Chris Hoofnagle

Chris Jay Hoofnagle is an American professor at the University of California, Berkeley who teaches information privacy law, computer crime law, regulation of online privacy, internet law, and seminars on new technology. Hoofnagle has contributed to the privacy literature by writing privacy law legal reviews and conducting research on the privacy preferences of Americans. Notably, his research demonstrates that most Americans prefer not to be targeted online for advertising and despite claims to the contrary, young people care about privacy and take actions to protect it. Hoofnagle has written scholarly articles regarding identity theft, consumer privacy, U.S. and European privacy laws, and privacy policy suggestions.

Career

Hoofnagle is a professor and attorney at Gunderson Dettmer LLP. He has served as an advisor for several student projects at the University of California, Berkeley School of Information. He advised Ashkan Soltani and his colleagues on their article "Flash Cookies and Privacy".

Hoofnagle and Soltani published a follow-up on this work in 2011 documenting the use of "HTTP ETags" to store persistent identifiers. This research was also published in the Harvard Policy Law Review as "Behavioral Advertising: The Offer You Cannot Refuse," and won the CPDP 2014 Multidisciplinary Privacy Research Award.

Privacy literature contributions

Identity theft

Today, most information regarding identity theft incidents is gathered from the victims whose identities are being stolen. As a result, many aspects regarding identity theft are still unknown. This is because of missing data on synthetic identity theft (situations of identity theft where victims aren't aware of the crime), the fact that most victims don't report identity theft to criminal authorities, and the fact that the FBI may decline to investigate identity theft cases due to lack of resources. In fact, less than one in 32 victims of identity theft file an official complaint on the issue.

Because of these issues, Hoofnagle argues that identity theft information should be gathered from financial institutions. Financial institutions are a central actor during identity theft crimes as they are the institution that imposters use to steal money, they undergo nonpayment after imposters steal money, and they recharge victims after nonpayment. Thus, financial institutions have the most interaction with the imposter, which makes them the best player to gather information about identity theft, according to Hoofnagle. Hoofnagle believes that financial institutions should be required to track the number of identity theft instances that taken place or been avoided, identify the targeted product of the thief, and report the loss suffered or avoided. He argues that these policies will garner more information regarding identity theft, helping institutions avoid the problem in the future.

Hoofnagle's research also discovered that larger institutions that focused on credit card accounts had relatively higher rates of identity fraud than smaller institutions. He argues that this may contradict consumer expectations, as consumers may believe that larger institutions have the tools necessary to avoid identity fraud problems.

Consumer privacy

Social networking services

Although signing up for social networking services (SNSs) like Instagram and Facebook do not cost any money to access, Hoofnagle argues that there is a great price for this transaction: the collection of personal information. As consumers post more on SNSs, the SNSs gather more and more personal information on the consumer. Data can be collected directly by tracking the smartphone owner's posts or storing information from other phone applications on the device. It can also be collected indirectly from information that other people store about the smartphone owner on their own devices. Hoofnagle argues that this transaction represents a loss of privacy for consumers. By freely revealing personal information, consumers leave themselves more vulnerable to data collection, identity theft, fraud, and stalking.

Additionally, consumers do not know how their information will be used in the future. It is almost impossible to delete information that has been posted on SNSs, and consumers do not know how that information will be dealt with.

Internet tracking

There are many methods of internet tracking, including Flash cookies, ETags, HTML5 local storage, Evercookies, and browser fingerprinting. In a study, Hoofnagle discovered that there was a dramatic increase in the use of standard cookies between 2009 and 2011. Additionally, most cookies were placed by third-party hosts, which is mainly made up of advertisers.

Hoofnagle argues that modern privacy regulation would give consumers more choices in the marketplace. He denies that government intervention of this kind is paternalistic in nature.

Commercial data brokers

Commercial data brokers (CDBs) are businesses that collect personal information on individuals and sell it. Hoofnagle argues that CDBs like ChoicePoint perform law enforcement duties by allowing the police to download collections of information about individuals. He thinks that CDBs should be regulated by the Privacy Act of 1974 as a result. He argues that government access to CDBs gives law enforcement information that they would not be able to collect legally, presenting a significant legal issue.

Hoofnagle presents three policy solutions to protect personal data from law enforcement. He believes that commercial and government collection of information shouldn't be distinct, public records should be compatible with modern technology, and the Privacy Act of 1974 should apply to CDBs.

Physical vs digital goods

In "What We Buy When We Buy Now," authors Aaron Perzanowski and Chris Hoofnagle explore a common misconception regarding consumer rights when buying digital goods; specifically, the misconception that the same regulations govern physical and digital media. The authors called their study The Mediashop Study. After conducting a web-based survey, they discovered that most consumers believe that digital goods and physical goods have the same rights to use and transfer. For example, just like an individual can easily transfer a physical book to someone, most consumers believe they have this same ability with digital books. This is not the case under current digital ownership rights. The study also revealed that consumers would be willing to pay more for the right to transfer digital goods and that adding a short notice that explains consumers’ digital rights would be effective in reducing consumer misperceptions.

Privacy policies

Hoofnagle argues that there are limitations to the FTC's privacy policy approach. The Federal Trade Commission (FTC) is the primary consumer protection agency in the United States. Despite the FTC's commitment to the self-regulation of privacy, Hoofnagle argues that consumers are very concerned about their private information being collected. In "The Federal Trade Commission and Consumer Privacy in the Coming Decade," Hoofnagle and the other authors explain how most Americans believe that a company's privacy policy explains how their information will remain private. However, in reality, privacy policies merely detail how website will use a consumer's private information. Based on their research, the authors conclude that privacy notices alone are insufficient for consumer privacy. To advance privacy, the authors suggest that the FTC make three provisions: police the term “privacy policy,” consult with experts in usability to create privacy-protecting mechanisms, and set benchmarks for self-regulation.

Privacy law

Europe

The European Union's General Data Protection Regulation (GDPR) is the E.U.'s law on data protection. Hoofnagle argues that the GDPR is "the most consequential regulatory development in information policy in a generation." The GDPR applies to situations where "personal data" is "processed," so virtually all actions involving personal data are protected under the GDPR. The GDPR also places significant burden on data controllers (e.g. companies) to ensure the privacy of consumer information. For instance, they must keep records of all their data processing, adopt a data protection policy, and be transparent on their data usage. Exemptions to the regulations of the GDPR are data activity of personal use or national security. Consequences for breaking the rules of the GDPR include sanctions and fines, and Data Protection Authorities are the main enforcers of the GDPR's regulations.

The United States

The U.S.'s Privacy Act of 1974 and Fair Credit Reporting Act of 1970 (FCRA) are the framework for U.S. privacy law. Hoofnagle argues that these regulations don't adequately protect privacy, as many companies have found loopholes to them. He argues that the problem with the Privacy Act is that it only applies to the federal government and private companies that work for the government. It does not apply to other private companies or data brokers. Hoofnagle additionally criticizes the FCRA for solely applying to "consumer reporting agencies" that use "consumer reports." Consumer reports solely concern communication on a consumer relating to credit evaluation, employment screening, insurance underwriting, or licensing, and all other uses are not protected by the FCRA.

Hoofnagle and Daniel Solove

HOME


Content is Copyleft
Website design, code, and AI is Copyrighted (c) 2014-2017 by Stephen Payne


Consider donating to Wikimedia



As an Amazon Associate I earn from qualifying purchases