Privacy Research Group

The Privacy Research Group is a weekly meeting of students, professors, and industry professionals who are passionate about exploring, protecting, and understanding privacy in the digital age.


Joining PRG:

Because we deal with early-stage work in progress, attendance at meetings of the Privacy Research Group is generally limited to researchers and students who can commit to ongoing participation in the group. To discuss joining the group, please contact Professor Helen Nissenbaum or Professor Katherine Strandburg. If you are interested in these topics, but cannot commit to ongoing participation in PRG, you may wish to join the PRG-All mailing list.

PRG Calendar

Spring 2015

April 29: Sofia Grafanaki - Autonomy Challenges in the Age of Big Data
                 David Krone - Compliance, Privacy and Cyber Security Information Sharing
                 Edwin Mok - Trial and Error: The Privacy Dimensions of Clinical Trial Data Sharing
                 Dan Rudofsky - Modern State Action Doctrine in the Age of Big Data

April 22: Helen Nissenbaum - Respect for Context' as a Benchmark for Privacy: What it is and Isn't
April 15: Joris van Hoboken - From Collection to Use Regulation? A Comparative Perspective
ABSTRACT: In the debates about data privacy for the 21st century, we increasingly hear the argument hat regulation should focus on the use of data instead of its initial collection. The argument for this shift tends to be pragmatic: the collection of personal data has become the normal state of affairs to such an extent that focusing the regulation of personal data driven processes through limiting the collection of data (input) is no longer feasible and desirable. Instead, regulation should focus on issues related to the actual use (output). This paper will look at this position from a comparative perspective. It will first explore the different positions that have been expressed in the relevant literature, look at the position of data (collection) minimization and purpose limitation in the US and European regulatory systems and analyze them in comparative perspective, focusing on the different rationales underlying the regulation of ‘collection’ on the one hand, and ‘use’ on the other hand.
April 8: Bilyana Petkova
 - Privacy and Federated Law-Making in the EU and the US: Defying the Status Quo?
ABSTRACT: The federated nature of lawmaking in both the United States and the European Union is seen to deliver sub-optimal results. In particular, in the US there are concerns for the increased fragmentation of American data privacy law and the lack of relevant federal consolidation, whereas in the EU the proposed General Data Protection Regulation and overall data protection regime generated opposition regarding the over-centralization of powers to the European institutions. My argument is that the autonomy of state institutions and regulatory experimentation on the state level can defy the status quo, be that of too little or too much privacy consolidation. I look into the role of Member States’ parliaments and highest courts in the EU and of state attorneys general in the US. Arguably, regulatory experimentation with higher data privacy standards in individual states like Germany or California has the potential of generating a dynamic of horizontal adaptation among jurisdictions and industry players that the federal or EU tier can capitalize on to level up privacy protection.
April 1: Paula Kift — Metadata: An Ontological and Normative Analysis

ABSTRACT: When the legality of the bulk telephony metadata program was challenged, the NSA countered that it was not collecting the content but only the metadata of communications. The aim of this paper is to discover where the distinction between metadata and content data came from and whether this distinction still makes sense today. The first part of the paper relies on Klayman v. Obama and ACLU v. Clapper to look at the various dichotomies the courts have used to define metadata over time: content vs. non-content information, sensitive vs. non-sensitive information and private records vs. business records held by third parties. The second part of the paper engages in a normative analysis of the bulk telephony metadata program based on the framework of contextual integrity. The paper finds that the bulk telephony metadata program violates entrenched informational norms.

March 25: Alex Lipton — Privacy Protections for the Secondary User of Consumer-Watching Technologies

ABSTRACT: Consumer products increasingly record user data without regard to whether the recorded individual is the primary user—the purchaser of the product—or the secondary user—an individual who uses the product but is not the purchaser. This distinction proves especially significant when considering the product's privacy policy, which purports to establish user consent to expansive data use practices, and statutory protections governing the recording of user data, many of which include exceptions based on user consent. This Note examines one private regime for protecting consumer privacy—privacy policies—and several public regimes—including state wiretap laws, the Electronic Communications Privacy Act, and the Children's Online Privacy Protection Act—to illustrate how legal protections differ for primary and secondary users of consumer-watching technologies. I conclude by suggesting a framework for designing privacy protections for the secondary user of consumer-watching technologies.

March 11: Rebecca Weinstein (Cancelled
March 4: Karen Levy & Alice Marwick — Unequal Harms: Socioeconomic Status, Race, and Gender in Privacy Research

ABSTRACT: (NOTE: this is a nascent idea and we're envisioning PRG as primarily a time for discussion of these issues, rather than a research presentation. We'll do a short presentation and then open it up to the group.) While privacy and surveillance affect different populations in disparate ways  (Gilman 2012), they are often treated as a monolithic concept by privacy researchers.

February 25 : Luke Stark — NannyScam: The Normalization of Consumer-as-Surveillorm

ABSTRACT: With the proliferation of surveillance technologies in the developed world over the past decade, norms of surveillance are appearing in novel forms and new ways across the terrain of everyday life. While there has been much academic scrutiny of certain aspects of this trend, such as surveillance in the workplace, the collection and analysis of consumer data through loyalty cards and other mechanisms, and location tracking through mobile digital devices, this paper explores an under-studied facet of quotidian surveillance: the construction of a new subject position, that of the consumer not just as surveilled but as also as surveillor.

February 18: Brian Choi // A Prospect Theory of Privacy

ABSTRACT: Privacy law differs from other information law doctrines in that it is guided almost exclusively by moral intuition. What qualifies as a “violation” of privacy turns in large part on the moral reprehensibility of the act in question. By stark contrast, the intellectual property regimes are led primarily by economic considerations, and only secondarily by non-economic factors.
February 11: Aimee Thomson — Cellular Dragnet: Active Cell Site Simulators and the Fourth Amendment

ABSTRACT: This Paper examines government use of active cell site simulators (ACSSs) and concludes that ACSS operations constitute a Fourth Amendment search. An ACSS known colloquially as a stingray, triggerfish, or dirtbox mimics a cell phone tower, forcing nearby cell phones to register with the device and divulge identifying and location information.
February 4: Ira Rubinstein — Anonymity and Risk

ABSTRACT: The possibility of re-identifying anonymized data sets has sparked one of the most lively and important debates in privacy law. The credibility of anonymization, which anchors much of privacy law, is now open to attack. Critics of anonymization argue that almost any data set is vulnerable to a re-identification attack given the inevitability of related data becoming publicly available over time.
January 28: Scott Skinner-Thomson — Outing Privacy

ABSTRACT:The government regularly outs information concerning people’s sexuality, gender identity, and HIV-status.  Notwithstanding the implications of such outings, the Supreme Court has yet to answer whether the Constitution contains a right to informational privacy—a right to limit the government’s ability to collect and disseminate personal information.

Fall 2014

December 3: Katherine Strandburg — Discussion of Privacy News [which can include recent court decisions, new technologies or significant industry practices]

November 19: Alice Marwick — Scandal or Sex Crime? Ethical and Privacy Implications of the Celebrity Nude Photo Leaks

November 12: Elana Zeide — Student Data and Educational Ideals: examining the current student privacy landscape and how emerging information practice and reforms implicate long-standing social and legal traditions surrounding education in America. The Proverbial Permanent Record [PDF]

November 5: Seda Guerses — Let's first get things done! On division of labor and practices of delegation in times of mediated politics and politicized technologies

ABSTRACT: During particular historical junctures, characterized by crisis, deepening exploitation and popular revolt, referred to here as “sneaky moments”, hegemonic hierarchies are simultaneously challenged and reinvented, and in case of the latter in due course subtly reproduced. The current divide between those engaged in politics of technology and those participating in struggles of social justice requires reflection in this context.
October 29:
Luke Stark — Discussion on whether “notice” can continue to play a viable role in protecting privacy in mediated communications and transactions given the increasing complexity of the data ecology and economy.

Kristen Martin — Transaction costs, privacy, and trust: The laudable goals and ultimate failure of notice and choice to respect privacy online
 Ryan Calo — Against Notice Skepticism in Privacy (and Elsewhere)
 Lorrie Faith Cranor — Necessary but Not Sufficient: Standardized Mechanisms for Privacy Notice and Choice.
 October 22: Matthew Callahan — Warrant Canaries and Law Enforcement Responses. 
As background, he recommends reading, "Twitter's First Amendment Suit & the Warrant Canary Question" by Brett Max Kaufman in the Just Security blog.
 October 15: Karen Levy — Networked Resistance to Electronic Surveillance. 
October 8: Joris van Hoboken —  The Right to be Forgotten Judgement in Europe: Taking Stock and Looking Ahead
 October 1: Giancarlo Lee — Automatic Anonymization of Medical Documents.
 September 24: Christopher Sprigman — MSFT "Extraterritorial Warrants" Issue 
September 17: Sebastian Zimmeck — Privee: An Architecture for Automatically Analyzing Web Privacy Policies [with Steven M. Bellovin].
 September 10: Organizational meeting.


Spring 2014

April 30: Seda Guerses — "Privacy is Security is a prerequisite for Privacy is not Security is a delegation relationship"

ABSTRACT: Since the end of the 60s, computer scientists have engaged in research on privacy and information systems. Over the years, this research has led to a whole palette of “privacy solutions.” These solutions originate from diverse sub-fields of computer science, e.g., security engineering, databases, software engineering, HCI, and artificial intelligence.
April 23: Milbank Tweed Forum Speaker — Brad Smith: "The Future of Privacy".

April 16: Solon Barocas — "How Data Mining Discriminates" - a collaborative project with Andrew Selbst, 2012-13 ILI Fellow

ABSTRACT: This presentation considers recent computer science scholarship on non-discriminatory data mining that has demonstrated—unwittingly, in some cases—the inherent limits of the notion of procedural fairness that grounds anti-discrimination law and the impossibility of avoiding a normative position on the fairness of specific outcomes.
April 9: Florencia Marotta-Wurgler — "The Anatomy of Privacy" - initial findings from her empirical study on privacy policies
April 2: Elana Zeide— "Student Privacy in Context: Intuition, Ignorance and Trust"
March 26: Heather Patterson — "When Health Information Goes Rogue: Privacy and Ethical Implications of Decentextualized Information Flows from Consumer Mobile Fitness Devices to Clinician, Insurers, and Employers"
ABSTRACT: The rapid proliferation of health apps, digital sensors, and other participatory personal data collection devices points to an increasingly personalized future of health care, whereby individuals will track their own physiological and behavioral biomarkers in near real time and receive tailored feedback from an expanding team of commercial entities, social networks, and clinical care providers.
March 12: Scott Bulua & Amanda Levendowski — Challenges in Combatting Revenge Porn

ABSTRACT: Revenge porn - sexually explicit images that are publicly shared online, without the consent of the pictured individual - has become the a hot button issue for journalists and academics, lawyers and activists.
For further reading, here are two publications by Amanda Levendowski:
 Using Copyright to Combat Revenge Porn, 3 N.Y.U. J. Intell. Prop. & Ent. L.
Our Best Weapon Against Revenge Porn: Copyright Law?, The Atlantic (Feb. 4, 2014)

March 5: Claudia Diaz — "In PETs we trust: tensions between Privacy Enhancing Technologies and information privacy law"
The presentation is drawn from a paper, "Hero or Villain: The Data Controller in Privacy Law and Technologies” with Seda Guerses and Omer Tene.

February 26: Doc Searls: "Privacy and Business"

ABSTRACT: Thoughtful conversations around privacy (such as ours) have tend come mostly from legal, policy, social and ethical angles. When business comes up, it is often cast in the role of culprit. Today's online advertising business, for example, rationalizes surveillance, dismisses privacy concerns and opposes legislation and regulation protecting privacy. So, in today's privacy climate, one might ask, Can privacy be good for business? and, Can business be good for privacy? Doc Searls' answer to both questions is yes. Through ProjectVRM at Harvard's Berkman Center, Doc has been fostering developments that empower individuals as independent actors in the marketplace since 2006. The Intention Economy: When Customers Take Charge (Harvard Business Review Press, 2012) summarized that work and where it was headed at that time. Today there are more than a hundred VRM (vendor relationship management) developers, many of which are working specifically on protecting personal privacy and establishing its worth in the marketplace. Doc will report that work, its background, where it is currently headed—and the growing role of privacy as both a market demand and a design goal.

February 19: Report from the Obfuscation Symposium, including brief tool demos and individual impressions

February 12: Ira Rubinstein: "The Ethics of Cryptanalysis — Code Breaking, Exploitation, Subversion and Hacking"

ABSTRACT: When it comes to the First Amendment, commerciality does, and should, matter. Building on the work of Meir Dan-Cohen and others, this article develops the view that the key distinguishing characteristic of commercial or corporate speech is that the interest at stake is “derivative,” in the sense that we care about the speech interest for reasons other than caring about the rights of the entity directly asserting a claim under the First Amendment.
February 5: Felix Wu — "The Commercial Difference" which grows out of a piece just published in the Chicago Forum called The Constitutionality of Consumer Privacy Regulation
January 29: Organizational meeting

Fall 2013

December 4: Akiva Miller — Are access and correction tools, opt-out buttons, and privacy dashboards the right solutions to consumer data privacy?" & Malte Ziewitz: "What does transparency conceal?".
November 20: Nathan Newman — "Can Government Mandate Union Access to Employer Property? On Corporate Control of Information Flows in the Workplace"

ABSTRACT: A basic question of labor law over the years has been how government can intervene to ensure that workers receive information needed to exercise their rights? A contrary concern has been what rights do property owners have under the 1st, 4th, 5th amendments and under federal labor law to restrict that information flow, both in their own interest and in interests claimed on behalf of their employees?

November 6: Karen Levy — "Beating the Box: Digital Enforcement and Resistance"

ABSTRACT: I’ll be presenting some research from my dissertation, which (broadly) explores digital enforcement strategies – the use of technologies in place or in support of traditional human rule enforcement regimes as a means to enact more ‘perfect’ behavioral regulation over subjects.
October 23: Brian Choi — "The Third-Party Doctrine and the Required-Records Doctrine: Informational Reciprocals, Asymmetries, and Tributaries"

ABSTRACT: Even as many have assailed the third-party doctrine and predicted its impending demise, few have heeded the parallel threat posed by the required-records doctrine. Although the third-party doctrine has been widely criticized as an overbroad exception to the Fourth Amendment, defining a coherent limiting principle has proved exceedingly difficult.
October 16: Seda Güerses — "Privacy is Don't Ask, Confidentiality is Don't Tell"

ABSTRACT: Since the end of the 60s, computer scientists have engaged in research on privacy and information systems. Over the years, this research has led to a whole palette of "privacy solutions''.
October 9: Katherine Strandburg — "Freedom of Association Constraints on Metadata Surveillance"

ABSTRACT: Documents leaked this past summer confirm that the National Security Agency has acquired access to a huge database of domestic call traffic data, revealing information about times, dates, and numbers called.
October 2: Joris van Hoboken — "A Right to be Forgotten"

ABSTRACT: In this talk I will present my ongoing work on the so-called 'right to be forgotten' and the underlying questions relating to balancing privacy and freedom of expression in the context of online services.
May 1: Akiva Miller — "What Do We Worry About When We Worry About Price Discrimination"
Readings: Price Discrimination Table: Incomplete Thesis

April 24: Hannah Block-Wheba and Matt Zimmerman — National Security Letters [NSL's]

April 17: Heather Patterson — "Contextual Expectations of Privacy in User-Generated Mobile Health Data: The Fitbit Story"
April 10: Katherine Strandburg — ECPA Reform; Catherine Crump: Cotterman Case; Paula Helm: Anonymity in AA

April 3: Ira Rubinstein — "Voter Privacy: A Modest Proposal"
March 27: "Privacy News Hot Topics" — US v. Cotterman, Drones' Hearings, Google Settlement, Employee Health Information Vulnerabilities, and a Report from Differential Privacy Day
March 6: Mariana Thibes — "Privacy at Stake, Challenging Issues in the Brazillian Context"

March 13: Nathan Newman — "The Economics of Information in Behavioral Advertising Markets"

February 27: Katherine Strandburg — "Free Fall: The Online Market's Consumer Preference Disconnect"

February 20: Brad Smith — "Privacy at Microsoft"
Readings: Healthcare Entities, Cloud-Based IT Services, and Privacy Requirement; FERPA and the Cloud: Why FERPA Desperately Needs Reform; From a Cloud Service Provider: The Importance of Keeping Your School's Data Safe; Microsoft response to the Ministry of Justice Call for Evidence on EU Data Protection Proposal - Regulation COM(2012)

February 13: Joe Bonneau — "What will it mean for privacy as user authentication moves beyond passwords?"

February 6: Helen Nissenbaum — "The (Privacy) Trouble with MOOCs"
January 30: Welcome meeting and discussion on current privacy news
September 11: Organizational meeting

September 18: Discussion - NSA/Pew Survey

September 25: Luke Stark — "The Emotional Context of Information Privacy"

Fall 2012

December 5: Martin French — "Preparing for the Zombie Apocalypse: The Privacy Implications of (Contemporary Developments in) Public Health Intelligence"

November 7: Sophie Hood — "New Media Technology and the Courts: Judicial Videoconferencing"
November 14: Travis Hall — "Cracks in the Foundation: India's Biometrics Programs and the Power of the Exception"

November 28: Scott Bulua and Catherine Crump — "A framework for understanding and regulating domestic drone surveillance"

November 21: Lital Helman — "Corporate Responsibility of Social Networking Platforms"

October 24: Matt Tierney and Ian Spiro — "Cryptogram: Photo Privacy in Social Media"

October 17: Frederik Zuiderveen Borgesius — "Behavioural Targeting. How to regulate?"

October 10: Discussion of 'Model Law'

October 3: Agatha Cole — "The Role of IP address Data in Counter-Terrorism Operations & Criminal Law Enforcement Investigations: Looking towards the European framework as a model for U.S. Data Retention Policy"

September 26: Karen Levy — "Privacy, Professionalism, and Techno-Legal Regulation of U.S. Truckers"
September 19: Nathan Newman — "Cost of Lost Privacy: Google, Antitrust and Control of User Data"