The Federal Trade Commission held its Information Injury Workshop in December in Washington D.C. The goal of the workshop was to explore how to characterize and measure information injuries to consumers.
Information injury is the harm that a victim suffers as a result of privacy or data security breach. Financial, health and safety injury are the most common types of alleged injuries that the FTC has seen in privacy and data security in the past few years. Yet, injury that does not cause financial harm can be challenging to quantify.
In her opening remarks at the workshop, FTC Acting Director Maureen Ohlhausen said the FTC needs a “framework for principled and consistent analysis of consumer injury in the context of specific privacy and data security incidents.” This will help the agency monitor new technologies and data uses for potential consumer injury. She said it will also help the agency “establish criteria by which we can judge if privacy and data security enforcement is the proper tool to address a practice, or if other mechanisms, perhaps even other agencies, institutions, or laws would be better equipped to address any particular negative outcome.”
The workshop had four panels with noted experts in a variety of fields and disciplines. The brief summary that follows is not intended to be comprehensive, but to touch on some interesting points made during the course of the workshop. Transcripts for each panel are linked below.
The first panel described the different kinds of injuries suffered by consumers because of privacy incidents and data security breaches.
- Pam Dixon, Executive Director of the World Privacy Forum, noted that victims of medical identity theft face unique harms. With medical identity theft, a thief uses a victim’s name or health insurance number to obtain prescription drugs or seek other medical services. She described one situation where a Utah woman had her children taken away from her because of the actions of a medical identity thief. It took over three months and a DNA test to get the victim cleared so she could get her kids back. Another problem with medical identity theft is the aggressive debt collection practices that follow, which can negatively affect a victim’s credit scores.
- Damon McCoy, Assistant Professor in the Computer Science Department at NYU Tandon School of Engineering, described his research with doxing, which is the public release of people’s information and other methods of social engineering that collect personal information. His research indicates that the use of this data can be innocuous or harmful if it is used for extortion or other stalking purposes.
- Lauren Smith, Policy Counsel at the Future of Privacy Forum, noted that as the volume of consumer data grow, the number of decisions that were previously made by humans are now increasingly made by algorithms. Her remarks focused on what can occur through what is called the mosaic effect, which is what happens when some data is combined with other data or with artificial intelligence to create inferences that the consumer may not want shared or could have potential discriminatory impacts. She noted that the potential harms could be grouped in the following categories: loss of opportunity, economic loss, social detriment, and loss of liberty.
- Cindy Southworth, Executive Vice President for the National Network to End Domestic Violence, described the staggering statistics related to the prevalence of domestic violence and stalking and the frequency in which technology is used by the offenders and abusers. She also noted the special privacy needs of abuse victims and the physical risk associated when an abuser discovers, for example, the location information of a victim.
- Heather Wydra, Supervising Attorney at Whitman-Walker Health, described the harms associated with disclosure of private health information or gender identity and sexual orientation. She addressed the harms she has seen when disclosure of personal health and other information. Specifically, she addressed discrimination in the work place, places of public accommodation and which could interfere with personal and community relationships.
The second panel used both a privacy and security hypothetical to assess consumer injury, including the type and magnitude of the injury as well as the sensitivity of the information and asked the panelists to identify the potential injuries that could occur and then to have a policy discussion.
- Alessandro Acquisiti, Professor of Information Technology and Public Policy at Carnegie Mellon University, referenced Irwin Altman who described privacy not as the protection of data, but a dialectic process of boundary management, which includes both the opening of the self to others and the closing of the self to others. The boundaries are affected by social norms, expectations, and individual preferences.
- James Cooper, Associate Professor of Law and Director at the Program on Economics & Privacy at the Antonin Scalia Law School of George Mason University, expressed the view that there is a big difference between aggregated and individualized data. He views that the privacy harm begins when sensitive information about an individual is exposed, but is skeptical as to whether targeted ads that do not implicate sensitive personal data cause harm.
- Michelle De Mooy, Director, Privacy & Data Project at the Center for Democracy & Technology, said that consumer expectations matter and privacy is a core principal in a democracy. She also noted the importance of expectations, consent, and recourse. In addition, she said that the collection of information can increase the risk of harm through surveillance and merely retaining information becomes a likely harm because the possibility of a data breach is always there.
- Geoffrey Manne, Executive Director at the International Center for Law & Economics, noted that there is a lot less that we know than what we do not know in this area. He cautioned the “risk of harm” is not the same as harm and that too much deterrence and over-enforcement could stifle companies from experimenting with new innovations and technology that could benefit consumers.
- Paul Ohm, Professor at Georgetown University Law School, began by suggesting a working definition of harm to be whether one is worse off than if the conduct had not occurred. He also took exception to the suggestion that the risk of injury is not injury. He noted that aggregation is not a shield because if data is aggregated in such a way that the privacy harm has been reduced, the data is likely to be unusable for any commercial purpose. He noted that new and unexpected tracking should be a concern when potential injury involving sensitive data is at stake, and that in those instances, perhaps government should intervene.
The third panel examined how businesses and consumers perceive and evaluate the benefits, costs, and risks of collecting and sharing information in light of potential benefits and injuries.
- Leigh Freund, President and CEO of the Network Advertising Initiative, expressed her view that some consumers misunderstand what data is collected and used to provide targeted ads and noted the efficiencies associated with using consumer data to deliver advertising. She also noted that because advertising data is only valuable in very limited circumstances for limited time periods, NAI counsels member companies to practice data minimization and collect and keep only what is needed for the specific purpose.
- Privacy expert Jennifer Glasgow noted the importance of distinguishing between data breaches and the inappropriate use of information, which includes consideration of ethics. She suggested that businesses are going to have to step up to do more. For example, she questioned whether consumers should have 50 choices when buying a connected car because that is how many sensors are in the car. Rather, it would be better to have three or four choices and have the car manufacturer stand behind their decision to allow it or only use consumer data in certain situations. Glasgow also noted that consumers expect security, but that as we move into more big data applications and more analytics it will be more difficult for consumers to understand what is happening to their data.
- Katie McInnis, Policy Counsel at the Consumers Union, noted that it is her view that businesses evaluate risks and benefits to data protection and tend to overstate the benefits. She also noted that it is difficult for some consumers to evaluate privacy policies especially in the IoT space, which is one of the reasons that Consumers Union launched their digital standard last March to begin evaluating products and services under privacy and data security.
- Bob Gourley, Partner at Cognitio, noted that how companies address data risks and benefits, vary from industry to industry and that there has been a big shift in business recently towards very secure channels. He also noted that with the growth of IoT devices especially in homes as well as the application to of artificial intelligence to different data sets, there will be a number of privacy and data security questions that no one has thought about yet.
- Omri Ben-Shahar, the Leo and Eileen Herzel Professor of Law and Kearney Director of the Coase-Sandor Institute for Law and Economics at the University of Chicago Law School, expressed skepticism about the role of education, transparency, and privacy policies, noting that it is hard to educate consumers about everything and especially about data policy because it is a moving target.
The final panel examined the different methods for and challenges associated with assessing and quantifying informational injuries.
- Garrett Glasgow, Senior Consultant at NERA Economic Consulting, described how surveys can help determine what value people place on having their data protected. He described the two different approaches he has used which is conjoint analysis and contingent valuation.
- Ginger Jin, Professor of Economics at the University of Maryland, in discussing causality, described some research that indicates a link from certain data breaches and records available on the dark web. She also indicated that she is aware that blockchain can be used as a technology to track how data changes from one hand to another.
- Lynn Langton, Chief of the Victimization Statistics Bureau of Justice Statistics at the U.S. Department of Justice, said that even among identity theft victims who did not experience financial losses, 30 percent found the experience moderately or severely depressing. The majority of victims do not how their information was obtained.
- Catherine Tucker, Sloan Distinguished Professor of Management and Professor of Marketing at the MIT Sloan School of Management, noted that sometimes consumers’ actions differ from their stated preferences. She also noted that sometimes you can change people’s conduct based on context or places the choices in a way to make an easy decision.
- Josephine Wolff, Assistant Professor of Public Policy at Rochester Institute of Technology, noted that because there are different types of injuries, it is necessary to use both survey and revealed preference data in order to understand how consumers are injured by different types of data breaches or the misappropriated use of data.
The workshop is another example of the FTC bringing together experts across many fields to explore the flow of personal data between commercial applications as well as personal and private applications. The panels explored the challenges of definitional issues associated with terms such as risk, harm and injury. The panels also grappled with the role of consumers and what they do and do not understand, and whether it is always their responsibility to make good choices or whether businesses have some responsibility to consider ethical uses of data. Finally, with respect to measuring injury, the final panel highlighted the challenges associated with quantifying consumer behavior noting that there is often a disconnect between a particular consumer’s stated preference and the consumer’s actions.