AlexandraRosenSecondEssay 6 - 29 Jan 2016 - Main.AlexandraRosen
|
|
META TOPICPARENT | name="SecondEssay" |
| |
< < | The Student Privacy Pledge: political facade or privacy protection?
The Pledge is not a substitute for student-privacy legislation. | > > | The Student Privacy Pledge: A Dangerous Political Facade | | -- By AlexandraRosen - 09 Dec 2015
Introduction | |
< < | Since January 2015, over 200+ companies—including Google, Apple and Microsoft— signed what is referred to as the Student Privacy Pledge (the "Pledge"). The legally binding pledge written by the Future of Privacy Forum (FPF) and Software and Information Industry Association (SIIA) is a “vow to collect, store or use student data only for educational purposes.” While on its face the Pledge seems like a positive step towards stricter student privacy protection on the Web, the Pledge’s impact on companies' collection and use of personal information and activity should not be overstated. | > > | Since January 2015, over 200+ companies—including Google, Apple and Microsoft— signed what is referred to as the Student Privacy Pledge (the "Pledge"). The legally binding pledge written by the Future of Privacy Forum (FPF) and Software and Information Industry Association (SIIA) is a “vow to collect, store or use student data only for educational purposes.” While on its face the Pledge seems like a positive step towards stricter student privacy protection on the Web, and did quell public (particularly parents') fears' regarding the potential exploitation of students' information in the education context, the Pledge’s impact on companies' collection and use of personal information and activity should not be overstated. | | | |
< < | In the following paper, I will discuss whether the existence and wide support lauding the Pledge as an effective mechanism for protecting student privacy on the Web creates a false sense that security within the status quo and in turn, slows real progress toward more effective privacy protections. | > > | In the following paper, I will discuss whether the existence and wide support lauding the Pledge as an effective mechanism for protecting student privacy on the Web creates a false sense that security within the status quo and in turn, distracts from real progress toward more effective privacy protections. | | | |
< < |
Why bother? That's always precisely the point of these self-regulatory exercises. We can take that for granted once we have seen who is sponsoring the show and who wants to be seen in the front row of the audience. Naturally there will also be non-profit do-gooder "intellectual" participation, accompanied by professional rhetoric and moderate fully-disclosed payment. Naturally the point of it all is a false sense of security.
Lawyers are realists, at least around here. So telling them that is like telling them that the sky is either blue or gray and the sun rises in the east every morning. The real questions are:
- Who is supposed to feel this sense of security, and what business models depend on their not feeling an insecurity instead?
- At whom is it aimed? That is to say, whose business are these people virtuously forswearing going into? As usual, it will help to assume that they are going to benefit as investors and partners from the businesses they virtuously aren't going to go into, so you can gain some insight into this situation by watching what they are doing with the other hand while they are waving the brightly-colored silk handkerchief you are presently paying too much attention to.
- What unintended consequences can this be made to have by foregoing attention paid to the brightly-colored silk handkerchief being waved and thinking instead about the tired old magic trick actually being worked by the clever magician and her sexy assistant? How does the nonsense at which everybody else is looking give you a chance to foil the trick that both this bunch of smoothies and the other bunch they are investing in and trying to screw are either too virtuous to be doing or too virtuous not to be doing?
| > > | The Pledge is an Empty Promise | | | |
< < | | > > | Given my strong skepticism of the Pledge’s ability to impact company behavior, I was surprised to see that on December 1, 2015, the Electronic Frontier Foundation (EFF) filed a complaint with the FTC against Google's Apps for Education (GAFE) alleging that it violates the company’s pledge to limit its use of student data. In light of this complaint, I consider whether my critique of the Pledge is completely misplaced--does the Pledge protect student's privacy? Not really... | | | |
> > | If anything, EFF’s complaint is evidence that the Pledge is not preventing the collection and use of student personal information. | | | |
< < | Recent action to enforce the terms of the Pledge force me to re-examine my argument | > > | 1. Limited scope | | | |
< < | Given my strong skepticism of the Pledge’s ability to impact company behavior, I was surprised to see that on December 1, 2015, the Electronic Frontier Foundation (EFF) filed a complaint with the FTC against Google's Apps for Education (GAFE) alleging that it violates the company’s pledge to limit its use of student data. In light of this complaint, I consider whether my critique of the Pledge is completely misplaced. | > > | Apparently, EFF’s complaint against Google incorrectly interprets the Pledge to apply to various GAFE activities. Shortly after the complaint was filed, both FPF and SIIA issued statements criticizing the complaint as a large misunderstanding of the Pledge itself. For example, FPF Executive Polonetsky said "[w]e have reviewed the EFF complaint but do not believe it has merit."” Similarly, SIIA's MacCarthy? noted that the EFF complaint contains important misunderstandings about the Pledge that largely stems from EFF interpreting the prohibitions of the Pledge too broadly. | | | |
> > | The Pledge does not impose a blanket prohibition on companies' collection and use of student information. Instead, the Pledge obligates signatories to “be transparent about collection and use of data” in conducting certain activity in particular context. The scope of activities covered by the Pledge is explicitly limited not to include “the use of student information for purposes of adaptive learning or customized education. Thus, the Pledge restricts Google’s use of data collected from students in the classroom to enhancing educational purposes, but does not restrict Google’s use of data collected from users (who may also be “students” for certain parts of their day depending on where the user is at the particular time and which Google product (or app) they are using). For example, if a child uses GAFE in the classroom during school, in order to comply with the Pledge, Google cannot sell information collected through this "educational service" to third party advertisers. However, if a child is at home and uses Chrome to browse for leisure, Google may sell the child’s information to a third party advertiser because the information was not collected through an “educational/school service.” The limits of the Pledge on Google, therefore, are narrow. | | | |
< < | Am I Wrong? Or is the Pledge an Empty Promise? | > > | 2. Limited enforcement | | | |
< < | A closer look at student privacy protection under the Pledge | > > | The Pledge does not include a specific enforcement provision “nor is there an enforcement regime behind the effort that monitors compliance, and takes disciplinary action or informs the FTC when a company is not compliant.” Despite any specific enforcement provision, in the U.S. a company’s security and other commitments made under the Pledge are legally enforceable by the FTC and State AGs under Section 5 of the Consumer Protection Act.” However, even if noncompliance triggers FTC enforcement, the FTC’s enforcement powers are limited. For example, in 2012, Google paid $22.5 million to settle an FTC complaint that it violated an advertising industry pledge by misrepresenting the way it tracked Web users. While the FTC’s $22.5 million fine was record-setting, it was arguably only a slap on the wrist for Google [the agency’s fine represented about 0% of Google’s income in 2012]. | | | |
< < | 1. Limited scope | > > | Pledge creates a false sense of security | | | |
< < | The Pledge does not impose a blanket prohibition on companies' collection and use of student information. Instead, the Pledge obligates signatories to “be transparent about collection and use of data” in conducting certain activity in particular context. The scope of activities covered by the Pledge is explicitly limited not to include “the use of student information for purposes of adaptive learning or customized education.” | > > | EFF attorney Cardozo, who wrote the complaint, told the WSJ that “[t]he best way for Google to comply would be to simply not collect any data on the activities of logged-in [GAFE] users.” Even if that is factually accurate, the self-regulation regime emplaced by the Pledge does not require, nor suggest, signatories take such extreme measures in limiting their activities related to data collection and use. EFF’s request of the FTC, to “require Google to destroy all student data it has collected and used in violation of the Pledge and to prevent the [Google] from collecting such data in the future,” is outside the scope of the Pledge and Google (and other signatories) will likely shrug off EFF’s demands as a lofty “suggestion.” | | | |
< < | Apparently, EFF’s complaint against Google incorrectly interprets the Pledge to apply to various GAFE activities. Shortly after the complaint was filed, both FPF and SIIA issued statements criticizing the complaint as a large misunderstanding of the Pledge itself. For example, FPF Executive Polonetsky said "[w]e have reviewed the EFF complaint but do not believe it has merit."” Similarly, SIIA's MacCarthy? noted that the EFF complaint contains important misunderstandings about the Pledge including: | | | |
< < | The complaint alleges that Google violated the Pledge:
- because it collected information about students who are using general purpose services; however, the Pledge only applies to applications, services, or web sites “designed and marketed for use in U.S. [K-12] institutions.”
- by collecting personal information such as browser histories and bookmarks; however, Google collects this information at the direction of the school as a part of a student’s educational experience.
- by collecting and using aggregated and anonymized information; however, the Pledge applies only to personal information that identifies particular students.
| > > | The Pledge Does More Harm Than Good. | | | |
< < | Thus, the problem (in part) with EFF’s complaint is that EFF applies the prohibitions agreed to under the Pledge too broadly. In the complaint, EFF asked the FTC to “require Google to destroy all student data it has collected and used in violation of the Pledge and to prevent the company from collecting such data in the future.” EFF attorney Cardozo, who wrote the complaint, told the WSJ that “[t]he best way for Google to comply would be to simply not collect any data on the activities of logged-in [GAFE] users.” While privacy advocates like Cardozo would surely prefer that Google do just that, under the Pledge regime companies have no real incentive to give in to Cardozo’s demands—Google can, and likely will, shrug off Cardozo’s demands as a lofty “suggestion.” | > > | Considering that the Pledge applies to only a narrow set of activities in limited contexts and that within that narrow scope, the FTC does not have sufficient teeth to deter companies from noncompliance with the Pledge, I circle back to my initial perspective and ask does the Pledge do any good? | | | |
> > | I think it is important to consider the context in which the Pledge was passed and widely adopted. The initiative came at a time when state legislatures were rushing to enact restrictions on data collection and data mining. Supporters of education technology, like SIIA who had “long resisted efforts to strengthen federal privacy law,” feared that legislative proposals would hurt their business models and wrote the Pledge hoping to avoid stricter proposals from being passed. Therefore, the impetus for the Pledge was to limit future restraints on companies’ data collection. | | | |
< < | 2. Limited enforcement | > > | Despite any perverse incentives that led to the creation of the regime, if the Pledge improved privacy for students, then the initial motives are irrelevant. However, the existence and the propaganda-like support for the Pledge as sufficient protection makes the likelihood of any real rules passing slim, at best. The 200+ signatories are free to continue collecting and mining student data largely without limit (except for the very narrow constraints imposed by the Pledge) and without privacy advocates and politicians constantly looking over their shoulder and questioning their every move. Furthermore, by explicitly permitting the collection, maintenance, use and sharing of student personal information “needed for authorized educational/school purposes,” the Pledge leaves the door open for companies (like Google) to continue, if not increase, its data mining of students by claiming various uses and services are needed for educational purposes. The Pledge was (and continues to be) a perfect and carefully crafted distraction from public scrutiny. The fact that EFF filed a complaint against Google and that critics have responded with legitimate arguments that the complaint itself is beyond the scope of the Pledge protections is evidence that the Pledge is not only relatively useless as privacy protection, its existence and appearance enables further intrusions on student’s information privacy. | | | |
< < | The Pledge does not include a specific enforcement provision “nor is there an enforcement regime behind the effort that monitors compliance, and takes disciplinary action or informs the FTC when a company is not compliant.” Despite any specific enforcement provision, in the U.S. a company’s security and other commitments made under the Pledge are legally enforceable by the FTC and State AGs under Section 5 of the Consumer Protection Act.” However, even if noncompliance triggers FTC enforcement, the FTC’s enforcement powers are limited. For example, in 2012, Google paid $22.5 million to settle an FTC complaint that it violated an advertising industry pledge by misrepresenting the way it tracked Web users. While the FTC’s $22.5 million fine was record-setting, it was arguably only a slap on the wrist for Google [the agency’s fine represented about 0% of Google’s income in 2012]. | | | |
< < | Does the Pledge do More Harm than Good? | > > | | | | |
< < | Considering that the Pledge applies to only a narrow set of activities in limited contexts and that within that narrow scope, the FTC does not have sufficient teeth to deter companies from noncompliance with the Pledge, I circle back to my initial perspective and ask does the Pledge do any good? | > > | Why bother? That's always precisely the point of these self-regulatory exercises. We can take that for granted once we have seen who is sponsoring the show and who wants to be seen in the front row of the audience. Naturally there will also be non-profit do-gooder "intellectual" participation, accompanied by professional rhetoric and moderate fully-disclosed payment. Naturally the point of it all is a false sense of security. | | | |
< < | I think it is important to consider the context in which the Pledge was passed and widely adopted. The initiative came at a time when state legislatures were rushing to enact restrictions on data collection and data mining. Supporters of education technology, like SIIA who had “long resisted efforts to strengthen federal privacy law,” feared that legislative proposals would hurt their business models and wrote the Pledge hoping to avoid stricter proposals from being passed. Therefore, the impetus for the Pledge was to limit future restraints on companies’ data collection. | > > | Lawyers are realists, at least around here. So telling them that is like telling them that the sky is either blue or gray and the sun rises in the east every morning. The real questions are: | | | |
< < | Despite any perverse incentives that led to the creation of the regime, if the Pledge improved privacy for students, then the initial motives are irrelevant. However, the existence and the propaganda-like support for the Pledge as sufficient protection makes the likelihood of any real rules passing slim, at best. The 200+ signatories are free to continue collecting and mining student data largely without limit (except for the very narrow constraints imposed by the Pledge) and without privacy advocates and politicians constantly looking over their shoulder and questioning their every move. The Pledge is a perfect and carefully crafted distraction from public scrutiny. | > > |
- Who is supposed to feel this sense of security, and what business models depend on their not feeling an insecurity instead?
- At whom is it aimed? That is to say, whose business are these people virtuously forswearing going into? As usual, it will help to assume that they are going to benefit as investors and partners from the businesses they virtuously aren't going to go into, so you can gain some insight into this situation by watching what they are doing with the other hand while they are waving the brightly-colored silk handkerchief you are presently paying too much attention to.
- What unintended consequences can this be made to have by foregoing attention paid to the brightly-colored silk handkerchief being waved and thinking instead about the tired old magic trick actually being worked by the clever magician and her sexy assistant? How does the nonsense at which everybody else is looking give you a chance to foil the trick that both this bunch of smoothies and the other bunch they are investing in and trying to screw are either too virtuous to be doing or too virtuous not to be doing?
| | | |
> > | | |
Yes, but. See top. You circle around getting to the outer suburbs of #1, but #2 is invisible, which means you don't ever really figure out what the trick is, which means that #3 isn't yet thinkable. Instead you do the thing you're supposed to do which is to follow the handkerchief and harrumph the harrumph you're supposed to have, which means you were so busy being all lawyerly about the details of enforceability and feeling superior to them on the fake reveal that you never even had a chance to look over to where they were preparing the real trick they're going to be playing on human civilization the next time the lights go out momentarily. That's the space to cover in thinking your way to draft 2.
| |
< < |
DRAFT 2 IN PROGRESS!!!!!!!!!!!
| |
You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. |
|
AlexandraRosenSecondEssay 5 - 20 Jan 2016 - Main.AlexandraRosen
|
|
META TOPICPARENT | name="SecondEssay" |
| | Yes, but. See top. You circle around getting to the outer suburbs of #1, but #2 is invisible, which means you don't ever really figure out what the trick is, which means that #3 isn't yet thinkable. Instead you do the thing you're supposed to do which is to follow the handkerchief and harrumph the harrumph you're supposed to have, which means you were so busy being all lawyerly about the details of enforceability and feeling superior to them on the fake reveal that you never even had a chance to look over to where they were preparing the real trick they're going to be playing on human civilization the next time the lights go out momentarily. That's the space to cover in thinking your way to draft 2.
| |
< < | | > > |
DRAFT 2 IN PROGRESS!!!!!!!!!!!
| |
You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. |
|
AlexandraRosenSecondEssay 4 - 09 Jan 2016 - Main.EbenMoglen
|
|
META TOPICPARENT | name="SecondEssay" |
| | In the following paper, I will discuss whether the existence and wide support lauding the Pledge as an effective mechanism for protecting student privacy on the Web creates a false sense that security within the status quo and in turn, slows real progress toward more effective privacy protections. | |
> > |
Why bother? That's always precisely the point of these self-regulatory exercises. We can take that for granted once we have seen who is sponsoring the show and who wants to be seen in the front row of the audience. Naturally there will also be non-profit do-gooder "intellectual" participation, accompanied by professional rhetoric and moderate fully-disclosed payment. Naturally the point of it all is a false sense of security.
Lawyers are realists, at least around here. So telling them that is like telling them that the sky is either blue or gray and the sun rises in the east every morning. The real questions are:
- Who is supposed to feel this sense of security, and what business models depend on their not feeling an insecurity instead?
- At whom is it aimed? That is to say, whose business are these people virtuously forswearing going into? As usual, it will help to assume that they are going to benefit as investors and partners from the businesses they virtuously aren't going to go into, so you can gain some insight into this situation by watching what they are doing with the other hand while they are waving the brightly-colored silk handkerchief you are presently paying too much attention to.
- What unintended consequences can this be made to have by foregoing attention paid to the brightly-colored silk handkerchief being waved and thinking instead about the tired old magic trick actually being worked by the clever magician and her sexy assistant? How does the nonsense at which everybody else is looking give you a chance to foil the trick that both this bunch of smoothies and the other bunch they are investing in and trying to screw are either too virtuous to be doing or too virtuous not to be doing?
| | Recent action to enforce the terms of the Pledge force me to re-examine my argument
Given my strong skepticism of the Pledge’s ability to impact company behavior, I was surprised to see that on December 1, 2015, the Electronic Frontier Foundation (EFF) filed a complaint with the FTC against Google's Apps for Education (GAFE) alleging that it violates the company’s pledge to limit its use of student data. In light of this complaint, I consider whether my critique of the Pledge is completely misplaced. | | Despite any perverse incentives that led to the creation of the regime, if the Pledge improved privacy for students, then the initial motives are irrelevant. However, the existence and the propaganda-like support for the Pledge as sufficient protection makes the likelihood of any real rules passing slim, at best. The 200+ signatories are free to continue collecting and mining student data largely without limit (except for the very narrow constraints imposed by the Pledge) and without privacy advocates and politicians constantly looking over their shoulder and questioning their every move. The Pledge is a perfect and carefully crafted distraction from public scrutiny. | |
> > |
Yes, but. See top. You circle around getting to the outer suburbs of #1, but #2 is invisible, which means you don't ever really figure out what the trick is, which means that #3 isn't yet thinkable. Instead you do the thing you're supposed to do which is to follow the handkerchief and harrumph the harrumph you're supposed to have, which means you were so busy being all lawyerly about the details of enforceability and feeling superior to them on the fake reveal that you never even had a chance to look over to where they were preparing the real trick they're going to be playing on human civilization the next time the lights go out momentarily. That's the space to cover in thinking your way to draft 2.
| |
|
|
AlexandraRosenSecondEssay 3 - 10 Dec 2015 - Main.AlexandraRosen
|
|
META TOPICPARENT | name="SecondEssay" |
| | Introduction | |
< < | Since January 2015, over 200+ companies—including Google, Apple Inc. and Microsoft Corp.—signed what is referred to as the Student Privacy Pledge (the "Pledge"). The legally binding pledge created by the Future of Privacy Forum (FPF) and Software and Information Industry Association (SIIA) is a “vow to collect, store or use student data only for educational purposes.” While on its face the Pledge seems like a positive step towards stricter consumer privacy protection on the Web, the Pledge’s impact on companies' collection and use of personal information and activity should not be overstated. | > > | Since January 2015, over 200+ companies—including Google, Apple and Microsoft— signed what is referred to as the Student Privacy Pledge (the "Pledge"). The legally binding pledge written by the Future of Privacy Forum (FPF) and Software and Information Industry Association (SIIA) is a “vow to collect, store or use student data only for educational purposes.” While on its face the Pledge seems like a positive step towards stricter student privacy protection on the Web, the Pledge’s impact on companies' collection and use of personal information and activity should not be overstated. | | | |
< < | In the following paper, I will argue that the existence and wide support lauding the Pledge as an effective mechanism for protecting student privacy on the Web creates a false sense that security within the status quo and in turn, slows real progress toward more effective privacy protections. | > > | In the following paper, I will discuss whether the existence and wide support lauding the Pledge as an effective mechanism for protecting student privacy on the Web creates a false sense that security within the status quo and in turn, slows real progress toward more effective privacy protections. | | Recent action to enforce the terms of the Pledge force me to re-examine my argument | |
< < | Given my strong skepticism of the Pledge’s ability to effect company behavior, I was surprised to see that on December 1, 2015, the Electronic Frontier Foundation (EFF) filed a complaint with the FTC against Google's Apps for Education (GAFE) alleging that it violates the company’s pledge to limit its use of student data. In light of this complaint, I consider whether my critique of the Pledge is completely misplaced. | > > | Given my strong skepticism of the Pledge’s ability to impact company behavior, I was surprised to see that on December 1, 2015, the Electronic Frontier Foundation (EFF) filed a complaint with the FTC against Google's Apps for Education (GAFE) alleging that it violates the company’s pledge to limit its use of student data. In light of this complaint, I consider whether my critique of the Pledge is completely misplaced. | |
Am I Wrong? Or is the Pledge an Empty Promise? | | The Pledge does not impose a blanket prohibition on companies' collection and use of student information. Instead, the Pledge obligates signatories to “be transparent about collection and use of data” in conducting certain activity in particular context. The scope of activities covered by the Pledge is explicitly limited not to include “the use of student information for purposes of adaptive learning or customized education.” | |
< < | Apparently, EFF’s complaint against Google incorrectly interprets the Pledge to apply to various GAFE activities. Shortly after the complaint was filed, both FPF and SIIA issued statements criticizing the complaint as a large misunderstanding of the Pledge itself. For example, FPF Exec Polonetsky issued the following statement in response to EFF’s allegations, “We have reviewed the EFF complaint but do not believe it has merit.” Similarly, SIIA's MacCarthy? noted that the EFF complaint against Google contains important misunderstandings about the Pledge including: | > > | Apparently, EFF’s complaint against Google incorrectly interprets the Pledge to apply to various GAFE activities. Shortly after the complaint was filed, both FPF and SIIA issued statements criticizing the complaint as a large misunderstanding of the Pledge itself. For example, FPF Executive Polonetsky said "[w]e have reviewed the EFF complaint but do not believe it has merit."” Similarly, SIIA's MacCarthy? noted that the EFF complaint contains important misunderstandings about the Pledge including: | | The complaint alleges that Google violated the Pledge: | |
< < |
- because it collected information about students who are using general purpose services; however, the Pledge only applies to applications, services, or web sites “designed and marketed for use in U.S. K-12 institutions.”
| > > |
- because it collected information about students who are using general purpose services; however, the Pledge only applies to applications, services, or web sites “designed and marketed for use in U.S. [K-12] institutions.”
| |
- by collecting personal information such as browser histories and bookmarks; however, Google collects this information at the direction of the school as a part of a student’s educational experience.
- by collecting and using aggregated and anonymized information; however, the Pledge applies only to personal information that identifies particular students.
| |
< < | Thus, the problem (in part) with EFF’s complaint is that EFF applies the prohibitions agreed to under the Pledge too broadly. In the complaint, EFF asked the FTC to “require Google to destroy all student data it has collected and used in violation of the Pledge and to prevent the company from collecting such data in the future.” EFF attorney Nate Cardozo, who wrote the complaint, told the WSJ that “[t]he best way for Google to comply would be to simply not collect any data on the activities of logged-in [GAFE] users.” While privacy advocates like Cardozo would surely prefer that Google do just that, under the Pledge regime companies have no real incentive to give in to Cardozo’s demands—Google can, and likely will, shrug off Cardozo’s demands as a lofty “suggestion.” | > > | Thus, the problem (in part) with EFF’s complaint is that EFF applies the prohibitions agreed to under the Pledge too broadly. In the complaint, EFF asked the FTC to “require Google to destroy all student data it has collected and used in violation of the Pledge and to prevent the company from collecting such data in the future.” EFF attorney Cardozo, who wrote the complaint, told the WSJ that “[t]he best way for Google to comply would be to simply not collect any data on the activities of logged-in [GAFE] users.” While privacy advocates like Cardozo would surely prefer that Google do just that, under the Pledge regime companies have no real incentive to give in to Cardozo’s demands—Google can, and likely will, shrug off Cardozo’s demands as a lofty “suggestion.” | |
2. Limited enforcement | |
< < | The Pledge does not include a specific enforcement provision “nor is there an enforcement regime behind the effort that monitors compliance, and takes disciplinary action or informs the FTC when a company is not compliant.” Despite any specific enforcement provision, in the U.S. a company’s security and other commitments made under the Pledge are legally enforceable by the FTC and State AGs under Section 5 of the Consumer Protection Act for “unfair or deceptive acts.” However, even if noncompliance triggers FTC enforcement under Section 5, the FTC’s enforcement powers are limited. For example, in 2012, Google paid $22.5 million to settle an FTC complaint that it violated an advertising industry pledge by misrepresenting the way it tracked Web users. While the FTC’s $22.5 million fine was record-setting for the FTC, it was arguably only a slap on the wrist for Google [the agency’s fine represented about 0% of Google’s income in 2012]. | > > | The Pledge does not include a specific enforcement provision “nor is there an enforcement regime behind the effort that monitors compliance, and takes disciplinary action or informs the FTC when a company is not compliant.” Despite any specific enforcement provision, in the U.S. a company’s security and other commitments made under the Pledge are legally enforceable by the FTC and State AGs under Section 5 of the Consumer Protection Act.” However, even if noncompliance triggers FTC enforcement, the FTC’s enforcement powers are limited. For example, in 2012, Google paid $22.5 million to settle an FTC complaint that it violated an advertising industry pledge by misrepresenting the way it tracked Web users. While the FTC’s $22.5 million fine was record-setting, it was arguably only a slap on the wrist for Google [the agency’s fine represented about 0% of Google’s income in 2012]. | |
Does the Pledge do More Harm than Good? | |
< < | In light of the realization that the Pledge applies to only a narrow set of activities in limited contexts and that within that narrow scope, the FTC does not have sufficient teeth to deter companies from noncompliance with the Pledge, I circle back to my initial perspective and ask does the Pledge do any good? | > > | Considering that the Pledge applies to only a narrow set of activities in limited contexts and that within that narrow scope, the FTC does not have sufficient teeth to deter companies from noncompliance with the Pledge, I circle back to my initial perspective and ask does the Pledge do any good? | | | |
< < | I think it is important to consider the context in which the Pledge was passed and widely adopted. The initiative came at a time when state legislatures were rushing to enact restrictions on data collection and data mining. Supporters of education technology, like SIIA who had “long resisted efforts to strengthen federal privacy law,” feared that legislative proposals would hurt their business models and wrote the Pledge hoping to avoid stricter proposals from being passed. Therefore, the impetus for the Pledge was to limit future restraints on companies’ data collection. | > > | I think it is important to consider the context in which the Pledge was passed and widely adopted. The initiative came at a time when state legislatures were rushing to enact restrictions on data collection and data mining. Supporters of education technology, like SIIA who had “long resisted efforts to strengthen federal privacy law,” feared that legislative proposals would hurt their business models and wrote the Pledge hoping to avoid stricter proposals from being passed. Therefore, the impetus for the Pledge was to limit future restraints on companies’ data collection. | | | |
< < | Despite any perverse incentives that led to the creation of the regime, if the Pledge improved privacy for students, then the initial motives are irrelevant. However, the existence and the propaganda-like support for the Pledge as sufficient protection makes the likelihood of any real rules passing slim, at best. The 200+ signatories are free to continue collecting and mining student data largely without limit (except for the very narrow constraints imposed by the Pledge) and without privacy advocates and politicians constantly looking over their shoulder and questioning their every move. The Pledge is a perfect and carefully crafted distraction from public scrutiny. | > > | Despite any perverse incentives that led to the creation of the regime, if the Pledge improved privacy for students, then the initial motives are irrelevant. However, the existence and the propaganda-like support for the Pledge as sufficient protection makes the likelihood of any real rules passing slim, at best. The 200+ signatories are free to continue collecting and mining student data largely without limit (except for the very narrow constraints imposed by the Pledge) and without privacy advocates and politicians constantly looking over their shoulder and questioning their every move. The Pledge is a perfect and carefully crafted distraction from public scrutiny. | | |
|
AlexandraRosenSecondEssay 2 - 10 Dec 2015 - Main.AlexandraRosen
|
|
META TOPICPARENT | name="SecondEssay" |
The Student Privacy Pledge: political facade or privacy protection? | |
> > | The Pledge is not a substitute for student-privacy legislation. | | -- By AlexandraRosen - 09 Dec 2015
Introduction | |
< < | Since January 2015, over 200 companies—including Google, Apple Inc. and Microsoft Corp.—signed what is referred to as the Student Privacy Pledge (the "Pledge"). The legally binding pledge created by the Future of Privacy Forum (FPF) and Software and Information Industry Association (SIIA) is a “vow to collect, store or use student data only for educational purposes.” While on its face the Pledge seems like a positive step towards stricter consumer privacy protection on the Web, the Pledge’s impact on companies collection and use of personal information and activity should not be overstated. The Pledge is not a substitute for student-privacy legislation. | > > | Since January 2015, over 200+ companies—including Google, Apple Inc. and Microsoft Corp.—signed what is referred to as the Student Privacy Pledge (the "Pledge"). The legally binding pledge created by the Future of Privacy Forum (FPF) and Software and Information Industry Association (SIIA) is a “vow to collect, store or use student data only for educational purposes.” While on its face the Pledge seems like a positive step towards stricter consumer privacy protection on the Web, the Pledge’s impact on companies' collection and use of personal information and activity should not be overstated. | | | |
< < | In the following paper, I will argue that the existence and wide support lauding the Student Privacy Pledge as an effective mechanism for protecting student privacy on the Web creates a false sense that security within the status quo and in turn, slows real progress toward more effective privacy protections. | > > | In the following paper, I will argue that the existence and wide support lauding the Pledge as an effective mechanism for protecting student privacy on the Web creates a false sense that security within the status quo and in turn, slows real progress toward more effective privacy protections. | | Recent action to enforce the terms of the Pledge force me to re-examine my argument | |
< < | Given my strong skepticism of the Pledge’s ability to effect company behavior, I was surprised to see that on Tuesday, December 1, 2015, the Electronic Frontier Foundation (EFF),a non-profit privacy organization, filed a complaint with the Federal Trade Commission (FTC) against Google's Apps for Education (GAFE) alleging that it violates the company’s pledge to limit its use of student data. In light of this complaint, I consider whether my critique of the Student Privacy Pledge is completely misplaced. | > > | Given my strong skepticism of the Pledge’s ability to effect company behavior, I was surprised to see that on December 1, 2015, the Electronic Frontier Foundation (EFF) filed a complaint with the FTC against Google's Apps for Education (GAFE) alleging that it violates the company’s pledge to limit its use of student data. In light of this complaint, I consider whether my critique of the Pledge is completely misplaced. | |
Am I Wrong? Or is the Pledge an Empty Promise? | | The Pledge does not impose a blanket prohibition on companies' collection and use of student information. Instead, the Pledge obligates signatories to “be transparent about collection and use of data” in conducting certain activity in particular context. The scope of activities covered by the Pledge is explicitly limited not to include “the use of student information for purposes of adaptive learning or customized education.” | |
< < | Apparently, EFF’s complaint against Google incorrectly interprets the Pledge to apply to various GAFE activities. Shortly after the complaint was filed, both FPF and SIIA issued statements criticizing the complaint as a large misunderstanding of the Pledge itself. For example, FPF Executive Director Jules Polonetsky issued the following statement in response to EFF’s allegations, “We have reviewed the EFF complaint but do not believe it has merit.” Similarly, Mark MacCarthy? , Senior Vice President at SIIA, noted that the EFF complaint against Google contains important misunderstandings about the Pledge including: | > > | Apparently, EFF’s complaint against Google incorrectly interprets the Pledge to apply to various GAFE activities. Shortly after the complaint was filed, both FPF and SIIA issued statements criticizing the complaint as a large misunderstanding of the Pledge itself. For example, FPF Exec Polonetsky issued the following statement in response to EFF’s allegations, “We have reviewed the EFF complaint but do not believe it has merit.” Similarly, SIIA's MacCarthy? noted that the EFF complaint against Google contains important misunderstandings about the Pledge including: | | | |
< < |
- The complaint alleges that Google violated the Pledge because it collected information about students who are using general purpose services; however, the Pledge only applies to applications, services, or web sites “designed and marketed for use in U.S. elementary and secondary educational institutions.”
- The complaint alleges that Google violated the Pledge by collecting personal information such as browser histories and bookmarks; however, Google collects this information at the direction of the school as a part of a student’s educational experience (“educational/school purposes” explicitly permitted in the Pledge).
- The complaint alleges that Google violated the Pledge by collecting and using aggregated and anonymized information; however, the Pledge applies only to personal information that identifies particular students and is maintained at the individual level.
| > > | The complaint alleges that Google violated the Pledge:
- because it collected information about students who are using general purpose services; however, the Pledge only applies to applications, services, or web sites “designed and marketed for use in U.S. K-12 institutions.”
- by collecting personal information such as browser histories and bookmarks; however, Google collects this information at the direction of the school as a part of a student’s educational experience.
- by collecting and using aggregated and anonymized information; however, the Pledge applies only to personal information that identifies particular students.
| | | |
< < | Thus, the problem with EFF’s complaint(at least a part of the problem) is that EFF applies the prohibitions agreed to under the Pledge too broadly. In the complaint, EFF asked the FTC to “require Google to destroy all student data it has collected and used in violation of the Student Privacy Pledge and to prevent the company from collecting such data in the future.” EFF attorney Nate Cardozo, who wrote the complaint, told the Wall Street Journal that “[t]he best way for Google to comply would be to simply not collect any data on the activities of logged-in Google [Apps for] Education users.” While privacy advocates like Cardozo would surely prefer that Google do just that, under the Pledge regime companies have no real incentive to give in to Cardozo’s demands—Google can, and likely will, shrug off Cardozo’s demands as a lofty “suggestion.” | > > | Thus, the problem (in part) with EFF’s complaint is that EFF applies the prohibitions agreed to under the Pledge too broadly. In the complaint, EFF asked the FTC to “require Google to destroy all student data it has collected and used in violation of the Pledge and to prevent the company from collecting such data in the future.” EFF attorney Nate Cardozo, who wrote the complaint, told the WSJ that “[t]he best way for Google to comply would be to simply not collect any data on the activities of logged-in [GAFE] users.” While privacy advocates like Cardozo would surely prefer that Google do just that, under the Pledge regime companies have no real incentive to give in to Cardozo’s demands—Google can, and likely will, shrug off Cardozo’s demands as a lofty “suggestion.” | |
2. Limited enforcement | |
< < | The Pledge does not include a specific enforcement provision “nor is there an enforcement regime behind the effort that monitors compliance, and takes disciplinary action or informs the FTC when a company is not compliant.” Despite any specific enforcement provision, in the United States a company’s security and other commitments made under the Pledge are legally enforceable by the FTC and State Attorneys General under Section 5 of the Consumer Protection Act for “unfair or deceptive acts.” However, even if noncompliance triggers FTC enforcement under Section 5, the FTC’s enforcement powers are limited. For example, in 2012, Google paid $22.5 million to settle an FTC complaint that it violated an advertising industry pledge by misrepresenting the way it tracked Web users. While the FTC’s $22.5 million fine was record-setting for the FTC (at the time, it was largest-ever fine issued by the FTC against a company), it was arguably only a slap on the wrist for Google [the agency’s fine represented about 0% of Google’s income in 2012]. | > > | The Pledge does not include a specific enforcement provision “nor is there an enforcement regime behind the effort that monitors compliance, and takes disciplinary action or informs the FTC when a company is not compliant.” Despite any specific enforcement provision, in the U.S. a company’s security and other commitments made under the Pledge are legally enforceable by the FTC and State AGs under Section 5 of the Consumer Protection Act for “unfair or deceptive acts.” However, even if noncompliance triggers FTC enforcement under Section 5, the FTC’s enforcement powers are limited. For example, in 2012, Google paid $22.5 million to settle an FTC complaint that it violated an advertising industry pledge by misrepresenting the way it tracked Web users. While the FTC’s $22.5 million fine was record-setting for the FTC, it was arguably only a slap on the wrist for Google [the agency’s fine represented about 0% of Google’s income in 2012]. | |
Does the Pledge do More Harm than Good? | |
< < | In light of the realization that the Pledge applies to only a narrow set of activities in limited contexts and that within that narrow scope, the FTC does not have sufficient teeth to deter companies from noncompliance with the Student Privacy Pledge, I circle back to my initial perspective and ask does the Pledge do any good? | > > | In light of the realization that the Pledge applies to only a narrow set of activities in limited contexts and that within that narrow scope, the FTC does not have sufficient teeth to deter companies from noncompliance with the Pledge, I circle back to my initial perspective and ask does the Pledge do any good?
I think it is important to consider the context in which the Pledge was passed and widely adopted. The initiative came at a time when state legislatures were rushing to enact restrictions on data collection and data mining. Supporters of education technology, like SIIA who had “long resisted efforts to strengthen federal privacy law,” feared that legislative proposals would hurt their business models and wrote the Pledge hoping to avoid stricter proposals from being passed. Therefore, the impetus for the Pledge was to limit future restraints on companies’ data collection.
Despite any perverse incentives that led to the creation of the regime, if the Pledge improved privacy for students, then the initial motives are irrelevant. However, the existence and the propaganda-like support for the Pledge as sufficient protection makes the likelihood of any real rules passing slim, at best. The 200+ signatories are free to continue collecting and mining student data largely without limit (except for the very narrow constraints imposed by the Pledge) and without privacy advocates and politicians constantly looking over their shoulder and questioning their every move. The Pledge is a perfect and carefully crafted distraction from public scrutiny. | |
|
|
AlexandraRosenSecondEssay 1 - 09 Dec 2015 - Main.AlexandraRosen
|
|
> > |
META TOPICPARENT | name="SecondEssay" |
The Student Privacy Pledge: political facade or privacy protection?
-- By AlexandraRosen - 09 Dec 2015
Introduction
Since January 2015, over 200 companies—including Google, Apple Inc. and Microsoft Corp.—signed what is referred to as the Student Privacy Pledge (the "Pledge"). The legally binding pledge created by the Future of Privacy Forum (FPF) and Software and Information Industry Association (SIIA) is a “vow to collect, store or use student data only for educational purposes.” While on its face the Pledge seems like a positive step towards stricter consumer privacy protection on the Web, the Pledge’s impact on companies collection and use of personal information and activity should not be overstated. The Pledge is not a substitute for student-privacy legislation.
In the following paper, I will argue that the existence and wide support lauding the Student Privacy Pledge as an effective mechanism for protecting student privacy on the Web creates a false sense that security within the status quo and in turn, slows real progress toward more effective privacy protections.
Recent action to enforce the terms of the Pledge force me to re-examine my argument
Given my strong skepticism of the Pledge’s ability to effect company behavior, I was surprised to see that on Tuesday, December 1, 2015, the Electronic Frontier Foundation (EFF),a non-profit privacy organization, filed a complaint with the Federal Trade Commission (FTC) against Google's Apps for Education (GAFE) alleging that it violates the company’s pledge to limit its use of student data. In light of this complaint, I consider whether my critique of the Student Privacy Pledge is completely misplaced.
Am I Wrong? Or is the Pledge an Empty Promise?
A closer look at student privacy protection under the Pledge
1. Limited scope
The Pledge does not impose a blanket prohibition on companies' collection and use of student information. Instead, the Pledge obligates signatories to “be transparent about collection and use of data” in conducting certain activity in particular context. The scope of activities covered by the Pledge is explicitly limited not to include “the use of student information for purposes of adaptive learning or customized education.”
Apparently, EFF’s complaint against Google incorrectly interprets the Pledge to apply to various GAFE activities. Shortly after the complaint was filed, both FPF and SIIA issued statements criticizing the complaint as a large misunderstanding of the Pledge itself. For example, FPF Executive Director Jules Polonetsky issued the following statement in response to EFF’s allegations, “We have reviewed the EFF complaint but do not believe it has merit.” Similarly, Mark MacCarthy? , Senior Vice President at SIIA, noted that the EFF complaint against Google contains important misunderstandings about the Pledge including:
- The complaint alleges that Google violated the Pledge because it collected information about students who are using general purpose services; however, the Pledge only applies to applications, services, or web sites “designed and marketed for use in U.S. elementary and secondary educational institutions.”
- The complaint alleges that Google violated the Pledge by collecting personal information such as browser histories and bookmarks; however, Google collects this information at the direction of the school as a part of a student’s educational experience (“educational/school purposes” explicitly permitted in the Pledge).
- The complaint alleges that Google violated the Pledge by collecting and using aggregated and anonymized information; however, the Pledge applies only to personal information that identifies particular students and is maintained at the individual level.
Thus, the problem with EFF’s complaint(at least a part of the problem) is that EFF applies the prohibitions agreed to under the Pledge too broadly. In the complaint, EFF asked the FTC to “require Google to destroy all student data it has collected and used in violation of the Student Privacy Pledge and to prevent the company from collecting such data in the future.” EFF attorney Nate Cardozo, who wrote the complaint, told the Wall Street Journal that “[t]he best way for Google to comply would be to simply not collect any data on the activities of logged-in Google [Apps for] Education users.” While privacy advocates like Cardozo would surely prefer that Google do just that, under the Pledge regime companies have no real incentive to give in to Cardozo’s demands—Google can, and likely will, shrug off Cardozo’s demands as a lofty “suggestion.”
2. Limited enforcement
The Pledge does not include a specific enforcement provision “nor is there an enforcement regime behind the effort that monitors compliance, and takes disciplinary action or informs the FTC when a company is not compliant.” Despite any specific enforcement provision, in the United States a company’s security and other commitments made under the Pledge are legally enforceable by the FTC and State Attorneys General under Section 5 of the Consumer Protection Act for “unfair or deceptive acts.” However, even if noncompliance triggers FTC enforcement under Section 5, the FTC’s enforcement powers are limited. For example, in 2012, Google paid $22.5 million to settle an FTC complaint that it violated an advertising industry pledge by misrepresenting the way it tracked Web users. While the FTC’s $22.5 million fine was record-setting for the FTC (at the time, it was largest-ever fine issued by the FTC against a company), it was arguably only a slap on the wrist for Google [the agency’s fine represented about 0% of Google’s income in 2012].
Does the Pledge do More Harm than Good?
In light of the realization that the Pledge applies to only a narrow set of activities in limited contexts and that within that narrow scope, the FTC does not have sufficient teeth to deter companies from noncompliance with the Student Privacy Pledge, I circle back to my initial perspective and ask does the Pledge do any good?
You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable.
To restrict access to your paper simply delete the "#" character on the next two lines:
Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list. |
|
|
|
This site is powered by the TWiki collaboration platform. All material on this collaboration platform is the property of the contributing authors. All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
|
|