Ryan Calo's blog

Wake Forest Law Review asked me to respond to an interesting privacy article by Patricia Sánchez Abril for their new online supplement, The Forum. I was happy to do it. You can find my response Read more about Privacy's Broken Windows

Is it lawful for a car to drive itself? In the absence of any law to the contrary, it should well be. A new bill is working its way through the Nevada state legislature that would remove any doubt in that state. A.B. 511 directs the Nevada Department of Transportation to authorize autonomous vehicle testing in certain geographic areas of Nevada. Should vehicles meet Nevada DOT standards, they would be permitted to "operate on a highway." The bill defines not only autonomous vehicle, but artificial intelligence as well. AI is "the use of computers and related equipment to enable a machine to duplicate or mimic the behavior of human beings." An autonomous vehicle uses "artificial intelligence, sensors, and [GPS] coordinates to drive itself." To be clear: autonomous vehicles are not yet the law of the land in Nevada. This bill must pass through two committees and receive a hearing before it can be voted on and become law. Some preliminary thoughts on the bill in its present form follow. Read more about Nevada Bill Would Pave The Road To Autonomous Cars

Requiring notice is an extraordinarily popular way to regulate. In online privacy, for instance, giving notice about their practices is among the only affirmative obligations websites face. The strategy is also one of the most heavily criticized. Not only does no one read privacy policies, skeptics rightly point out, but many believe that their mere existence guarantees certain base level protections that may or may not exist.

Should we give up on notice? My recent draft paper argues: maybe not. We should explore two possibilities, at any rate, before we do. The first is that regulators may sometimes select the wrong form of notice for the job. Today most website “terms” say that the company “may disclose data pursuant to lawful requests.” That does very little to further user understanding or action. But maybe it could work to: Read more about Against Notice Skepticsm In Privacy (And Elsewhere)

Facebook previewed a new notice strategy today. Part of the proposed change is a simpler privacy policy. Meh. I, like many, am a privacy policy skeptic. I'm skeptical of layered notice, too. I'm even skeptical of privacy policy icons, tables, and nutrition-style labels. They all run into the same problem: written text cannot simultaneously be readable and exhaustive, thorough and yet concise.

As an alternative, I argue for a concept I've been calling "visceral" privacy notice. Rather than tell people at length what your privacy practices may be, you show them what they really are. Facebook took a step in this direction today, joining Google and Yahoo! in what I hope to be an emerging best practice.
{C} Read more about Facebook's New Privacy Tools As User Notice

The intuition that privacy and innovation are somehow opposed is surprisingly common. It is true that overzealous or reactionary appeals to privacy can cut off interesting ventures. (For instance, some believe Steamtunnels would have evolved into a social network in 1999 were it not shut down by the Stanford University due to privacy and copyright concerns.) But privacy generally supports innovation, and vice versa. Read more about Privacy & Innovation: A Data Privacy Day Reflection

Over Christmas, I received a series 530 Roomba, the robotic vacuum cleaner from iRobot. It cleans the floor really well. But that is all it does. This year at the Consumer Electronics Show, iRobot revealed the prototype AVA. It is, essentially, an open robotic platform. Think of it as an iPad with a body. It has no dedicated purpose and, importantly, it has an API and will run software made by third-party developers.

Yes, apps for robots. This is a wonderful development, one that I predicted in a forthcoming essay in Maryland Law Review. As iRobot founder Colin Angle points out, "If you think of the thousands of apps out there: Which iPad apps would be more cool if they moved?" More importantly, would you not be more inclined to buy a personal robot that came with thousands of programs, with more on the way. Read more about Apps For Robots: iRobot's AVA At CES

UPDATE: The New York Times published most of the rest of my comments on Bits Blog. Thanks!

I was quoted in a cover story in today's New York Times as saying, essentially, that law enforcement was "just trying to do their job" in pushing for greater subpoena power. This particular remark was an aside, made if anything to soften the impression that I was overly critical of the government. For instance, I lamented that consumers do not understand the state of the electronic privacy law and spoke about the dangers of dragnet or otherwise excessive surveillance. (Presumably I am one of the unnamed "[e]lectronic privacy and civil rights advocates" that worries "because the WikiLeaks court order gained such widespread attention, it could have a chilling effect on people’s speech on the Internet.")

I did not mean to imply that we should not push back against government and in fact praised Google and Twitter for having done so. I did offer that the government's purpose in pushing for greater surveillance power was not to erode civil liberties for its own sake, but in order to protect Americans by detecting and punishing crimes. But the gist of my remarks was that we need more protection, not less. Some of my talking points appear below for context. Read more about The Problems Of Web Surveillance: Some Context For My Quote In The New York Times

Affiliate scholar Marvin Ammori offers eight good reasons why the United States should not prosecute Wikileaks founder Julian Assange. I mostly agree with Ammori’s analysis and write to emphasize one point: an Assange trial, regardless of outcome, would help the government gloss over one of the worst security breaches in modern history. And the First Amendment could supply this distraction’s brightest fireworks.

Read more about Wikileaks As Security Breach

The website Wikileaks recently published hundreds of thousands of confidential State Department cables. These communications apparently reveal the details of conversations with, and personal impressions and assessments of, foreign leaders and diplomats. Many fear that the leak will undermine international relations in profound and unknowable ways. One of the unintended consequence of the leak, however, may be to strengthen the case for a national consumer privacy law. Read more about Wikileaks: Lessons For Consumer Privacy

UPDATE: As told to Jules Polonetsky over at The Future of Privacy Forum, Capital One was engaging in "totally random" rate changes that were not related to browser type. On the other hand, according to the Wall Street Journal, Capital One was at one point using [x+1] data to calibrate what credit card offers to show.

The other day, I suggested that the facts of the Clementi suicide may perfectly illustrate why no actual transfer of information is necessary for someone to suffer a severe subjective privacy harm. (Thanks to TechDirt and PogoWasRight for the write ups.)

Just now I learned about an allegation against Capital One that the company offered someone a different lending rate on the basis of what browser he used (Chrome vs. Firefox). A similar allegation was made against Amazon, which apparently used cookies for a time to calibrate the price of DVDs.

Here you have a clear objective privacy harm: your information (browser type) is being used adversely in a tangible and unexpected way. It matters not at all whether a human being sees the information or whether a company knows "who you are." Neither personally identifying information, nor the revelation of information to a person, is necessary for there to be a privacy harm. Read more about Browser Snobbery As Objective Privacy Harm (UPDATE)

Ann Bartow once criticized Daniel Solove for not providing enough “dead bodies” in his discussion of privacy. I tend to disagree that such proof is necessary. But privacy has seen a dead body recently—that of Rutgers University student Tyler Clementi.

The narrative around Clementi’s tragic suicide continues to shift. The press originally reported that Clementi killed himself after his roommate invited the entire campus to view footage of Clementi having sex with another man. The Associated Press is now reporting that, according to the roommate’s defense attorney, no one but he and his friend ever saw the video.

The question of whether the defendants recorded or broadcast the web cam is highly relevant to whether there has been a privacy violation. Yet it is hardly relevant at all to the question of whether there has been a privacy harm. Read more about Clementi And The Nature Of Privacy Harm

I don’t know that generativity is a theory, strictly speaking. It’s more of a quality. (Specifically, five qualities.) The attendant theory, as I read it, is that technology exhibits these particular, highly desirable qualities as a function of specific incentives. These incentives are themselves susceptible to various forces—including, it turns out, consumer demand and citizen fear.

The law is in a position to influence this dynamic. Thus, for instance, Comcast might have a business incentive to slow down peer-to-peer traffic and only refrain due to FCC policy. Or, as Barbara van Schewick demonstrates inter alia in Internet Architecture and Innovation, a potential investor may lack the incentive to fund a start up if there is a risk that the product will be blocked.

Similarly, online platforms like Facebook or Yahoo! might not facilitate communication to the same degree in the absence of Section 230 immunity for fear that they will be held responsible for the thousand flowers they let bloom. I agree with Eric Goldman’s recent essay in this regard: it is no coincidence that the big Internet players generally hail from these United States. Read more about Will Robots Be 'Generative'?

Prohibition wasn’t working. President Hoover assembled the Wickersham Commission to investigate why. The Commission concluded that despite an historic enforcement effort—including the police abuses that made the Wickersham Commission famous—the government could not stop everyone from drinking. Many people, especially in certain city neighborhoods, simply would not comply. The Commission did not recommend repeal at this time, but by 1931 it was just around the corner.

Five years later an American doctor working in a chemical plant made a startling discovery. Several workers began complaining that alcohol was making them sick, causing most to stop drinking it entirely—“involuntary abstainers,” as the doctor, E.E. Williams, later put it. It turns out they were in contact with a chemical called disulfiram used in the production of rubber. Disulfiram is well-tolerated and water-soluble. Today, it is marketed as the popular anti-alcoholism drug Antabuse.

Were disulfiram discovered just a few years earlier, would federal law enforcement have dumped it into key parts of the Chicago or Los Angeles water supply to stamp out drinking for good? Probably not. It simply would not have occurred to them. No one was regulating by architecture then. To dramatize this point: when New York City decided twenty years later to end a string of garbage can thefts by bolting the cans to the sidewalk, the decision made the front page of the New York Times. The headline read: “City Bolts Trash Baskets To Walks To End Long Wave Of Thefts.”

In an important but less discussed chapter in The Future of the Internet, Jonathan Zittrain explores our growing taste and capacity for “perfect enforcement."

Readers are likely familiar with the cyberlaw mantra that “code is law.” What’s striking is that since Lawrence Lessig published Code in 1999, relatively little has been written about the dangers of regulation by architecture, particularly outside of the context of intellectual property. Many legal scholars—Neil Katyal, Elizabeth Joh, Edward Cheng—have instead argued for more regulation by architecture on the basis that it is less discriminatory or more effective. Read more about (Im)Perfect Enforcement

My new paper explores what is unique about privacy harm. How does privacy harm differ from other injury? And what do we gain by defining its boundaries and core properties? You can download the paper here; abstract after the jump. Your thoughts warmly welcome. Read more about The Boundaries of Privacy Harm

ACM Computers Freedom Privacy is in its 20th year. This year was exciting to me in that robots entered the mix. My panel on the topic featured forecaster and essayist Paul Saffo, EFF's Brad Templeton, philosopher Patrick Lin, and was moderated by Wired's Gary Wolf. You can find a video recording of our panel here. I also spoke to the Dr. Katherine Albrecht Radio Show, which was broadcasting live from the conference. Click here to listen.

Read more about Computers Freedom Privacy... And Robotics