Preprint
Forms of Disclosure: The Path to Automated Data Privacy Audits
SSRN
06/10/2023
DOI: 10.2139/ssrn.4458285
Abstract
The weakest link in privacy enforcement today is detection. For years, agencies and activists sounded the alarm about unregulated, opaque mechanisms that organizations employ to harvest, process, and sell online user data. Some state legislatures have responded in recent years by passing legislation to protect privacy rights. Federal legislation may not be far off. But privacy rights are meaningless without effective enforcement, and enforcement is blind without detection.
New techniques for uncovering privacy violations hold promise. Historically, this would have required access to data brokers’ books. Unsurprisingly, such access was not forthcoming.
Researchers now have tools that can carry out what this Article calls “closed book privacy audits,” detecting privacy violations without targets’ cooperation. For example, by selectively feeding fictitious personal data to online platforms and measuring its impact on web experience, closed book privacy audits can track corporate use (and misuse) of personal information across the data ecosystem. Automated closed book privacy audits could uncork the detection bottleneck, empowering private and public enforcers.
There is one hitch... Privacy audits require both data to test and benchmarks to test it against. Crisp evaluative benchmarks have remained elusive. Emerging privacy laws require corporations to disclose how they collect and use personal information. The laws do not mandate any particular form of disclosure. Through an original empirical study of privacy disclosures by California data brokers, this Article documents the result: a widely variable mishmash of opaque representations that are impossible to audit using a consistent procedure. We argue that the law should mandate uniform privacy disclosures in a machine-readable format. Regulators could borrow from standardized disclosure frameworks used by other regulatory bodies (e.g., the United States Securities and Exchange Commission) to simultaneously improve disclosure clarity and facilitate low-cost detection of violations through closed book audits.
Details
- Title: Forms of Disclosure: The Path to Automated Data Privacy Audits
- Creators:
  - Mihailis Diamantis - University of Iowa
  - Maaz Bin Musa - University of Iowa
  - Lucas Ausberger - University of Iowa
  - Rishab Nithyanand - University of Iowa
- Resource Type: Preprint
- Publication Details: SSRN
- DOI: 10.2139/ssrn.4458285
- Number of pages: 26 pages
- Comment: Forthcoming in Harvard Journal of Law and Technology, v.62
- Language: English
- Date posted: 06/10/2023
- Academic Unit: Philosophy; Law Faculty; Computer Science; Public Policy Center (Archive); Center for Social Science Innovation
- Record Identifier: 9984442225302771