Protecting Privacy in an AI Era

Daniel Solove argues in the Wall Street Journal (alternate link) that giving people control of their personal data is not an effective way to regulate privacy in this era. Instead, we need to hold companies accountable for their actions, similar to what we do with food and drug companies. Measures such as rigorous data minimization, fiduciary duties, liability for negligent or reckless technological design, liability for algorithms that cause harm, and multi-stakeholder review of technologies will be far more effective.

Paper.

Posted on July 16, 2026 at 10:34 AM5 Comments

Comments

Tris Simondsen July 16, 2026 1:17 PM

Solove is entirely correct that the “user control” paradigm is dead. But shifting to “corporate accountability” and “algorithmic liability” introduces a massive verification problem: How do you formally audit the inferences of an autonomous AI?

In classical software, data minimization is a database problem; you simply restrict the fields you collect. In AI, this approach fails. A model can infer latent, highly sensitive attributes from seemingly innocuous observations. You cannot regulate this effectively at the point of collection; you must regulate the epistemic boundary of the agent itself.

If we are to enforce “rigorous data minimization” in an AI era, we need a mathematical architecture for zero-trust inference – the Principle of Epistemic Sovereignty (PES):

https://trissimondsen.wordpress.com/2026/07/16/the-principle-of-epistemic-sovereignty-formalizing-the-zero-trust-boundary-in-ai/

PES treats data minimization not as a policy preference, but as a strict measure-theoretic constraint. It requires that an agent’s posterior inferences depend only on a strictly authorized, F-measurable information interface. If an algorithm’s output relies on “outside-F” dependencies—smuggling in latent, unobservable completions to make its inferences, it violates the Non-Circularity Principle (NCP).

Under this framework, a structural breach of the epistemic boundary isn’t a vague “negligent design” issue; it is a mathematically provable violation of the agent’s authorized interface.

If we want Solove’s vision of algorithmic liability to survive contact with frontier AI, we must move past legal definitions of privacy and establish verifiable, F-measurable boundaries on what a system is mathematically licensed to “know.”

Rontea July 16, 2026 2:19 PM

The modern man, crowned with algorithms and burdened with illusions of control! He believes that by clicking ‘I agree,’ he becomes the sovereign of his own privacy. Yet, in truth, he is a pilgrim wandering through a bazaar of mirrors, where merchants of data weigh his soul in megabytes and sell it by the fragment. Our age, enamored with artificial intelligence, forgets that the intelligence of the human heart is fragile and easily betrayed. The law that trembles before profit is like a priest that blesses the thief. Until companies are made to feel the sting of consequence, our liberty will remain a shadow on the wall of their server rooms.

lurker July 16, 2026 2:24 PM

from the Paper

One example is the right to delete, which allows individuals to ask businesses to erase data they have collected on them. Long part of the data-protection law of the EU, right-to-delete was considered un-American and a nonstarter in the U.S. Now, it is in every state consumer-privacy law, and it isn’t controversial at all.

But they used to say when it’s on the ‘net, it’s there forever. There was even a meme from waay back said

Real men don’t do backups. They just tar-zip it in 1GB chunks, label it donkey-pr0n-nnn, and put it up on anonymous ftp. When they need it a quick search will find it …

Leave a comment

Blog moderation policy

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.