Knowledge Transfer - Policy

Deirdre K. Mulligan

School of Law

School of Information

University of California, Berkeley

Policy Audiences

• Colleagues and students• TRUST; other academics; other disciplines

• Policy makers• Legislative; regulatory; administrative• Federal; state; local

• Private Sector• Entities and individuals

• Technologists• Private and public sector

Privacy Workshop

“Exploring the Privacy Implications of Trustworthy Systems” - October 2006

Two-day workshop for TRUST graduate students from Berkeley, Stanford, Cornell

Students and post docs presented their work to TRUST faculty and nationally-recognized privacy-policy experts

– Kevin Bankston, Electronic Frontier Foundation– Janlori Goldman, Health Privacy Project– Jim Dempsey, Center for Democracy

Workshop identified privacy issues within students’ research, and brainstormed on future interdisciplinary collaborations.

– Several papers resulted, additional joint work in progress

Visual Privacy Symposium

“Unblinking: New Perspectives on Visual Privacy in the 21st Century”

Symposium discussed the implications of increased network surveillance, cameras in public places, and public policy responses to this technology

Participants included US and international experts in art, law, engineering, psychology, architecture, urban planning, sociology, human rights – Wiki, several forthcoming papers, collaborations

Coding for Policy & Regulating Design

New reading group includes TRUST students Considers whether, when and how to embed

policy in technical systems Emboding Values in technical design Considering entry points available for

influencing technology design When technology design should be viewed as

policy-making Who should be responsible for identifying and

addressing

Private Sector: understanding and creating incentives

Organizational Behavior Effects of Security Breach laws

– More information Absent legal requirement only 20% of firms will report serious breaches

(FBI/CSI 2005)– Broad reach -- electronic data– Privacy laws highly fragmented, sectoral, difficult to adjust– Security process focused lacking performance metrics.– Put a price tag on failure

Two studies underway– Theoretical, role of light-weight information disclosure as

regulation model can play in raising security investment and practices (comparison to environmental sector)

– Empirical analyzing breach type, relationship to consumer, remedial measures, disclosure practices. Which state provisions are more effective? Classifying breach types and feasible technology or policy solutions.

Private sector controls 85% of critical infrastructure Research underway to understand private sector

officials (Chief Privacy Officers and Chief Security Officers) processes around privacy and security:

– Policy development and implementation– Investment decisions– Relation to reputation and risk management

Extent to which decisions are influenced by:– External factors

Market, law, standard setting orgs, insurance– Internal factors

Position, access, background– Technology

Availability, price, standards

Private Sector: understanding and creating incentives

Government: managing policy-significant technology change

How have agencies identified and managed policy significant technological change?

Case studiesRFID Epassport Study

How does government approach shapeUnderstanding of security/privacy issues adoption of security/privacy mechanisms

Remotely available court records

Comparative (Germany/US)

Engagement with DHS, DOS, CA legRFIDVideo

Theoretical => practical

Policy-makers

Federal Trade Commission– Participated in “Protecting Consumers in multiple sessions of the Next Tech-ade”– Presented at “Negative Options Workshop” regarding effect of “short-notices” for

consumers before installing software Department of Homeland Security

- Testified before DHS Security Data Privacy and Integrity Advisory Committee. - Ongoing work on video surveillance with DHS and PIAC- Upcoming nprm-related workshop on REAL ID- Policy framework for information and network security research

California Energy Commission– Held seminar for Commissioner Rosenfeld on security and privacy concerns re:

“demand response” energy systems– Working with CEC to facilitate their access to data for energy forecasting &

conservation in a way that protects privacy San Francisco, Fresno

– Video surveillance assessment and policy development Anti-spyware coalition

– Input into best practices– Input into litigation and enforcement

Policy-makers, cont’d

Invited to testify before Senate Subcommittee on Terrorism, Technology & Homeland Security

Briefed House and Senate on TRUST – Offices of Senators Feinstein, Boxer, Rockefeller, Webb– Senate and House Committees on the Judiciary– Offices of Representatives Lofgren, Lee, Eschoo

Participated in the Congressional Internet Caucus’s “State of the Net” conference.

– This summer state of the net west– Workshops on social networking and privacy and behavioral

targeting Ongoing work with Federal and State legislatures Initial groundwork for TRUST researcher briefings at

FTC and with Internet caucus