Now is the time to get smart about privacy and technology, because your government regulators are smart and savvy in those areas.
No, that’s not a misprint. Though government regulators are often far behind on the technology curve, real experts have taken over at several important agencies that regulate conduct on the Internet.
Take Ashkan Soltani, who took over in late 2014 as Chief Technologist for the Federal Trade Commission. Just by hiring a chief technologist, the FTC showed awareness of the need for deep computer expertise to effectively regulate privacy and commercial practices on the Internet. And by hiring Soltani, one of the sharpest computer privacy experts in country, the FTC showed it was serious.
Soltani was one of a handful of computer experts who have been at the forefront of studying privacy on the Internet. Along with his former colleagues at Berkeley, and like-minded researchers, especially at Stanford and Carnegie-Mellon universities, Soltani has identified and publicized many previously unknown ways in which the Internet allows personal information to be collected, used and commercialized.
Soltani and his colleagues haven’t just quietly studied Internet privacy. They’ve been active and savvy in getting the word out on their studies.
To take one example, a few years back, most website operators thought they had satisfied their disclosure obligations if they told their users that they honored users’ instructions with respect to HTTP “cookies” (datasets that identify previous browsing activity). But in an important research report in 2009, Soltani and colleagues reported that even when users deleted HTTP cookies, in an attempt to shield knowledge of their previous browsing activity, some websites, by activating Flash cookies (often tied to web video files) would automatically regenerate those HTTP cookies – a generally unintended result, but one that cast doubt on the company’s privacy promises. Soltani followed this up with reports on other pervasive tracking technologies.
Soltani and his colleagues and co-authors, many of whom, like him, are motivated by their need for more privacy protection, focused their research on exposing technologies (like Flash cookies) that collected or revealed information that consumers thought was private. Many of their research projects became the foundation of class action lawsuits against companies that made privacy promises in ignorance of these technologies.
And it wasn’t a coincidence that Soltani’s research was used in class action cases. He served as technology adviser to the Wall Street Journal for its widely read “What They Know” series that has brought many Internet privacy issues to widespread attention, beginning in 2010. In several instances, a flurry of class action suits followed within days of the Journal’s Soltani-supported articles.
Soltani isn’t the only technology whiz to join the government from the Berkeley-Stanford-Carnegie-Mellon research triad. The Federal Communications Commission recently announced that it was hiring Jonathan Mayer, another member of the group, to act as its Chief Technologist. Like Soltani, his research has focused specifically on web-tracking technologies. And as with Soltani, Mayer’s research has led to major privacy cases, including an FTC consent decree against Google, concerning its use of tracking code on the Safari browser. While privacy isn’t an FCC focus, Mayer’s work on net neutrality could significantly affect many businesses.
Some business people may think that they don’t have to worry much about the FTC, a slimly staffed agency that has the impossible mission of policing “unfair or deceptive acts or practices” all over our huge country. But the FTC has been very active in the Internet privacy area, and its results, usually in the form of consent decrees, are reshaping how business is done on the Internet.
As two privacy experts have pointed out in a law review article titled “The FTC and the New Common Law of Privacy,” the FTC has become the primary regulator of privacy on the Internet, and its large and growing body of consent decrees have an effect far beyond the companies that are directly bound (which, moreover, includes such Internet giants as Google, Microsoft, Facebook, and Linkedin). The authors assert that contrary to the general belief that the United States has weak privacy regulation compared to Europe, that view is “becoming outdated as FTC privacy jurisdiction develops and thickens.”
They expect the FTC, building on the foundation of its many consent orders, to “push more toward focusing on consumer expectations than on broken promises, move beyond the four corners of privacy policies into design elements and other facets of a company’s relationship with consumers, and develop and establish even more substantive standards.”
Interestingly, the chief technologist positions seem to turn over frequently. The FTC announced in December that Lorrie Cranor will replace Soltani in January 2016. She has directed the CyLab Privacy and Policy Laboratory at Carnegie Mellon University and, like Soltani, has been in the forefront of Internet privacy research.
Where do you go if you want to stay ahead of Soltani, Mayer and Cranor?
That may not be easy to do, but companies that are active on the Internet and their lawyers should at least actively survey and stay abreast of the technical literature, including the reports still being generated by Soltani, Mayer and Cranor’s former colleagues. Lawyers should craft Internet privacy policies and practices with references not only to their clients’ good intentions, but also to the specific technologies deployed, and the research on how they actually work.
Finally, an upcoming book by a technologically sophisticated lawyer promises to give Internet businesses some guidance on FTC regulation of privacy on the Internet. The author? Christopher Hoofnagle, of Berkeley, one of Soltani’s former co-authors and colleagues.
While he was at the FTC, Soltani’s personal website contained a simple notice and the graphic of a “Gone Fishing” sign. Unless you want to be one of the fish that he catches, you should get smart about privacy and technology.
Mark Sableman is a partner in Thompson Coburn’s Intellectual Property group. He is the editorial director of Internet Law Twists & Turns. You can find Mark on Google+ and Twitter, and reach him at (314) 552-6103 or firstname.lastname@example.org.