 Good afternoon, my name is John Palfrey and I'm so grateful that you all have come in from the amazing sunshine This arrived for Commissioner Brilla in one of the best days in Boston history So the fact that we have anybody inside at this moment to talk is great And I do want to note that we are being recorded, but not webcasts. So anything you say in the spirit of Individual privacy just know that it will be recorded and we'd love to have you on the record and using a mic and saying your name But it will be put on the Berkman Center website and so forth and archived after this event And we look forward to having other people play this afterwards So it's a great pleasure to welcome Commissioner Julie Brilla here to the Harvard Law School This is going to be an informal conversation for about an hour. I've got a few questions I'd like to ask I think she's got a few things she'd like to talk about but let's have this be as informal and as Very much a conversation as as we can we've got some mics to hand around we will try to chase you with mics so that it's well recorded when you do bring up Materials for discussion. I think Commissioner Brilla is probably well known to all of us in the room She was appointed in 2010 to a term that lasts wonderfully until 2016, which is great news for all of us She is focused in her work on a series of issues including consumer Privacy which we will talk about in particular today. She's had a career in the private sector of law She's been a law teacher at a wonderful law school not this one of fabulous other one and has worked in two state Attorney General offices in Senior enforcement roles, so she's seen it from the federal perspective. She's seen it from the state perspective She has done it from the private sector perspective and has taught it which is pretty much the the perfect Perfect storm of different approaches to this So maybe I'll just start with a very broad and general question to set the table And then we can go from there if I read carefully the press releases and the kind of outputs of the US FTC It seems to me that consumer privacy must be one of the top priorities of the entire Agency right now, which is great news I wonder if you might sort of let us know if that's in fact true and maybe situate that in the broader Landscape of the agency's priorities and work and statutes and so forth and how you see consumer privacy today and going forward is this a growth area for the agency and How might we see it within the broader context of your work? Sure. Sure. Well, first of all, thank you for having me here It's really great to be here. I Love coming to speak to law students and speaking to academics because you're the ones who are really thinking about the future And thinking about where we ought to be going with a lot of these issues that we're we're dealing with on a day-to-day Basis in terms of enforcement, so it's really wonderful to come out and reach out to you So I do it a fair amount and I always always really enjoy it the Federal Trade Commission is a really interesting agency and a lot of people don't know what it is when I walk around My town my little tiny town also in New England and I tell people I work at the Federal Trade Commission They think I work in international trade, you know, and they say why can't you fix the X Y and Z trade problem with the Chinese or whatever? No, no, no outsourcing you're certainly to blame right. It's all right. Exactly It's it's consumer protection and its antitrust and actually the agency was formed in 1914. It was the brainchild of Lewis Brandeis it came out of the 1912 election where the trusts and monopolies were a big big deal it's sort of hard to believe that that would be a big issue in a presidential election, but it actually was and When Woodrow Wilson won he ran on the issue is one of his big big platforms He asked Lewis Brandeis to come up with a mechanism come up with an idea to help solve this issue And and he conceived the Federal Trade Commission. It's an independent commission No more than as with other independent commissions no more than three commissioners from the same political party So we're bipartisan as you mentioned once we are Nominated by the president and confirmed by the Senate the commissioners cannot be removed by the administration You're good until good. I mean, I suppose there are some rules that would kick me out for something or another if I did it But I don't know about the right forms about taking the government car Yeah, stuff like that. Right, right, right, but otherwise, right. I'm not we're not part of the administration And we do we so we focus on both competition and consumer protection and we're designed to have a broad mandate a flexible mandate and To be able to do lots of research studies and thinking about sort of big-picture issues So in many ways privacy fits really well with that kind of of a mandate But in addition to privacy before we get in there, we do all sorts of things on the competition side We along with the US Department of Justice the antitrust division. We look at huge mergers We look at small relatively small mergers, but they have to hit a certain Dollar or other other kinds of thresholds to be a federal concern We look at anti-competitive practices in the high-tech industry. We look at a lot of health care issues So we're looking at a gamut of issues on the competition side And in the consumer protection side, we do it also a ton of stuff advertising substantiation telemarketing All sorts of last-time frauds, which were something that we really focused in on to try to deal with consumers We're struggling through the the recession the great recession and coming at it, you know a scam artists love to victimize People who've already been victim victimized. So they you know to say well you you've lost your home You're about to lose your home will help you will get you out of foreclosure Etc. And ends up the consumers, you know are often Worse off than they were when they started with a product or service along those lines. So we dealt a lot with those issues We run the do not call list the What Dave Barry calls the most popular government program since the Elvis Stamp Very proud of that And so we do it we do a ton of things we do we do a ton of things so privacy though really does I think fit right in the center of the wheelhouse of what we do because It's it brings together, you know the study work that we do it brings together economics and competition But it also of course is a big consumer protection issue. So we do focus on privacy and You know we For many years were focused, but you know, we could go through sort of the history of privacy in in the country But I'd say back in the 2000s without going further back But back in the 2000s, there was a big focus on data security That was a big issue at the agency and I think within the federal government. Hello and We we still do a lot of work around data security data breaches Issues like that and I'd say that We also have begun probably over the last three or four years Certainly within the last two years that I've been here. Hello Look at we Look at inappropriate use of consumers information or use of consumers information for purposes that they that were not disclosed or that vary from The purposes that were disclosed And that really falls within privacy and then of course we enforce some what I call sector specific laws things like Kappa the Children's Online Privacy Protection Act and I'm sure we'll get back to that. Absolutely. So we do You know we we we have a very broad mandate and within privacy It is something that we that we have really taken seriously and we're doing a lot of work around Excellent, but it's clearly an important thing for our country and others to focus on this So just following up on some of the things that have been the headlines coming out of the FTC recently Historically some we've seen enforcement actions against kind of edgy players of various sorts that people haven't heard of but in the past year There have been landmark settlements as far as I can tell both with Facebook and with Google I wonder if you might comment on that and if there's any kind of detail you can fill in about The nature of those settlements then I have a couple of kind of follow-up questions in particular about what Google and Facebook have been doing But if you could just start with sure and we also have a settlement with Twitter So maybe I'll talk about all three The the Twitter settlement was really more of a data security settlement. They just a couple of years ago, right? Well I want to say it was it was during my tenure as a commissioner and next month will be my second anniversary, so it might have been maybe a year and a half ago So but it might have been a little while ago with Twitter. That was more of a data security issue they were public treats that folks thought were private were becoming public and It was because of essentially some hacking that had been done So that was a settlement that we entered into with Twitter in order to try to get them to better Secure their their whole system their ecosystem but with respect to Facebook and Google Those were two settlements that in many ways borrowed concepts that we have used in the data security Realm and we imported them into the privacy realm and I'll explain what I mean by that when I get to the remedies that we Put in place, but with respect to Facebook There were a number of concerns about about what they had been doing starting in around 2009 with their privacy policy and changes in their privacy policy and information that Advertisers and apps were able to obtain from users accounts So those that was kind of the nature of what we were focused on, you know, they had done things like They said they wouldn't be sharing information with advertisers This is Facebook said they wouldn't share information with advertisers, but in fact information did get shared with advertisers They said that they would take down photos on a user's own page But then photos didn't get taken down or didn't get taken down, you know permanently they they started to reappear on the user's own page They also actually interestingly enough with respect to Facebook. We also dealt with the EU US safe harbor. I don't know if we're going to talk about that later on but There's a regime in place to allow US companies to transfer data over to Europe and It's called a safe harbor regime in any event Facebook had said it was compliant with the the EU US safe harbor, but in fact Wasn't so there were a number of issues that we were looking at with respect to Facebook and What we essentially required them to do in addition to stop doing the particular things that we had concerns about We said we we took this concept that we had used in the data security realm, which was if someone had Not kept data secure and we entered into a settlement with them We said to that company you're going to have to implement a data security program and for 20 years you're going to have to have it monitored through an independent auditor and We required Facebook to do the same thing with respect to a privacy program So it wasn't a data security program. It was a privacy program We said that Facebook would have to implement for 20 years a program where they'd have to have a Full-blown privacy program full-blown data management program with respect to privacy that would be independently audited for 20 years and We also Said that to the extent that they're going to be using Facebook to the extent that Facebook would be using consumers information in a way that hadn't been previously disclosed or that consumers Had previously agreed to Facebook would need to obtain affirmative express consent from the user. So those were probably the two biggest pieces of the Facebook settlement Google said Google was actually pretty similar In the Google settlement I don't know how many of you remember Google Buzz remember when that was launched that was Google's first social media effort which We no longer have Google Buzz. So it didn't it didn't really it was it was their beta version I guess and one of the things a number of things happened around that that some of you may remember Consumers were sort of suddenly in Google Buzz. They hadn't opted in it just sort of came about that all their information If they were a Gmail user, whatever they were in Google other Google disputes a fair amount of these facts, right? Well Anyway, keep going though. We can come back I If I'm remembering correctly Google did not admit or deny our allegations Same thing in the civil settlement for their their cross-action lawsuit Could very well be could very well be and and the same would be true with Facebook You know we these are allegations that we have made and we would have made if it had gone to court But they agreed to settle so But with respect to consumers being swept into it without first opting in I don't know whether Google would dispute that I'm not sure what they might dispute is whether or not consumers had the tools to get out of it One of the things that we alleged was it was hard for consumers to get out of it That may be something that they would not necessarily admit Another issue that we had concerns about were consumers most frequently you most frequent email partners became Public and this was a big concern and we heard about this from a lot of users people like doctors who were emailing patients or maybe People who were employed but looking for new jobs, right? And so they were emailing people and then somehow this information about who their most frequent email partners were became public So that was a concern of ours Essentially Google agreed to the same types of provisions that we had put in place with respect to Facebook In fact, actually the Google settlement if I'm remembering correctly was first and then came Facebook, but it was the same thing Can't use consumers information in a way that consumers hadn't been told about and hadn't agreed to without Affirmative express consent going forward and also a 20-year program of Where they had to have a privacy a full-blown privacy program with an independent auditor So those are two those are two pretty significant settlements and I if I'm remembering correctly The Google one it has been finalized the Facebook one is still open for public comment So I see a lot of Apple users in the room. How many people are using Safari? Not very many actually handful of safaris, but since your agreement There's been further revelations right about Google and Safari and if I understand the at least the allegations correct The the idea was that Google was collecting some information about safari users in a way that wasn't Didn't make Apple happy didn't make the consumers happy may or may not have made the US FTC happy particularly given the fact that these two agreements now have long tails Right that they have to they have to confirm So I wonder are you going to be pressing Google to figure out whether or not they in fact linked up safari data with the Google accounts And so forth and how how would something I mean you could speculate on that one But other things that one could imagine will happen in the next 20 years How will the fact that they have this agreement with you which is a settlement is it this consent decree? It's a consent consent order, right? So they're operating under a consent order. How will it affect something like this safari? revelation so I It's a very fair question, and I don't blame you for asking the question I can't answer with respect to Apple and the safari issue But so let me let me just take a step back and more generally say that Now that both Google and Facebook and for that matter Twitter are under order in the event that they violate those orders They're subject to penalties now and the penalties amount to you know, $16,000 per violation which one could argue is per person one could argue it's per day There's all sorts of calculations about how that's done, but um, you know We take their obligations very seriously under under an order, and we believe they take their obligations Very seriously under an order. So I wish I could answer You know that particular question maybe maybe just for a from a student perspective sure if one were trying to understand How the FTC when it's got a big company under a consent order and something that one might think of as bad happens What happens behind the scenes the FTC FTC to determine how to react to this Is it a staff lawyer is sure of trying to think this through and then comes to you as a commissioner and then brings it To the commission like what's the process? That's a great question. So we have a division of privacy and information practices We call it deep hip. They're great people. They're run by great great attorneys who are very very dedicated to data security and privacy issues and knowing as they do that You know a company is under order when they hear about something You know like things you were talking about or other things that could be a violation of the order Typically speaking the first step will be to call the company in and say What's going on here? Actually that may not be the first step the first step might be to ask Technologists given the given the types of issues we're talking about but to ask someone who might be an expert in the field What's going on say Ed Felton? Oh just say Ed Felton Who we happen to now have on staff Ed Felton is absolutely wonderful run ran. He's on a sabbatical from Princeton's program He's absolutely wonderful someone like that to sort of say okay, the New York Times ran this article the Wall Street Journal ran this article What's going on is and it does this look like something that we should be concerned about? So we do some independent information gathering on our own and then we will call the company in and we'll say okay What's going on? You've got this obligation. We think you may be doing x y and z that may be in violation tell us what's happening and You know it depends on what the issue is if it's a technology issue We may end up interviewing the people who wrote the code the people who are who were Responsible for the issue if it's a dot more of a document issue will review documents So it's almost like we were taking bringing a case over again We're investigating a case anew, but the penalties are different and the the if they are found to have violated the order It could be a very serious issue. So and then what happens after it's Investigated the staff determines whether or not they want to make a recommendation and then they bring a recommendation up to the commissioners And the commissioners decide whether we're going to agree that there was a violation or not or that there wasn't a violation Maybe I'll further channel the law professor in you since we're talking about law enforcement in a law school classroom What what's the range of remedies that you could bring? Can you bring some stuff? I mean obviously bring a lot of fines and you obviously can make some orders. Can you and join them from doing yes? yes, we can enjoy them we can Assess fines if under certain circumstances we don't have general civil money penalty authority But in certain circumstances like an order violation or a rule violation we can obtain penalties We can obtain Restitution for consumers, which can be fairly significant. We can obtain disgorgement in appropriate cases Meaning that whatever their ill-gotten gains were we could require the company to to give that back Injunctive relief as you said and and like this kinds of things that we were to I was talking about you know having to create a Privacy program the comprehensive privacy program that's going to be monitored for 20 years. That's Injunctive relief that's trying to look forward to see how we can make sure that the problem doesn't happen again So we can do all of that and we of course can tell them you can't buy like that area of the law anymore So if I might I'm gonna pick up on your COPPA reference the children's online privacy Protection Act And I see my good friend and colleague Dana Boyd sitting here in the first row, which is great and my friend too the day our friend Dana Boyd and Dana led a study that I and others worked on as well recently that looked at a national survey set of Parents in particular and looked in the context of rethinking COPPA at rates of compliance with COPPA And I know that you've read the study and you actually disagree in some respects with our findings and agree in part So I wonder if you might talk generally about how you're thinking about COPPA and whether or not the these kinds of data that have been coming out about the extent to which People don't always comply with this law how how to think about that in the context of your authority Does it would it make sense? I mean, I don't know if everybody in the room knows what COPPA is Should I take a step back and sort of just explain it a little bit? I'm seeing a couple of people nod Is that okay? Yeah, and I will not avoid the question That's good And I'm gonna get a mic over to Dana in the meantime. She may talk about her findings Excellent excellent excellent. So the Children's Online Protection Act is known as COPPA It was enacted by Congress in 19 I want to say 98 one of the laws that passed through Congress Incredibly quickly because it deals with children and it dealt with issues around privacy and data security and actually Ultimately some of the arguments about COPPA were security of the of the children themselves Because information about children and what they're doing online. There were concerns that that could actually affect the safety of children So it passed through Congress very very quickly What it the it's goals were and We'll have an interesting discussion about this But I think it's fair to say that Congress's goals in an acting COPPA were to enhance parental involvement With respect to their children's activities online to protect children's safety as I mentioned And to maintain this the safety when they visit and post information online and also the security of their information And then probably the fourth issue that the Congress was thinking about was to limit online Collection of personal information about children now COPPA defines children as Kids under 13 so once you hit 13 under the COPPA regime, you're no longer a child and the and we actually The Federal Trade Commission was given authority to enact a rule or promulgate a rule to implement COPPA and we sort of filled out what what what the compliance regime for the Children's Online Privacy Protection Act would be Through this rule so so basically between the law and the rule what Online operators have to do is first they have to figure out do they come under the Children's Online Online Privacy Protection Act and they come under it if they are directing their online Offering services whatever to children under 13 or If they know that the person that is on their website or service or whatever is under 13 So it's either directed at kids or that they have knowledge that the The the person is is a child and if they fall into either of those categories then The operator the web the website or mobile app or whatever operator has to provide notice to a parent that You know what their information collection practices are and they have to get permission from the parent to allow the child on the site And the the term that's used in the in the rule in this I think it's in the rule not the statute is they have to obtain Verifiable parental consent before they can begin to collect information about about the child so We're actually in the process of reviewing our the rule We had last reviewed the rule in 2005 and we at 2005 decided we weren't gonna Change anything that everything sort of seemed the same Normally we review rules every ten years But we decided to accelerate this one and when you think about it I mean if you sit back and think about it Tom Friedman had a great line that I heard on a podcast You know when you compare 2005 to 2012, right? What was 4g? It was a parking space, right? What was what was Skype? It was a typo, right an app an application was like those of us who are parents in the room, right? We were working to get our kids to send them into college, right app meant nothing other than that I mean and Twitter. What was Twitter? It was a sound, right? The world has changed Drastically, I mean if you go back to that 2005 none of these things actually existed or if they existed They were very very like nascent not not anywhere As they haven't didn't penetrate nearly as much as they have by now So we just decided to look in this new technological world where kids are spending so much time online and they're doing so much in terms of apps and and Getting so much information and educational value and every and communicating with each other and all the great stuff The kids are doing online We needed to look at COPPA and update it and one of the things that we are in particular looking at is what is personal information Because under under the current regime for instance geolocation information wasn't necessarily considered personal Information, but now you know with a cell phone that a kid or smartphone that a kid might have Someone could actually track a kid all through the day and it might not have the kids name attached to that into that Geolocation information, but the UD ID You for the for the cell phone would be attached to that information and essentially that means that you are getting the entire sort of Location of a child through the day through the week through the month And so we thought it was really important to bring up to date, you know What what the personal information? What personal information would be considered or what information would be considered personal under COPPA? So those are the kinds of things that we decided look we really need to update it so That's That's the background. That's a background. So let me let me then turn over to Dana if I might and say I think some of us Would suggest that more than tweaking is necessary for this regime And I think one of the data sets one might rely on is the one that Dana had the lead in in pulling together So I don't know if you want to talk a little about the study and you're being a broader concern You're older Skype aim, etc. It's also really common in the social network sites Facebook my space, etc I've been doing ethnographic work for an extended a period of time at this point and kept noticing these amazing comments from parents and kids about How it was ridiculous that you know, these companies were forbidding Children from getting access to these communication technologies to these social media technologies and parents wanted their kids to have access to it And I was like wow, you don't know what's going on here at all And you know, I sort of I drilled into it and and I realized over and over again I was hearing this expectation that this was about Some sort of maturity rating or different kinds of things. So, you know, I was struggling with this and I started with it qualitatively So I realized and I started sort of talking with people about what I was seeing and people were like, oh, that's just qualitative data You don't know what you're talking about. That's not actually what's happening nationally so part of it is that I pulled in a team of folk which is this paper was written by myself Esther Hargitai John and Jason Schultz and the idea was that we had four different perspectives and four different analytic school sets to go with and we Also tag team of the group of about 27 different quantitative scholars to try to make as rigorous as possible a survey at a national level of Parents to get at different aspects of what was going on and for this particular paper We only released a mere fraction of the data that we collected and in this paper We looked particularly at Facebook because Facebook is like the most contested of them. Although in many ways the numbers are actually higher for Communication services than they are for Facebook and what we found was kind of astonishing, which is that of Parents who have 12 year olds in the US and this is nationally representative sample of parents, you know We can go through the sort of methodology of it But of parents who have 12 12 year olds 55% of them allow their child child on to Facebook, right? And what was even more astonishing to them is how many of them knew and this was highest for Facebook compared to other things But how many of them absolutely knew that their child was lying about the age, right? And so it was not even just a matter of so with with interestingly the email parents tended to not know there was an age limitation With my space, which was actually the highest and Facebook also parents knew there was an age limitation But thought that it was not appropriate for thought it was appropriate for their child to be on in violation of the age restriction and so we sort of drilled down in the survey more deeply and found that First off parents had absolutely no Clue what was going on what this what these what the where the age restriction came from But they also I mean most of mind you they also have no clue about different kinds of privacy related bits So one of the other things that was in the study was we asked them, you know How how upset would it make them and if you get the exact wording of it that? Privacy or private data about their child to be collected and they were like, oh, it's absolutely bad We you know, we think this is bad. We asked how likely is this to be occurring? Oh, it never occurs Like okay, so there's a lot of Misunderstanding that came on so part of it was just laying out some of the first level data of saying Parents in many ways are struggling with this They don't understand it the ability to use this as a tool to get parents involved has actually turned into a really weird Involvement of getting parents involved in helping their kids lie about their age because another key point is that not only did They know their kids violated it in terms of age. They often help them do so Which was another big trigger of it. So they help their kids lie about their age Which is an interesting finding so since we put this out We've also had some really interesting feedback because one of the other things that if those don't know this is requirement for commercial websites This is not a requirement for nonprofit websites that said Overwhelmingly nonprofit websites are repeating this type of dynamic as well So one of the things that we started to find was how many libraries in the United States are actually Repeating the 13 limitation as well And we actually triggered on it with the Boston Public Library here and we said so why and they're like well We have to apply by copper and and so we've literally sent them the rule and said nope You don't actually have to play well. We feel like we should it's like oh So we're seeing this become a kind of rhetoric and it's amazing to see that that Misunderstanding of the rule so part of it was trying to actually collect some data and say Well, I think that the intentions both of the Congress and of the FTC and implementing this were completely well-founded and reasonable the way that it has played out has not Actually lived up to the expectations and therefore the ideas of extending it in many ways What we argued is that extending it going further into it further Reimplements something that in many ways is broken and we have to actually step back and question the beginning So that's kind of where we came at that Project from and you know if anybody anybody is a statistician and wants to have a field day with data I have so much more data on this for a whole set of other factors that I just haven't had time to process Yeah, and this is by the way I will say one of the best ways of dealing with these things is get every statistician geek that you know to just jam on Every process with you, and we had an amazing time just trying to get this as rigorous as possible We still got slammed in different ways, but it was really a fascinating process And we got partially slammed by the United States FTC What I so I so let me say that I thought the data was great I I thought the the data was fascinating And look I read I read the piece I were incredibly grateful I read it even unprompted you went you went absolutely. No, I had read it before you guys move for These nice people came in and visited me in Washington and we're you know because I was talking about the study And and I had read it, you know before you ever came in. I know I thought it was a great study I thought the data was really important I think where we differ is the conclusions that one would draw from the data and some of the key findings for me in the data were I as as Dana mentioned that parents helped their kids Lie about their age to get onto Facebook just to use a personal personal story When my younger son finally friended me on Facebook I sort of then saw his you know data his his information and I thought well wait Is this the right Noah Miller because this kid's much older than my kid? So he figured it out all on his own right he got his own birthdate in the place that it needed to be in order to get on But my sister who has twin girls Who are now 13 but about a year maybe a year to nine months ago? She helped him get on Facebook. She said you know, they're all their friends are on that's where all the communications going It's exactly Dana what you talk about that this has become the Social Square the mall the whatever that that older people who are older used to use in order to communicate with their friends It's now all happening online and that's a that's a great thing And that's a parent choice a parental choice and so my sister like many many many I forget this This stats, but I think maybe it was 70% of the parents helped their kids get online of those who were on yeah, okay I was pretty close though. I mean for not having written it So, you know a large number of these parents did help their kids actually Fib about their age In order to participate in Facebook. So what did this what this said to me? Wasn't that we needed to rethink Kappa and the requirements about protecting kids because what it said to me was actually that I that parents want to participate in these decisions they want to know where their kids are online and They want to be a part of the conversation with their kids And I think that's the tool that Kappa gives them And you know when I think as I'm a law enforcement person, right? I'm not an academic I mean as much as I love academics I'm not one and I sort of have to think about well What would the world be like if there weren't a kappa and and that's where I start I start to get worried So so I you know one of the conclusions that you all drew in the paper Which I thought was a very valid one. It was you know, why do we why are we only protecting kids under 13? What about 13 and 14 year olds? What about 15 and 16 year olds? What about 65 year olds? You know, there are a lot of different folks who need protection with respect to their information And if I'm recalling right, I think one of the things that you called for was baseline privacy legislation rather than focusing on kids now Maybe we'll get to this soon But you know the the administration has called for baseline privacy legislation That's been that's part of the privacy bill of rights and the effort that the administration is is going to be pushing I Have called for baseline privacy legislation. I think it's a great idea But until that gets put in place I don't want to see kappa removed because I because I really want to Continue to empower parents to be part of this conversation for their kids. So I wouldn't say I've slammed you But I would say that I I think it's great work that you all did and I I love the data I think it's very important to look at to to understand what parents are thinking But I think what we need to think about as policymakers is what's the conclusion one should draw from it Can I add to this? Um, of course So when we did this paper we decided purposefully to go after and sort of see dynamics around parents But I also did a lot of qualitative work following up on it trying to see some of the dynamics in particular Around the idea that they're like, what do we think about parents roles in this? And you know one of the things Gaia Bernstein has done an amazing analysis of legal statute For the last I think it's 20 years about how it fits into certain norms of middle upper class parenting And this is one of the things that I think that we've seen we even see within our data that we haven't properly released yet Which is that this is very much about certain class dynamics and one of my current projects right now is trying to look at different dynamics for things around parents aren't always so pleasant and One of the most for those who don't know about my human trafficking work right now But one of the most heartbreaking things that you see in commercial sexual exploitation of children is how often and this is about domestic sides This is the US how often kids who get involved in commercial sexual exploitation a Kid prostitutes are in many ways either running away from parents or sold into slavery by parents Which is one of the like that's actually at the extreme end of horrible But one of the things that we really struggle with is what are the more moderate end of horrible where parents always aren't always good actors And I think this is one of the things I struggle with in this data as but since I spend so much time in Communities where things aren't always great, which is I think that in very privileged environments We think about empowering parents and we think about all of those great parents like all of you in the room Who really care about your kids are super involved and super engaged and want to do the right thing But I think the big challenge I throw back to you is is how do we make certain that our statutes? Protect young people whose parents aren't always good actors who need certain privacy productions, which is really important But who for whom we don't necessarily want abusive parents to be ones coming in and controlling this And that's where like when I started to look at the data on LGBT access When I started looking at the data about kids and eating disorders and disordered eating and self-injury start happening at 10 1112 in really problematic households This is where I'm starting to get worried And so I I'm in some ways I think that the that kappa does a great job by middle-upper class kids And I'm like gung-ho. Let's go for it Well, I worry about kids who even from middle-upper class households whose parents are not in the best place to be dealing with this But also for whom there doesn't be a class inflection where things are not always as great So from one of the questions is how do you deal with that where parents aren't always the good people? It's a great question. I Don't have an answer It's a great question. I mean, I'm not you know, I think about I'm gonna use Use some analogies, you know the nutrition labels that Congress enacted under the NLEA the nutritional labeling and Education Act Lots of studies have been done about who actually reads those nutrition labels. It's people like me You know white white middle-class Women are the people who read the nutrition labels and those whose job it is to read But that you know the the new law people read privacy policies probably Oh, well, we can we can talk about that that that population to our subpopulation to for sure But you know it is it is absolutely true that you know some laws that are very very well-intentioned and do have a good Impact for a large sector or some some size of the population might not have an effect you're actually positing that they may have a negative impact on other sectors and Maybe the answer is baseline privacy legislation. I mean, I really don't know I'm not sure I think we should do away with copper to deal with that issue But I hear your issue loud and clear and I I don't have an answer to it. I think it's a great point I don't have an answer to it. And again, I wouldn't want to do with nutritional labeling There's been there's been studies that have been done about, you know The the new laws are now requiring restaurants that are chains of greater than a certain size To have calorie especially that New York Well, it comes from New York and it comes from some of the cities in California, but it's going to be implemented nationally There have been some studies about who looks at that information and who gets it and again It's my demographic who looks at it And so I might not buy a Starbucks a venti chai when I see how many calories it really is but there are other groups of The population that look at it and may not understand what a calorie is and so they see the high Number and they think that that's better. It's energy worse actually and or or they think oh, you know I don't care. They're telling me this is bad and they actually engage in sort of Counterintuitive be what what some would say is counterintuitive behavior. They actually do it very intentionally So that's another example and this is just one study. I've heard about with respect to that It's just an example of you know, we try to do the best we can as policy makers We try to address a problem other problems arise that also do need to be addressed But I'm not sure that means you want to do away with the first solution the difference there is that it's always We're dealing with an information and in other ways. We're talking about a direct expectation of power. I I understand I do I'm not I'm again. It's not a perfect analogy. It's just It's I think it it does there both instances of potential Right unintended consequences from well-intended laws, right? That's a little way and also that the that the laws are not only well-intended But actually do have a very good effect for a lot of people but for some they don't that's the point I think that you're making yeah, so I have several other questions. I want I also have a couple that I've channeled from the Twitter spear and Email, but I want to see if any others in the room want to bring anything up. I've monopolized so far And if you're willing to say who you are on the record that'd be great In in general terms if you look a couple years forward, do you think with as data is aggregated There's more personal information Will will Americans be more accepting that they're gonna be there's gonna be less privacy for the convenience of all the internet stuff What do you think there will be a greater demand for more privacy a greater move towards say European or different styles of Standards, what do you see happening? So I that's a great question You know and I I Don't have a crystal ball for sure and I you know nobody doesn't probably everybody here in this room We've got a lot of big brain power here in this room Probably you could pull just this room and you'd get you know as many opinions as you do have people here But I think what I would say is Based on my experience working at the state level for many many years with respect to data breach notifications It always you know companies businesses said Data breach notifications are really a bad idea because consumers will be lulled into Not worrying about data security. They'll get notice after notice, and they'll just become complacent My experience was actually the exact opposite that as consumers got more notices the issue rose in their In their minds and they became more and more concerned not there wasn't a complacency There wasn't sort of a an effect that said oh well just another day to breach you know I'll go on my way. I think I sense a similar phenomenon with respect to privacy and with respect to for instance Let's just talk about a big Company that may have a search engine and maybe has an ad network and maybe decided to change its privacy policies recently and you know, I Didn't see the public Lie back and say there's you know, this is all okay. I heard a lot of outcry about it I actually think that what will happen is there'll be more and more awareness on the part of consumers about this issue now again, I'm just You know, I know about the future as much as we all know which is Nothing, but I do Think past is prologue and I do think that there is a Lesson that can be learned with respect to day to breach notifications that can apply in the privacy context very helpful so Up here in the far as Professor Jonathan's itch and just so you know He is I think the first and only person in Harvard history to be appointed to three faculties the Kennedy School Which is the policy school? Of course school of engineering and applied sciences and this very same Harvard Law School That's a triple threat could be coming your way. I'm ready for it. I'm ready. I'm in negotiations with the dental school That would ensure that it's not just Well, I'm honored you're here and it's wonderful to meet you and maybe we can chat afterwards. Yes, okay So I imagine preparations are now completely underway for the hundredth anniversary centennial Yes federal trade commission that's gonna be a blowout of a party blow out of a party You're all invited. You're all invited. You've been squirreling away all those fines for a special occasion They go to the treasury. It'll be the bicentennial of the Harvard Law School in a scant five years. Just see that, right? All right, we shall be ready planning is underway. Yes So looking back right a hundred years There's gonna be all sorts of ways in which people will think about the nature of its humble beginnings How far it has come how well it's been able to do what it's done And of course some of it is built into flexibility when I teach torts We talk about rules versus standards and the ways in which there's a big difference between trying to articulate Exactly what somebody can and can't do and then assume the circumstances change loopholes appear and Standards which says, you know go out and be excellent or don't be negligent or don't be unfair and deceptive Correct, and of course federal trade commission immediately jumps to mind as you know anchoring the side of the field that is the standard That has all sorts of drawbacks too, which is why there's always a tension between the two approaches So I'm curious about your thoughts on how the rest of the ecosystem of Trying to deal with unfair and deceptive trade practices has developed around the FTC and even if they're sort of Implicit ways in which cooperation arises. I imagine if I'm a Google One reason why an FTC investigation is going to be of great Moment to me will not only just be the PR hit I take if there's some fine even if it's $10 But the class action suits that might follow and be drawing upon the documents that get released or the Admissions that get made in the context of the FTC or maybe it's the other way around the FTC can come in on the wake of a class action suit and have a lot of the work already sort of done and Maybe then it come in. So I'm curious about How well you figure The vision of Brandeis is still Operable today and the unique position of a standards based Insular from the political establishment, but intended to be highly responsive to stakeholders people lodge these complaints and such How well that's still working and what you might change about it in today's Globalized technological multi-jurisdictional world right is a great. That's a great question. We could spend a lot of time talking about that My personal view As one of five current commit well actually one of four current commissioners. We only have four right now is That the standard approach as you've defined it rules versus standard the standard approach is actually a wonderful tool the flexibility is Very very helpful, especially when what the tool is unfairness and deception or Unfair methods of competition. I mean these are very broad terms. It'd be really interesting to see Well, actually we did see Congress enact another law like that very recently But it'd been many many years since they had which was the Dodd-Frank law right uses unfair Deceptive and abusive so actually added another term in but I find having a standard that is Flexible can be applied in many different circumstances to to really be be quite helpful And you know where the best example is about the dichotomy between I'll get to class actions in a second but I think that's sort of a side issue more than anything the The the dichotomy between rules and standards as you've defined them Really shows up in terms of the US privacy regime and the European privacy regime and we the federal we at the Federal Trade Commission We deal with our European counterparts a tremendous amount we're the US entity that is admitted to the International Conference of Data Data Privacy and Data Protection Commissioners Which is the international group that deals with this issue? And you know in Europe they're much more accustomed to I think what you would define as a rule regimen and The Europeans have not yet deemed the United States to be adequate under the European regimen such that information can flow freely Between US companies and European companies instead they we've created a safe harbor program somewhat cumbersome for companies to operate under where they have to Promise that they'll abide by certain rules and whatever etc etc in order For for instance a US company to transfer data to Europe or vice versa for a company from Europe to transfer data to the United States Because we've not been deemed adequate because if you look at our laws It just says unfair and deceptive acts and practices shall not be allowed or we have a sector-specific law with respect to kappa and kids Or we have HIPAA a health insurance law sector-specific or we have GLB Gramm-Leach-Bliley, sorry if I'm going to you know, but again We're here. What furpa furpa furpa. We don't we don't enforce for I think that's the department there But yes, exactly furpa So we have sector-specific laws, but we don't have an overarching Rule-based privacy law at least at this time so Europe doesn't deem us to be adequate But here in the in the US we take the view and I take the view that the Federal Trade Commission Actually does a really good job protecting privacy because what we do is we take our standard as As you talked about and we apply it in really what we call the common law of privacy We've created a common law of privacy through all of the enforcement actions that we do and we're very careful about cases We select we are you know compared to a state AG's office We have we're very well resourced but compared to other Agencies in the federal government. We're actually pretty small So we call ourselves a small but mighty You know federal agency, but we you know we have to be careful about the resources You have to be very careful about our case selection. So we pick cases that we feel communicate important information to Industry and there is a cadre of chief privacy officers of privacy Professionals of people who are interested in this issue who work for companies who follow what we do very very carefully They have their own industry association. They do which is growing by leaps and bounds I was just speaking there. They follow my every word very carefully I'm sure they're watching this video right now right now. Well, what did she say? When did she raise her eyebrow? You know Zitrain asked what did what did what did Zitrain mean when he asked that question exactly? So we're not teasing those privacy. No, not at all I actually when I speak to them and I did just a couple of weeks ago. I Applied their organization I applaud the fact that they care so deeply about what we do because they're the ones around the front lines of Implementing privacy in the commercial Commercial sphere and it's very important that they do listen to us So I I'm very very supportive of Them and I speak to them all the time But to get back to your question So I see it really is a common law that's been developed here in the United States by having that General standard which is a strong standard and then applying it in specific cases You know, we've only talked about a couple But we've done many many cases involving mobile apps involving copper we've enforced, you know involving behavioral Advertising and each of these cases. I think sends an important message to the industry as a whole now What did you know one could one could look at whether the Europeans do do similar enforcement? Or do they rely on their rule-based mechanism and engage in a different kind of dialogue if you will with industry? But I so that's where I come out But it's you know, but I'm a law enforcement person And so I like the flexibility of a general standard that allows me to look at a new situation As you said when you have a rule you can't always contemplate everything that's going to come up And then you have to go write another rule here with a general overarching standard It's flexible and you can you can new new issues can kind of come under that umbrella Did you want me to address the class action thing or? Or It just very very very very very very very briefly and then Dina actually has a question great great great In in My you know our our statute does not allow for private rights of action at all So under the Federal Trade Commission Act Consumers don't have a private right of action The vast majority of states have enacted a mini FTC act which does provide for unfair that the state AG can bring actions for unfair and deceptive acts and practices many of those state laws do allow for a private right of action, but not all of them do and certainly a very few many fewer many they're very few of Those state laws that allow for a private right of action for unfair methods of competition So as opposed to consumer protection unfair methods of competition, so We don't really rub up against we at the FTC we don't really rub up against the class action community quite as much State AGs I think do a little bit more because class actions will can be brought under those specific state laws So I wanted to actually go back some of the general privacy stuff because one of the things I'm really Fascinating and within struggling with is the ways in which We have we rely on this idea of consent and consent is this Held up as this really important thing and at the same time we see and you know I think it's interesting that you mentioned the March 1 situation with Google because in some ways what we saw is yeah We saw frustration and and upsetness, but we've also seen this moment where we've normalized systemic disempowerment We've normalized the feeling that people feel powerless against these changes And they end up in some ways opting out and dealing and we've seen this with a whole variety of things but part of what I'm really fascinated by is that in some ways we deal with a legal narrative of consent which kind of Looks like a contract law Model of it of like I have I've signed off. I've checked it But there's I think two other sort of key elements to consent first consent requires agency And there's something really interesting when you look at feminist histories of this in particular light of what it means to consent to sex And what it means to understand how you can have agency in power within a very in a situation to actually provide Consent and the the issues that play out and of course if we look at rape laws around the world We see these very different variations of what is required to actually guarantee consent So this is sort of this agency element of it The other thing I would argue is consent requires a set of literacy, right? Which is the ability to understand or interpret what's going on We see a really interesting history of this with ethics and IRBs And I think this comes it really clear with a lot of the HIPAA related stuff So I guess part of what I'm challenged by is how much you know when we rely on consent with these questions of privacy How do we deal with these questions of agency and literacy in a networked effects? Dynamic where people don't necessarily feel like they feel as though they go with the tide in a way where they're They're not certain how to deal with these different dynamics So I'm curious as you're thinking through consent as a really powerful element How do you deal with those elements of consent because I think they play out differently with different groups? They they certainly play out differently with different groups. Let me Again fascinating, you know, this is what you get coming to Harvard. It's like just incredibly fascinating issues being raised I would I'd like to do is tell you what we're doing around some consent issues because You're raising a lot of issues that I need to think about to tell you how I really feel about them sort of at a bigger grander level but We read you know look the the the regime that we've had in the United States has been a notice and consent model where Folks who are engaged in collection and use of information would create a privacy policy They post it and consumers were assumed to have read it understood it and and agreed to it if they went on and use the website Sometimes there'd even be a little check here if you agree to it, right? And if any of us if any people in the room have actually read privacy policies actually in this room There probably are a lot of people who've actually read privacy policies But when I go around and speak, you know Most people who they roll their eyes and they say oh my gosh They're really you know you have to have a law degree, right to really understand these privacy policies with the regime of notice And consent has done I think has taken this concept of consent and made it a very legal one and for a company Thinking about how to operationalize this concept of consent what the companies I think have done it is they've moved They've put this issue in their legal departments, and they've said You know create a privacy policy that will cover us that will make sure that we won't get into trouble What we're trying to do now at the Federal Trade Commission and what I'm very supportive of is saying We need to think of a different model of consent and of notice Consumers can't be expected to go to Harvard Law School or Suffolk Law School or any any law school in order to participate on the web And in order to understand what's happening to their information We're calling for simplified notice Layered notices just-in-time notices quick bits of information that then if consumers want more they can dive down and drill down We definitely want to see full-blown privacy policies because there's there's a role for that The role for that is the activist community the people who really care about privacy can then go in and do an Analysis and can create blogs and all that about what's really happening very very important but with respect to your everyday consumer the everyday consumer needs much simpler information and there are a lot of companies who are Getting this I mean if you talk to Brad Smith general counsel of Microsoft. I think an alum from here He's He's often here, but he turns out not to be an alum. Oh really well I know he went to he went to the college. I went to but I didn't know where he's been in Columbia I think was it Columbia. Oh, I think you're okay. So sorry about that, but um, okay Oh, did I answer your question already? All right. I'm sorry very well done Well, you know, there are companies who really you know, not only believe but actually Create systems that are designed to give consumers simpler Information just-in-time information and simpler choices and it really is very important We haven't had a chance yet to talk about do not track I don't know how many of you heard about that but that whole concept of trying to give consumers Choices through simple information and then tools. They're simple simpler I maybe should say to use so that they can make choices about the amount of information that's collected about them and whether it will be Used for online behavioral advertising across websites. That's what do not track is all about we called on industry to do it In back when we issued our preliminary report in December of 2010 our preliminary privacy report an industry really stepped up to the plate It's not perfect yet. Work needs to be done I talked to the industry all the time about the type of work that I think they should do to make it better But but they're trying they're doing something so Big big issues around choice around notice I think it's something that and we as the FTC generally and me as a commissioner in particular I think it's something we absolutely need to address and we're trying to address it I'm not sure we'll hit all the issues in the way that you've described them But it's a very important issue Excellent. Well, I think do run and follow on or no Yes, sir one one last one. I'm curious about Going from what she said I want to add something. I'm curious about it How does the FTC? View the fact that your average individual consumer has no understanding of the Technology that's that's at play here. I mean, I didn't go to Harvard. I went to law school, but I'd go to Harvard but I'm a I'm a Silicon Valley computer technician at least by trade and it took me forever to understand the things that Google was doing Microsoft was doing, you know, some of the big companies and even some of the small ones And I wrote a paper on it and I was just kind of curious that if Judges don't understand because a lot of you judges don't understand What's at play in technology here and if Your average People who don't understand technology do how how is that going? How does that? Ring for the FTC. How do what's the responsibility of the average individual understanding the technology at work here? It's a great question. It's a great question. It's a great question and you've you worded it. No perf it a great way I Think it's really important to not only do what I was describing a moment ago to give consumers simpler notice and Simplified choice, but it's also important for companies To what we call build privacy in to products and not make it so complicated for consumers but to take on some of the burden of Having to make all these decisions and and implement privacy. We kids. There's a there's a phrase for it It's called privacy by design and that's a phrase that was actually invented or created by a woman Ankebukian who is the commissioner of privacy for Ontario a province and obviously in Canada And she created this concept of privacy by design and what what it's what it's what it's getting at at its heart Is to say to commercial operations to businesses You know don't make it so hard for consumers you know don't One of the phrases that you also hear is it's great to put things on the dashboard if they're clear and simple But build things under the hood for consumers with respect to privacy And there's all sorts of analogies that I like to use like driving a car, right? We don't think every consumer needs to be a mechanic or should be a mechanic I mean think of what our society would be like if we all had to be mechanics in order to drive cars It's completely inefficient. There are least cost avoiders to use the the economists term, right? There are least cost avoiders who should build these things build safety mechanisms and and and all sorts of other Mechanisms that go into car into cars. They should be responsible for that Consumers should just be able to turn on the key do things like change the oil, right? They put in the right kind of gas keep their tires filled, right? Do do simple maintenance But not have to know how the engine was built in order to in order to drive a car and I think that that's a really good analogy that I like to Communicate to businesses to try to explain what privacy by design ought to be They should be thinking about how they're using information How they're collecting information how how much they're retaining and why another big element is retention of information? In order to be thinking about these things on behalf of their consumers, so it's a great question So I think each of these topics could take us absolutely close to our we usually go to about 715 So I was hoping to bring in a few notes from the cyberspace Community who responded to a tweet earlier and I tell you two of them We've actually worked in many of the other ones. So thank you to everybody who emailed them in This the first one relates in somewhat to this last gentleman's question, which was looking at a technological phenomenon and then asking whether it is a plausible FTC type issue and the technical phenomenon as I mentioned to you before is called buffer bloat and the idea that Within networks that there are access buffering instances that are probably not visible to a consumer in which Okay, well how many people in the room know about buffer bloat, okay a couple three and a very well-known Three in a very select group Okay, so please please take over I'm trying to help out here Do you want the microphone? Thank you Well, it's a good point I certainly can't is good point Okay, I'm I guess what you would call a technologist So it turns out that Everybody has been making the same mistake for over a decade thinking that that Losing packets is really a bad idea when in fact whenever the network is congested. It is essential that they be dropped quickly for the network to To actually function correctly So without anybody With any without any malice of forethought or anybody thinking about it since memory got really cheap We've put in buffers all over the place Whenever the network is congested which can happen with a single competing copy these days This turns into horrible amounts of delay so The question is and I'm not sure I know the answer to this I guess there are two facets to it number one that there's been a the marketing of of Speed has been conflated with bandwidth and it's not What matters for most people is speed is how long does it take for me to get what I want off the internet? And it's actually a way more complicated equation than just bandwidth Okay, so there's a a sort of truth in advertising Ten megabits ain't equal to ten megabits depending upon whether there's excess buffering So that's one aspect to it the other of which is that is is that that without anybody intending to this has had the effect of of causing Internet service providers to end up in a preferred position for any real-time application like VoIP or teleconferencing they Without people I firmly believe that this is without any malice of forethought Have provisioned how they do telephony services independently. So if you decide not to get telephony from your broadband carrier It's not currently going to work as well as if you buy it for three-year ISP This this has interesting competitive issues And as I said, I don't necessarily know what the answer right now for the government's role in helping this mess get fixed And it's a pretty monumental mess unfortunately But so in some sense I'm asking this question mostly to put it on your radar screen It needs really serious thought And I guess it's one last aspect of this is not been fully thought through The whole bit torrent network neutrality thing needs to be rewritten the history of that is is more complex than has been realized But as the time bit torrent deployed Buffer bloat was already everywhere and it was really clobbering the ISPs and The people trying to use the network Okay, and it hit much harder than otherwise would because of the technical flaw that it already deployed So a lot of people's Understanding of what happened actually needs to be rethought and reset. There are people on both sides of this equation which are Aren't understanding what the others Position is correctly because they don't even understand there's been a problem Really interesting points. I really appreciate you're bringing it up Yeah, I don't think I'm prepared to answer how we would address that problem today I do think that there's lots of really interesting questions that you're raising potentially advertising Substantiation or a deceptive advertising issues to a certain extent Deception here at all by anyone right and that is it and I and people have raised that advertising issue like around 4g You know, they're advertising 4g, but is it really 4g and what is 4g and where can you actually get 4g, etc? But I think From a just to take a step back on all these issues, you know, obviously, there's the Federal Communications Commission That who we work with a lot on various issues do not call We work with them a lot on some privacy issues as well Obviously, they have a role in in many of the things that you mentioned our final privacy report will be coming out very soon really soon and I think that There'll be some discussion about what we call large platform providers Okay, so, you know ISPs social media Browsers in certain circumstances, you know large platform providers and and and some issues with respect to How they gather information and have the opportunity to gather information in a different way Then then others do and it's it's definitely an area that we need to study I mean it really is now that's the privacy angle. You're really talking more I think about the sort of technological functioning angle And and you know, I appreciate you're raising it at this point We're sort of thinking about how some of the the interplay of these these large platform providers really Effects Consumers and collection of information again. I know you're raising a different issue. So I appreciate you're bringing it up Thank you, and I'll pass along some ACM articles for your flight back on Technical topics We're super over time though do you mind using your mic? The one thing I'm going to disagree in is I don't know if you call me a technologist or not I Think I think that part of it is by by design and it's part on ignorance of Ignorance of the individual user because people don't understand for example I think the engineers do understand the consumers. I don't think the consumers understand I think the engineers do understand having worked at some telecommunications companies I work in Motorola mobility right now And we're dealing with a lot of stuff with Google I also worked as a An educational specialist dealing with sip talking about telecom and they know I just think what they're doing is a lot of them are banking on The fact that no one else does because the technology though it has been around a Lot of people don't understand how to embrace it They think of it. It's just a telephone when really there's so much behind it And I think the only way the government can get involved and I'm going to go back to my education background Really is Proper education of what's happening? I was a trainer for a long time and one of the things I wouldn't struck my students on is when you hear that dial tone what's really going on and I think when you talk about privacy one more second when you talk about privacy and you talk about Advertising and things of that nature. I think that there has to be a component that that deals with Education proper technical education so that people understand that We have a big educational effort absolutely completely agree. It's a perfect note And that which is you're helping to be here as part of the educational program at the Harvard Law School It's really wonderful to spend this time and thank you for making the trip. Well, thank you. It was really fun I enjoyed it a lot