TO SET THE MOOD: EX MACHINA SOUNDTRACK
Hello, hello! I finally have WiFi (most of the time), a working computer, and some free time to go through my photos from the semester and briefly reflect after a hectic last few weeks between final projects, finals, senior week, graduation, traveling, and now MISTI for the summer. But more on all of that to come, I promise!
For the first class back in February, the Georgetown Law students flew up to Boston to meet us on campus. The rest of the semester, we continued to have our classes together but through video conferencing, using clicker mics to communicate back and forth. The A/V setup worked surprisingly well, and with this new approach to cross-institutional classes, we were able to receive lectures from the professors on the Georgetown side and participate in discussions jointly, and vice versa. We spent our time together reviewing and debating cases, hypotheticals, precedents, and legal frameworks. Each week we’d focus on a new privacy topic, covering ads discrimination, smart cities, and police geolocation in particular. The entire class was centered around developing legislation on one of these privacy areas.
My project team consisted of me, another Course 6 senior, and two Georgetown Law students. We were mentored by Daniel Weitzner, the Founding Director of the MIT Internet Policy Research Initiative in CSAIL and Laura Moy, the Executive Director of Georgetown Law’s Center on Privacy & Technology (my advisor Ilaria Liccardi also helped run the course). We met each week to work on our projects and bounce off ideas. Beyond that, our Georgetown teammates shared with us MIT folks their expertise in crafting, analyzing, and debating legislation. My fellow MIT teammate and I tried our best to learn as fast as we could about the law in the short time we had, and offered our technical background to try to devise robust solutions to modern-day data privacy and handling issues.
We had 8 weeks to research and put together a 17-page white paper, 13-slide pitch deck, and a 22-page piece of state model legislation (and many, many more pages of brainstorming, rough drafts, and notes). Our group focused on smart city transportation technology. Our bill, the TransporTech Act, aims to offer states a piece of model legislation to regulate the increasing volume of data on individuals’ movements in public—by foot, vehicle, or other mode of transportation.
Taken from our executive summary:
To ensure the privacy and security of individuals, States should adopt this model legislation to regulate the use of transportation data. Cities across the country are increasingly deploying sensors, cameras, and other technologies to collect data on traffic patterns, pedestrian movements, or public transit usage. This data can then be used, for example, to alleviate traffic congestion in real-time, reduce auto fatalities, or plan for transportation infrastructure projects.
Taken together, the data collected on individuals in a smart city as they walk, drive, or take the bus can reveal sensitive details, including their personal, religious, or sexual associations. Moreover, if law enforcement is given unfettered access to this data, they can surveil individuals without having to lift a finger, and can mine that data for years into the future. This means that, in cities with transportation-tracking technologies, individuals may never feel free from the watchful eye of police. If this data is not secure, malicious actors can likewise obtain the transportation patterns of individuals, perhaps using it to stalk or harm them.
This law curtails the harms outlined above by requiring that the transportation data that cities collect cannot reasonably be traced to individuals; that it be secure; and that police get a warrant if looking to use the data for law enforcement purposes. Further, this law infuses transparency and public accountability into a city’s use of transportation-tracking technologies by requiring that cities disclose the existence and locations of such technologies, and consider potential discriminatory impacts before using a new technology.
This Act provides that local governments must ensure the privacy and security of data they collect on individuals’ movements in public – by foot, vehicle, or other mode of transportation. Cities must follow a tiered framework based on the transportation data’s sensitivity for use and retention. Data that can identify an individual (personal identifier) or a small subset of individuals (quasi-identifier) must be de-identified before it’s ever shared with the public, and police must obtain a warrant before getting access. When a city contracts with a vendor, they must also abide by the data privacy tiers and security requirements. The law requires that local governments establish a Transportation Data Division to carry out the city’s obligations. A statewide Data Review Board also issues guidance to cities.
This Act requires cities to report any potential for bias or discrimination before a
transportation-tracking technology is deployed. Cities must also disclose the locations of all such technologies, any vendors with whom they are doing business, and any additional entities from whom the local government has received transportation data. Individuals can also request access to their data. Finally, this Act provides a private right of action for individuals whose data was handled in violation of the Act. It also provides a suppression remedy for any evidence obtained as a result of transportation data used by law enforcement without first obtaining a warrant.
For our final presentations, we all met down in DC. We MIT folks flew down bright and early Thursday morning and headed straight to the Georgetown Law school from the airport. We had an hour or two to do some last-minute prep and steady our nerves before our presentation. Each team had 10 minutes to present and about 5 minutes to answer Q&As from a panel of privacy experts judging our legislative proposals.
Our presentation went smoothly enough, but the Q&A was by far the most nerve-wracking part. We had a dry-run of our presentation with a Q&A from our professors and classmates two weeks before in class—we even presented through the video conferencing setup, with two of us at MIT, two of us at Georgetown Law—but we had no idea what to expect from the judges who all were leading experts in their respective legal domains. We defended word choices, definitions, and subparagraphs. We argued our rationale for introducing new regulatory bodies and enforcement mechanisms. We worked as a team to answer these hard questions that we didn’t always have complete answers to.
In the end, we were awarded the Black Mirror Wildcard for the most futuristic, comprehensive, and ambitious legislative proposal! Wild, eh? In just one semester, we went from zero to something, an attempt to make sense of the legal frameworks that govern our country and apply it to an open-ended problem. Our model bill was ambitious, indeed, but maybe some of those ideas will trickle into future bills and proposals.
This course has definitely made me much more conscious of my own digital footprint and aware of the issues that headline the privacy debate. Sometimes problems can’t be solved with more engineers developing more robust technical solutions, as we learned in this class. Sometimes that’s where the law needs to step in. And who knew that a Course 6 undergrad with no previous experience in the law could contribute to that conversation?
After our presentations, we got a tour of the National Cryptologic Museum next to the NSA and a really interesting conversation with one of the civil liberties and privacy officers. I stayed an extra day and spent the weekend relaxing in DC and sightseeing, checking out the museums and exploring the city.