On Friday I attended a privacy conference at Boalt. The purpose was to get people on the ground into the same room as people in the ivory tower. However, as one attorney commented privately, "It's everyone telling other people what work to do." I did see that: researchers saying, "We need articles on this," and practitioners saying, "We need studies on that," and still others interjecting, "There's already a study on this, and there's already a paper on that." But if nothing else, it accomplished one thing: everyone was exposed to what everyone else was doing.
Most of the attendees knew 2/3rds of the people there from countless other workshops and were consequently jaded to the whole experience. But I, being young and uninitiated, found it all pretty interesting. Plus there were some names there, people whose law reviews I've cited to or whose names I knew. Eg, I got to meet Dan Solove (yes, I will toss out the short form!).
Some random highlights:
Everyone seemed in agreement over making it a Federal crime to use a social security number as an authenticator. Companies should be able to use it as an identifier (this name matches this information), but they shouldn't be able to use it as proof of authenticity (Eg, prove you are who you say by providing your SSN.) Suggestions: use a combination of personal data to verify one's identity, such as date of birth, mother's maiden name, and previous address.
In a discussion of click-wrap agreements (you download a program and accept all the terms of the contract by clicking "I agree"), I saw that the common terminology "notice and consent" was replaced by "notice and choice." The implication being that the default should be choosing, not agreeing to the terms.
Some lessons from the environmental movement could perhaps be imported into the privacy realm. Eg, privacy impact statements, public shaming of companies, regulation in the form of covenants. But the environmental movement has Al Gore. Privacy needs a celebrity!