The Problems with Managing Privacy by Asking and Giving Consent
New paper from the Harvard Law Review by Daniel Solove: “Privacy Self-Management and the Consent Dilemma“:
Privacy self-management takes refuge in consent. It attempts to be neutral about substance—whether certain forms of collecting, using, or disclosing personal data are good or bad—and instead focuses on whether people consent to various privacy practices. Consent legitimizes nearly any form of collection, use, or disclosure of personal data. Although privacy self-management is certainly a laudable and necessary component of any regulatory regime, I contend that it is being tasked with doing work beyond its capabilities. Privacy self-management does not provide people with meaningful control over their data. First, empirical and social science research demonstrates that there are severe cognitive problems that undermine privacy self-management. These cognitive problems impair individuals’ ability to make informed, rational choices about the costs and benefits of consenting to the collection, use, and disclosure of their personal data.
Second, and more troubling, even well-informed and rational individuals cannot appropriately self-manage their privacy due to several structural problems. There are too many entities collecting and using personal data to make it feasible for people to manage their privacy separately with each entity. Moreover, many privacy harms are the result of an aggregation of pieces of data over a period of time by different entities. It is virtually impossible for people to weigh the costs and benefits of revealing information or permitting its use or transfer without an understanding of the potential downstream uses, further limiting the effectiveness of the privacy self-management framework.
name.withhed.for.obvious.reasons • June 3, 2013 6:55 AM
I bring this up here as the legal underpinnings relate to discovery during a proceeding or grand juror investigation. This story is fiction, it is useful as an instrument to inform potential parties to a fictional lawsuit.
An interesting exercise would be a lawsuit, the premise of the case is to determine criminal and civil issues related to an online behavioral scheme to automate misrepresentation of identities using information acquired from a private data company. This data includes real names and related PID info.
Summary of the case against the defendant:
The defendant in this case has developed an application that plies on the edges of the behavioral models of google, bing, and yahoo and their third party data partners. The malware written by the defendant, hidden in a UEFI hook, provides for an invisible persistent Trojan. The Trojan has been instructed (and mapped) to the actual person related to the information stolen from a hacking incident six months ago…in other words a level of authenticity is given to the behavior that is exiting the infected host. This proves wildly successful–for the hacker–and are large number of marketing and advertising in the on-line market start failing–failing fast.
Here where it is fun…discovery
The judge orders that all the data related to the monitoring of internet data, activity, accounts, e-mail, etc. The prosecutor is asking the judge for the information so that the people can determine the extent and scope of the original crime and to determine what has changed between the period prior to the hack attack and the resulting cyber crime. Companies have been destroyed, google has lost 50% of its value, and the trust on the net reaches an all time low. After about two weeks in executing the discovery, the prosecution realizes that could take up to one year just to identify and acquire the data related to the ascribed event…oh, and some of that data is classified–aggregated data is also held by newly anointed “National Security Corporate Military Services Complex”