Privacy Bar Camp DC

Image based on Three Poppies by Federico Ferrari.

by Aaron Titus

In late June, 2009 I attended the Privacy Bar Camp DC (Twitter: @PrivacyCampDC) organized by Shaun Dakin with support from the Center for Democracy and Technology, and conducted at the Center for American Progress. I confess that I attended primarily to aid my job search (psst… that was a shameless, self-promoting plug), but ended up having a great time. Bar camps have an ingenious format which promotes a high degree of participation, interaction, and brainstorming. They have nothing to do with a state legal bar, nor camping. And the genius is, they don’t have an agenda.

About 50 people showed up Saturday morning, and after a brief round of introductions, everyone interested in leading a discussion pitched their ideas to the group. Then each discussion was placed on a grid schedule with four rooms, each with four sessions. The “camp” ran all day, and each attendee chose which combination of the 16 sessions they wanted to attend. Each session was highly interactive, spontaneous, and collaborative.  The topics ranged from Government and Web 2.0 to “Empowering Big Brother,” to Open ID, to lock-picking (my personal favorite). Thomas “cmdln” Gideon and I hosted a session on “Personal Information as Property and the Platform for Privacy Preferences (P3P).” During the discussion, the concept of “Privacy Commons” came up, and several of the session participants agreed to work on the idea.

Privacy Commons

We soon had a group interested in developing the idea, and have been working on it since. Modeled in the spirit of Creative Commons, Privacy Commons (PC) aims to help individuals and organizations clarify privacy expectations, practices, rights, and mutual responsibilities by providing a series of comprehensive model privacy policies.

I admire what the Creative Commons movement has done for copyright. With its easy-to-understand concepts and clear iconography, Creative Commons is successful because it embodies commonly held cultural notions of intellectual property and copyright, which are otherwise absent from the law itself. Creative Commons fills the gap between what the law is, and what many think the law should be. Likewise, Privacy Commons will be successful only when it can identify, articulate, and empower under-served cultural expectations of privacy with easy-to-understand concepts and clear messages.

The Need for Complete, Informative, and Enforceable Privacy Policies

Privacy policies in the United States suffer from several deficiencies. First, they are often unsophisticated and incomplete. They often fail to protect an appropriate scope of information or individuals. Second, many privacy policies waive, rather than confer, privacy rights. But most importantly, courts have consistently interpreted privacy policies as unbinding notices, rather than contracts. In other words, privacy policies are unenforceable, and a victim of a privacy policy breach usually has no enforceable rights. As a result, privacy policies can have the unfair effect of creating an expectation of confidentiality, privacy, special technological protections, or even fiduciary responsibility even where there is none.

Protecting Personal Information via Contract vs. Intellectual Property

Intellectual property (IP) law is not an appropriate legal framework to protect personal information because nobody owns personal information. Personal information are facts, which are not copyrightable. Unless a person is famous, a name or SSN can’t be trademarked. An address probably does not qualify for trade secret protection, and a date of birth is certainly not patentable. Even if some sort of property right accrued to personal information, it would most logically belong to the originators of the information. For example, parents would logically “own” a child’s name and date of birth, since they created them. The government creates social security numbers, and the credit card companies create credit card numbers. The post office creates addresses, and the phone company creates phone numbers. Even third parties create gossip (beneficial or harmful), and it would be difficult to draw a line distinguishing a person’s ownership interest in gossip or other third-party-created personal information.

In contrast to Creative Commons (which operates under IP licensing law), Privacy Commons is structured around principles of contract, where two parties can bind themselves to mutual obligations through offer and acceptance. Each model privacy policy would exist between a Data Steward (Steward), and a Data Subject (Subject). A PC Policy may be converted into a contract when the Steward and Subject formalize the policy through contract principles of offer, acceptance, and consideration.

What do you think?

There is an ad-hoc working group and a Privacy Commons Wiki, which is starting work on the project, and has already published a few articles on mission, scope, and approach. The wiki is closed (to prevent spam), but logins are liberally granted with a simple e-mail. I, for one, find the project pretty exciting.

About the Author Guest Blogger

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Don't know where to start?

Check out Security Catalyst Office Hours to meet your peers and celebrate the good, help each other, and figure out your best next step. We meet each Friday… and it’s free to attend.