Category Archives: Academic Resource

Free access to recent research papers on cyberspace law

Thanks to the Digital Commons Network, all of you pdpechoers have free access to these new papers:

Workplace Privacy and Monitoring: The Quest for Balanced Interests

Paper by Adriana R. Levinson, in Clev. St. L. Rev. 377 (2011).


We can see in 2001 that 77 percent of employers were engaged in monitoring. This may have increased slightly or decreased slightly, but whatever has happened, we know that this is a significant amount of employers–much greater than a majority–that are engaging in monitoring of their employees. We can also see the great rise in monitoring of computers and electronic files in a ten-year period between 1997 and 2007.

Finally, we can see some of the newer technologies. In 2007, twelve percent of the reporting employers were monitoring the blogosphere, eight percent were monitoring GPS vehicle tracking, and ten percent were monitoring social networking sites. Probably, some of you are working with social networking policies with the companies that you are involved with. This is a hot topic right now. ….

That gives you a picture of what the technology looks like, what the statistics are, and what we are grappling with in terms of the law here. In terms of the law, I am going to talk about the Electronic Communications Privacy Act (“ECPA”). There are also some state statutes that are going to be relevant. There is the tort that we are all very familiar with, dating back to Brandeis’ day, of the invasion of privacy, which is invasion of seclusion. And then finally we know that right now there is the hot topic with the Quon case coming down last term with the Fourth Amendment and public-sector employers and employees.


Open Book: The Failed Promise of Information Privacy in America (by James P. Nehf)


With financial and other personal information about us in countless databases, and with companies such as Facebook and Google collecting data about their users to drive profits and satisfy expectations of shareholders, there is a pervasive concern that we have little control over access to potentially harmful uses of that information.

Moreover, many consumers believe that little can be done to address the problem except to give out as little information as possible and try our best to monitor our credit reports and financial accounts in an effort to detect unexpected activity if it occurs. By not enacting strong information privacy laws in the non-governmental sector, the U.S. Congress and the fifty states have effectively defaulted to a market-based model of privacy protection that relies heavily on individual self-policing and market incentives as the primary means of information control.

A self-policing privacy protection model could be effective if a market for information privacy were possible — if well informed individuals could shop their privacy preferences effectively. This book-length paper examines the reasons why this is highly unlikely and why privacy laws in the United States (or the lack thereof) will not protect legitimate consumer interests in the years to come.

Part 1 shows why information privacy is a social or societal value and not just an individual concern. Part 2 examines in more detail why individualist, market approaches to privacy protection are destined to fail. Part 3 continues this theme and examines research in behavioral sciences about how consumers make decisions in market transactions. Part 4 concludes by critiquing the “new” privacy framework released by the Federal Trade Commission. While the framework contains hopeful rhetoric calling for greater emphasis on societal solutions to privacy concerns, most of the framework continues to rely heavily on individual notice and choice in transactions that involve exchanges of personal information.

Number of Pages in PDF File: 260

You can download the book following this link:

Do Students Turn Over Their Rights When They Turn in Their Papers? A Case Study of


Turnitin is a rapidly growing online anti-plagiarism service subscribed to by thousands of schools in the United States. Though the pursuit of honesty and integrity are at the heart of our academic institutions and the Turnitin anti-plagiarism service, there is a fatal flaw in its execution. This comment examines the copyright and fair use arguments presented by four Virginia students asserting that Turnitin violated their intellectual property rights. This comment goes beyond the facts of the four Virginia students to explore the root issues of a service that collects and distributes the copyrighted works submitted to it by hundreds of students.

Despite the unsuccessful attempts to convince the District Court and Circuit Court of Appeals that their rights were violated, it is patently clear that the rights of the students were infringed. This comment delves deep into not only the copyright and fair use arguments, but also scrutinizes the contract issues and privacy implications of a service like Turnitin’s.

Unfortunately, students will always find ways to cheat, but it is unacceptable to cheat them out of their legal rights. Educators should lead by example and respect the privacy and intellectual property rights of all students, even if the consequences are difficult to accept.

A list of 10 Coursera free high profile courses on databases, information management, big data

It is more and more difficult for privacy lawyers and thinkers to contribute to further developments of the field without a basic knowledge of technology related fields, databases, information management etc.

Hence, pdpEchoers decided to put together a list of recommended courses available on the free platform Coursera, which are provided by some of the best universities in the world (More about Coursera, here) and which we think could help in better understanding the reality privacy law has to regulate.

Note, though, that some of the courses require basic or advanced algebra.

1. Introduction to Data Science

Join the data revolution. Companies are searching for data scientists. This specialized field demands multiple skills not easy to obtain through conventional curricula. Introduce yourself to the basics of data science and leave armed with practical experience programming massive databases.

Next Session:

April 2013 (10 weeks long)

Sign up here:

2. Building an Information Risk Management Toolkit 

In this course, you will explore several structured, risk management approaches that guide information security decision-making. Course topics include: developing and maintaining risk assessments (RA); developing and maintaining risk management plans (RM); regulatory and legal compliance issues affecting risk plans; developing a control framework for mitigating risks; risk transfer; business continuity and disaster recovery planning from the information security perspective.

Next Session:

Jan 7th 2013 (10 weeks long)

Sign up here:

3. Social Network Analysis

This course will use social network analysis, both its theory and computational tools, to make sense of the social and information networks that have been fueled and rendered accessible by the internet.


Jan 28th 2013 (9 weeks long)

Sign up here:

4. Internet History, Technology and Security

The impact of technology and networks on our lives, culture, and society continues to increase. The very fact that you can take this course from anywhere in the world requires a technological infrastructure that was designed, engineered, and built over the past sixty years. To function in an information-centric world, we need to understand the workings of network technology. This course will open up the Internet and show you how it was created, who created it and how it works. Along the way we will meet many of the innovators who developed the Internet and Web technologies that we use today.

Next Session:

Mar 1st 2013 (13 weeks long)

Sign up here:

5. Web Intelligence and Big Data

The past decade has witnessed the successful application of many AI techniques used at ‘web-scale’, on what are popularly referred to as big data platforms based on the map-reduce parallel computing paradigm and associated technologies such as distributed file systems, no-SQL databases and stream computing engines. Online advertising, machine translation, natural language understanding, sentiment mining, personalized medicine, and national security are some examples of such AI-based web-intelligence applications that are already in the public eye. Others, though less apparent, impact the operations of large enterprises from sales and marketing to manufacturing and supply chains. In this course we explore some such applications, the AI/statistical techniques that make them possible, along with parallel implementations using map-reduce and related platforms.

Next Session:

Date to be announced

Sign up here:

6. Data Management for Clinical Research

This course is designed to teach important concepts related to research data planning, collection, storage and dissemination. Instructors will offer information and best-practice guidelines for 1) investigator-initiated & sponsored research studies, 2) single- & multi-center studies, and 3) prospective data collection & secondary-reuse of clinical data for purposes of research. The curriculum will balance theoretical guidelines with the use of practical tools designed to assist in planning and conducting research. Real-world research examples, problem solving exercises and hands-on training will ensure students are comfortable with all concepts.

Next Session:

April 2013 (6 weeks long)

Sign up here:

7. Networks: Friends, Money and Bytes

A course driven by 20 practical questions about wireless, web, and the Internet, about how products from companies like Apple, Google, Facebook, Netflix, Amazon, Ericsson, HP, Skype and AT&T work.

  1. What makes CDMA work for my smartphone?
  2. How does Google sell its ad spaces?
  3. How does Google rank webpages?
  4. How does Netflix recommend movies?
  5. When can I trust an average rating on Amazon?
  6. Why does Wikipedia even work?
  7. How do I viralize a YouTube video and tip a Groupon deal?
  8. How do I influence people on Facebook and Twitter?
  9. Can I really reach anyone in 6 steps?
  10. Does the Internet have an Achilles’ heel?
  11. Why do AT&T and Verizon Wireless charge me $10 a GB?
  12. How can I pay less for my Internet connection?
  13. How does traffic get through the Internet?
  14. Why doesn’t the Internet collapse under congestion?
  15. How can Skype and BitTorrent be free?
  16. What’s inside the cloud of iCloud?
  17. IPTV and Netflix: how can the Internet support video?
  18. Why is WiFi faster at home than at a hotspot?
  19. Why am I only getting a few percent of advertised 4G speed?
  20. Is it really fair that my neighbor’s iPad downloads faster?


Feb 4th 2013 (12 weeks long)

Sign up here:

8. TechniCity

We live in real-time, technologically enhanced cities. Explore the sweeping changes that our cities are undergoing as a result of networks, sensors, and communication technology.

Next Session:

May 4th 2013 (4 weeks long)

Sign up here:

9. Securing Digital Democracy

Computer technology has transformed how we participate in democracy. The way we cast our votes, the way our votes are counted, and the way we choose who will lead are increasingly controlled by invisible computer software. Most U.S. states have adopted electronic voting, and countries around the world are starting to collect votes over the Internet. However, computerized voting raises startling security risks that are only beginning to be understood outside the research lab, from voting machine viruses that can silently change votes to the possibility that hackers in foreign countries could steal an election. This course will provide the technical background and public policy foundation that 21st century citizens need to understand the electronic voting debate. You’ll learn how electronic voting and Internet voting technologies work, why they’re being introduced, and what problems they aim to solve. You’ll also learn about the computer- and Internet-security risks these systems face and the serious vulnerabilities that recent research has demonstrated. We’ll cover widely used safeguards, checks, and balances — and why they are often inadequate. Finally, we’ll see how computer technology has the potential to improve election security, if it’s applied intelligently. Along the way, you’ll hear stories from the lab and from the trenches on a journey that leads from Mumbai jail cells to the halls of Washington, D.C. You’ll come away from this course understanding why you can be confident your own vote will count — or why you should reasonably be skeptical.

Previous Session:

Sep 3rd 2012 (5 weeks long)

Sign up here if the course will be held again:

10. Introduction to Databases

“Introduction to Databases” had a very successful public offering in fall 2011, as one of Stanford’s inaugural three massive open online courses. Since then, the course materials have been improved and expanded, and all materials are available for self-study. Students have access to lectures with in-video quizzes, multiple-choice quiz assignments, automatically-checked interactive programming exercises, midterm and final exams, a discussion forum, optional additional exercises with solutions, and pointers to readings and resources. Taught by Professor Jennifer Widom, the curriculum draws from Stanford’s popular Introduction to Databases course.

Next Session:

Self study

Sign up here:


When you put privacy and math together = differential privacy, a new approach to safeguarding data



In the data protection and privacy field one reads something mind-blowing so often that it is no surprise the field attracts more and more enthusiasts. Take, for example, a piece of information published on December 31st, 2012, on the Scientific American website:

“A mathematical technique called “differential privacy” gives researchers access to vast repositories of personal data while meeting a high standard for privacy protection”.

So this means that you can use math also to safeguard personal data, not only to make profiles based on personal data. Ha!

The article talks about a body of work a decade in the making, which is now starting to offer a genuine solution.

“Differential privacy,” as the approach is called, allows for the release of data while meeting a high standard for privacy protection. A differentially private data release algorithm allows researchers to ask practically any question about a database of sensitive information and provides answers that have been “blurred” so that they reveal virtually nothing about any individual’s data — not even whether the individual was in the database in the first place.

“The idea is that if you allow your data to be used, you incur no additional risk,” said Cynthia Dwork of Microsoft Research Silicon Valley. Dwork introduced the concept of differential privacy in 2005, along with McSherry, Kobbi Nissim of Israel’s Ben-Gurion University and Adam Smith of Pennsylvania State University.

Read the whole story HERE.

Ample Study On Surveillance in Ex-Soviet States

A diagram of the SORM surveillance system. Illustration: MFI-Soft

A joint investigation by Agentura.Ru, CitizenLab and Privacy International with the title “In Ex-Soviet States, Russian Spy Tech Still Watches You” was recently published in Wired magazine. It explains how the SORM surveillance system, initiated in the mid-1980s, is still working not only in Russia, but also in former USSR states, like Ukraine and Belarus. It also explains why the SORM surveillance mechanisms are different than the mechanisms used by Western societies. It is definitely worth reading for those curious about the Surveillance Society. I am not extremely convinced that the difference between surveillance techniques associated with SORM and surveillance techniques associated with Western mechanisms is a consistent one, but perhaps it is just me.

On November 12, the Russian Supreme Court okayed the wiretapping of an opposition activist. The Court ruled that spying on Maxim Petlin, a regional opposition leader in Yekaterinburg, was lawful, since he had taken part in rallies where calls against extending the powers of Russia’s security services were heard. The court decided that these were demands for “extremist actions” and approved surveillance carried out by the national interception system, known as SORM.

Manned by the country’s main security service, the FSB, this “System of Operative Search Measures” has been in use for more than two decades. But recently, SORM has been upgraded. It is ingesting new types of data. It is being used as Moscow’s main tool for spying on the country’s political protesters. And it has become extremely useful in the quest to make sure that the Kremlin’s influence in the former Soviet Union continues long into the second regime of Vladimir Putin.

Meet the New Boss

When the Soviet Union collapsed, many of the KGB’s regional branches became the security services of the newly independent states. But they didn’t stray far from the Kremlin’s lead. They modeled their governing laws after Moscow’s, and used similar technology, too. Namely, SORM — Russia’s nationwide system of automated and remote legal interception on all kinds of communications.

SORM’s tactical and technical foundations were developed by a KGB research institute in the mid-1980s. Initially SORM was installed on analogue telephone lines. As new technologies developed, SORM did, as well.


Today SORM-1 intercepts telephone traffic, including mobile networks, while SORM-2 is responsible for intercepting internet traffic, including VoIP. SORM-3 gathers information from all communication media, and offers long-term storage (three years), providing access to all data on subscribers. In addition, SORM enables the use of mobile control points, a laptop that can be plugged directly into communication hubs and immediately intercept and record the operator’s traffic.

SORM also proved essential to spy on social networks based in Russia. “We can use SORM to take stuff off their servers behind their backs,” an FSB official told us. According to figures published by Russia’s Supreme Court, over the last five years the number of legal telephone intercepts alone has almost doubled, from 265,937 intercepts and recordings of phone calls and e-mails to 466,152 in 2011.

Read the whole study HERE.

DP fundamentals: Few facts on Information and Access

Among the concrete data protection rights individuals enjoy in Europe are the right to access data collected on them and the right to be informed about the processing of their data.

These rights are provided under Articles 10, 11 and 12 of Directive 95/46. However, great emphasis is placed on Article 12, which contains both the right of access and the right to confirmation that personal data are being processed by a given processor or operator.

Prof. Christopher Kuner writes in one of his books that “The rights granted to data subjects under Article 12 can present substantial difficulties for companies. First, given the distributed nature of computing nowadays, personal data may be contained in a variety of databases located in different geographic regions, so that it can be difficult to locate all the data necessary to respond to a data subject’s request. Indeed locating all the data pertaining to a particular data subject in order to allow him to know what data are being held about him to assert his rights of erasure, blockage etc. may require the data controller to comb through masses of data contained in various databases, which in itself could lead to data protection risks”.

He also writes that another source of problems in complying with Art. 12 is that Member States have transposed this provision differently with regard to the costs of access and the number of times it can be exercised. “For instance, in Finland the data controller may charge its costs in accessing the data and requests by data subjects are limited at one per year, while in UK the controller may charge a fee of up to 10 pounds for access to each entry and reasonable time must elapse between requests. This disharmony of the law creates problems for data controllers that process data of data subjects from different Member States.”

Source: Christopher Kuner, European Data Privacy Law and Online Business, Oxford University Press, 2003 (p. 71, 72)

You can find the book here:

European Data Privacy Law and Online Business

It took 15 years for the UK to pass its Data Protection Act

The history of data protection legislation section of this blog continues today with the story of how the UK needed 15 years to turn the initiative for data protection regulation into law. The process started in 1969 and ended in 1984. Below you will find a detailed history of the struggle to pass this bill:

It was at the end of the sixties that the United Kingdom Parliament began to be worried by increasing computerization and its consequences for the privacy of the individual citizen. Several Members of Parliament introduced Bills, but without success. (See for example the Data Surveillance Bill 1969 by Kenneth Baker and the Personal Records (Computers) Bill 1969 by Lord Windlesham).

The debate in and outside Parliament only really got under way with the publication in 1970 of a report by Justice, the British section of the International Commission of Jurists, entitled Privacy and the law. The Right of Privacy Bill contained in an annex to the report was introduced into Parliament virtually unchanged as a Private Member’s Bill by Brian Walden, M.P.

The ensuing debate in the House of Commons led to the setting up of the Committee on Privacy, also known as the Younger Committee, which presented its final report in 1972.

Following on from the Younger Report, three years later the Government published a White Paper, entitled Computers and Privacy.

The need for a data protection law was recognized both by the Government and the Parliament.

To this end a Committee on Data Protection was set up under the chairmanship of Lindop. The Lindop Report was published in December 1978. It contained thorough recommendations both as to the aims to be achieved and on the substance of future data protection legislation.

Following the Lindop Report, the government published in April 1982 a new White Paper containing a proposed Bill.

The first reading of the DPA Bill took place in the House of Lords on December 21, 1982. Passage of the Bill was stopped when Parliament was dissolved on May 13, 1983. An amended version was discussed in the House of Lords on June 23, 1983. It passed to the House of Commons on November 3 of that year, returning to the House of Lords on June 29, 1984. The DPA received the Royal Assent on July 12, 1984.

The Bill did not pass through the Houses of Parliament without a struggle. Compared to other British statutes it had a relatively long Parliamentary history. It appears from the debates that this was due in great part to the complexity of the subject-matter. Members of both Houses were regularly perplexed by the technical subject matter of the Bill and the complexity of its structure.

Source: A.C.M. Nugter, Transborder Flow of Personal Data within the EC, Springer, Netherlands, 1990 (p. 107 – 109)

You can find the book here: Transborder Flow of Personal Data Within the EC (Computer/law series)

The EU right to be forgotten, already criticized by US academics. Does it really threaten freedom of speech?

Professor Jeffrey Rosen published in the Stanford Law Review some very serious criticism of the right to be forgotten, soon to be enforced in the EU, stating mainly that it is a threat to freedom of speech. You can find the article HERE.

I don’t really see how obliging a person to erase an embarrassing photo of yourself infringes that person’s right to free speech. At least, one should balance the right to dignity against freedom of speech in a particular situation and afterwards make a decision in this respect.

Then again, the European system for the protection of human rights is very elaborate and exhaustive, a particular system, with concrete mechanisms of protection and precise principles to be effectively applied (such as the balance I was talking about).

Where is the freedom of speech breached here? “Any person should have the right to have personal data concerning them rectified and a ‘right to be forgotten’ where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them.” This is recital 53 of the Preamble of the proposed regulation for data protection, which means Art. 17 of the regulation should be interpreted according to the principles stated in this recital.

I think the provision is very clear and when reading it I feel my privacy protected and not my freedom of speech threatened.