Next, members of the federal trade Commission Rebecca Slaughter and Christine Wilson on the agencies priorities and privacy concerns with new technologies. This event was hosted by the brookings institution. Welcome everybody here. Welcome to our cspan audience. Im cameron kerry, the distinguished visiting fellow at brookings and the center for technology and innovation. And i am pleased to continue our discussions on hashtag the privacy debate. Please feel free to live tweet on that. The federal trade commission a been very much at the center of that debate both as Congress Moves forward and as as a government, as a people deal with the policy issues of privacy. The commission has been very much in the spotlight with major cases, the Facebook Cambridge analytica settlement, youtube settlement, and a series of hearings on competition and Consumer Protection in the 21st century ear a lot of the focus on issue of data and privacy. So were fortunate to have with us today two commissioners, rebecca slaughter and Christine Wilson, both of whom have long backgrounds in public policy. Rebecca slaughter on the hill. Christine wilson previously as chief of staff at the commission, and both experienced in private law practice and other capacities. So just jump right into it. Just kind of begin, if we could, with an overview. Now i think, rebecca, you started in may of last year. Christine in september, the both of you are about a year on, had the experience of cases of hearings. How do you see the privacy landscape today . What do you see as the key issues as we go forward . Youre the Senior Commission on that panel so i defer to you. Almost 18 months of experience now. Thanks for having us. Its nice to be and its nice to be here with christine. This is an issue i know we both care about about and are excited for an opportunity to talk about together. So what are the key issues . Obviously this is an issue to which ive been giving a lot of thought from the perspective of enforcement which is different from a policy perspective that i had and lens i had for so long on the hill. So a few observations that are key in my mind now. The first is that i think we just use the term privacy, we may be unintentionally cabined ourselves to too narrow a universe of thought about the date issues that we are facing. Because privacy generally refers to the sharing of information that people would rather had shared. There are real harms that flow from that and thats a real set of values we need to protect. I think we cant separate those harms from the kinds of harms that flow from the use of that data to turn around and make decisions for people or about people or target manipulate information or harmful information to people. My first observation is that i have been thinking, trying to think a lot more about data abuses rather than the narrow frame of data privacy, because i dont want us to get to cabined into a universe that prohibits thinking about the full planet b of issues that we are encountering. Panoply the second observation i which it is really over noticing consent in this universe. Notice and consent as a framework that informs a lot of sec enforcement action and it makes a lot of sense. You tell people what youre doing with their data. You keep your promises. We can enforce where you buy or you dont. That sounds reasonable but for notice and consent to be meaningful, both notice and consent have to be meaningful. And in this space of data i dont think either our particularly. If we take notice, first of all, weve all seen this to texas by how long would take normal people or even very well educated people to read all the privacy policies they encounter in a year. Its months. People dont do it. And even if you tried to do it, you cant i tried to do it and i cant understand what it means what is being done with my data and a lot of cases, and i have the best tools at my disposal of basically anyone to do that analysis. So i dont think the notice is particularly meaningful, and consent isnt particularly mint for either because most options are take it or leave it. Even if take the time to read the Privacy Policy you cant turn around and say im fine with paragraphs one through eight, please make this edit tonight and then doubleclick consent. You just have to say yes. In fact, you often have to say yes to access the service that is necessary for your participation. I think we need to refrain the guideposts away from the concept of notice and consent, and think more about consumer expectation. What do consumers expect will be done with her data and whats reasonable from that framework. The last point i would make and then i will turn over to christine is, i think we need to be particularly sensitive to have these problems of data abuses and have challenges of notice and consent fall disproportionately on vulnerable populations. Thats important from a policymaking prioritization standpoint and its also important from our thinking about enforcement efforts. I think with those observations i will defer to christine. Thank you for having us. It is great to be here with her back and i think the folks here today will see that we agree on almost everything in this space. Not true on every issue. So my views on privacy and privacy legislation have changed over time. I i did mention the honor of having serving the chief of staff when he was chairman of the federal trade commission in 20012002, and at 2002, and at the beginning of that decade we were grappling with how to deal with privacy issues and it was a significant topic of discussion. We brought early cases like eli lilly and Microsoft Case where misrepresentations were made or poor data hygiene practices resulted in sharing of data in ways that consumers would not expect. Those were good cases for the ftc to bring. We also brought, we created the donotcall registry, and i think given the experience of the number of robocalls today we realize technology has outpaced the telemarketing sales rules. And in the same way there are developments that have outpaced some of the thinking that we did in those early days about how the ftc could be brought to bear. Frankly, we found the edges of the thorn in this area. I am in favor of light touch regulation, and i had to grapple over the last several months with eventually embracing the need for federal privacy legislation. Theres a great paper that export all the different ways you could address harmful abuses. Working through that rubric help make it comfortable with the core federal privacy legislation in this area. And ultimately i think businesses need predictability and certainty. The vast majority of states want to follow the law, comply with the lumbar right now theres a lot of great areas how to do that. I think we all agree on abstract principles of how to deal with Consumer Privacy and data security, accountability and risk management, transparency. But doing that and an informed way is difficult without bright line rules from congress and so i think particularly with coming online gdpr online and other states look at privacy legislation, businesses need that certainty and flexibility. By the same token i think consumers more information. I think there is significant opacity with respect to consumer data. I think the average consumer does not understand all of the different kinds of data that are collected and what is done with the data once it is collected, with whom it is shared, how it is monetized, how it gets transferred to third parties with her without safeguards for the protection of the information. So there significant information asymmetries, and i would love to see legislation that helps boost that transparency. I believe consumers can make informed decisions about which services to participate in and avail themselves of without the full information about whats happening with their data those decisions will not be informed. And then finally i think when you privacy legislation because there are gaps that have emerged given competition in tech delta. The fitbit that i wear collects health data but is not covered under hipaa. There are many examples of that. Its been a long process for me in the year ive been at the commission, and lots of conversations with rebecca and my other colleagues at the ftc will be incredibly patient with me as i am thinking through all of these issues. I am now from on the side of meeting federal privacy legislation. Let me explore more on the content of that. You talked about some additional forms of transparency to increase Consumer Choice. Is that enough, or do you think that is more needed to address how businesses handle the data beyond Consumer Choice . Absolutely. And i think that the was one of the first people i heard say in the way that basically it is impossible for consumers to make all the decisions they need to make so some onus needs the on the businesses to handle the data and with applied Risk Assessment and that sort of thing. I dont think transparency is the beginning and the end of federal privacy legislation, and i agree with rebecca that notice and choice, if at all, as a useful limited application. So in that vein, one idea that keeps coming up is data ownership, Senate BankingCommittee Last week had a hearing on that subject. Is that simply another form of notice and choice with money thrown into the market . Im not an expert on this issue. I havent studied all the proposals in detail but my initial reaction is i have a lot of anxiety about the idea that if we pay people for their data, we solve the problems we are seeing in privacy and data uses. For among other reasons, david is valuable in aggregate, when many, many people feel data is collected for many, many sources and aggregator, which means a marginal value of each piece of data is very small. So the amount that an individual consumer might realize, the monetary value the might realize by being paid for the data strikes me as small, and were talking about a universe where people are already giving up lots of data without being paid, so wouldnt a consequence of this likely be that already Large Companies with more money pay people more to aggregate more data which raises questions, serious questions in the competition space as well as in the privacy and Consumer Protections based . And im not sure what problem is solved. Because again if we are getting to the point where were thinking about things through the lens that data is used in problematic ways, not just collected in problematic ways, facilitating collection by paying people may even exacerbate the use problems rather than solving them. I have a slightly different take in conversations that ive had with peter when at doj over the last several months. He and i talked a lot about whether that concept of data ownership helps us get to the answer would want. If i go to turkey can i buy ten items items, who owns the list of items i purchased and for how much . I need those from an accounting and budgeting purposes but target needs those for inventory and revenue and accounting purposes, the bank needs the information. Who owns that data . Im not sure that talking about data ownership gets us to the answers that we are looking for. You mentioned some of the discussions we have been having with one commission and others. Let me ask you both the question your colleague Noah Phillips racer at brookings when he did a number of other forums. What is the harm that were trying to prevent . I think it is a great question here it is a way of focusing the mind, what are the problems were trying to solve . We dont want to rush and create a vast framework without thinking specific about the harms we are attempting to address. And i think the ftc already has a vast set of precedent regarding harms that we do as worthy of waiting. So physical injury and you may want to talk about we made the announcement last week about stalkerware. Financial injury, reputational injury, unwanted intrusion. We have a in which computer rental companies actually installed cameras that could be remotely activated, and those were in bedrooms. Obviously the harms that we are seeking to address are not limited to financial harm. There is a vast array of farmed and begin the cases provide a wonderful list and overview of the harms that it leaves. But i think, i agree with all of that, but i would build on it. First, let me mention the stalkerware case was an important one. It was a case against stalkerware app. You could buy an app and install it on somebody elses song and the app can basically with instructions on how to jailbreak the phones so the person would not be able to delve that they were being tracked. Its not just creepy. It is lethal in a lot of circumstances for victims of domestic violence. Those are incredibly important harms we need to talk about. It is also very important to me that not be a closed universe of harms. Lets think about children for example. There was a study that came out recently that talk about the increase, the dramatic increase in teen suicide rates in the u. S. Theres a notorious case in the uk of a young woman who took her own life at 14 after being the target of some online bullying but also material that was pushed to her the talked about how to commit suicide. Thats indescribably scary and damaging. Thats not a privacy violation in the same what we might have traditionally thought about it. But it is a real harm to use data targeting. I think about terrorist recruitment or recruitment for hate groups. I think about the targeting of manipulative information to voters, children. These are all real the true harms. Whats really important to me in this debate is that we not fall into the trap of thinking we need to be able to quantify harm in order to fight it its easy to quantify financial are but in the data privacy case not always. A lot of harms are not quantifiable and are still very, very real. One thing i think we as an agency need to do and Hope Congress will do is provide help or guidance about the types of harms we think are important but not limited that. I also think there are things we cant anticipate today that will emerge as problems and continue to be problems and we need to make sure we have the flexibility to address emerging problems and not just the ones we are aware of right now. I think in terms of, i think you harms that are not technically evident but that concern is, i am very concerned about the impact on the Fourth Amendment of essentially developing this sense that nothing is private anymore, and so in Fourth Amendment law the question is, was there a reasonable expectation of privacy that was violated. And if in the commercial arena people have the sense that nothing is private anymore, how does that impact the Fourth Amendment jurisprudence with a court, a judge making a decision with respect to societal norms, was there a reasonable expectation of privacy, and you look at the commercial arena and is none, then that has an impact. I am concerned about the erosion of fourth amended protections. Its not something that is within the ftc jurisdiction i think something we as a society should be thinking about through privacy legislation providing rules about did use and abuse, privacy protections and expectation can help us refrain that discussion and tell us what is in and what is out of bounds. And hopefully provide a little more guidance to the courts on Fourth Amendment issues. I think we deal with that to some extent by recognizing, i think as you said, that in a transaction you have certain interests in your grocery list, so do of the people, and the question is how do we balance those interests . I think that gets us to what i think may been a point of departure between you two in the facebook settlement, maybe thats a much a point departure of substance of things as much as ftc authority, but becca slaughter, you dissented from the decision because you wanted to see what you called meaningful limits of what facebook collects, uses, and shares. Among other things, yes. Yes, among other things, but thats the one that is left out on me. Can you flesh that out a little bit . What kinds of i will go back to the expectations principal that i started with. I think that the framework for what Data Companies can collect about people should start with what people reasonably expect to be sharing with them. If i use a mapping out, i reasonably expect that company will need my location information. If i use a flashlight app, i do not expect that company when they buy information because it does not. I think the first set of limitation should be, is the information you are collecting reasonable and necessary to provide the service you are offering . And then second, are you using that date in a way that it is connected to the service yourer offering, or are you then going beyond what you are providing to use that data for other information . Indicates a facebook, my concerns involve the data that facebook collects of people beyond what they expect, including from third parties in a cross behavior, across the web, not just on the facebook platform and from nonfacebook users who dont anticipate that any relationship with that company and are sharing information with them. I think these are all things that are really important to me but instead make a framework notice and choice, making a framework reasonable expectation, what is collected and how it is used makes a lot more sense to bring us in line with not putting with consumers anticipation of how the data will be used and not putting the entire burden on them to make decisions that they dont have the information or the ability often to meaningfully need. I do what is in terms of a disagreement about the facebook outcome, i will let christine speak for herself, but fundamentally one of the point i was making in the case was getting thinks in settlement negotiations is hard, right . There may be cases where there thinks i i would love to see ia settlement that dont make it in at the end of the and i support the settlement in way because its the best use of the agencies resources. In this particular case because of the magnitude of the case and its impact on the markets and the signal that it would send and the scope of the companies reach, i thought is important for us to fight in court if necessary for the outcome that we really thought was important at the end of the day. But but i will also be the firso recognize thats not a maneuv