Ohlhausen on Big Data and Consumer Harm

At today’s conference on Privacy Principles in the Era of Massive Data, co-sponsored by the Georgetown University McCourt School of Public Policy and the Georgetown Law Center, Maureen K. Ohlhausen, Commissioner at the Federal Trade Commission, delivered a thoughtful keynote address on The Power of Data.

She emphasized the value of the new computational techniques that arise in the context of data sets that are larger in volume than traditional data sets, that are composed of a greater variety of data types, and that change at a much faster velocity. These characteristics of volume, variety and velocity enable data scientists to generate insights that were previously impossible to anticipate from traditional static data bases.

This unanticipated quality of the new computational techniques challenges traditional notions of privacy protection. For instance, it creates a tension with the traditionally understood privacy principles of notice and purpose specification.  As Commissioner Ohlhausen pointed out succinctly, “…companies cannot give notice at the time of collection for unanticipated uses.”  These novel uses also challenge the idea that data collection should be minimized and data discarded as soon as possible:

“Strictly limiting the collection of data to the particular task currently at hand and disposing of it afterwards would handicap the data scientist’s ability to find new information to address future tasks.”

So what should the FTC do?  The Commissioner approvingly referenced the FTC’s action in the Spokeo case, where the agency fined the company for failure to follow the requirements of the Fair Credit Reporting Act.  Going forward she thinks that the FTC “should use its traditional deception and unfairness authority to stop consumer harms that may arise from the misuse of big data.”

SIIA agrees.  In our recent White Paper and comments filed with the FTC in their consumer scoring workshop we urged the Commission to use its existing powers under the current regulatory regime to bring bad actors to task for failing to follow consumer protection rules.   This can only help the growth of big data analysis by making sure that edge-riders do not tarnish the new computational techniques.

Moreover, the Commissioner thinks that the FTC should continue its convening role in holding workshops to explore “the nature and extent of likely consumer and competitive benefits and risks.”  In this regard, SIIA found the FTC’s March workshop insightful and looks forward to the Commission’s workshop in September on big data and low income and underserved consumers.

As to principles that should govern the FTC’s actions on big data going forward, the Commissioner was clear that the agency “must identify substantial consumer harm before taking action.”  SIIA endorses this idea that only a significant risk of substantial consumer harm justifies new regulatory action.

Ben Wittes from the Brookings Institution, commenting as part of the discussion panel that followed the Commissioner’s talk, echoed this theme of focusing on harm, instead of abstract notions of privacy.  In his view, when data use is outside of the normal social expectations of data use typical of the context in which the data has been collected, agencies should consider regulatory action only when the data use is hostile to the data subject’s interests.  Determining which uses are harmful, then, becomes a primary task for advocates, industry and policymakers.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow Mark on Twitter at @Mark_MacCarthy

Big Data Improves Education Around the World

A recent article by the head of the International Finance Corporation, an affiliate of the World Bank Group, urged the responsible use of big data analytics to improve student learning around the world. IFC works in more than 100 developing countries supporting companies and financial institutions to create jobs and contribute to economic growth.  Supporting improved education is one of their strategic priority programs.

The IFC article highlighted several initiatives that they are supporting:

  • Bridge International Academies in Kenya uses adaptive learning on a large scale in its 259 nursery and primary schools, with monthly tuition averaging $6. By deploying two versions of a lesson at the same time in a large number of classrooms, Bridge can determine which lesson is most effective and then distributes that lesson throughout the rest of its network.
  • SABIS provides K-12 education in 15 countries including in Asia, the Middle East, and North Africa. It mines large data sets for more than 63,000 students, collecting more than 14 million data points on annual student academic performance that are used to shape instruction and achieve learning objectives.
  • Knewton is an adaptive learning platform that partners with companies like Pearson, Cengage, Houghton Mifflin Harcourt, and Wiley to personalize digital courses using predictive analytics.

These uses of big data analytics will improve learning in developing countries and the IFC should take pride in its leadership role in spreading these techniques around the globe.

Some are concerned that the new use of data for improved learning threatens student privacy. As a recent Wall Street article says:

“Perhaps the biggest stumbling block to using data in schools isn’t technological, though. Rather, it’s the fear that doing so will invade the privacy of students.”

The IFC recognizes the concern and urges policymakers to get out in front of the issue and to design privacy protections into big data projects from the ground up to make sure that the information is used appropriately to support learning:

“To realize those benefits – and to do so responsibly – we must ensure that data collection is neither excessive nor inappropriate, and that it supports learning. The private sector, governments, and institutions such as the World Bank Group need to formulate rules for how critical information on student performance is gathered, shared, and used. Parents and students deserve no less.”

SIIA agrees.  As part of our effort to encourage privacy by design in the educational context, we recently published our recommended best practices for providers of educational services to schools, focusing on the need for an educational purpose, transparency, proper authorization and security in the use of student information.

The Administration’s review of privacy and big data is examining this issue in general and as it applies to student privacy.  We look forward to working with them to make sure that the promise of better learning for the world’s students is fulfilled through the responsible use of big data analytics.


Mark MacCarthy, Vice President, Public Policy at SIIA, directs SIIA’s public policy initiatives in the areas of intellectual property enforcement, information privacy, cybersecurity, cloud computing and the promotion of educational technology. Follow Mark on Twitter at @Mark_MacCarthy

SIIA in Comments to the FTC Urges Focus in Consumer Score Regulation on Prevention of Actual Harm

SIIA today submitted comments in response to the FTC’s Workshop on Alternative Scoring Products in conjunction with a press statement. The FTC’s March seminar focused on unpacking what’s going on in alternative scoring, the implications for privacy and consumer rights, and what – if anything – needs to be done. For a transcript of the proceedings, click here.

SIIA summarized its main comment on the proceedings as follows:

“The current statutory and regulatory framework seems to be adequate for addressing the issues raised by the use of predictive analytics in general and the use of consumer scores as described in the Commission’s March 19 workshop.”

It is SIIA’s view that the workshop did not reveal evidence of significant unregulated harmful acts or practices that could result from the use of consumer scores. Thus, in the absence of such evidence, the FTC should not contemplate additional privacy requirements for consumer scores.

That is not to say that the FTC should nothing. SIIA advocates monitoring the marketplace to ensure that,

  1. Strong and effective enforcement measures are taken against firms that violate current statutory or regulatory constraints, and
  2. To ascertain whether there are business practices that could lead to consumer harm, but are not addressed adequately within the current framework

SIIA is of the opinion that if the need for additional consumer protections is substantiated by compelling evidence, these protections should be undertaken at the stage of usage or implementation, rather than at the stages of data collection or analysis.

As an alternative to increased government regulation, companies need to take on a greater role in consumer protection. Such an accountability framework would shift the burden of responsibility for protecting consumers from harm, from the data subject to those entities that engage in collection, analysis and use of such data.

To read SIIA’s comments in full, click here.


Sabrina Eyob is the Public Policy Coordinator at SIIA. Follow the Policy team on Twitter @SIIAPolicy.

Digital Policy Roundup

District Court Upholds FTC Data Security Authority

On April 7, U.S. District Judge Esther Salas in New Jersey upheld the Federal Trade Commission’s authority to bring cases against firms for failure to observe reasonable security practices. The FTC has brought over 30 data security cases in the last decade, but the hotel chain Wyndham World challenged that authority in court in 2012 after the FTC brought a case against them. The judge refused to “carve out a data-security exception to the FTC’s authority” to protect consumers, saying Wyndham’s position would “bring us into unchartered territory.” The judge, however, also said her ruling “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” The ruling was silent on the merits of the underlying complaint, and Wyndham said it continued to believe that the FTC lacked authority to bring the case.

European Court Rejects Data Retention Mandate

The European Court of Justice (ECJ) ruled today that the 2006 EU directive requiring telecom operators to retain data for two years in invalid. The directive, which was passed as an anti-terrorism measure after the July 7, 2005 London subway and bus terrorist bombings, obliged telecom firms to keep data for two years about customer locations, calls texts and emails. The operators were not obliged to keep the contents of these communications. However, the ECJ still ruled that the directive contravened the EU’s Charter of Fundamental Rights and therefore recommended that the directive be overturned. The directive has been controversial since it was passed and some member states such as Germany have not passed legislation implementing it. The ECJ heard the case in response to complaints from civil society groups about telephone data retention laws in Ireland and Austria. Those laws can now be challenged. Member of the European Parliament and General Data Protection Regulation Rapporteur, Jens Albrecht, welcomed the ruling.

House Committee Ponders Preservation and Reuse of Copyrighted Works

Last week, the House Judiciary Subcommittee on Courts, IP and the Internet held a hearingon Preservation and Reuse of Copyrighted Works. The hearing spanned a wide range of topics, and Committee Chairman Goodlatte (R-VA) expressed interest in several key issues, including digitization in cases of deterioration of works caused by age and decay; the notion that Copyright Act is outdated in the digital age; how to best allow public access to works that may have been abandoned; and technological platforms to connect users and copyright owners. However, there was no uniform view from the six witnesses testifying, nor were there consensus positions demonstrated by committee members. In all, the hearing provided another significant input into the Committee’s ongoing copyright review process. For more information about the hearing and witness testimony, check out the Cmte site.

Recommended Read: The Global War for Internet Governance

Professor Laura DeNardis discussed her book: “The Global War for Internet Governance” at the New America Foundation on April 3. DeNardis book is timely, especially given the Commerce Department’s March 14 decision to privatize the Internet Domain Name Function. She stated that this decision was, in fact, a “big deal.” Brazilian Embassy Minister Counselor Benoni Belli said that as a result of the decision, the atmosphere surrounding the April 23-24 Internet Governance “Netmundial” conference in Sao Paulo is much better. Briefly, the management of the Internet’s root zone file will be transferred from ICANN and Verisign to a multistakeholder body as early as 2015 when the ICANN/Versign contracts with the Department of Commerce lapse. There are conditions though, chiefly that whatever model emerges supports and enhances the multistakeholder approach. DeNardis supports “multistakeholderism,” although she cautioned that the multistakeholder approach is not the answer to every Internet Governance challenge.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.

Digital Policy Roundup

SIIA Weights in with White House on “Big Data and Privacy”

On Monday, SIIA submitted comments in response to the White House’s request for information on how the government can best protect citizens’ privacy in the age of “big data” analytics. SIIA’s overarching recommendation for policymakers is to proceed cautiously when considering new data policies, as these are likely to steer the future of data-driven innovation and the scope of what is possible for American innovation for decades to come. Policies that seek to curb the use of data could stifle this nascent technological and economic revolution before it can truly take hold. Additional inputs for the ongoing Obama Administration big data review process include full day workshops at UC Berkely on April 1st, and NYU on March 17th. The Administration is expected to release the outcome of the 90 day review on April 17th.

Student Data Privacy Legislative Update

Student data privacy bills are pending in a majority of state legislatures, though few have reached the finish line. Most notably, SB 167 was defeated in Georgia, a significantly modified version of NY S6007 was included in the NY State Budget signed into law yesterday, and discussions are ongoing regarding CA SB 1177. SIIA continues to emphasize the need to limit restrictions to “personally identifiable” information, the challenges to schools of parent opt-in/out policies, the important use of meta-data to drive product algorithms, and that one-size requirements on service providers will not work if they fail to address school primary governance in areas such as breach notification, data deletion, and access and correction. Meanwhile, U.S. Senator Markey (MA) indicates continued work toward introducing a bill to amend the Federal Family Educational Rights and Privacy Act (FERPA). SIIA members interested in student privacy should contact SIIA’s Mark Schneiderman.

New School Technology Funding Advances

State and federal initiatives are advancing around technology access, infrastructure and related educator supports. The 2014-2015 New York State Budget signed into law yesterday will authorize up to $2 billion from state bonds to fund school broadband infrastructure and student devices, pending voter approval, with funding distributed on a needs-base formula over the next few years to schools with a state approved technology plan. Equity in technology access was among the SIIA recommendations in testimony 18 months ago to Governor Cuomo’s education reform commission. At the federal level, the FCC issued a second NPRM for the E-rate, calling for comments on their proposed rules, including to prioritize new funding for internal connections including school Wi-Fi, eliminate or phase out voice support, and potentially provide funding eligibility to caching servers and network filtering software. Finally, President Obama’s 2015 Education Budget proposal includes $200-$500 million for a new ConnectEDucators program, which would provide competitive grants for teacher and principal professional development in the improvement of curriculum and instruction through technology.
[Read more...]

Governments can harness the power of data to advance national goals while protecting privacy

SIIA submitted comments yesterday  in response to the White House’s request for information on how the government can best protect citizens’ privacy in the age of big data analysis. We concur with the goals of President’s Obama’s Big Data Initiative to harness the power of data to advance national goals such as economic growth, education, health, and clean energy; use competitions and challenges; and foster regional innovation. Technologists, privacy advocates and policymakers can work together to foster the societal, governmental and business opportunities provided by data-driven innovation, while also meeting the challenge of protecting privacy.

SIIA’s overarching recommendation for policymakers is to proceed cautiously when considering new data policies, as these are likely to steer the future of data-driven innovation and the scope of what is possible for American innovation for decades to come. Policies that seek to curb the use of data could stifle this nascent technological and economic revolution before it can truly take hold. SIIA therefore urges you to avoid support for broad policies that will dramatically curb data collection and analysis.

Other key points contained in SIIA’s big data comments include:

• The vast majority of big data is not personal or sensitive data, and the vast majority of new insights generated from big data analysis do not rely on personal information.

• Uninhibited cross-border, or cross-jurisdictional, data flows is perhaps the single greatest need for innovative U.S. companies to continue growing around the world.

• Big Data policies need to promote technology neutrality and avoid technology mandates, recognizing there is no one-size-fits-all approach.

• It is necessary to think creatively about any new policy regime governing privacy in the “era of big data,” one which increases risk assessment and appropriate data uses by entities—this review should also consider how existing laws have in many ways continued to function effectively and provide a significant degree of protection.

• Governments should continue to embrace open data policies and public-private partnerships that maximize access to critical public data.

Read our full comments, and our 2013 white paper explaining how this innovation presents tremendous economic and social value, capable of transforming the way we work, communicate, learn and live our lives.


David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPolicy.

Georgia Student Privacy Act Would be a Barrier to Student Learning

Senate Bill 167 is receiving much debate in Georgia, centered largely on its primary task of pulling the state back off  of the Common Core State Standards (CCSS). But also included in the controversial bill is a Part II, the so-called “Student Right to Privacy Act.” The Georgia House Education Committee met yesterday to consider SB167, and heard from more than 60 passionate educators, parents and business leaders. While the focus was on the CCSS provisions, SIIA (see 2:16:50 of the March 5 video) and a chorus of eduction (e.g., at 1:27:25), social welfare and business leaders spoke up against the privacy regulations. None cited a problem that needed fixing, while all raised concern with the unintended consequences of restrictive regulations that undermine necessary decision making by local administrators and school boards.

SIIA agrees with the need to safeguard student privacy and data security. A strong network of laws and business practices now does so. SIIA agrees with those concerned that Senate Bill 167 may inappropriately and unnecessarily inhibit core educational functions necessary to serve Georgia’s students.

Schools and service providers have policies and procedures in place to limit the use student personal information to legitimate educational purposes, and safeguard student privacy. For example, the federal Family Educational Rights and Privacy Act (FERPA) requires that: (1) personal student information shared with service providers be limited to uses otherwise performed by the school’s own employees; (2) the provider be under direct control of the school; and (3) the information can only be used for educational purposes. And FERPA and COPPA require parental consent if the service provider wants to use or disclose the information for its own commercial purposes. Responding to the calls for additional industry self-regulation, SIIA has released Industry Best Practices as another step to ensure safeguarding of student information.  This network of laws and practices is safeguarding student privacy and data security.

With regard to Senate Bill 167, the scope, scale, complexity and lack of clarity of the bill’s procedural and technical requirements are significant and challenging to address. The bill creates barriers and disincentives to local school systems to enhance their use of modern technologies and data systems for educational innovation and improvement, just at a time when the state is making continued investments in technology infrastructure and digital learning access.  The bill will have a chilling effect.

  1. While providers are working with schools to help them support the personalization of learning, the very broad restrictions on use of all student information for so-called commercial purposes may interfere with desired educational activities. SIIA does not defend the sale of personal student data, and such sale is already prohibited by federal law. But the bill would inhibit the use of student data to improve product efficacy, and to support recommendation engines and other analytics aimed at addressing the unique needs of each student.
  2. The bill is inconsistent in the types of student information regulated and includes narrow, one-size-fits all restrictions on the educational use and sharing of student information, whether personally identifiable or not, including duplicative requirements around testing and cloud computing. This will create barriers to use of information appropriate and necessary for educational purposes, including with subcontractors and school directed partners.
  3. Many breach notification requirements are inconsistent with standard best practices. For example, required notification of all ‘suspected’ breaches could create false-positive user fatigue, diminishing attention to actual breaches. The bill also excludes standard criteria around actual harm such as in the case of encrypted data or inadvertent exposure by educators. And, ironically, the bill would inappropriately require third parties to notify parents of a breach, thus giving them access to personal parental information to which they would/should not otherwise have access.
  4. The bill puts in place a series of escalating and potentially very large financial penalties for violations of sometimes vague requirements, not distinguishing based upon harm, negligence or intent. There appears no opportunity to first correct the violation, or for appeal. This all will provide a disincentive for outside parties to conduct business in Georgia.
  5. The prohibition on student biometric data will restrict appropriate and important educational activities, including for: (1) student identity verification for online learning or device security, and (2) embedded voice and visual diagnostics for language learning and reading comprehension. Some of these require personally identifiable information, while many do not. In all cases, broader practices and laws already ensure student privacy and data security.
  6. Lastly, while these concerns have focused on those directly impacting school service providers, SIIA notes that there are many burdensome requirements on local school systems and institutions.

In short, SIIA is concerned that SB167, while well-intentioned, is overly inclusive and restrictive. Transparency is critical, but one-size-fits-all requirements will detrimentally limit innovation, appropriate local school decisions, and appropriate educational services that benefit Georgia students. For service providers, there are significant risks and costs that may discourage doing business in Georgia.

While many of these issues are now best handled by existing federal law, state agency guidance, and local school boards, SIIA will continue to work with policy makers in Georgia and across the country on any identified needs to further ensure privacy protections for all Georgia students.