II. ASSESSING THE DAMAGE AND LAW’S RESPONSE
- A. Undermining the Values Secured by Sexual Privacy
- B. Surveying the Harm
- C. Understanding the Legal Landscape
The private sector’s vast reservoirs of intimate information threaten crucial values secured by sexual privacy, and they risk damage to human well-being. This Part takes stock of the fallout. Then, it explores existing legal protections.
A. Undermining the Values Secured by Sexual Privacy
Sexual privacy allows people to manage the boundaries around their intimate lives.146 With sexual privacy, people enjoy the freedom to go “backstage” to experiment with their bodies, sexuality, and gender.147 They decide who learns about their innermost fantasies, sexual history, and sexual and reproductive health.
The private sector’s handling of intimate data undermines the values that sexual privacy secures. Firms have jeopardized the autonomy that sexual privacy enables. The dating app Jack’d endangered individuals’ choice to keep their nude photos private by making it easy for strangers to find them online. Grindr negated subscribers’ choice to share intimate information only with potential partners by giving it to advertisers and analytics. There is every reason to believe that subscribers were distressed (to say the least) by the denial of their autonomy.
Private-sector surveillance of intimate information also imperils self-expression and the ability of people to explore new information and ideas.148 The social conformity theory of chilling effects helps explain why.149 People may refrain from searching, browsing, and expressing themselves if they perceive their expression and exploration as falling outside the mainstream.150 For fear that intimate information will be collected and shared in unwanted ways, people will stop visiting sites devoted to gender, sexuality, or sexual health. They will not use period-tracking apps that might help them manage anxiety, pain, and uncertainty.151 They will stop visiting adult sites that enable “vicarious expression and satisfaction of minority interests that are difficult, embarrassing, and occasionally illegal to indulge in reality.”152 They might avoid communicating about intimate matters for fear of unwanted exposure.153 The self-censorship can be more subtle though no less significant. As Jonathon Penney explains, chilling can be more subtle—we may see people change engagement and expression to more socially conforming, mainstream ones rather than experimental, nonmainstream ones.154
146 Id. at 1886. My prior work explores the value of sexual privacy in great detail. See Citron, supra note, at 1882-93; Danielle Keats Citron, Why Sexual Privacy Matters for Trust, 96 WASH. U. L. REV. 1189, 1193-1203 (2019) (exploring the importance of sexual privacy for trust in intimate relationships).
147 Citron, Sexual Privacy, supra note, at
148 Jerry Kang, Information Privacy in Cyberspace, 50 STAN. L. REV. 1193, 1260 (1998). For a masterful exploration of the importance of intellectual privacy, see NEIL M. RICHARDS, INTELLECTUAL PRIVACY (2015). Sexual privacy and intellectual privacy are both foundational privacy rights that often intersect.
149 Jonathon W. Penney, Chilling Effects: Understanding Them and Their Harms (on file with author); Jonathon W. Penney, Internet Surveillance, Regulation, and Chilling Effects Online: A Comparative Case Study, 6 INT. POLICY REV. 1 (2017) https://policyreview.info/articles/analysis/internet-surveillance-regulation-andchilling-effects-online-comparative-case; Alex Marthews & Catherine Tucker, Government Surveillance and Internet Search Behavior, in CAMBRIDGE UNIVERSITY HANDBOOK ON SURVEILLANCE LAW (David Gray et al. eds., 2017); Elizabeth Stoycheff, Under Surveillance: Examining Facebook’s Spiral of Silence Effects in the Wake of NSA Internet Monitoring, 93 JOURNALISM & MASS COMM. 296 (2016).
150 Penney, supra note, at 58-62.
151 Khan, supra note, at.
152 S. Mowlabocus, Porn 2.0? Technology, Social Practice, and the New Online Porn Industry, in PORN.COM: MAKING SENSE OF ONLINE PORNOGRAPHY (F. Attwood, ed. 2010); Maris et al., supra note, at 2.
153 Maris et al., supra note, at 2; Marthews & Tucker.
154 Penney, supra note, at 66.
Public health officials feared this kind of chilling effect after news broke that Grindr had shared its customers’ HIV status with analytics firms.155 A Grindr subscriber told Vox that he removed his HIV status from his profile after learning about the disclosure. He explained that, “Some people’s jobs may be in jeopardy if the wrong people find out about their status—or maybe they have difficult family situations. It can put people in danger, and it feels like an invasion of privacy.”156 This example is consistent with studies showing that victims of nonconsensual pornography tend to withdraw from online engagement and expression.157
155 Julia Belluz, Grindr is revealing its users’ HIV status to third-party companies, VOX (Apr. 3, 2018, 10:26 AM), https://www.vox.com/2018/4/2/17189078/grindr-hiv-status-datasharing-privacy. In response to news that analytics firms obtained people’s HIV status from dating sites like Grindr, sexual health researcher Dr. Jeffrey Klausner underscored his concern “this would undermine years of efforts to promote people recording their HIV status in their profile and sharing their status with others to promote safer sex.” Id.
156 Ghorayshi & Ray, supra note.
157 Jonathon W. Penney, Chilling Effects: Online Surveillance and Wikipedia Use, 31 BERKELEY TECH. L.J. 117, 125–26 (2016); see also Jonathon W. Penney, Internet Surveillance, Regulation, and Chilling Effects Online: A Comparative Case Study, 6 INTERNET POL’Y REV., May 26, 2017, at 1, 3. See generally CITRON, HATE CRIMES IN CYBERSPACE, supra note, at; Danielle Keats Citron, Civil Rights In Our Information Age, in THE OFFENSIVE INTERNET (Saul Levmore & Martha C. Nussbaum, eds. 2010); Jonathon W. Penney & Danielle Keats Citron, When Law Frees us to Speak, FORDHAM L. REV. (2018). Danielle Keats Citron & Neil M. Richards, Four Principles for Digital Expression (You Won’t Believe #3!), 95 WASH. U. L. REV. 1353, 1365 (2018) (“[N]ot everyone can freely engage online. This is especially true for women, minorities, and political dissenters who are more often the targets of cyber mobs and individual harassers.”); Citron & Franks, supra note, at 385; Citron, Cyber Civil Rights, supra note.
The loss of sexual privacy undermines human dignity by changing self-perception. When people realize their intimate life is being observed, tracked, and trafficked, they view themselves as “something seen through another’s eyes.”158 As Anita Allen explains, privacy invasions risk “form[ing] humiliating, despicable pictures of their victims that interfere with their victims’ self-concepts and self-esteem, making them doubt they are the people they have worked to be.”159 The loss of sexual privacy also undermines dignity by having others see people as just parts of their intimate lives and not as fully integrated human beings.160
When people’s nude photos are posted online without consent, they see themselves as just their genitals or breasts and fear that others will see them that way. For example, in 2018, a young lawyer stayed in a hotel for work.161 Without her knowledge or permission, a hotel employee placed a camera in the bathroom and recorded her as she showered.162 The employee posted the video and her personal details on various porn sites.163 The woman told me that after finding out about the postings, she despaired at seeing herself and at being seen as just a naked body relieving and washing herself.164
Private-sector handling of intimate information can jeopardize the trust that is essential for the development of intimate relationships. As Charles Fried argued years ago, privacy is the oxygen for intimacy.165 Intimacy develops as partners share vulnerable aspects of themselves.166 Partners must believe that their confidences will be kept not only by their partners but also by the firms handling their intimate information. If people lose faith in the companies facilitating their intimate interactions, then they will stop using their services, to the detriment of the project of intimacy. The loss of trust is profound when sites disclose people’s nude images without consent. People stop dating for fear that future partners will frequent revenge porn sites and porn sites to post their nude photos in violation of their trust and confidence.167
158 Stanley I. Benn, Privacy, Freedom, and Respect for Persons, in PHILOSOPHICAL DIMENSIONS OF PRIVACY: AN ANTHOLOGY 223, 227 (Ferdinand David Schoeman ed., 1984).
159 ANITA ALLEN, UNPOPULAR PRIVACY: WHAT MUST WE HIDE? 15 (2011).
160 Citron, supra note, at 1882-83.
161 Phone Interview with Gina Doe (October 15, 2018) (notes on file with author); Interview with Gina Doe (May 3, 2019) (notes on file with author). I will explore the invasion of Gina Doe’s sexual privacy in greater detail in my book project.
162 October 15, 2018 Interview.
163 Id. The perpetrator sent a video of her showering to her LinkedIn contacts. Id.
164 Id.
165 CHARLES FRIED, AN ANATOMY OF VALUES (1970).
166 Id. at; Citron, Why Sexual Privacy Matters for Trust, supra note, at.
167 Citron, Why Sexual Privacy Matters for Trust, supra note, at. When domestic violence victims learn that they were being tracked on their cellphones, they fear purchasing new phones lest abusers install a cyberstalking app again.
Equal opportunity is on the line as well. The surveillance of intimate life is particularly costly to women and marginalized people. Consider the disproportionate impact of sites trafficking in nonconsensual pornography. A majority of the nude images posted online without consent involve women and sexual minorities.168 Nonconsensual porn impacts women and girls far more frequently than men and boys. Individuals who identify as sexual minorities are more likely than heterosexual individuals to experience threats of, or actual, nonconsensual pornography.169 As Ari Waldman has found, gay and bisexual male users of geosocial dating apps are more frequently victims of nonconsensual pornography than both the general population and the broader lesbian, gay, and bisexual communities.170 The damage stems from prevailing stereotypes and the social construction of sexuality. When heterosexual men appear in videos having sex, they are socially empowered by the performance whereas women and sexual minorities are demeaned, disempowered, and viewed as stigmatized.171
168 Asia A. Eaton et al., 2017 Nationwide Online Study of Nonconsensual Porn Victimization and Perpetration, CYBER C.R. INITIATIVE 12 (June 2017). For other studies confirming this finding, see Citron, Sexual Privacy, supra note, at 1919 n. 307.
169 See Citron, Sexual Privacy, supra note, at 1920 (discussing various studies confirming this finding); Ari Waldman, Law, Privacy, and Online Dating: ‘Revenge Porn’ in Gay Online Communities, 44 Law & Social Inquiry 987 (2019) (discussing studies showing that 15 percent of lesbian, gay, and bisexual internet users report that someone has threatened to share their explicit images and 7 percent say that someone has actually done it).
170 Waldman, supra note, at.
171 Citron, Hate Crimes in Cyberspace, supra note, at; Citron, Sexual Privacy, supra note, at.
We see the disproportionate impact on women featured on deep fake sex video sites. According to a 2019 study, 96 percent of all of the 15,000 deep fake videos online are deep fake sex videos and 99 percent of those videos involve inserting women’s faces into porn without consent.172 In the past year, the number of deep fake sex videos has grown exponentially, as has the number of deep fake sex videos featuring women without consent.173
Consider the fem-tech market’s potential disproportionate impact on women.174 According to media reports, some employers and health insurers have access to employees’ period- and fertility-tracking apps. Women’s intimate information could be used to raise the cost of employer-provided health insurance, adjust wages, or scale back employment benefits.175 It could impact the ability to obtain life insurance, keep jobs, and get promotions. Medical researcher Paula Castano explains that the information tracked by fertility apps raise concerns because they offer little insight as a medical clinical matter and “focus on variables that affect time out of work and insurance utilization.”176
If intimate information is shared with data brokers, it could be used in the scoring of individuals, to their detriment. As the Federal Trade Commission explains, data brokers’ scoring processes are not transparent, which means that “individuals cannot take actions to mitigate the impact of negative scores, such as being limited to ads for subprime credit or receiving different levels of service from companies.”177 “An insurance company could use scoring products to infer that individuals to classify individuals as higher risk.”178 Scoring products could negatively impact the interest rates charged on loans.179 News about the disproportionately higher creditworthiness of men as compared to women for Apple’s new credit card demonstrates the point.
172 Deeptrace Labs, The State of Deepfakes: Landscape, Threats, and Impact 6 (September 2019), available at https://storage.googleapis.com/deeptrace-public/Deeptrace-the-Stateof-Deepfakes-2019.pdf. Eight of the top ten pornography websites host deepfake pornography, and there are nine deepfake pornography websites hosting 13,254 fake porn videos (mostly featuring female celebrities without their consent). These sites generate income from advertising. Indeed, as the first comprehensive study of deepfake video and audio explains, “deepfake pornography represents a growing business opportunity, with all of these websites featuring some form of advertising.” Id.; see generally Chesney & Citron, supra note, at.
173 Zoom Interview with Henry Ajder (June 10, 2020) (notes on file with author).
174 As discussed above, this is the explicit goal of fem-tech companies.
175 Drew Harwell, Is Your Period App Sharing Your Intimate Data with Your Boss?, WASHINGTON POST (April 10, 2019). Video game company Activision Blizzard pays employees a dollar a day to give it access to the data that they generate with a pregnancy tracking app provided by Ovia Health. Id. The company uses a special version of the app that relays health data in de-identified form to the employer’s internal website accessible by human resources personnel. Id. Ovia Health contends that intimate information can help employers cut back on medical costs and help usher women back to work after birth. Id.
176 Harwell, supra note, at.
177 Federal Trade Commission, supra note, at 48.
178 Id.
179 Rosato, supra note, at.
Reservoirs of intimate information shared with advertisers and sold to data brokers make their way into the hands of vendors who use that data to train algorithms used in hiring, housing, insurance, and other crucial decisions.180 As more intimate information is collected, used, and shared, the more it will be used to entrench bias. People’s sexual assaults, abortions, painful periods, HIV infections, escort use, extramarital affairs, and porn preferences may be used to train job-recruitment and housing-matching algorithms.181 A wealth of scholarship and research explores the discriminatory impacts of algorithmic discrimination in the commercial sector.182 A prevailing concern is that algorithmic tools “replicate historical hierarchies by rendering people along a continuum of least to most valuable.”183
180 Petition for Rulemaking Concerning Use of Artificial Intelligence in Commerce, https://epic.org/privacy/ftc/ai/EPIC-FTC-AI-Petition.pdf. See generally Danielle Keats Citron & Frank Pasquale, The Scored Society: Due Process for Automated Predictions, 89 Wash. L. Rev. 1, 19 (2014).
181 See, e.g., Complaint and Request for Investigation filed by Electronic Privacy Information Center, In the Matter of Airbnb, Inc. (filed with FTC on February 26, 2020). EPIC raised concerns about Airbnb’s deployment of a “risk assessment” tool that assigns secret ratings to prospective renters based on behavioral traits using an opaque proprietary algorithm that is trained on personal information obtained from third parties. The complaint noted that Airbnb’s machine learning inputs include personal data collected from “web pages, information from databases, posts on the person’s social network account” among other information. Id. at 5. Airbnb’s algorithm claims to identify “negative traits” including whether a person is “involved in pornography . . . or sex work” or “has interests that indicate negative personality or behavior traits.” Id.
182 Solon Barocas, Kate Crawford, Deborah Hellman, Anna Lauren Hoffmann, Ifeoma Ajunwa, Pauline Kim, Jason Schultz, Andrew Selbst, and Meredith Whittaker have been doing pathbreaking work in this area. See, e.g., CAROLINE CRIADO PEREZ, INVISIBLE WOMEN: DATA BIAS IN A WORLD DESIGNED FOR MEN (2019); Anna Lauren Hoffmann, Data Violence and How Bad Engineering Choices Can Damage Society, MEDIUM (April 2018), https://medium.com/s/story/data-violence-and-how-bad-engineering-choices-candamage-society-39e44150e1d4; I. Raji & Joy Buolamwini, Actionable Auditing: Investigating the Impact of Publicly Naming Biased Performance Results of Commercial AI Products, Conference on Artificial Intelligence, Ethics, and Society (2019), available at https://www.media.mit.edu/projects/actionable-auditingcoordinated-bias-disclosurestudy/publications/.
183 West, Whittaker & Crawford, supra note, at 10. See also Jevan Hutson et al., Debiasing Desire: Addressing Bias & Discrimination on Intimate Platforms, https://arxiv.org/pdf/1809.01563.pdf; Sasha Costanza-Chock, Design Justice, A.I. and Escape from the Matrix of Domination, JOURNAL OF DESIGN AND SCIENCE (July 2018), https://jods.mitpress.mit.edu/pub/costanza-chock; Kate Crawford, Artificial Intelligence’s White Guy Problem, N.Y. Times (June 26, 2016), https://www.nytimes.com/2016/06/26/opinion/sunday/artificial-intelligences-white-guy-problem.html.
The opacity of commercial algorithms makes identifying and challenging discrimination difficult.184 But examples do exist. Consider, for example, Amazon’s experimental hiring tool that ranked job candidates by learning from data about the company’s past practices. A Reuters story revealed that the hiring algorithm downgraded resumes from candidates who attended all-women’s colleges along with any resume that included the word “women’s.”185 Amazon abandoned the tool when it could not ensure that it was free of bias against women.
B. Surveying the Harm
The widespread collection, storage, use, and disclosure of intimate information risks emotional, physical, and reputational harm. It makes people vulnerable to manipulation, blackmail, and extortion.186 The examples of suffering are as plentiful as they are disturbing.
Consider the aftermath of the hack of Ashley Madison for John Gibson, a married father and Baptist minister who was just one of many exposed in the hack. He committed suicide days after the public learned about the hack. Gibson’s wife explained that her husband’s suicide note described his deep shame about having his name on the site. She explained her husband was mourning the loss of his job. As his daughter explained, Gibson resigned—or was urged to resign—after the church learned about the site.187 “We all have things we struggle with, but it wasn’t so bad that we wouldn’t have forgiven it. But for John, it carried such a shame, and he just couldn’t see that,” she noted.188 Gibson’s son spoke at his memorial service, noting that shame killed his father.189 Gibson’s fear about losing his job was well-founded. Victims of sexual-privacy invasions have been fired or encountered great difficulty obtaining work.190
184 https://epic.org/privacy/ftc/hirevue/EPIC_FTC_HireVue_Complaint.pdf (arguing that HireVue’s hiring algorithms “are likely to be biased by default” and that HireVue keeps secret the “training data, factors, logic, or techniques used to generate each algorithmic assessment”). Indeed, career staff in the offices of state attorneys general have told me that the most challenging problem is figuring out which of the countless vendors to target with civil investigative demands and the likelihood that those demands will be met by claims of trade secrecy.
185 J. Dastin, Amazon scraps secret AI recruiting tool that showed bias against women, REUTERS, available at https://www.reuters.com/article/us-amazon-com-jobs-automationinsight/amazon-scraps-secret-ai-recruiting-tool-that-showed-bias-against-womenidUSKCN1MK08G/.
186 For a superb discussion of such risks for governmental and private sector collection of personal data, see Neil M. Richards, The Dangers of Surveillance, 126 HARV. L. REV. 1934, 1953-54 (2013).
187 Jon Ronson, Episode 5: The Yes Ladder, BUTTERFLY EFFECT PODCAST (aired November 3, 2017), https://www.stitcher.com/podcast/the-butterfly-effect-with-jonronson/e/52105431?autoplay=true.
188 https://www.buzzfeednews.com/article/mbvd/pastor-exposed-by-ashleymadison-hack-commits-suicide.
189 Jon Ronson, Episode 5: The Yes Ladder, BUTTERFLY EFFECT PODCAST (aired November 3, 2017), https://www.stitcher.com/podcast/the-butterfly-effect-with-jonronson/e/52105431?autoplay=true. Gibson was not the only suicide related to the hack of Ashley Madison. Two Canadian citizens killed themselves in the wake of the leak. Chris Baraniuk, Ashley Madison: Suicides over website hack, BBC (Aug. 24, 2015).
190 DANIELLE KEATS CITRON, HATE CRIMES IN CYBERSPACE (2014); see, e.g., Complaint, FTC et al. v. EMP Media, No. 18 CV 00035, at ¶ 47 (D. Nev. Jan. 9, 2018) (victims of nonconsensual pornography attest to fear of losing jobs).
Stories abound of scammers using emails and passwords hacked from porn sites to blackmail people. Criminals write to individuals claiming they recorded them watching porn online and demanding money to keep the videos secret. For seven months in 2018, victims lost 332,000 dollars to these scams. More than 89,000 people were targeted, and on average they paid 540 dollars. Increasingly, criminals are targeting high-earning victims, including company executives, doctors, and lawyers.191
The national security implications of this kind of activity are also significant. The concentration of sensitive information on dating sites presents an inviting target for governments seeking leverage over political activists, dissidents, or foreign agents.192 National security experts raised these concerns after the Chinese government bought the gay dating app Grindr.193 Peter Mattis, a former U.S. government analyst and China specialist, remarked: “What you can see from Chinese intelligence practices is a clear effort to collect a lot of personal information on a lot of different people, and to build a database of names that’s potentially useful either for influence or for intelligence. Then later, when the party-state comes into contact with someone in the database, there’s now information to be pulled.”194
191 Isobel Asher Hamilton, Criminal Groups Are Offering $360,000 Salaries to Accomplices who can Help them Scam CEOs about their Porn Watching Habits, BUSINESS INSIDER (Feb. 24, 2019).
192 “Tinder is the fourth dating app in the nation to be forced to comply with the Russian government’s request for user data, Moscow Times reports, and it’s among 175 services that have already consented to share information with the nation’s Federal Security Service, according to a registry online.” Melanie Ehrenkranz, The Russian Government Now Requires Tinder to Hand Over People’s Sexts, GIZMODO (June 3, 2019, 12:05 PM), https://gizmodo.com/the-russian-government-now-requires-tinder-to-hand-over1835201563. In response to these reports a Tinder spokesperson asserted that “this registration in no way shares any user or personal data with any Russian regulatory bodies and we have not handed over any data to their government.” Id.
193 Steven Blum, What Does a Chinese Company Want with Gay Hookup App Grindr?, LOS ANGELES MAG. (Nov. 4, 2019), https://www.lamag.com/citythinkblog/grindr-china-fbi/.
194 Josh Rogin, Can the Chinese government now get access to your Grindr profile?, Wash. Post (Jan. 12, 2018, 6:00 AM), https://www.washingtonpost.com/news/joshrogin/wp/2018/01/12/can-the-chinese-government-now-get-access-to-your-grindrprofile/.
Criminals and hostile states are not the only ones who exploit intimate information in ways that undermine people’s well-being. When companies use people’s acute emotional fragility or membership in a protected class to override their wishes, their actions can be viewed as a “dark pattern.”195 “The Spinner” exemplifies the troubling nature of dark patterns. It promises to bend the will of people’s intimate partners with its advertising services. The online service sends innocent-looking links to people via text that, when clicked, create cookies that send targeted advertisements.196 The company claims to have swayed people to get back together, to initiate sex, and to settle their divorces. The company’s most requested service is its “initiating sex campaign,” which sends ads trumpeting reasons why people should initiate sex.
Another illustration of troubling manipulation is period-tracking app FEMM, which uses subscribers’ intimate information to dissuade them from terminating their pregnancies. An anti-abortion group runs the app, but it does not tell that to subscribers.197 The app’s marketing materials simply say: “Are you looking to track your menstrual cycles and symptoms, get pregnant or avoid pregnancy? The FEMM app is more than just a period tracker: it provides you with cutting edge science that helps you keep track of your health, understand what is going on with your body, flag potential issues and connect with a network of doctors and nurses to provide you the best health care. We’re a new revolution in women’s health!”198 The app provides materials claiming that birth control is unsafe and highlighting information that promotes pregnancy. The app misleads subscribers about its motives and propagates misinformation.
195 STIGLER COMMITTEE ON DIGITAL PLATFORMS 240-41 (2019). As the Stigler Report notes, using personal data to manipulate people can be benign such as by serving them ads for restaurants around lunchtime. Id. Yet the practice is morally and legally troubling when sensitive data is used to manipulate people. Id. The Stigler Report invokes the concept of dark patterns to evaluate user-interface systems that nudge people to disclose information that they otherwise would not disclose if they had time to consider the implications. Such systems might not be understood as deceptive under traditional understanding of consumer protection laws. Id. at 249.
196 Parmy Olson, For $29, This Man Will Help Manipulate Your Loved Ones With Targeted Facebook and Browser Links, FORBES (January 15, 2019, 7:20 a.m.); Fiona Tapp, New Service Promises to Manipulate Your Wife Into Having Sex With You, ROLLING STONE (August 18, 2018, 11:38 am EST).
197 Jessica Glenza, Revealed: Women’s Fertility App Run By Anti-Abortion Campaigners, THE GUARDIAN (May 30, 2019), https://www.theguardian.com/world/2019/may/30/revealed-womens-fertility-app-isfunded-by-anti-abortion-campaigners.
198 https://play.google.com/store/apps/details?id=org.femmhealth.femm&hl=en_US
C. Understanding the Legal Landscape
In the United States, information privacy law does little to curtail the private sector’s amassing of vast amounts of intimate information, at least outside the provision of health care.199 It generally presumes the propriety of commercial collection of personal data.200 As William McGeveran explains in his influential privacy casebook, American law treats the processing of personal data as both inevitable and pro-social.201
1. Privacy Legislation
American privacy law generally does not curtail data collection.202 Instead, it focuses on procedural protections, such as ensuring the transparency of corporate data practices (referred to as notice) and securing certain rights over personal data (referred to as choice).203 Even its more reform-oriented elements sometimes continue this trend. The California Consumer Privacy Act (CCPA), enacted in 2018, for example, gives consumers the right to know what personal information has been collected and to opt-out of its sale.204
199 The Children’s Online Privacy Protection Act of 1998 is the rare exception. It limits the collection of children’s online information to instances where parents have explicitly provided consent. Similarly, in the EU, the GDPR protects information pertaining to individuals’ “sex life” as sensitive information, precluding its collection except upon explicit consent.
200 Danielle Keats Citron, A Poor Mother’s Right to Privacy: A Review, 98 B.U. L. REV. 1139, 1141 (2018).
201 WILLIAM MCGEVERAN, PRIVACY AND DATA PROTECTION LAW 382-83 (2016); Danielle Keats Citron, Reservoirs of Danger: The Evolution of Public and Private Law at the Dawn of the Information Age, 80 S. CAL. L. REV. 241 (2007).
202 Citron, Privacy Policymaking of State Attorneys General, supra note, at 771. Some states limit commercial contexts in which Social Security numbers and zip codes can be collected.
203 See, e.g., CAL. BUS. & PROF. CODE § 22575 (West 2016); CAL. CIV. CODE § 1798.100 (West 2018). State attorneys general played an important role in getting legislation passed to require privacy policies. Danielle Keats Citron, The Privacy Policymaking of State Attorneys General, 92 NOTRE DAME L. REV. 747, 764-65 (2016).
So long as companies post privacy policies and offer opt-out rights under state law, they can largely collect, use, and sell intimate information without limitation.205 It should therefore not be a surprise that Grindr’s privacy policy warns that its advertising partners “may be collecting information from you.”206 The fem-tech market is doing the same. A recent study showed that ten popular fem-tech apps including Clue sold subscribers’ personal information to at least 135 companies.207 Individuals should not be reassured if companies pledge to de-identify intimate information before selling it. Intimate information can be easily reidentified when combined with other information.208
Under federal and state law, companies must store intimate information in a reasonably secure manner. Legal obligations stem from data security,209 data disposal,210 encryption,211 breach notification,212 and unfair and deceptive acts and practice (UDAP) laws.213 Companies may have a duty to adopt certain data security practices, such as having a comprehensive data-security program addressing potential risks to consumers.214 As explored below, companies have faced suit for inadequately securing intimate information.
204 CAL. CIV. CODE § 1798.100, 1798.105, 1798.110, 1798.120 (West 2018). Under the California Online Privacy Protection Act, websites must detail the categories of personal information that they collect and the categories of third parties with whom that information may be shared. On the CCPA generally and its comparison to GDPR, see Anupam Chander, Margot Kaminski, and William McGeveran, Catalyzing Privacy Law, MINN. L. REV. (forthcoming 2020).
205 CAL. CIV. CODE § 1798.100, 1798.105, 1798.110, 1798.120 (West 2018). Of course, compliance with notice requirements isn’t perfect. For instance, according to researchers, only 11 percent of the privacy policies posted by porn sites disclose that third-party trackers may be collecting visitors’ information. Maris et al., supra note, at. Many consumers will not invoke their opt-out rights due to the stickiness of defaults and the sheer number of companies that would need to be contacted to make a dent in the effort to reduce the trafficking of one’s personal information. See generally WOODROW HARTZOG, PRIVACY’S BLUEPRINT (2018).
206 Thomas Germain, Popular Apps Share Intimate Details About You With Dozens of Companies, CONSUMER REPORTS (January 14, 2020), https://www.consumerreports.org/privacy/popular-apps-share-intimate-details-aboutyou/
207 Rosato, supra note, at.
208 Daniel Kondor et al., Towards Matching User Mobility Traces in Large-Scale Datasets, IEEE, https://ieeexplore.ieee.org/document/8470173.
209 See, e.g., CAL. CIV. CODE 1798.81.5(b) (West 2016); Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 Mass. Code Regs. 17.00 (2010).
210 See, e.g., CONN. GEN. STAT. 42-471 (2015); MASS GEN. LAWS ch. 931 2.
211 See, e.g., CAL. CIV. CODE 1798.85(a)(3).
212 See, e.g., CAL. CIV. CODE 1798.82.
213 See, e.g., CONN. GEN. STAT. 42-11-a-110q.
214 William McGeveran, The Duty of Data Security, 103 MINN. L. REV. 1135, 1140, 1175-1180 (2018).
One might assume privacy law limits all of the private sector’s collection of intimate information related to health conditions. The crucial protections of the federal Health Insurance Portability and Accountability Act (HIPAA), however, only cover data collected during the provision of health care and not health data generally. HIPAA is a health care portability law with privacy protections, not a health privacy bill. It covers particular healthcare providers (known as covered entities), such as medical practices, hospitals, and health insurance companies.215 HIPAA, for instance, requires that covered entities obtain consent before using or disclosing individually identifiable “protected health information.” That provision does not apply to the broad array of non-covered entities, including fem-tech apps, search engines, medical information sites, or dating sites.216 When a dating app collects information about individuals’ HIV status or when a fem-tech app stores the dates of abortions and miscarriages, it is not constrained by HIPAA’s privacy rules.
2. Privacy Policymaking of Law Enforcers
In the rare case, the Federal Trade Commission (FTC) and state Attorneys General (AG) have set norms around the collection and storage of intimate information.217 Federal and state UDAP laws provide support for this activity.218 The following examples provide precedent for entities handling intimate information in the relevant jurisdictions.
215 In passing HIPAA in 1996, Congress delegated authority to the Department of Health and Human Services to enact national data privacy or confidentiality and data security standards. Allen, supra note, at 113-14. DHHS issued its Standards for Privacy of Individually Identifiable Health Information known as the HIPAA Privacy Rule. 45 CFR 164.524. The HIPAA Privacy Rule, enacted in 2000, applies only to covered entities— healthcare providers who engage in certain electronic healthcare transactions, health plans, and healthcare clearinghouses like hospital billing providers and insurers. Id.
216 Period-tracking app Ovia claims to comply with HIPAA, surely due to the fact that the company shares de-identified data with employers who provide health insurance to employees. Harwell, supra note, at.
217 Danielle Keats Citron, The Privacy Policymaking of State Attorneys General, 92 NOTRE DAME L. REV. 747 (2016). The Consumer Financial Protection Bureau also has the authority to regulate abusive conduct, at least within the banking and financial services sector. Under 12 U.S.C. 5531, an abusive practice is one that materially interferes with the ability of consumers to understand a term or condition of a “consumer financial product or service” or takes unreasonable advantage of their understanding of such a service or product’s material risks or of their inability to protect their interests.
The Massachusetts Attorney General’s office has considered the collection of information about women’s visits to abortion clinics, inferred from geolocation data, to constitute an unfair and deceptive business practice. In 2015, an advertising company in Brookline, Massachusetts was hired to bombard “abortion-minded women” with pro-life advertisements as they visited certain health providers.219 Geofencing technology was key to the effort. It let the advertising company target women’s cell phones as they entered “Planned Parenthood clinic[s], hospitals, doctor’s offices that perform abortions.”220 Women saw ads entitled “Pregnancy Help,” “You Have Choices,” and “You’re Not Alone” that linked to live web chats with a “pregnancy support specialist.”221 Once an individual’s device had been tagged, then that person would continue to see pro-life ads for the next thirty days.222
The Massachusetts AG’s office viewed the company’s collection of location data to infer women’s reproductive health as constituting an unfair and deceptive business practice.223 For the Massachusetts AG, the advertising firm intruded upon a “consumer’s private health or medical affairs or status” resulting in the “gathering or dissemination of private health or medical facts about the consumer without his or her consent.”224
218 The Federal Trade Commission has enforcement authority to police unfair and deceptive commercial acts and practices under Section 5 of the Federal Trade Commission Act. Id. In the late 1960s and early 1970s, state lawmakers followed the federal government’s lead in adopting so-called baby Section 5 acts, that is, UDAP laws. With this authority, state attorneys general have served as crucial privacy norm entrepreneurs using their authority under state UDAP laws. Id. I had the great fortune of witnessing creative state AG privacy policymaking in advising then-California AG Kamala Harris from 2014 to 2016. Id.
219 In the Matter of Copley Advertising & John F. Flynn, Assurance of Discontinuance (dated April 4, 2017), https://www.huntonprivacyblog.com/wpcontent/uploads/sites/28/2017/04/nDP.pdf; https://www.mass.gov/news/ag-reachessettlement-with-advertising-company-prohibiting-geofencing-around-massachusetts.
220 Id. ¶ 7.
221 Id. ¶ 10.
222 Id. ¶ 11.
223 Id. In a series of consent decrees, the FTC has made clear that it considers geolocation information as sensitive information requiring explicit, opt-in consent before collecting it. See https://www.ftc.gov/news-events/press-releases/2014/04/ftc-approves-finalorder-settling-charges-against-flashlight-app. For a discussion of the norms around collection of geolocation data, see Danielle Citron, BEWARE: The Perils of Location Data, FORBES (December 24, 2014), https://www.forbes.com/sites/daniellecitron/2014/12/24/beware-the-dangers-oflocation-data/#6037ba1543cb. The U.S. Supreme Court has held that obtaining cell-site location data from third parties implicates a search under the Fourth Amendment. United States v. Carpenter (finding that location data “holds for many Americans the ‘privacies of life’” and that a government with access to historic location data “achieves near perfect surveillance”); see also United States v. Jones. I have been advising federal lawmakers on efforts to provide stronger regulatory protections for location data. This effort is not new. In 2014, then-Senator Al Franken proposed the federal Location Privacy Protection Act, but the bill failed to pick up traction. See Citron, Spying Inc., supra note, at.
224 In the Matter of Copley Advertising, ¶ 15 (emphasis added).
The advertising company and the AG’s office entered into a settlement agreement under which the company vowed not to use geofencing technology near medical centers or physician offices to infer people’s health status, medical condition, or medical treatment.225 Although the agreement is enforceable only against this specific advertising company (one of the limits of governance by settlement agreements), it established a norm against the collection of geolocation data to infer consumers’ reproductive health data under Massachusetts law.226
In another effort to curtail the collection of intimate data, the FTC sued mobile spyware company Retina-X under its UDAP authority in Section 5 of the Federal Trade Commission Act.227 The complaint alleged that defendant’s spyware injured consumers by enabling stalkers to monitor people’s physical movements, sensitive information, and online activities without consent.228 The unwanted collection of cellphone activity risked exposing victims to emotional distress, financial losses, and physical harm, including death.229 The FTC charged that the mobile spyware constituted an unfair practice because consumers could not reasonably avoid the secret spying and the harm was not outweighed by the countervailing benefits.230 In 2019, the FTC entered into a consent decree with Retina-X. The defendant agreed to obtain express written agreement from purchasers that they would use the product only for legitimate and lawful purposes.231 Regrettably, the defendant was not required to refrain from selling monitoring products in the future, a result that shows another of the limits of governance by consent decree.
225 Id. ¶ 20.
226 See Danielle Keats Citron, The Privacy Policymaking of State Attorneys General, 92 NOTRE DAME L. REV. 747 (2016); Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 COLUM. L. REV. (2011).
227 Section 5 of the Federal Trade Commission Act prohibits unfair and deceptive acts and practices. It served as the template for state UDAP laws, which are often referred to as mini-FTC Acts.
228 Complaint, In the Matter of Retina-X Studios, LLC, at ¶ 11-12 (U.S. Fed. Tr. Comm’n).
229 Id.
230 Id. ¶ 32.
231 Agreement Containing Consent Order, In the Matter of Retina-X et al. (U.S. Fed. Tr. Comm’n); Decision and Order, In the Matter of Retina-X Studios (U.S. Fed. Tr. Comm’n).
State and federal enforcement efforts have set important precedent regarding sites amassing people’s nude images as part of extortion schemes. In her capacity as California’s Attorney General, Kamala Harris prosecuted operators of sites that encouraged users to post nude photos and then charged for their removal.232 In one case, site operator Kevin Bollaert faced charges of extortion, conspiracy, and identity theft after urging users to post ex-lovers’ nude photos and offering to remove those images for hundreds of dollars. Bollaert was convicted of 27 felony counts and sentenced to eight years of imprisonment and ten years of mandatory supervision.233
The FTC sued another revenge porn operator under Section 5 of the FTC Act for exploiting nude images shared in confidence for commercial gain.234 The operator agreed to shutter the site and delete the images.235 The FTC joined forces with the Nevada Attorney General in an investigation of yet another revenge porn site that solicited nude images and charged victims from $499 to $2,800 for their removal.236 A federal court ordered the site to destroy all intimate images and personal information in its possession and to pay more than $2 million in penalties.237
Norms around data security have similarly emerged based on federal and state enforcement activity. The FTC follows a process-based approach to data security, which entails assessing steps taken by entities to achieve “reasonable security.”238 State attorneys general, adhering to this approach, often serve as “first responders” to data breaches, at times in coordination with the FTC.239
232 Citron, Privacy Policymaking of State Attorneys General, supra note, at 775.
233 https://www.sandiegouniontribune.com/sdut-kevin-bollaert-revenge-porn-caseresentencing-2015sep21-story.html
234 Complaint, In the Matter of Craig Brittain, No. C-4564 (January 29, 2015), https://www.ftc.gov/system/files/documents/cases/150129craigbrittaincmpt.pdf.
235 Press Release, FTC, Website Operator Banned from the ‘Revenge Porn’ Business After FTC Charges He Unfairly Posted Nude Photos (Jan. 29, 2016); see generally Danielle Citron & Woodrow Hartzog, The Decision That Could Finally Kill the Revenge-Porn Business, ATLANTIC (Feb. 3, 2015). CCRI joined together with Without My Consent to file comment to the consent decree in that case. Comments of the Cyber Civil Rights Initiative and Without My Consent to the Federal Trade Commission (filed February 23, 2015), available at https://www.ftc.gov/system/files/documents/public_comments/2015/02/00007-93359.pdf.
236 Complaint, FTC et al. v. EMP Media, No. 18 CV 00035, at ¶ 45 (D. Nev. Jan. 9, 2018); Press Release, FTC, FTC, Nevada Obtain Order Permanently Shutting Down Revenge Porn Site MyEx (June 22, 2018). The Nevada Attorney General argued that the site violated state UDAP law by intimidating people into paying for the removal of their photos. Id.
237 FTC et al. v. EMP Media Inc., No. 18 CV 0035 (D. Nev. June 15, 2018).
238 Citron, Privacy Policymaking of State Attorneys General, supra note, at.
239 Id.
The FTC and state attorneys general have brought investigations in the wake of data breaches involving intimate information. For instance, the FTC and the Vermont Attorney General’s office sued the owners of Ashley Madison for failing to adequately secure customers’ personal data. The Vermont AG’s complaint highlighted the site’s failure to maintain an information security policy and to use multi-factor authentication.240 The complaint alleged that the site’s inadequate security amounted to an unfair business practice that risked “significant harm to consumers’ reputation, relationships, and personal life” and raised people’s risk of identity theft. The case resulted in a consent decree with the FTC and settlements with state Attorneys General.
The New York Attorney General’s office similarly investigated Jack’d, a gay, bisexual, and transgender dating app, for failing to protect the nude images of approximately 1,900 individuals.241 The dating app allegedly deceived customers by breaking its promise to ensure the confidentiality of photos marked “private.” Although the site had been warned about the security vulnerability more than a year earlier, it had failed to take remedial action.
3. Private Suits
Civil suits have gained traction for deceptive collections of intimate information related to networked sex toys. Subscribers sued vibrator manufacturer Lovense for collecting intimate information despite its promise that “absolutely no sensitive data (pictures, video, chat logs) pass through (or are held) on our servers.”242 The complaint alleged that the defendant intruded on the plaintiffs’ privacy by recording their communications and activities without consent in violation of the federal and state wiretap laws and state privacy tort law.243 Subscribers brought similar claims against We-Vibe for recording information about their use of the defendant’s vibrators.244 The case settled for 3.75 million dollars.
240 Complaint, Vermont v. Ruby Corp., Civ. No. 730-12-16 (dated December 14, 2016).
241 Press Release, N.Y. Attorney General’s Office, N.Y. State Attorney Gen., Attorney General James Announces Settlement With Dating App For Failure To Secure Private And Nude Photos (June 28, 2019), https://ag.ny.gov/press-release/2019/attorney-general-jamesannounces-settlement-dating-app-failure-secure-private-and.
242 First Amended Complaint, S.D. et al. v. Lovense, No. 18-CV-00688, at 33 (N.D. Cal. Aug. 24, 2018).
243 Id. at 65. The case proceeded to discovery after the court rejected the defendant’s motion to dismiss. Order Granting in Part and Denying in Part Defendant’s Motion to Dismiss, S.D. v. Hytto Ltd., D/B/A Lovense, No. 18-CV-00688 (N.D. Cal. May 14, 2019).
244 Amended Complaint, N.P & P.S. v. Standard Innovation Corp., Case No. 16-CV08655 (N.D. Ill. Filed February 27, 2017).
By contrast, individuals have been unable to hold platforms accountable for hosting their nude images without consent.245 Section 230 of the federal Communications Decency Act (CDA) has barred their efforts.246 The irony is significant—the CDA was principally concerned with censoring porn (and was mostly struck down), yet the only part of the law left standing now enables the distribution of the very worst kinds of obscenity and hateful expression. Under Section 230, providers or users of interactive computer services are shielded from liability for under- or over-filtering user-generated content.247 Section 230(c)(1) says that providers or users of interactive computer services will not be “treated as publishers or speakers” for information provided by another information content provider.248
Lower federal and state courts have dismissed victims’ civil claims even though site operators solicited, chose to republish, or failed to remove nonconsensual pornography.249 Section 230 did not bar the state AG and FTC suits discussed above because they concerned site operators’ own extortion schemes, not their publication of user-generated content.250
245 Danielle Citron & Benjamin Wittes, The Internet Will Not Break: Denying Bad Samaritans Section 230 Immunity, 86 FORDHAM L. REV. 401 (2017); Danielle Keats Citron, Cyber Mobs, Disinformation, and Death Videos: The Internet As It Is (And As It Should Be), 118 MICH. L. REV. (2020).
246 Citron & Wittes, supra note, at; Written Testimony of Danielle Keats Citron, House Energy and Commerce Committee Hearing on Fostering a Healthier Internet (October 17, 2019). For an enlightening history of Section 230’s adoption and judicial interpretation, see JEFF KOSSEFF, THE TWENTY-SIX WORDS THAT CREATED THE INTERNET (2019).
247 42 U.S.C. 230(c); Citron & Wittes, supra note, at.
248 42 U.S.C. 230(c)(1). Section 230(c)(2) extends the legal shield to “good faith” removal or blocking of offensive, harassing, or otherwise offensive user-generated content. 42 U.S.C. 230(c)(2).
249 MARY ANNE FRANKS, THE CULT OF THE CONSTITUTION (2019); CITRON, HATE CRIMES IN CYBERSPACE, supra note, at; Danielle Citron & Mary Anne Franks, The Internet As a Speech Machine and Other Myths Confounding Section 230 Speech Reform, U. CHI. L. FORUM (forthcoming 2020), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3532691; Citron & Wittes, supra note, at; Mary Anne Franks, Sexual Harassment 2.0, 71 MD. L. REV. 655, 695 (2012).
250 CITRON, HATE CRIMES IN CYBERSPACE, supra note.
Individuals have sued companies for failing to properly secure personal information. Companies have faced lawsuits in the wake of data breaches, but those suits are often dismissed early on in the litigation due to plaintiffs’ lack of standing or cognizable harm under state law.251 Those lawsuits have a greater likelihood of surviving motions to dismiss if plaintiffs have suffered financial harm like identity theft, as opposed to the increased risk of such harm.252
One might think anti-discrimination law would serve as a crucial tool for preventing the use of discriminatory hiring algorithms in employment decisions. The major barrier to private civil rights claims (or even federal and state enforcement actions) is the opacity of vendors’ proprietary systems. Hiring AI systems may be mining intimate information in ways that have a disparate impact on individuals from protected groups, but this has been impossible to detect, and thus private suits are hard to pursue.253
4. Criminal Law
Only a narrow set of commercial practices—spyware and cyberstalking apps—implicate the criminal law. As I have explored in prior work, Title III of the Wiretap Act includes a provision covering those involved in the manufacture, sale, and advertisement of covert surveillance devices.254 Congress passed that provision, 18 U.S.C. 2512, to “dry up” the source of equipment that is highly useful for private nonconsensual surveillance.255
Section 2512 makes it a crime to intentionally manufacture, sell, or advertise a device knowing or having reason to know that its design renders it “primarily useful” for the surreptitious interception of wire, oral, or electronic communications.256 Defendants face fines of up to $10,000, up to five years imprisonment, or both. Section 2512 covers a “narrow category of devices whose principal use is likely to be for wiretapping or eavesdropping.”257 Twenty-five states and the District of Columbia have similar statutes.258
251 Daniel J. Solove & Danielle Keats Citron, Risk and Anxiety: A Theory of Data-Breach Harms, 96 TEX. L. REV. 737, 739-45 (2018).
252 Id.
253 https://ainowinstitute.org/discriminatingsystems.pdf (explaining that AI tools claim to detect sexuality from headshots and such systems replicate gender and racial bias in ways that deepen and justify historical inequality but are often impossible to review and challenge when deployed in commercial sector); AI Now 2017 Report, https://ainowinstitute.org/AI_Now_2017_Report.pdf.
254 Citron, Spying Inc., supra note, at 1264.
255 S. REP. NO. 90-1097, at 2183 (1968).
256 18 U.S.C. 2512(1)(b) (2012).
257 United States v. Shriver, 989 F.2d 898, 906 (7th Cir. 1992).
258 Citron, Spying Inc., supra note, at 1265 n. 132 (collecting statutes).
Nonetheless, prosecutions remain rare. Despite the prevalence of spyware and the hundreds of purveyors of cyberstalking apps, federal prosecutors have only brought a handful of cases. In September 2014, federal prosecutors brought Section 2512 charges against StealthGenie’s CEO Hammad Akbar.259 StealthGenie’s spyware app secretly intercepted communications to and from mobile phones.260 The federal indictment alleged that the app’s target population was “spousal cheat: Husband/Wife or boyfriend/girlfriend suspecting their other half of cheating or any other suspicious behavior or if they just want to monitor them.”261 A federal judge issued a temporary restraining order authorizing the FBI to disable the site hosting StealthGenie.262 The defendant pleaded guilty to the charges and was ordered to pay $500,000 in fines.263 There have been no subsequent reported federal criminal cases against spyware purveyors since the StealthGenie case. At the state level, prosecutions have been virtually nonexistent.264
While criminal law provides a foothold for the prosecution of the manufacturers, it has been hampered by the requirement that the device be primarily designed for the secret interception of electronic communications.265 As privacy advocate James Dempsey argued and as prosecutors have confirmed, the small number of prosecutions under Section 2512 is attributable to the fact that it is hard to demonstrate that equipment is primarily designed for stealth interception of communications.266
Individual sexual-privacy invaders are a different matter, as my prior scholarship has explored.267 Consider nonconsensual pornography. Today, 46 states, D.C., and Guam criminalize the posting of nude photos without consent.268 Law enforcement has been slowly but surely pursuing cases under those laws.
259 Id. at 1267.
260 Id.
261 Id.; Hautala, supra note, at (noting federal prosecutor’s frustration that the primarily useful requirement makes it difficult to bring Section 2512 cases).
262 Id.
263 Department of Justice, Man Pleads Guilty to Selling Spyware and Ordered to Pay $500,000 Fine (November 25, 2014), available at https://www.justice.gov/opa/pr/manpleads-guilty-selling-stealthgenie-spyware-app-and-ordered-pay-500000-fine.
264 Id.
265 Id.
266 James X. Dempsey, Communications Privacy in the Digital Age: Revitalizing the Federal Wiretap Laws to Enhance Privacy, 8 ALB. L.J. SCI. & TECH. 65 (1997).
267 Citron, Sexual Privacy, supra note, at; Citron & Franks, supra note, at.