Print
Comment
Volume 91.7

Network Harms

Andy Z. Wang
B.S. 2022, San Jose State University; J.D. Candidate 2025, The University of Chicago Law School.

I would like to thank Professor Omri Ben-Shahar for his tremendous guidance and advice. Thank you to the editors and staff of the University of Chicago Law Review for their tireless editing support. A special thank you to Eric Haupt, Jack Brake, Karan Lala, Tanvi Antoo, Luke White, Jake Holland, Bethany Ao, Emilia Porubcin, Benjamin Wang, and Anastasia Shabalov for their invaluable insights and contributions along the way.

Download PDF

When it comes to data, the whole is greater than the sum of its parts. There may be millions of people with the same birthday. But how many also have a dog, drive a red car, and have two kids? The more that data is aggregated, the more identifying, and thus sensitive, it becomes. In recognition of this principle, the law has developed safe harbors for firms that take steps to prevent aggregation of the data they sell. A firm might, for instance, anonymize its data by removing identifying information. But as the science academy has shown, a wide array of de-anonymization techniques largely renders such efforts moot, allowing motivated actors to link data back to its data subject even after data is anonymized.

Today, data collection is ubiquitous. Data brokers—firms that collect, process, and sell the data of individuals with whom they have no direct business relationship—are a major player in this ecosystem. Courts have traditionally conceived of the harms that arise from data brokering as discrete harms divorced from other activity occurring in the larger data ecosystem. But that judicial conception overlooks a crucial intuition: the magnitude of harm arising from one broker’s activities depends on what data other brokers in the network are selling. De-anonymization techniques often depend on cross-referencing external data to make internal inferences. Furthermore, a motivated actor can purchase multiple datasets from multiple brokers, employ de-anonymization techniques to overcome barriers to aggregation, and aggregate as they please. The consolidated dataset would represent a far larger privacy harm than if those datasets were to be owned in isolation. These “network harms” have thus far been underexplored.

In the absence of meaningful legislation, this Comment urges a turn to the courts. Section 5 of the Federal Trade Commission Act empowers the Federal Trade Commission (FTC) to prevent “unfair or deceptive acts or practices.” In recent years, the FTC has begun to employ these statutory powers to reach the activities of several data brokers. This Comment offers a framework for courts to incorporate network harms in § 5 suits. Doing so would provide a more accurate descriptive account of brokering harms and also extend the reach of the FTC’s theories to data brokers whose activities are not grossly negligent but nevertheless harmful.

TABLE OF CONTENTS
    Cyber Law Data Privacy Privacy Law Technology and Law