White House Report to President Obama on Big Data

On May 1, 2014, a report by Administration officials to President Obama on big data was released. The report was signed by John Podesta, Counselor to the President; Penny Pritzker, Secretary of Commerce; Ernest J. Moniz, Secretary of Energy; John Holdren, Director of the Office of Science & Technology Policy; and Jeffrey Zients, Director of the National Economic Council. The report is the result of a ninety-day study by the review group, convened at the request of President Obama at a January 17 speech at the Justice Department.

The report discusses some of the concerns and challenges with respect to big data and ultimately makes several recommendations. The report is broken into six parts: 1) Big Data and the Individual; 2) Obama Administration’s Approach to Open Data and Privacy; 3) Public Sector Management of Data; 4) Private Sector Management of Data; 5) Policy Framework for Big Data; and 6) Conclusions and Recommendations. Highlights from the report, including are included below.

Big Data and Education
One portion of the report specifically focuses on big data and education, recognizing the wide range of technology and platforms used at all levels of education. The report notes that new technologies allow institutions to personalize education and improve learning, but also raise concerns regarding student privacy. For example, the report states that:

Data from a student’s experience in massive open online courses (MOOCs) or other technology-based learning platforms can be precisely tracked, opening the door to understanding how students move through a learning trajectory with greater fidelity, and at greater scale, than traditional education research is able to achieve. This includes gaining insight into student access of learning activities, measuring optimal practice periods for meeting different learning objectives, creating pathways through material for different learning approaches, and using that information to help students who are struggling in similar ways. [… ]

The big data revolution in education also raises serious questions about how best to protect student privacy as technology reaches further into the classroom. While states and local communities have traditionally played the dominant role in providing education, much of the software that supports online learning tools and courses is provided by for-profit firms. This raises complicated questions about who owns the data streams coming off online education platforms and how they can be used. Applying privacy safeguards like the Family Educational Rights and Privacy Act, the Protection of Pupil Rights Amendment, or the Children’s Online Privacy Protection Act to educational records can create unique challenges.

The report further notes that user information from education platforms “can be very personal” and that the U.S. Department of Education released guidelines for online educational services in February 2014. These guidelines highlight the importance of compliance with FERPA when entering into agreements with third parties regarding student data. The report concludes that “The Administration is committed to vigorously pursuing these questions and will work through the Department of Education so that all students can experience the benefits of big data innovations and teaching and learning while being protected from potential harms.”

Privacy and Law Enforcement
The report also recognizes that while big data can be a useful tool for law enforcement and security, “they also pose difficult questions about their appropriate uses.” Big data can be used to better understand criminal organizations through pattern analysis, but gathering of such data can also include information about individuals not subject to investigation. It also cautions that use of predictive technologies, while potentially useful in anticipating and preventing crimes, is controversial. It is therefore necessary to balance civil liberties and privacy interests with law enforcement goals.

Data Held by Third Parties
The big data report summarizes Fourth Amendment case law, particularly with respect to data held by third parties. It cites the seminal Supreme Court cases from the 1970s in United States v. Miller and Smith v. Maryland, both of which held that an individual does not have a legitimate expectation of privacy in information voluntarily turned over to third parties, also known as the “third party doctrine.”

In light of Supreme Court jurisprudence in this area, Congress enacted the Privacy Act of 1974, the Electronic Communications Privacy Act of 1986 (ECPA) and the Pen/Trap Act, which provide statutory protection for records held by third parties. However, these pieces of legislation may be seen as outdated and, “In light of technological advances, especially the creation of exponentially more electronic records about personal interactions, some commentators have called for a reexamination of third-party doctrine.” The report notes that the Court of Appeals for the Sixth Circuit ruled in United States v. Warshak that a subscriber has a reasonable expectation of privacy in his e-mail, analogous to a letter or phone call that would be protected. Similarly, in the recent Supreme Court case, United States v. Jones, Justice Sotomayor wrote a concurrence expressing the concern that the third-party doctrine may be “ill-suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”

The report notes that while post-Warshak, warrants are required for content, metadata is being collected and obtained under the third-party doctrine and suggests that examination of the metadata issue, even beyond intelligence activities, should be expanded.

The authors of the report recognize that evolving technologies have created a need to re-evaluate current practices:

ECPA was originally passed in 1986. It has served to protect the privacy of individuals’ stored communications. But with time, some of the lines drawn by statute have become outdated and no longer reflect ways in which we use technology today. In considering how to update the Act, there are a variety of interests at stake, including privacy interests and the need for law enforcement and civil enforcement agencies to protect public safety and enforce criminal and civil law. Email, text messaging, and other private digital communications have become the principal means of personal correspondence and the cloud is increasingly used to store individuals’ files. They should receive commensurate protections.

Similarly, many protections afforded to metadata were calibrated for a time that predated the rise of personal computers, the Internet, mobile phones, and cloud computing. No one imagined then that the traces of digital data left today as a matter of routine can be reassembled to reveal intimate personal details. Today, most law enforcement uses of metadata are still rooted in the “small data world”, such as identifying phone numbers called by a criminal suspect. In the future, metadata that is part of the “big data” world will be increasingly relevant to investigations, raising the question of what protections it should be granted.

The report also acknowledges the challenge that “once data is collected, it can be very difficult to keep anonymous.”

Conclusions and Recommendations

The authors of the report conclude by making six policy recommendations:

  1. Advance the Consumer Privacy Bill of Rights. The Department of Commerce should take appropriate consultative steps to seek stakeholder and public comment on big data developments and how they impact the Consumer Privacy Bill of Rights and then devise draft legislative text for consideration by stakeholders and submission by the President to Congress.
  2. Pass National Data Breach Legislation. Congress should pass legislation that provides for a single national data breach standard along the lines of the Administration’s May 201 Cybersecurity legislative proposal.
  3. Extend Privacy Protections to non-U.S. Persons. The Office of Management and Budget should work with departments and agencies to apply the Privacy Act of 1974 to non-U.S. persons where practicable, or to establish alternative privacy policies that apply appropriate and meaningful protections to personal information regardless of a person’s nationality
  4. Ensure Data Collected on Students in School is Used for Educational Purposes. The federal government must ensure that privacy regulations protect students against having their data being shared or used inappropriately, especially when the data is gathered in an educational context.
  5. Expand Technical Expertise to Stop Discrimination. The federal government’s lead civil rights and consumer protection agencies should expand their technical expertise to be able to identify practices and outcomes facilitated by big data analytics that have a discriminatory impact on protected classes, and develop a plan for investigating and resolving violations of law.
  6. Amend the Electronic Communications Privacy Act. Congress should amend ECPA. To ensure the standard of protection for online, digital content is consistent with that afforded in the physical world—including by removing archaic distinctions between email left unread or over a certain age.