The Technology of Privacy Wintersession 2013

Paul Ohm

Syllabus Version 0.9

Course Description

Information Privacy is one of the most pressing and debated topics in law and policy today. Policymakers, scholars, advocates, and industry representatives are locked in heated, escalating debates about the growing spread of tracking and surveillance in society. Most of this debate has been spurred by the breakneck pace of changes to technology, and particularly of changes to Internet and mobile technology. Future lawyers interested in practicing information privacy law or technology policy more broadly defined need to understand the past, present, and likely future of the technology of privacy.

This course embraces several innovations not found in a typical law school course: It is offered during the one-week wintersession in January, the last week of the winter break. Students will be expected to engage the technology thoroughly, not at arm’s length. Some of the class sessions will take place in a computer lab, with every student directly controlling cutting-edge technologies of privacy and privacy invasion, such as tools for encryption, wiretapping, onion routing, facial recognition, and more. The capstone of the class will be attendance and participation from the audience at a full-day conference including many of the nation’s leading scholars of information privacy.

There are no prerequisites for the course. Students of any technical ability and background (including no technical ability or background) are welcome to enroll, but students with some familiarity with computer and network technology will likely find the material easier to master.

Class Times and Office Hours

The class will meet every day from Monday to Thursday from 9:00 AM – 11:20 AM either in Room 306 or in the first floor computer lab in the ATLAS building. The first class will be in Wolf 306. On Friday, every student is required to attend a conference to be held on the “Technology of Privacy” in the law school courtroom, from 9:15 AM – 5:00 PM. Attendance at the full conference is mandatory. I will be available for office hours each day for one hour following class in my office (Room 433) or at any other time by appointment. I can also be reached via e-mail at [email protected].

Course Expectations

Themes. In four class meetings, we cannot even scratch the surface of this vast topic. This course will focus on depth over breadth, focusing in particular in 2013 on three major developments: (1) the crypto wars of the late 90’s; (2) web tracking and do not track; (3) big data. We will pay special attention to topic #2, do not track, which will also figure prominently in the Friday conference. On Thursday, we will spend one hour debating Do Not Track in which students might be asked to play a role in the contemporary debate.

Grading. Grades for the course will be based primarily on a final project due one week after the last day of class. In other words, the final project is due Friday, January 18, 2013, by 11:59 PM. In addition, part of the final grade will depend on the level of preparation and participation each student exhibits during two in-week activities: the Thursday in-class Do Not Track debate/discussion and the Friday conference. Finally, general participation is an important part of the final grade. Taking each of these three categories in turn:

Final Project. Most of the grade for the course will be based on a final research project. Students are given the choice between a traditional law school assignment or a more novel alternative.

The traditional assignment is a research paper. The paper should examine a single collision between evolving technology and privacy law, one that is either raging today or looming in the near future. Some examples are the collision of COPPA and mobile apps; facial recognition and the Fourth Amendment; WiFi and wiretapping; Big Data and the Privacy Act. Many papers are likely to be drawn from the topics discussed in the assigned reading, but students are encouraged to do independent research outside the assignments to find other interesting topics at the intersection of technology and privacy. Papers should cover at least the following three things: a discussion of the evolution of technology and how it is placing pressure on the law; a doctrinal legal analysis of how current law will respond; and a policy prescription about what to do to resolve the conflict. These papers should be at least ten pages long (typical, reasonable font and margins, double-spaced). Grades will be based on an assessment of each student’s ability to describe technology accurately, persuasiveness of the argument, accuracy of the legal analysis, and writing proficiency.

As an alternative, students are encouraged to embrace the same kind of innovative, nontraditional-law-school thinking that forms the basis for the course as they design their final projects. For example, students are encouraged to develop computer programs or information visualizations in lieu of a traditional research paper, although research papers are acceptable as well. Given the novelty of this approach, it is difficult to specify in advance a minimum quantity of work expected for the final project. The rough guideline is that the work conducted must be comparable to at least the work required for a ten page (typical, reasonable font and margins, double-spaced) research paper.

The nature and scope of all final projects must be pre-approved by the Professor, no later than Thursday, at the end of the day.

In-Class Assignment Activities. In addition to the general participation grade, students will be assessed by how well they prepare for and participate in two activities during the week. First, on Thursday, we will discuss the Do Not Track proposal currently put before the W3C. This in-class activity may take the form of a discussion or possibly even a formal moot-style debate. Students may be asked to prepare a short written assignment, due Thursday. Second, every student must submit in writing two or more questions they might ask of the panelists at Friday’s conference before the start of the conference. Positive performance and participation in these activities can raise a final grade up to five points above the grade given to the final research project. Negative performance can lower a final grade up to five points.

Participation. I expect you to be prepared to talk every class and will call on you without prior notice. If, however, you are unable to prepare for class on a particular day for whatever reason, please attend anyway. Send me an e-mail at least one hour before we begin or leave me a note on the podium at the front of the room before class starts and I will not call on you that day. You may use this “pass” option only once during the week unless you talk to me in advance about your situation. If you do not leave me a note but are unprepared or absent when I call on you, your grade will be negatively affected. Positive class participation can raise a final grade up to five points above the grade given to the final research project. Negative participation can lower a final grade up to five points.

Course Materials

Required Text. All readings for the course will be posted to the course website. Materials for a particular day will be posted no less than twenty-four hours prior to the start of each class, and students are responsible for consulting the website before beginning the reading for every class.

Course Website. Our course website is at http://paulohm.com/classes/techpriv13. Here, you will find reading assignments, important announcements, and links to other resources. The top part of the website will list “Latest Changes to the Site” which can be scanned to see what is important and new. Students are advised to consult the website before every class, particularly when a class is missed. I do not use TWEN.

General Outline

The following table lists the planned topics of discussion for each day and the location of each class. All readings are available on the class website.

| Day | Topics | Location | Comments |
| --- | --- | --- | --- |
| Monday | The relationship between technological change and policy. Cryptography. Battles from the Crypto Wars: CALEA, Clipper, ITAR, and Bitcoin. | Wolf 306 | |
| Tuesday | Lab Class. How the Internet works. Tracking behavior online. Online Behavioral Advertising and Do Not Track. Tracking countermeasures. | ATLAS 1st Floor Computer Lab | |
| Wednesday | Lab Class. Big Data. Location tracking. Mobile and apps. Facial recognition. | ATLAS 1st Floor Computer Lab | |
| Thursday | How do we resolve conflicts between law, policy, and technology? In-Class Do Not Track debate/discussion. | Wolf 306 | Topics for final project due by 5:00 PM. Must be prepared for debate/discussion. Possible short written assignment. |
| Friday | Conference: The Technology of Privacy | Wittemyer Courtroom | Submit two or more questions to ask panelists by 9:15 AM. |
| Friday + one week (1/18/2013) | | | Final papers/projects due by 11:59 PM. |

Directions to the ATLAS Building

The ATLAS Building is in the center of campus, adjacent to the art museum and not far from the UMC. The building is marked on this partial campus map:

The building’s distinctive tower makes it easy to recognize:

The topics and tentative reading are as follows:

Monday, January 7

Topic: Introduction to the Technology of Information Privacy: The History of Technology and Privacy

Location: Law School

Tentative Readings:
Excerpt from Solove & Schwartz, Information Privacy Law
Excerpt from Steven Levy, Crypto
Excerpt from Alma Whitten, Why Johnny Can’t Encrypt
Excerpt from Michael Froomkin, The Metaphor is the Key, 143 U. Penn. L. Rev. 709 (1995).

Lesson Plan: In Class, typical law school discussion. Have everybody master logic of public key encryption. Detail the crypto wars and discuss Clipper Chip proposal. Model debate over crypto. Talk about decade since. Toward end, tie this to broader themes about tech policy.

Tuesday, January 8

| Topic | Citation, URL |
| --- | --- |
| True Internet basics | Clever video: http://www.flixxy.com/how-the-internet-works.htm (Less shady looking container presentation: http://worldsciencefestival.com/videos/there_and_back_again_a_packets_tale) |
| Basic Internet Overview (IP addresses, log files) | Russ Smith, IP Address: Your Internet Identity, March 29, 1997, http://www.ntia.doc.gov/legacy/ntiahome/privacy/files/smith.htm (good but really old) |
| Cookies Overview / Ad Tracking | Julia Angwin, The Web’s New Gold Mine: Your Secrets, WALL ST. J., July 30, 2010, http://online.wsj.com/article/SB10001424052748703940904575395073512989404.html |
| Profiling | Emily Steel, A Web Pioneer Profiles Users by Name, WALL ST. J., Oct. 24, 2010, http://online.wsj.com/article/SB10001424052702304410504575560243259416072.html (describing RapLeaf) |
| Non-Cookie Tracking: Flash Cookies | http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862 |
| Non-Cookie Tracking: Fingerprinting | https://panopticlick.eff.org/ |
| Wireshark Demo | http://www.ipprimer.com/packets.cfm (A little over-detailed; just skim) |
| Reading web server log files | http://www.loganalyzer.net/log-analysis-tutorial/log-file-sample-explain.html |
| TOR | https://ssd.eff.org/tech/tor |
| VPN | |
| Opting out of OBA | BlueKai Registry, http://www.bluekai.com/registry/ |
| Taco | |
| SSL | |
| Phorm/NebuAd | Excerpt from Paul Ohm, The Rise and Fall of Invasive ISP Surveillance, 2009 U. ILL. L. REV. 1417 (2009). |
| Generally | Dave Clark et al., Tussle Spaces (Thursday) |
| Controlling the Web | Zittrain, Internet Points of Control (Another class). Felten, Great Firewall (Another class) |
| DNT | Jeff Blagdon, Do Not Track: An Uncertain Future for the Web’s Most Ambitious Privacy Initiative, THE VERGE, Oct. 12, 2012, http://www.theverge.com/2012/10/12/3485590/do-not-track-explained |
| Business of OBA | Natasha Singer, Your Online Attention, Bought in an Instant, N.Y. TIMES, Nov. 17, 2012, at BU1. |

Possible Lesson Plan:

Three stations: Users, Middle of the Wire, Endpoint surveillance

Topic: The Internet: Cookies, Packet Sniffing, and Tracking (Lab Class)

Location: ATLAS

Tentative Readings:
Excerpt from Dan Solove, The Digital Person
Excerpt from Julia Angwin, What They Know series

Lesson Plan: First Lab Class.

Lab exercises:
1. Log files.
2. Cookies / Ghostery.
3. Ad networks and opt-out choices.
4. Fingerprinting and Panopticlick.
5. Mobile tracking: UDIDs and geolocation.
6. Other advertising counter-measures.
7. TOR
8. Wireshark

Themes to hit (should find one reading about each): Monetization. Opt-in vs. Opt-out. The arms race between trackers and blockers. Self-regulation vs. Regulation.

Wednesday, January 9

Topic: Big Data, Mobile Issues, and Facial Recognition

Location: ATLAS

Tentative Readings:
Paul Ohm, Broken Promises of Privacy
Felix Wu,
Jane Yakowitz, The Tragedy of the Data Commons
Alessandro Acquisti,
Charles Duhigg, How Companies Learn Your Secrets, N.Y. Times, Feb. 16, 2012

Lesson Plan: Second Lab Class.

Lab Exercises:
1. Deidentification/Reidentification.
2. Netflix Prize
3. Facial Recognition
4. GPS tracking (Google Maps and WiFi routers?)

Themes (find one reading about each): Case study of deidentification. Balancing costs and benefits. Predicting the future.

Thursday, January 10

Topic: Solutions? Privacy by Design, Do Not Track, and the Right to be Forgotten

Location: Law School

Tentative Readings:
Ann Cavoukian, Principles of Privacy by Design
Excerpts from FTC Final Report on Privacy
Excerpts from W3C paper on Do Not Track
Various blog posts and commentary on Do Not Track
Excerpt from Bamberger & Mulligan,

Lesson Plan:
In-Class Debate Do Not Track, with assigned roles
Talk about rise of the CPO / Professionalization / Job market
Comparative: EU vs. US vs. Canada

Friday, January 11

Topic: Conference on the Technology of Privacy

Location: Law School Courtroom (Must attend entire conference, 9:00 AM – 5:00 PM)

Tentative Readings: Must skim all papers submitted by panelists and be prepared to ask questions.
