Episode 1: Information Privacy – it’s complicatedSeptember 10, 2019
In our first episode, we discuss the basics of privacy with Trevor Hughes, the President and CEO of the International Association of Privacy Professionals. Our discussion focuses on the rapid pace of technological innovation and how our laws and policies are keeping up (or not). We also discuss current consumer expectations of privacy and how society has handled privacy issues for generations, from Roman statues to the invention of flexible film.
In our first podcast episode, we discuss the basics of privacy with Trevor Hughes, the President of the International Association of Privacy Professionals. Our discussion focuses on the rapid pace of technological innovation and how our laws and policies are keeping up (or not). We also discuss current consumer expectations of privacy and how society has handled privacy issues for generations, from Roman statues to the invention of flexible film.
J. Trevor Hughes is the CEO of the International Association of Privacy Professionals (IAPP), the world’s largest association of privacy professionals. The IAPP promotes, defines and supports the privacy profession globally. Trevor is widely recognized as a leading privacy expert, appearing at SXSW, RSA and other privacy and technology events. He has contributed to media outlets such as the New York Times, TechCrunch and WIRED and has provided testimony on issues of privacy, surveillance and privacy-sensitive technologies before the U.S. Congress, the U.S. Federal Trade Commission, British Parliament and more. Hughes received his undergraduate degree from the University of Massachusetts, Amherst and his Juris Doctor from the University of Maine School Of Law, where he is also an adjunct professor and member of the Law Foundation Board.
Connect with Us
Produced by the University of Maine Graduate and Professional Center, with help from WMPG
- International Association of Privacy Professionals (IAPP)
- University of Maine School of Law
- The Right to Privacy – Samuel D. Warren and Louis D. Brandeis; Harvard Law Review (December 1890)
- Privacy and Freedom – Alan Westin (1967)
J. Trevor Hughes is the President and CEO of the International Association of Privacy Professionals (IAPP), the world’s largest association of privacy professionals. The IAPP promotes, defines and supports the privacy profession globally. Trevor is widely recognized as a leading privacy expert, appearing at SXSW, RSA and other privacy and technology events. He has contributed to media outlets such as the New York Times, TechCrunch and WIRED and has provided testimony on issues of privacy, surveillance and privacy-sensitive technologies before the U.S. Congress, the U.S. Federal Trade Commission, British Parliament and more. Hughes received his undergraduate degree from the University of Massachusetts, Amherst and his Juris Doctor from the University of Maine School Of Law, where he is also an adjunct professor and member of the Law Foundation Board.
The information provided in this podcast by the University of Maine System, acting through the University of Maine Graduate and Professional Center, (the University) is for general educational and informational purposes only. The views and opinions expressed in this podcast are those of the author(s) and speaker(s) and do not represent the official policy or position of the University. Assumptions made in the analysis are not reflective of the position of any entity other than the author(s) and speaker(s) – and, since the author(s), speaker(s) and listeners are critically-thinking human beings, these views are always subject to change, revision, and rethinking at any time. All information in the podcast is provided in good faith, however the University makes no representations or warranties of any kind, express or implied, regarding the accuracy, adequacy, validity, reliability, availability or completeness of any information in the podcast and will not be liable for any errors, omissions, or delays in the information in this podcast or any losses, injuries, or damages arising from its broadcast or use. It is the listener’s responsibility to verify their own facts. Your use of the podcast and your reliance on any information in the podcast is solely at your own risk. The podcast does not contain nor is it intended to contain any legal advice. Any legal information provided is only for general informational and educational purposes, and is not a substitute for legal advice. Accordingly, before taking any actions based upon such information, the University encourages you to consult with an appropriate legal professional or licensed attorney.
This transcript has been lightly edited for clarity.
The Greater Good: Episode 1
Welcome to the Greater Good: a podcast devoted to exploring complex and emerging issues in law, business, and policy. I’m your host Carrie Wilshusen, Associate Dean for Admissions at the University of Maine School of Law.
Today we’ll be talking with J. Trevor Hughes, President and CEO of the International Association of Privacy Professionals. We’ll explore the basics of privacy and how privacy issues have been with us for generations as far back as Roman statues and the introduction of flexible film.
J. Trevor Hughes leads the world’s largest association of privacy professionals, which promotes, defines, and supports the privacy profession globally. Trevor is widely recognized as a leading privacy expert, appearing at South by Southwest, RSA, and other privacy and technology events. He has contributed to media outlets such as the New York Times, Tech Crunch and Wired and has provided testimony on issues of privacy, surveillance and privacy sensitive technologies before the US Congress, the US Federal Trade Commission, British Parliament, and more.
He received his undergraduate degree from the University of Massachusetts Amherst and his Juris Doctor from the University of Maine School of Law where he is also an adjunct professor and a member of the Law Foundation Board.
Thank you so much for your time today, Trevor.
Glad to be here.
So before we begin, I wanted to set the scene for the folks who are listening to us. We are at a retired air force base in Portsmouth, New Hampshire, right?
That’s right. We are sitting in a building of the former Pease Air Force Base. It was decommissioned in the early 1990s and this was a machine shop and warehouse space for the airstrip itself. And we have repurposed it for the IAPP.
And it is filled with beautiful artwork and dogs and happy people. And it’s just an extraordinary universe that’s been created here.
We like where we work, that’s for sure.
So tell us about your organization and your role here.
So first the organization, the IAPP is the International Association of Privacy Professionals. We are a not for profit professional association, which means that we are like a lot of other professional associations say the American Bar Association or the American Medical Association. But there’s one thing that’s different about us and that is that we serve the emerging profession of privacy. There is a growing professional class of people around the world who work in the field of information privacy. Many of them are lawyers, lots of them aren’t, but those professionals come to us for all the things that they need in their profession. So they come to us for conferences and certification for publications, research, really anything that they need to help them do their work as privacy professionals. We are like a lot of other professional associations that have existed before us, but in the sense that we are representing really a new and burgeoning profession, it makes it sort of dynamic and exciting. And my personal role here is I’m president and CEO, the IAPP is 19 years old and I’ve been working with the IAPP for about 17 and a half years now.
Let’s talk about the historical concept of privacy. Can you talk a little bit about that?
We think about privacy in contemporary ways. We think about it in our modern framing of the issue of privacy and that’s right. I think as appropriately as human beings, we do that as society. We do that. But privacy is a fundamental and timeless human truth. And what I mean by that is that it never goes away. It has been with us since the dawn of humanity. In fact, there are some researchers, anthropologists, primatologists, who have suggested that privacy is actually found in other species as well. So other primates have concepts of privacy, ideas of seclusion and, and vulnerability when they want to protect themselves. So privacy has been around for the longest time. And I have used art to demonstrate that by showing ancient art, Greek statues, Roman statues, ancient myths, and biblical stories to demonstrate that some of the concepts and constructs of privacy have been around for a very, very long time.
Certainly it intersects with ideas of say, modesty. So we cover ourselves physically and that is to protect certain vulnerabilities or senses of vulnerability that we may have. There are social norms that intersect with this. There are societal factors that are at play, but fundamentally we are trying to protect something and those vulnerabilities often have a physical form. Young children at some point begin to close the bathroom door. And that is not because we’ve necessarily educated them on that. We haven’t told them that there are moments that are private necessarily, even though we sometimes might want them to feel that more. At some point it just becomes obvious to them that they feel vulnerable in certain moments and they want to protect themselves. That is the fundamental human truth of privacy. It has existed for as long as human beings have existed. And it is the same starting point for all of the privacy discussions that we have today. When we talk about privacy today, we are often talking about how are we protecting our vulnerabilities. How do we have a sense of autonomy and control and the ability to seclude ourselves for purposes of rest and recuperation and repose and innovative thought? There are all sorts of reasons that we might want privacy, but the nugget of it, the central thesis of it, is that it’s been around for a long time.
So information privacy specifically, is that about data and the data that’s collected?
Sure is. There are many different constructs or framing of privacy. I just mentioned your physical, bodily privacy. So we cover ourselves with clothes. We have a sense of modesty or privacy associated with our physical self. We also have emotional privacy, so we have thoughts and feelings and past histories and transgressions, things that we want to keep private from an emotional perspective. We also have communicative privacy. We have dialogue and intimacies that we want to create in order to stitch ourselves together in relationships. And we want those to be in a cone of trust, a zone of privacy so that we can have communications that engender that sense. We also have a spatial sense of privacy. It’s the reason that we have doors and windows and shades. We create zones of privacy within our homes and in fact, they change as you go through the home, there are different degrees of privacy that we afford to different spaces. So those four constructs: physical privacy, emotional privacy, communicative privacy, and spatial privacy were the traditional constructs of privacy.
In 1967, an academic named Alan Westin wrote a book called “Privacy and Freedom”. It looked out at the rise of computers and databases and the explosion of data, which mind you in those days was tiny and nothing, right? And said, you know what, there’s actually a new kind of privacy emerging here and that is information privacy, that embedded within all of this data that we are creating are privacy interests and we need to recognize, yes, these four traditional constructs of privacy, but also this new realm of privacy, which is information privacy.
So we all have smart phones and we have smart speakers and all these things, and online bank accounts. What is the meaning for our society going forward? Are we giving up an expectation of privacy by buying into these things?
So are you have asked the question that is the question of our field and consumes every day of every year in the privacy profession. The answer is it’s complicated. And I think there were a few truths that I can share to totally avoid answering your question.
First of all, technological innovation has never shown a significant ability to slow itself down or to constrain itself. Technological innovation moves forward frequently, whether we like it or not. With that technological innovation comes disruption at a mediation of our experience of privacy. So every new technological innovation changes. It mediates the way we experience privacy. And that’s not to say it’s better or worse, it just disrupts and mediates the way we experience privacy. So we don’t have to apply a value judgment to whether smartphones are good or bad for privacy. It’s just different.
And it is the job of privacy professionals. And I think it is the struggle of society to figure out how do we introduce our expectations of privacy back into those technologies. How do we make sure that this fundamental human truth that has lasted since the dawn of time, how do we make sure that it is protected in this new environment?
And so that question becomes massively complicated. And in any other era of human history, the process was fairly predictable. You would have a technological innovation, you’d have disruption in privacy, you would have new social norms emerge, and you would have outcry over the change in the expectations or the experience of privacy. You would have new laws, regulations, and restrictions on the technology; all sorts of other things emerge. And that would be the normal process. But that takes time because the human processing of that decision making those societal norms, those laws and regulations that is measured in years, if not decades, if not generations.
And the technology is going so rapidly right? Do people even understand what is at risk? I’m thinking of face app and Equifax and all these things that, you know, privacy has been compromised and people didn’t even realize that potentially they had it out there to be compromised.
And the answer is, of course, no. The great challenge that we face today is that the pace of technological innovation, that bleeding edge of technological innovation is moving so quickly that our lagging responses, law, regulation, social norms, consumer understanding, and citizen understanding of these technologies is way, way behind. The distance between those two spaces, the bleeding edge of technological innovation and the lagging efforts to put some constraints or understand these things that creates risk, is what creates disruption in the marketplace, what creates the types of news cycles that we’ve seen over the past couple of years with massive fines, with a lack of law and a lack of understanding as to how to protect privacy with a sense of real frustration for citizens and consumers. I use “citizens” or “society” broadly because we often frame this in a private marketplace perspective. It’s bigger than that because it’s also governments using data and it’s also us using data about each other. So it is a broad societal concern. Our ability to wrap our hands around that, to wrap our heads around that, is deteriorated and that creates real challenges.
Legislators, those who are making the laws, how are they going to be able to understand the concepts in order to be able to legislate around it?
There are lots of great examples here, actually since 1967 when Alan Westin wrote Privacy and Freedom, the idea that we have been working with is that privacy should be managed through a sense of control. That information privacy particularly is about your ability to control your information as it leaves you. What we’re finding with the explosion of the digital economy is that that control is illusory at best, if not an outright fantasy, that anyone’s individual ability to control their data out there in the digital economy is very, very minimal. And as a result, we need to develop new public policy solutions, new ideas. We need to innovate in our policy making. We need to innovate in the way that we think about managing privacy. There are some promising areas, ideas of accountability and stewardship over data, ideas of consequential regulation, things like data breach notification have actually changed behavior in the marketplace. But we have more work to do there. We need bigger and better ideas to manage private privacy.
So do you think that the norms of the industries that are working in this realm are changing because it can’t just be legislative, right? I mean the norms of the companies and taking responsibility for the data that they’re collecting? I heard on the news last night that Equifax was actually the victim of a hack, right? As opposed to the perpetrator of it. And so it’s a complicated question.
Sure. There’s a lot there in that question and the answer is yes, I think we are seeing an evolution of maturity in corporate best practices with regards to privacy and data protection. When I started in the field over 20 years ago, it was a struggle. It was a compliance driven role. People were interested in what does the law say and make sure that we’re checking the boxes for what the law says.
Which is presuming that legislators are ahead of this.
Also that privacy was a compliance risk to be managed. Now privacy is a consumer trust and branding issue. And it is also a massive Board level risk, so organizations are increasingly embracing the idea that we have to get privacy, right? Yes because there are laws that tell us that we have to do certain things, but more importantly because that’s what the marketplace expects, that if we want to do right by our customers, we want our customers to come back to us, we want them to engage with us, we want them to embrace what we put forward, then we want them to trust us, then we have to get privacy, right? That’s a really big shift and that is a more recent development. We are starting to see that really blossom right now and that actually means that laws and regulations are not the end zone. They’re not the finish line. They’re actually the starting line. The laws and regulations are the floor of what we do in terms of managing privacy and data in society. What you build from that point forward, that’s what engenders trust and creates better relationships with your customers, with society at large.
That actually is much more hopeful I think, because it can move apace with the technology.
Yes. So, to be really clear, I think there are very sophisticated and good critiques of the public policy tools that we have in place today. So think of those tools, how many times have you not read a privacy statement or a terms of service and how many times have you clicked I agree or continue or I accept, just to move on through the process that you’re trying to get through. Those tools are not scalable, they’re not showing that they are as functional as they should be or could be or as we want them to be in terms of responses to privacy concerns. We need to move to better solutions. And I think one of the biggest, most promising areas for those solutions is the idea of accountability and stewardship around data practices from both governments and organizations, private sector organizations, accountability and stewardship. That if I hand my data over to you, you are a steward of my data and I can hold you accountable for managing it well, for using it appropriately and for doing things that are within the frame of my expectations of you, your use of my data. That’s a really powerful structure and that is what we are starting to see emerge.
So do you think, as we are more and more reliant on these technologies that our expectation of privacy is lesser, that we care less about the loss of our privacy?
So the answer to that is unequivocally no. We don’t care less about privacy. I think privacy is a fundamental human truth. We care about privacy. What we are in is a turbulent era in which privacy has been disrupted by innovative technologies, by new technologies. What we’re going through is the push and pull, the negotiation of privacy, which is actually an evergreen thing.
Let me tell you a couple of quick stories to give a sense to this. One of the fundamental founding documents in privacy law in the United States is a Harvard Law Review article that was written in 1890 by Louis Brandeis and Samuel Warren. They had just recently graduated from Harvard Law School. Samuel Warren was so aggrieved by a new technology of that era, and also by mass media publishing his family’s name, that he went to his law partner Louis Brandeis (they had graduated one and two in their class from Harvard Law School) and said, we have to write about this. We have to issue a call to action for the law to respond.
So they wrote “The Right To Privacy”. This law review article has been described as the best law review article written in the history of American jurisprudence. It says something really simple: when the circumstances in society change, so too should the law. The law needs to be an adaptive tool to whatever happens in society. This technological innovation had changed the context of privacy. And as a result, Warren and Brandeis said the law should adapt as well and should be flexible and should go through a process of development where it responds to this new normal that we are experiencing.
The punch line of the story is that the new technology was flexible film. Eastman Kodak had developed a new form of camera, which was the Kodak Brownie, and flexible film allowed a camera to now be in a small box – like smaller than a birdhouse. That box could be carried around surreptitiously. So unlike the 40 or 50 years of photography that existed before the 1890s, where a photo required a huge tripod and a cape and these big plates that went in and out and you really knew that a photo was being taken! All of a sudden a photo could be taken surreptitiously. That changed the context of privacy in society. That technological innovation disrupted everything. And so Warren and Brandeis said, okay, the law has to adapt. And in fact, we saw laws about public photography emerge around the United States. More importantly, there was a sense of social normative values that emerged around when it was appropriate or not appropriate to take pictures and in what contexts pictures might be okay or not okay.
We are seeing the same thing today. Now the digital revolution is a disruption and every technological innovation associated with the digital revolution. The internet, smart phones, the Internet of Things, connected cars, fridges that order your milk for you, you name it. All of those are disruptions and we are in the process of figuring out how do we respond to those. Those technological challenges don’t reduce our expectation of privacy. I think our expectation of privacy is a constant. What those technological innovations do is they force us to renegotiate privacy and we are in that process. It’s turbulent, it’s awkward, and it’s uncomfortable. The marketplace gets it wrong all the time and we have to pull some organizations, some technologies back when there is outcry about certain things. On the other hand, there’s outcry, right? When something steps too far, you know, we react to it. If something that we may have thought was a privacy violation before turns out to be, you know, actually not that consequential from a harm or an intrusion or a vulnerability perspective. Maybe we shrug our shoulders about that, but there is a normative evolutionary cycle that we go through, a process that ends up protecting privacy in the end.
Thank you for tuning in to the Greater Good. I hope you’ll join me next time as we continue our conversation with Trevor Hughes and dive deeper into privacy and how it affects our lives.
Love this episode of the Greater Good? Please rate, review, and subscribe to the podcast. As a new podcast, ratings and reviews are critical to our success. We’d also appreciate your feedback to ensure we are bringing you quality content and conversation. If you’d like to learn more about our guests, access show notes and find additional resources, visit https://umainecenter.org/greatergood. Thank you.
The information provided in this podcast by the University of Maine System acting through the University of Maine Graduate and Professional center is for general educational and informational purposes only. The views and opinions expressed in this podcast are those of the authors and speakers and do not represent the official policy or position of the university.