This year’s Telecommunications Policy Research Conference (TPRC) featured several significant papers on privacy. Meg Leta Ambrose and Jef Ausloos presented a paper on the right to be forgotten, emphasizing the key features of the proposed European Regulation. The authors correctly emphasize that the right to be forgotten includes two very different concepts: the right for data subjects to require the erasure of personal data that they have provided (the "right to erasure"), and the right for data subjects to have part of their past shielded from excessive media or public exposure (the "right to oblivion").
Ambrose and Ausloos point out that the draft EU Regulation relates more to the right to erasure than to the right to oblivion; the latter exists in certain narrow fact circumstances, and raises significant issues related to freedom of expression. The paper usefully lists instances where the right to be forgotten is recognized in US law, emphasizing that the right to be forgotten is not a new concept, whether under European or US law. What’s new in the proposed EU Regulation is the obligation on data controllers to take "all reasonable steps" to inform third parties of a data subject’s exercise of the right to be forgotten. Ambrose and Ausloss argue that this new obligation is both over-inclusive and under-inclusive, and that it will be difficult to determine when a third party’s publication is "authorized" by the data controller.
Wendy Seltzer from Yale Law School presented a paper entitled "Privacy, Option Value and Feedback" analysing the issue of increased user control over privacy settings, indicating that users have difficulty attaching value to privacy choices because the relevant privacy harms may never occur, or will occur only a long time in the future.
Seltzer cited a study in which a majority of persons tested were willing to communicate their passwords to a stranger in exchange for a Snickers bar. Seltzer’s work focuses on the importance of users receiving immediate feedback in connection with their privacy choices. She is also focusing on option value, as used in financial markets, to value the alternative for users of deferring their privacy choices until such time as circumstances regarding the use of data become more clear.
In his paper "From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud" Peter Swire, from Ohio State University demonstrated why the generalization of encryption for IP based communications will force law enforcement officials to rely on increased access to stored data in the cloud as opposed to real time interceptions. Real time interceptions are now too difficult, says Professor Swire, because of end-to-end encryption. The other alternative is "magic lantern" software that intercepts data at the end point, before or after the data have been decrypted.
In their paper "Certificate Authority Collapse: Regulating Vulnerabilities in the HTTPS Value Chain" Axel Arnbak and Nico van Eijk provided a frightening account of the security breach affecting the Dutch certificate authority Diginotar, and how the current HTTPS protocol makes such breaches damaging. In the case of Diginotar the breach remained undisclosed for 90 days permitting hackers to generate false SSL-certificates and divert traffic from a legitimate websites to the hacker’s websites. The paper recommends that the security vulnerabilities of HTTPS be addressed, and that the European Commission’s recent proposal for a regulation on eSignatures may not be the right vehicle through which to do so.