybersecurity law. 

McNicholas is a partner at Sidley Austin LLP and co-editor of the newly-published treatise, Cybersecurity: A Practical Guide to the Law of Cyber Risk (with co-editor Vivek K. Mohan).   The treatise is a superb guide to this rapidly-growing body of law, and it is nicely succinct as treatises go.  It is an extremely useful volume that I’m delighted I have on my desk.  If you practice in this field, get this book.  

Continue Reading

Social Dimensions of Privacy

Daniel Solove
Founder of TeachPrivacy

I recently received my copy of Social Dimensions of Privacy, edited by Beate Roessler & Dorota Mokrosinska.  The book was published by Cambridge University Press this summer.

I’m delighted as I look over this book.  The book has a wonderful selection of short philosophical essays on privacy, and I’m honored to be included among the terrific group of chapter authors, who include Anita Allen, Paul Schwartz, Helen Nissenbaum, Judith Wagner DeCew, Kirsty Hughes, Colin Bennett, Adam Moore, and Priscilla Regan, among many others.  Each chapter is succinct and well-chosen.

From the book blurb: “Written by a select international group of leading privacy scholars, Social Dimensions of Privacy endorses and develops an innovative approach to privacy. By debating topical privacy cases in their specific research areas, the contributors explore the new privacy-sensitive areas: legal scholars and political theorists discuss the European and American approaches to privacy regulation; sociologists explore new forms of surveillance and privacy on social network sites; and philosophers revisit feminist critiques of privacy, discuss markets in personal data, issues of privacy in health care and democratic politics. The broad interdisciplinary character of the volume will be of interest to readers from a variety of scientific disciplines who are concerned with privacy and data protection issues.”

My chapter is entitled “The Meaning and Value of Privacy.”

Here’s a full table of contents:

Continue Reading

What Is Privacy?

Daniel Solove
Founder of TeachPrivacy

By Daniel J. Solove

What is privacy? This is a central question to answer, because a conception of privacy underpins every attempt to address it and protect it.  Every court that holds that something is or isn’t privacy is basing its decision on a conception of privacy — often unstated.  Privacy laws are also based on a conception of privacy, which informs what things the laws protect.  Decisions involving privacy by design also involve a conception of privacy.  When privacy is “baked into” products and services, there must be some understanding of what is being baked in.

Far too often, conceptions of privacy are too narrow, focusing on keeping secrets or avoiding disclosure of personal data.  Privacy is much more than these things.  Overly narrow conceptions of privacy lead to courts concluding that there is no privacy violation when something doesn’t fit the narrow conception.   Narrow or incomplete conceptions of privacy lead to laws that fail to address key problems.  Privacy by design can involve throwing in a few things and calling it “privacy,” but this is like cooking a dish that requires 20 ingredients but only including 5 of them.

It is thus imperative to think through what privacy is.  If you have an overly narrow or incomplete conception of privacy, you’re not going to be able to effectively identify privacy risks or protect privacy.

In my work, I have attempted to develop a practical and useable conception of privacy.  In what follows, I will briefly describe what I have developed.

Continue Reading

5 Great Novels About Privacy and Security

Daniel Solove
Founder of TeachPrivacy

I am a lover of literature (I teach a class in law and literature), and I also love privacy and security, so I thought I’d list some of my favorite novels about privacy and security.

I’m also trying to compile a more comprehensive list of literary works about privacy and security, and I welcome your suggestions.

Continue Reading

Does Scholarship Really Have an Impact? The Article that Revolutionized Privacy Law

Daniel Solove
Founder of TeachPrivacy

By Daniel J. Solove

Does scholarship really have an impact? For a long time, naysayers have attacked scholarship, especially scholarship about law. U.S. Supreme Court Chief Justice Roberts once remarked: “Pick up a copy of any law review that you see, and the first article is likely to be, you know, the influence of Immanuel Kant on evidentiary approaches in 18th Century Bulgaria, or something.” He noted that when the academy addresses legal issues at “a particularly abstract, philosophical level . . . they shouldn’t expect that it would be of any particular help or even interest to the members of the practice of the bar or judges.” Judge Harry Edwards also has attacked legal scholarship as largely irrelevant.

Continue Reading

Notable Privacy and Security Books in 2014

Daniel Solove
Founder of TeachPrivacy

by Daniel J. Solove

There were quite a number of books published about privacy and security issues last year, and I would like to highlight a few notable ones. A few books came out in late 2014 and have an early 2015 publication date. I’m including them here. The books are in no particular order.

Continue Reading

Should the FTC Be Regulating Privacy and Data Security?

Daniel Solove
Founder of TeachPrivacy

by Daniel J. Solove

This post was co-authored with Professor Woodrow Hartzog.

This past Tuesday the Federal Trade Commission (FTC) filed a complaint against AT&T for allegedly throttling the Internet of its customers even though they paid for unlimited data plans. This complaint was surprising for many, who thought the Federal Communications Commission (FCC) was the agency that handled such telecommunications issues. Is the FTC supposed to be involved here?

Continue Reading

Jennifer Lawrence’s Nude Photos and Civil Rights Law: An Interview with Danielle Citron

Daniel Solove
Founder of TeachPrivacy

“It is a sexual violation. It’s disgusting. The law needs to be changed, and we need to change.”
Jennifer Lawrence on her nude photos being non-consensually disclosed online

Fairly recently, Jennifer Lawrence’s iCloud account was hacked and her private nude photos were stolen and posted online. She was mortified.

Her case is just one of many, according to Professor Danielle Citron (University of Maryland School of Law), who very recently published a book about online harassment, Hate Crimes in Cyberspace (Harvard University Press 2014).

It is a compelling and provocative book. It is a bold book. And as the recent news stories indicate, it is a book that couldn’t be more timely and more needed. One might think that online harassment is rare. Who would write such mean and vile things? What kind of person would harass Zelda Williams, the daughter of Robin Williams, who was viciously attacked online immediately after her father’s death? Even Caligula would show more humanity.

Continue Reading

Why Do Lawsuits for Data Breaches Continue Even Though the Law Is Against Plaintiffs?

Daniel Solove
Founder of TeachPrivacy

by Daniel J. Solove

If there’s a big data breach, the class action lawyers will start nipping like a bunch of hungry crocodiles. Upwards of forty separate lawsuits were filed against Target after its data breach, and one was filed the day after the breach became public knowledge.

The law, however, has thus far been far from kind to plaintiffs in data breaches. Most courts dismiss claims for lack of harm. I have written extensively about harm in a series of posts on this blog, and I have chided courts for failing to recognize harm when they should.

Continue Reading

Follow Professor Solove on Social Media

Daniel Solove
Founder of TeachPrivacy

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:

Professor Solove’s LinkedIn Influencer blog

You can follow Professor Solove on his blog at LinkedIn, where he is a “LinkedIn Influencer.”  He blogs about various privacy and data security issues. His blog has more than 600,000 followers.

*    *    *    *

Professor Solove’s Twitter Feed

Professor Solove is active on Twitter and posts links to current privacy and data security stories and new scholarship, cases, and developments of note.

*    *    *    *

Professor Solove’s Newsletter

Sign up for our newsletter where Professor Solove provides information about his recent writings and new training programs that he has created.

*    *    *    *

Professor Solove’s LinkedIn Discussion Groups

Please join one or more of Professor Solove’s LinkedIn discussion groups, where you can follow new developments on privacy, data security, HIPAA, and education privacy issues. You can also participate in the discussion, share interesting news and articles, ask questions, or start new conversations:

* Privacy and Data Security
* HIPAA Privacy and Security
* Education Privacy and Data Security

Our Privacy and Data Security Depend Upon Contracts Between Organizations

Daniel Solove
Founder of TeachPrivacy

by Daniel J. Solove

Increasingly, companies, hospitals, schools, and other organizations are using cloud service providers (and also other third party data service providers) to store and process the personal data of their customers, patients, clients, and others. When an entity shares people’s personal data with a cloud service provider, this data is protected in large part through a contract between the organization and the cloud service provider.

In many cases, these contracts fail to contain key protections of data. For example, a study conducted by Fordham School of Law’s Center on Law and Information Policy revealed that contracts between K-12 school districts and cloud service providers lacked essential terms for the protection of student data. I blogged about this study previously here.

Continue Reading

The Future of Global Privacy: Conflict or Harmony?

Daniel Solove
Founder of TeachPrivacy

by Daniel J. Solove

I recently had the opportunity to interview Christopher Kuner, Senior Of Counsel with Wilson Sonsini Goodrich & Rosati in Brussels. He is also an Honorary Professor at the University of Copenhagen, a visiting fellow at the London School of Economics, and teaches at the University of Cambridge. He is editor-in-chief of the law journal International Data Privacy Law, and has been active in international organizations such as the Council of Europe, the OECD, and UNCITRAL. His book entitled “Transborder Data Flows and Data Privacy Law” was published in 2013 by Oxford University Press. More information is available at his personal web site.

Continue Reading

5 Key Quotes from the FTC v. Wyndham Decision on Data Security

Daniel Solove
Founder of TeachPrivacy

by Daniel J. Solove

This post was co-authored by Professor Woodrow Hartzog.

The long-awaited federal district court opinion in FTC v. Wyndham was finally released last week. The U.S. District Court for the District of New Jersey rejected Wyndham’s arguments that the FTC lacks the authority to regulate unfair data security practices, that the FTC is required to issue rules before bringing an unfair data security complaint, and that the FTC failed to provide fair notice of what constitutes an unfair data security practice.

I blogged about the case here last week.

Continue Reading

Privacy by Design with Passion and Pizazz: A Review of The Privacy Engineer’s Manifesto

Daniel Solove
Founder of TeachPrivacy

by Daniel J. Solove

I was fortunate to pick up a copy of The Privacy Engineer’s Manifesto, a new book by Michelle Finneran Dennedy, Jonathan Fox, and Thomas Finneran.

I’ve read a lot of practical “how to” stuff about privacy before that’s vague and not very specific, but this book is so refreshingly detailed, has great depth, and is concrete. It’s a real achievement, and a book that deserves attention.

Continue Reading

Why Metadata Matters: The NSA and the Future of Privacy

Daniel Solove
Founder of TeachPrivacy

 by Daniel J. Solove

Over at Slate, Dahlia Lithwick and Steve Vladeck have a great piece about why “metadata” matters. It is very much worth reading. Here are some of my thoughts on the matter.

Several National Security Agency (NSA) surveillance programs involve gathering metadata about our communications (the numbers we call or the email addresses we email). This data is distinguished from the content of the communications, which is understood to be more sensitive and important. Sometimes, metadata is referred to as “envelope” information because it is akin to an envelope we send a letter in – and the letter itself is the “content” information.

Is the envelope information really that sensitive? “Nobody is listening to your telephone calls,” President Obama declared. Intelligence agencies are “looking at phone numbers and durations of calls; they are not looking at people’s names, and they’re not looking at content.” So should we breathe easier?

The answer is no. There are several reasons why the privacy of metadata matters tremendously.

Continue Reading

Is Privacy Law Constitutional? Is Personal Data Speech?

Daniel Solove
Founder of TeachPrivacy

by Daniel J. Solove

Professor Neil M. Richards (Washington University School of Law) has posted a draft chapter of his forthcoming book about privacy law and free speech. It is a fascinating piece — very accessible and engaging. It’s called Why Data Privacy Law is (Mostly) Constitutional.

Eyebrows were raised a few years ago when the U.S. Supreme Court struck down a privacy statute in Sorrell v. IMS Health, Inc., 131 S.Ct. 2653 (2011). A Vermont statute restricted pharmacies from disclosing personal data for marketing purposes and barred pharmaceutical companies from using personal data for marketing without people’s consent. The Supreme Court held that the statute violated the First Amendment because it singled out particular content and particular speakers.

Does this mean that most privacy laws have a problem with the First Amendment right to free speech? After all, privacy laws mandate restrictions on uses and disclosures of personal data.

Continue Reading

The FTC and the New Common Law of Privacy

Daniel Solove
Founder of TeachPrivacy

by Daniel J. Solove

I recently posted a draft of my new article, The FTC and the New Common Law of Privacy (with Professor Woodrow Hartzog).

You can download it for free on SSRN.

One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies’ privacy policies through its authority to police unfair and deceptive trade practices. Despite more than fifteen years of FTC enforcement, there is no meaningful body of judicial decisions to show for it. The cases have nearly all resulted in settlement agreements. Nevertheless, companies look to these agreements to guide their privacy practices. Thus, in practice, FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States – more so than nearly any privacy statute and any common law tort.

Continue Reading

HIPAA Turns 10: Analyzing the Past, Present, and Future Impact

Daniel Solove
Founder of TeachPrivacy

by Daniel J. Solove

In the April issue of the Journal of AHIMA, I authored two short pieces about HIPAA:

HIPAA Turns 10: Analyzing the Past, Present, and Future Impact
84 Journal of AHIMA 22 (April 2013)

HIPAA Mighty and Flawed: Regulation has Wide-Reaching Impact on the Healthcare Industry
84 Journal of AHIMA 30 (April 2013)

The first piece provides an overview of HIPAA and its evolution. The second involves an analysis of HIPAA’s strengths and weaknesses. Overall, I find HIPAA to be one of the most effective privacy regulatory regimes.  HIPAA is very effective in large part because it requires privacy and security officials who have responsibility over these issues.  These officials develop policies and procedures, perform assessments, and provide HIPAA training to employees, among other things. Privacy laws are not self-executing, and enforcement agencies have limited enforcement resources. The effectiveness of the law depends upon each organization taking compliance seriously, and this starts with a governance structure, awareness training, and things that create a culture of compliance.  Many other privacy laws don’t realize this, and fail to include the robust governance components of HIPAA.

The entire issue is here. Copyright belongs to Journal of AHIMA.

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics.  

Privacy Self-Management and the Consent Dilemma

Daniel Solove
Founder of TeachPrivacy

by Daniel J. Solove

I’m pleased to share with you my new article in Harvard Law Review entitled Privacy Self-Management and the Consent Dilemma, 126 Harvard Law Review 1880 (2013). You can download it for free on SSRN. This is a short piece (24 pages) so you can read it in one sitting.

Here are some key points in the Article:

Continue Reading