Is Free Speech for Assholes?

The College of Law at the University of Arizona is holding a First Amendment conference in February; the public lecture, which features a bevy of free speech luminaries, is titled, “Is Free Speech for Assholes?” The panel will debate the virtues and pitfalls of current First Amendment doctrine, from corporate speech to hate speech to whether free expression is leading to a new Lochner era. Please attend!

When: Thursday, 25 February 2016, 12:15PM

Where: Room 164, James E. Rogers College of Law, University of Arizona, 1201 E. Speedway, Tucson, AZ

Who: Jack Balkin (Yale), Ron Collins (Washington), Genevieve Lakier (Chicago), Helen Norton (Colorado), Margot Kaminski (OSU), Seth Kreimer (Penn), David Skover (Seattle)

What else: free lunch!

Speech Holes Poster

Does the Ninth Circuit’s “Dancing Baby” Decision Mean Anything for Fair Use Under the DMCA’s Anticircumvention Rules?

Last fall, in Lenz v. Universal Music Corp., the Ninth Circuit ruled that copyright owners are required to have a procedure (even if it is mostly an automated, computer-implemented procedure) in place to consider whether someone else’s use of the copyright owner’s work online is legally protected under the fair use doctrine prior to sending a takedown notice to the site where the work has been posted. Failure to consider whether a use is fair, the court implied, disentitles the copyright holder to use the takedown procedure of 17 U.S.C. § 512(c) and (g) (which remains by far the most expeditious lawful means of removing allegedly infringing content from the internet). (For more on the background and consequences of the court’s decision, see Rebecca Tushnet’s analysis).

Rereading the court’s decision in preparation for my classes this semester, I was struck by the possible consequences of the Ninth Circuit’s reasoning for a different DMCA issue, to wit, whether fair use may be invoked as a defense to liability under the anticircumvention rules of 17 U.S.C. § 1201. The Ninth Circuit’s ruling strengthens, albeit perhaps only slightly, the argument that fair use belongs in the DMCA case law, and that those courts that have ruled that it doesn’t (including the Second Circuit in Universal City Studios, Inc. v. Corley, 273 F. 3d 429, 443-44, 458-59 (2d Cir. 2001); and [at least by implication] the Ninth Circuit’s own decision in MDY Industries, LLC v. Blizzard Entertainment, Inc., 629 F. 3d 928 (9th Cir. 2010)) were in error. Read more…

Copyright = Speech

I have an essay coming out in volume 65 of the Emory Law Journal, as part of the terrific 2015 Thrower Symposium. It’s titled “Copyright = Speech,” and here’s the abstract:

Expression eligible for copyright protection should be presumptively treated as speech for First Amendment purposes. Both copyright and the First Amendment share the goal of fostering the creation and dissemination of information. Copyright’s authorship requirement furnishes the key link between the doctrines. The Article examines where the two areas of law align and conflict in offering or denying protection. Using copyright law as a guide for the First Amendment offers three benefits. First, many free speech problems can be clarified when examined through copyright’s lens. Second, this approach makes the seeming puzzle of non-human speakers understandable. Finally, it can help end technological exceptionalism in First Amendment doctrine.

Comments and feedback welcomed!

Against Jawboning and Outrageous and Irrational

Volume 100 of Minnesota Law Review has just been published. “Against Jawboning” is in the first issue, along with “Outrageous and Irrational” by co-blogger / spouse Jane Bambauer, co-authored with constitutional law / First Amendment expert and friend Toni Massaro. Minnesota LRev continues to be one of the top venues for publishing information law scholarship, and we’re grateful for their support for the articles. Abstracts below:

Against Jawboning

Despite the trend towards strong protection of speech in U.S. Internet regulation, federal and state governments still seek to regulate online content. They do so increasingly through informal enforcement measures, such as threats, at the edge of or outside their authority—a practice this Article calls “jawboning.” The Article argues that jawboning is both pervasive and normatively problematic. It uses a set of case studies to illustrate the practice’s prevalence. Next, it explores why Internet intermediaries are structurally vulnerable to jawboning. It then offers a taxonomy of government pressures based on varying levels of compulsion and specifications of authority. To assess jawboning’s legitimacy, the Article employs two methodologies, one grounded in constitutional structure and norms, and the other driven by process-based governance theory. It finds the practice troubling on both accounts. To remediate, this Article considers four interventions: implementing limits through law, imposing reputational consequences, encouraging transparency, and labeling jawboning as normatively illegitimate. In closing, it extends the jawboning analysis to other fundamental constraints on government action, including the Second Amendment. This Article concludes that the legitimacy of informal regulatory efforts should vary based on the extent to which deeper structural limits constrain the government’s regulatory power.

Outrageous and Irrational

A wealth of scholarship comments on enumerated and unenumerated fundamental rights, such as freedom of speech, the right to marital privacy, and suspect classifications that trigger elevated judicial scrutiny. This Article discusses the other constitutional cases—the ones that implicate no fundamental right or suspect classification, but nevertheless ask for relief from uncategorizable abuses of power. These cases come in two forms: claims that the government’s conduct is outrageous (satisfying the “shocks the conscience” test), or claims that the government’s conduct is irrational (failing the rational basis test). Both forms trigger highly deferential judicial review and serve similar purposes. But they are on divergent trajectories. Courts have cautiously expanded use of the rational basis test in contexts as varied as gay marriage, hair braiding, and coffin sales. The outrageousness test, by contrast, is universally maligned and mistrusted.

We explain and vindicate both tests. We argue that the very features that attract reflexive scorn—their vagueness and flexibility—have a counterintuitive, normative, and practical beauty. They allow courts to occasionally strike down egregious abuses of power without expanding other constitutional rights. They allow limited judicial experimentation before introducing new rights or adding classifications to elevated scrutiny, enabling courts to reach results that have little doctrinal impact beyond their narrow facts. Thus, contrary to their reputations, the tests promote judicial restraint and preserve constitutional coherence.

Backpage, Dominatrixes, and a Victory Against Jawboning

Sheriff Thomas Dart, of Cook County, is a crusader against prostitution, sex trafficking, and related criminal activity. He has concentrated his efforts recently on Internet platforms such as Craigslist and Backpage, which have an “adult” section as thriving and variegated in its offers as any free weekly newspaper in a major metropolitan area. Dart is far from alone in opposing sex work, but like many crusaders, he feels free to move beyond the law’s limits to pursue higher goals. For example, he sent letters threatening Visa and MasterCard, which process payments for Backpage, with a series of legal and extra-legal consequences should the firms continue to do business with Backpage. Visa and MasterCard stopped. Backpage sued Dart.

Yesterday, the Seventh Circuit, in a concise and cutting opinion by Judge Richard Posner, rejected Dart’s attempt to paint his actions as informal suasion, and enjoined him from continuing his crusade. (The opinion brilliantly cites XOJane on being a dominatrix, discusses people who dislike pets, and casually drops a reference to phone sex.) It turns out the First Amendment means threats from Sheriff Dart to MasterCard get treated differently than threats from you or me. If I complain to MasterCard about its interaction with Backpage, and threaten to write a Tweet denouncing the company, no one at MC is going to reach for a Tums. Sheriff Dart, though, has a lot more firepower – albeit none of it lawful. 47 USC 230(c)(1) prevents Backpage from being held liable civilly, or under state criminal law, for content provided by a third party, such as the folks who advertise in the Adult section of the site. Backpage isn’t entirely in the clear: if the site violates federal criminal law it can be prosecuted (see 230(e)(1)). So, Dart can ask the feds to go after Backpage, but he can’t successfully prosecute or sue the site himself. The caselaw on this point is littered with the failures of better lawyers who have tried, and Dart himself went after Craigslist as a public nuisance and lost badly.

Dart was cunning enough, though, to know that he didn’t need to win in court against Backpage if he could beat them another way, such as cutting off their funding. That meant targeting payment processors, the favorite 21st century trick of law enforcement. He did just that, along several dimensions. First, he told Visa he’d hold a press conference about their relationship to Backpage – the contents of which would depend on whether they had severed their relationship with the platform. The content wasn’t subtle: “Obviously the tone of the press conference will change considerably if your executives see fit to sever ties with Backpage and its imitators. Of course we would need to know tonight if that is the case so that we can ensure the Sheriff’s messaging celebrates Visa’s change in direction as opposed to pointing out its ties to sex trafficking.” (opinion at p.8) Message received: a Visa employee referred to the exchange as “blackmail.” (p.8)

Second, he raised the possibility of federal criminal liability for the site for money laundering, which is a bit like a Pop Warner football coach threatening Miami with NCAA sanctions for violating collegiate rules. It’s not Dart’s decision to make.

Third, Dart wanted Visa and MasterCard to cut all transactions with Backpage, not just those related to the Adult section. The goal, obviously, is deterrence: to make it massively costly for Backpage to have an Adult section, even at the price of cutting off unrelated (and harmless) speech.

Why would Visa and MasterCard listen to a blowhard of a local sheriff? This is a question I tackle in a paper forthcoming in the Minnesota Law Review, Against Jawboning. Threats and informal pressures are routine in the modern administrative state. The problem is when officials engage in jawboning – when they threaten action at the edges of or wholly outside their legal authority, as Dart did. Jawboning is particularly problematic for Internet platforms, which largely subsist on third-party content. Any one piece of that content generally earns a minuscule amount for the platform. But if government threatens the platform for hosting that material, the Internet firm faces the full cost of the potential penalty and of defending against the action. It’s just good economics to comply, and to take down the material. Or, in this case, to drop Backpage as a customer. As Posner notes,

The revenue [MasterCard and Visa] derived from Backpage’s adult ads must have been a small fraction of their overall revenue, especially since not all of Backpage’s ad customers pay for their ads with a MasterCard or Visa credit card. Yet the potential cost to the credit card companies of criminal or civil liability and of negative press had the companies ignored Sheriff Dart’s threats may well have been very high, which would explain their knuckling under to the threats with such alacrity. (pp. 13-14)

Moreover, successfully defending any legal action is not a slam dunk. Defendants win most Section 230 cases, but the results are variegated. And judges make mistakes – in this case, the district court judge denied a preliminary injunction to block Dart’s power grab (with some particularly muddled reasoning about Sheriff Dart’s First Amendment rights, IMO). Thus, even very weak legal arguments can compel Internet platforms to censor content.

The Article argues that jawboning, in the context of Internet intermediaries, is normatively illegitimate. (If you’re unsympathetic to Backpage, which is understandable, you might consider the Obama administration using the banking system to cut off services to gun store owners, or the Bush administration trying to coerce ISPs into retaining data about their users’ activities. All three of these case studies are described in the Article.)

The trouble is that it’s quite hard to constrain jawboning. Legislation could narrow officials’ formal authority, but it is difficult to keep them from making threats anyway, from threatening to call in someone who does have enforcement authority, or from lobbying for more power. Constitutional doctrine imposes only weak and uncertain limits, via the unconstitutional conditions doctrine. Here, the state action and standing requirements operate to bar some plaintiffs from seeking relief, at least in federal court. As the Article argues, “Put simply, the political branches find jawboning too easy, attractive, and powerful to impose meaningful internal or interbranch checks on the practice. And, the demands of the modern administrative state make regulators wary of limiting informal enforcement.” Finally, hoping that regulators themselves forgo jawboning as a tool is to wish away the problem.

What can we do? I offer a few small-scale solutions: applauding firms that resist jawboning and decrying those who knuckle under (to provide a counterweight to governmental pressures on reputation); encouraging companies to be transparent about when and how jawboning occurs, perhaps with analogues to warrant canaries; and using the term “jawboning” as a term of disapprobation, in much the way the term “censorship” operates in common parlance.

The problem with jawboning is that, unlike in the case of Backpage and Dart, it typically operates offstage, with companies that are averse to the risk either of liability or bad publicity. Counterintuitively, this is what makes the weak formal legal position of enforcers like Dart so effective: their power operates best in an atmosphere of uncertainty and asymmetric costs. Hopefully the Seventh Circuit’s opinion will stiffen the backbones of companies, like Backpage, that face jawboning.


Sharing Shortcomings

I have a new essay coming out in Loyola University Chicago Law Journal titled Sharing Shortcomings. Comments and feedback are very much welcomed. Here’s the abstract:

Current cybersecurity policy emphasizes increasing the sharing of threat and vulnerability information. Legal reform is seen as crucial to enabling this exchange, both within the public and private sectors and between them. Information sharing is due for some skepticism, though, and this Essay (part of a symposium on Privacy in a Data Collection Society) attempts to provide it. Not only are there few real legal barriers to data exchange, but greater sharing will generate little benefit and will create significant privacy risks. This Essay creates a typology of vertical and horizontal information sharing, and argues that while top-down communication could be useful, it faces important practical impediments. The present focus on sharing increases the scope of the surveillance state unnecessarily and displaces more effective cybersecurity policy measures.

Ground Control to Major Dumb

The St. Louis Cardinals, one of baseball’s most famous teams, are under investigation (by both Major League Baseball and the FBI) for allegedly hacking into a data warehouse compiled by the Houston Astros. At first blush, this seems strange: the Cardinals play in the National League Central, and the Astros in the American League West. While all teams compete, this isn’t a bitter divisional rivalry, such as between the Red Sox and Yankees. So why break in?

In this case, it appears to be personal. Jeff Luhnow, currently general manager of the Astros, was formerly a player development executive for the Cardinals. He left, and took his (money)ball with him to Houston. There, Luhnow set up a data warehouse called Ground Control for the Astros, which the organization uses to catalog player data and rate its prospects. (It seems to be going well: the Astros, previously a laughingstock, are in first place at the moment in their division.) For the Cardinals, he’d done something similar, creating a system called Redbird to play the same role. Cardinals executives appeared concerned that Luhnow had engaged in theft of trade secrets or confidential information about how to evaluate players algorithmically. So, it seems that the Cardinals people tried Luhnow’s old password from Redbird on Ground Control, and it worked.

As Deadspin brilliantly notes, there is a lot of stupid in the story as currently understood. First, Luhnow apparently didn’t bother to change passwords when he changed teams. (This may be the only case study ever in favor of password change requirements.) Second, the Cardinals hacker team broke into Ground Control from a team member’s home. Third, ESPN “legal analyst” Lester Munson makes a genuinely hilarious series of errors in his screed. Just for fun, let’s tackle those:

  • Lester claims it’s not clear that this activity (if as alleged) by the Cardinals is a crime. Dead wrong. It’s a clear violation of the federal Computer Fraud and Abuse Act, 18 U.S.C. 1030. Take a look at 1030(a)(2). For criminal liability, there are but three elements: 1) intentional access without authorization (or exceeding authorized access), to 2) a protected computer (defined as “used in or affecting interstate or foreign commerce or communication” by 1030(e)(2)(B)), and 3) obtaining information. The Cardinals folks (allegedly again) intentionally accessed Ground Control. Ground Control affects interstate commerce – that’s both the business of Major League Baseball, and being connected to the Internet – so it’s a protected computer. And the Cardinals retrieved information from Ground Control. That’s it. Lester claims that “the prosecutor must be able to show that the information was the work product of significant efforts by Astros officials and, more importantly, was not available elsewhere.” This is completely wrong. Lester appears to be channelling trade secret theft, which is 1) a state crime, not a federal one, under these circumstances, and 2) totally unrelated to computer crime statutes. (Texas has a state-based computer crime offense that prosecutors could charge, too. Check out Section 33.02 of Title 7 of the Texas Penal Code: “A person commits an offense if the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner.” Even easier to prove than the CFAA violation.) [Update 11:16AM: Of course, federal prosecutors could also charge under 18 U.S.C. 1832, which I just re-checked. It is frequently used against hacking to benefit non-US interests, but the language covers interstate commerce, too.]
  • Lester needs a refresher on how intent works in criminal law. Here he is again: “the prosecutor must be able to show that Cardinals executives knew they were committing a crime. If the Cardinals’ activity was just a dirty trick or an attempt at getting even with a former colleague, the hacking might not qualify as a crime.” NO NO NO. Ignorance of the law is no defense. You have to look at the applicable statute. For the CFAA, for example, the key is intentional access to a computer. That’s the mens rea element – the defendants don’t have to know anything about computer crime law. They just have to have the intent to access a computer, and then carry out such access. This is Crim Law 101.
  • Lester doesn’t bother to consider criminal liability for trade secret theft under Texas law. Section 31.05(b) of the Texas Penal Code makes it a felony if: “without the owner’s effective consent, he knowingly: (1) steals a trade secret; (2) makes a copy of an article representing a trade secret; or (3) communicates or transmits a trade secret.” If Ground Control contains trade secrets (and I bet it does) and the Cardinals stole them, they can be liable under Texas law. Lester is even incorrect about prosecution here – you have to show that the thing stolen / transmitted is a trade secret, defined in 31.05(a)(4) as “the whole or any part of any scientific or technical information, design, process, procedure, formula, or improvement that has value and that the owner has taken measures to prevent from becoming available to persons other than those selected by the owner to have access for limited purposes.” The statute doesn’t state that the information must not be publicly available, although courts at times read in such a requirement based on common law precedent.
  • I’d also disagree with Lester’s conclusion that it’s a mistake for the FBI to tackle this intrusion. MLB is big business, and we’ve decided to have prosecutors go after computer hacking, especially when it’s big business. Sure, maybe we’d like the FBI to spend more time on hacking of government data and less on private firm attacks, but given where we are on hacking enforcement, there doesn’t seem anything improper about this investigation, especially since prosecution of executives of a famous baseball franchise would likely have significant deterrence effects.

The whole episode tastes of fail.

The Crane Kick and the Unlocked Door

Cybersecurity legislative and policy proposals have had to grapple with when (if ever) firms ought to be held liable for breaches, hacks, and other network intrusions. Current approaches tend to focus on the data that spills when bad things happen: if it’s sensitive, then firms are in trouble; if not personally identifiable, then it’s fine; if encrypted, then simply no liability. This approach is a little bit strange, by which I mean daft: it uses the sensitivity of the information as a proxy for both harm (how bad will the consequences be?) and precautions (surely firms will protect more sensitive information more rigorously?).

I propose a different model. We should condition liability – via tort, or data breach statute, or even trade secret misappropriation – based upon how the intruders gained access. Let’s take two canonical examples. One exemplifies the problem of low-hanging fruit – or, put another way, the trampling of the idiots. Sony PlayStation Network (Sony is a living model for how not to deal with cybersecurity) apparently failed to patch a simple bug in their database server that was widely known (an SQL injection attack, for the cognoscenti). Arthur the dog would have patched that vulnerability, and he is a dog who is continually surprised to learn that farts are causally connected to his own butt. On the other hand, Stuxnet and Flame depended upon zero day vulnerabilities: there is, by definition, no way to defend against these attacks. They are like the Crane Kick from “The Karate Kid”: if do right, no can defense.

So why would we measure vulnerability based on data rather than precautions? The latter is a classic tort move: we look at whether the defensive measures taken are reasonable, rather than whether the harm that resulted is large. I would suggest a similar calculus for cybersecurity (ironic in light of software’s immunity from tort liability): if you get pwned based on something you could have easily patched, then you’re liable for every harm that a plaintiff can reasonably allege. In fact, I’m perfectly happy with overdeterrence here: it’s fine with me if you get hit for every harm a creative lawyer can think of. But if your firm gets hit by a zero day attack against your Oracle database, you’re not liable. (There are some interesting issues here about who can best insure against this residual risk; I’m assuming that companies are not the best bearers of that risk.)
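The proposal boils down to a simple decision rule, which can be sketched in a few lines of Python. Everything in this sketch – the field names, the attack categories, and the 30-day grace period – is my own assumption for the sake of concreteness, not anything drawn from a statute or from the proposal itself:

```python
# Hypothetical sketch: condition liability on how the attacker got in,
# not on what data spilled. Categories and threshold are illustrative.
from dataclasses import dataclass

@dataclass
class Breach:
    vector: str            # e.g. "sql_injection", "zero_day", "phishing"
    patch_available: bool  # was a fix publicly known before the breach?
    days_unpatched: int    # how long the known fix sat unapplied

def liable(breach: Breach, grace_period_days: int = 30) -> bool:
    """Liability attaches when the intrusion exploited a weakness the
    firm could easily have closed; a true zero day exploits nothing
    the defender could have patched, so no liability."""
    if not breach.patch_available:
        return False  # the Crane Kick: no way to defend, no liability
    return breach.days_unpatched > grace_period_days

# The Sony-style case: a widely known hole, long unpatched -> liable.
assert liable(Breach("sql_injection", patch_available=True, days_unpatched=180))
# The Stuxnet-style case: a zero day, no patch existed -> not liable.
assert not liable(Breach("zero_day", patch_available=False, days_unpatched=0))
```

The interesting policy work, of course, lives in the inputs: deciding whether a patch counts as “available” and how long is too long is exactly where the forensic questions arise.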

This leaves some hard questions: what about firms that have stupid employees who open e-mails loaded with zero day exploit code? We might need a more sophisticated analysis of precautions. How was your desktop A/V? Did you segment your network? Did you separate your data to make it harder to identify or exploit?

To take up one obvious objection: this scheme requires some forensics. One must determine why a breach occurred to fix liability. But: firms do this analysis already. They have to figure out how someone broke in. We can design rules to protect secrets such as network defenses, and any litigation is likely to take place months if not years after the fact. I think it’s unlikely that firms will be able to effectively game the system to show that intrusions resulted from impossible attacks rather than someone jiggling doorknobs to find unlocked ones. And, we could play with default rules to deal with this problem: companies could be liable for breaches unless they could show that attackers exploited unknown weaknesses. If we’re worried about fakery, we could require that firms prove their case to a disinterested third party, such as Veracode or FireEye – companies with no incentive to cut a break to weak organizations. Or, we could set up immunity for firms that follow best practices: encrypt your data, patch known vulnerabilities in your installed software base, provide for resilience / recovery, and you’re safe.

I think we should differentiate liability for cybersecurity problems based on how the attackers broke in. Were you defeated by the Crane Kick? If so, then you get sympathy, but not liability. But if it turns out that you left the front door unlocked, then you’re going to have to pay the freight. We can’t expect miracles from IT companies, but it makes sense to require them to do the easy things.

In Memoriam: Greg Lastowka

I am deeply saddened to learn of the death of my friend Greg Lastowka, a professor at Rutgers-Camden School of Law. Greg was a pioneer in studying virtual worlds and video games, and his work forms a good part of the foundation in that field. His work had that wonderful quality of the best scholarship: it was utterly new, and yet once you’d read it, you couldn’t believe that anyone had ever thought differently. It made the instant transition from novelty to accepted wisdom that only the best work achieves.

Far more important, though, was that Greg was a terrific person. He was wise and funny, and genuinely unassuming. He supported those, like me, who were junior cyberlaw scholars, and he could give insightful feedback to senior profs in a way that they could hear. He had a fascinating life – as a lawyer, as a member of the Peace Corps, as an academic, and as a husband and father. Scrolling through Facebook posts, I’d notice that Greg had added a new image of one of his sons’ latest pieces of artwork, or a new bit of software code one of them had written. His quiet pride in and love for his family was plain. And, in the face of a terrible diagnosis, Greg demonstrated remarkable courage, humor, and tenacity.

My heartfelt sympathies and condolences go out to his wife Carol, his sons Adam and Daniel, his colleagues at Rutgers-Camden, and his many friends.

Greg’s dean, John Oberdiek, has a moving tribute to him (with thanks to Larry Solum).

Is De-Identification Dead Again?

Earlier this year, the journal Science published a study called “Unique in the Shopping Mall: On the Reidentifiability of Credit Card Metadata” by Yves-Alexandre de Montjoye et al. The article has reinvigorated claims that deidentified research data can be reidentified easily. These claims are not new, but their recitation in a vaunted science journal led to a new round of panic in the popular press.

The particulars of the actual study are neither objectionable nor enlightening. The authors demonstrate that in highly dimensional databases (that is, those with many variables that can take many different values), each person in the database is distinguishable from the others. Indeed, each person looks distinguishable from the others based on just a small subset of details about them. This will not surprise anybody who actually uses research data, because the whole point of accessing individual-level data is to make use of the unique combinations of factors that the people represented in the database possess. Otherwise, aggregated tables would do. What is surprising, however, is the authors’ bold conclusions that their study somehow proves that data anonymization is an “inadequate” concept and that “the open sharing of raw deidentified metadata data sets is not the future.” How Science permitted this sweeping condemnation of open data based on such thin evidence is itself a study in the fear and ideology that drive policy and scientific discourse around privacy.

What the de Montjoye Study Actually Demonstrated

The credit card metadata study used a database consisting of three months of credit card records for 1.1 million clients in an unspecified OECD country. The bank removed names, addresses, and other direct identifiers, but did nothing else to mask the data. The authors used this database to evaluate the chance that any given person is unique among clients in the database based on X number of purchase transactions. So, using an example from the paper, if Scott was the only person who made a purchase at a particular bakery on September 23rd and at a particular restaurant on September 24th, he would be unique with only two transactions within the database. The authors use these “tuples” (place-date combinations) to estimate the chance that a person in the database looks unique compared to the other data subjects. They found that 90% of the data subjects were unique in the database based on just four place-date tuples. And the rate of uniqueness increased if approximate price information was added to each tuple.
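The study’s unicity measure is easy to reproduce on synthetic data. The toy Python simulation below is my own sketch of the approach; the numbers of merchants, days, clients, and transactions are arbitrary assumptions, so the resulting percentages illustrate the shape of the effect, not the paper’s actual findings:

```python
# Toy unicity measure: draw k place-date tuples for a person and ask
# whether anyone else's transaction history also contains all k.
import random

random.seed(0)
PLACES, DATES = range(50), range(90)  # 50 merchants, ~3 months of days

# Each synthetic "client" is a set of (place, date) transactions.
clients = [
    {(random.choice(PLACES), random.choice(DATES)) for _ in range(40)}
    for _ in range(1000)
]

def unicity(clients, k):
    """Fraction of clients uniquely pinned down by k random tuples."""
    unique = 0
    for txns in clients:
        sample = set(random.sample(sorted(txns), k))
        # Count every client whose history contains all k tuples
        # (the person themself always matches their own sample).
        matches = sum(1 for other in clients if sample <= other)
        if matches == 1:
            unique += 1
    return unique / len(clients)

for k in (1, 2, 4):
    print(f"k={k}: {unicity(clients, k):.0%} unique in sample")
```

Even in this crude setup, uniqueness within the sample climbs rapidly as k grows, which matches the paper’s qualitative finding. Whether that number means anything about reidentification is the question taken up next.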

The authors treat database uniqueness and reidentifiability as one and the same. That is, the authors treat the chance that a person is unique in the dataset based on X number of tuples as the chance that the person can be reidentified.

I am sympathetic to the authors’ goal of finding a concrete, quantifiable measure of privacy risk. But database uniqueness should not be its measure. Measures of sample uniqueness systematically exaggerate the risk of reidentification. Consequently, any research and data sharing policy that relies only on sample uniqueness as the measure of re-identification risk will strike the balance of privacy and data utility interests in the wrong place.

Problem 1: Sample Uniqueness is Not Reidentification. (It’s Not Even Actual Uniqueness.)

The greatest defect in the Science article is treating uniqueness within a sample database as equivalent to “reidentification,” which the authors do several times. For example, the authors state that 90% of individuals can be “uniquely reidentified” with just four place-date tuples. I suspect that most readers interpreted the article and its subsequent coverage in the popular media to mean that if you know just four pieces of place-date purchase information for a person, you are 90% likely to be able to figure out who they are in the de-identified research database. But the authors did not come close to proving that.

The problem is that uniqueness in a deidentified research database cannot tell us whether the data subject is actually unique in the general population. The research database will describe only a sample of the population, and may be missing a lot of information about each of its data subjects. Inferring actual uniqueness from database uniqueness requires some extra information and modeling about what proportion of the population is sampled, and how complete the data about them is.
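The gap between sample uniqueness and population uniqueness is easy to see in a simulation. In this sketch (every number is invented for illustration), a noticeable share of people look unique within a small research sample even though, by construction, virtually no one is unique in the full population:

```python
# Sample uniqueness vs. population uniqueness: a person can be the only
# one with their attributes among the sampled records while sharing
# those attributes with hundreds of people outside the sample.
import random
from collections import Counter

random.seed(1)
# 100,000 people described by two quasi-identifiers with 20 values each,
# so only 400 possible combinations -- nobody is truly unique.
population = [(random.randrange(20), random.randrange(20))
              for _ in range(100_000)]
sample = random.sample(population, 1_000)  # a 1% "research database"

pop_counts = Counter(population)
samp_counts = Counter(sample)

unique_in_sample = [p for p in sample if samp_counts[p] == 1]
truly_unique = [p for p in unique_in_sample if pop_counts[p] == 1]

print(f"unique in sample: {len(unique_in_sample) / len(sample):.0%}")
print(f"of those, unique in population: "
      f"{len(truly_unique) / max(len(unique_in_sample), 1):.0%}")
```

The sample-unique records here are all false alarms: an adversary who matched four attributes against the research database would still face hundreds of candidates in the real world.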

To give an extreme example, let’s go back to “Scott”—the credit card-holder who went to a bakery on September 23rd and a restaurant on September 24th. Suppose that his data was part of a research dataset that included the purchase histories of just ten credit card customers. Using this database on ten people, could we reliably say anything about whether Scott was the only person in his city to go to the bakery and the restaurant? Of course not. We may have a hunch that the city’s inhabitants are unlikely to go to this bakery and that restaurant on the same days that Scott did, but we’d be using our intuitions rather than the research data to draw our conclusions about uniqueness. Read more…