Skip to main content
NCBI home page
Philosophical transactions. Series A, Mathematical, physical, and engineering sciences logoLink to Philosophical transactions. Series A, Mathematical, physical, and engineering sciences
. 2016 Dec 28;374(2083):20160114. doi: 10.1098/rsta.2016.0114

Compelling truth: legal protection of the infosphere against big data spills

Burkhard Schafer 1,
PMCID: PMC5124064  PMID: 28336793

Abstract

The paper explores whether legal and ethical concepts that have been used to protect the natural environment can also be leveraged to protect the ‘infosphere’, a neologism used by Luciano Floridi to characterize the totality of the informational environment. We focus, in particular, on the interaction between allocation of (intellectual) property rights and ‘communication duties’, in particular, data breach notification duties.

This article is part of the themed issue ‘The ethical impact of data science’.

Keywords: data breach notification, copyright, totality operators, big data

1. Big data, new oil, big new problems?

Big data has been frequently characterized as ‘the new oil’ (e.g. [1]). This comparison is inevitably meant to be positive and encouraging, extolling the audience to fully embrace the new technology and the opportunities that it brings. Toonders' characterization can stand in for many others that made claims along similar lines [2]:

Data in the 21st Century is like Oil in the 18th Century: an immensely, untapped valuable asset. Like oil, for those who see Data's fundamental value and learn to extract and use it there will be huge rewards. […]Without it, progress would halt.

The imagery that these statements try to evoke is of rich but underexploited potential for improved products, services and profits, potential for wealth generation and a better future for everybody. Just as oil was the energy source of the nineteenth and twentieth century, the power behind the current industrial revolution is data; the combustion engine is replaced by the silicon chip.

However, even a cursory glance at the history of oil exploitation and the fossil fuel economy triggers a gestalt switch. Big data may well be the new oil, but that means we should be better prepared for substantial environmental damage caused by massive spills; long-lasting environmental degradation owing to the premature use of untested and unsafe extraction technology [3]; forced dislocation or destruction of small, indigenous communities [4, p. 55]; threats to the democratic system owing to a combination of money and economic power held by a small number of large monopolies [5,6]; and political dependency on foreign states with questionable human right records [7]. For all of these ‘old’ dangers that came with the fossil fuel-based industry, we can easily find equivalent dangers in the data-driven economy. The data barons of the twenty-first century are as ruthless in their ability to sideline or defeat political, legal and wider societal concerns in their quest to accumulate more and more information about us.

But is the equivocation between data spills and oil spills a mere metaphor of limited practical use, at best a pedagogical tool, at worst a polemical device to warn against unrestrained optimism when approaching the new paradigm? Or are there deeper structural similarities between informational and environmental hazards, so that we can draw relevant inferences from the failures and successes of environmental protection and environmental ethics to the question of the appropriate law and ethics of big data?

The paper will claim that there are, indeed, valuable lessons that can be learned from environmental regulation and environmental ethics for the regulation of the data society. Luciano Floridi's concept of the infosphere will be used as a broader theoretical framework to justify this analogy, (intellectual) property law and (data) spill notification duties will be the two specific examples that we transplant from environmental to data protection law. One will come from the field of civil law (ownership), the other from the field of public law, more specifically ‘regulatory criminal law’ as the enforcement arm of administrative law. Taking this dual perspective serves two purposes. First, it ensures that the discussion is relevant for a number of legal traditions and approaches, accommodating both the US approach with its emphasis on property rights and the European approach with its greater trust in the state and its regulatory organs. Second, the analysis will show that despite their differences, civil and (regulatory) criminal law, EU and US approaches are experiencing changes that show some recurrent themes and structural properties. I hope to show that these similarities can be explained as a readjustment of our legal systems as a whole of mutually interdependent parts to the conceptual changes that the fourth industrial revolution and the ‘virtualization of reality’ are bringing. In particular, I aim to show a duality between information rights and information duties as an ordering principle of the law of the infosphere.

The paper will discuss, in its civil law part, efficient property allocation for environmental protection very briefly, and with the main aim to make the case for a common good conception of privacy that requires communal or ‘stewardship’ models rather than individual ownership regimes. These typically combine property rights with sets of ‘care duties’. In the second section that takes an example from regulatory criminal law, the paper interprets data breach notification duties as one such duty towards the shared informational environment. Ownership in data through an IP right regime gives the owner a bundle of rights, with the hope that this will encourage good data stewardship. Their role is largely pre-emptive. Data breach notification duties, by contrast, impose a bundle of duties in the hope that this will deter bad data stewardship. Their role is largely reactive. Together, they form a specific type of Totality, the sum of all communication rights and duties—they are ‘the whole truth’ that can be said about that aspect of the infosphere. We will see that talking about totalities of this type is a recurrent aspect of our analysis, making it desirable to explore the logic of this term in more detail.

2. Big data barons

Regulating the Internet and the new data economy has proved to be a difficult, frustrating and often elusive task [8,9]. While claims of the demise of the nation state and the emergence of a libertarian utopia were premature, protecting the safety of citizens online from criminal attacks or unintended damage through negligent service providers remains a significant challenge. Interlinked with this is the protection of their privacy from the preying eyes of private and state actors. It is widely accepted that traditional modes of regulation alone are insufficient to guarantee safety and respect for basic human rights in cyberspace. New forms of regulation are frequently proposed, in particular ‘regulation through code’, by designing protective norms directly into the communication infrastructure [10]. But cyberspace is not the only context where traditional regulatory tools have reached their limits. Preceding the discussion on Internet regulation by more than two decades, concerns over the protection of the physical environment have identified very similar concerns to those posed by the Internet.

The natural environment is the paradigmatic example of a complex adaptive system, which makes it difficult to predict the effect of any top-down legal intervention [11]. Similarly, the Internet as a complex adaptive network often defies ‘single point’ regulatory attempts [9]. Effective environmental protection is frequently a transnational challenge, with the polluter often located outside the borders of the country where the pollution causes the most damage. Effective environmental regulation and Internet regulation require substantial technological and scientific expertise, which will often require judges to defer to expert determination or have regulators resort to technological solutions over legal remedies. The combination of these pressures led increasingly to the insight that despite a growth in the quantity of environmental legislation, the positive effect on the quality of our environment remained often weak, leading to an increased recognition of the limitations of traditional regulatory law [1214].

These concerns about the limits of law's regulatory capacity led some to argue for deregulation and minimal legal intervention. Law then is only facilitative of markets and scientific expertise [15, p. 727ff, 16, pp. 351–383].

Reliance on markets requires efficient allocation of property rights. Undoubtedly, some success was achieved through environmental protection based on private property regimes, in particular, NGOs acquiring land ownership for conservation purposes [17,18]. But in other cases, the intrinsic limitations of a private property regime limited the success of otherwise beneficial privately owned and administered environmental protection schemes [19] or even had detrimental effect [20]. A particular problem is the transient nature of these private property solutions, which can come to an end at any time if the owner so chooses [21]. This insight had led to an increased recognition of the role of non-traditional property conceptions for the protection of the environment, in particular, non-Western conceptions of ownership by local and indigenous communities that are better understood as a ‘stewardship’ relation than a bundle of economy exploitation rights ([22,23], [24, ch. 6]). While the empirical validity of claims of an intrinsically more environmentally conscious indigenous mindset has come under increased scrutiny [25,26], the general concept of non-traditional, communal property rights vested in local groups and linked to corresponding stewardship duties has increasingly found recognition by international bodies, and proved its usefulness as an additional mechanism for long-term, sustainable environmental protection [2729]. Pooling of resources makes this approach inherently stronger than individual property rights in the face of adversity from large, well-financed corporations, while providing long-term perspective and strategy that transcends the life span of individual community members. This has, by now, found recognition from international bodies and law makers, such as the International Union for Conservation of Nature and Natural Resources (IUCN). IUCN recognizes four models of governance under its Protected Area System: governance by government, by shared governance, by private governance and governance by indigenous people and local communities. Private governance covers both individual, NGO (cooperative) and corporate ownership models, while indigenous ‘ownership’ remains as a separate category to express the fundamental conceptual differences between the ownership concepts [30, p. 39ff]. The latter often includes complex systems of joint responsibilities and benefit sharing [31], rooted in traditional systems of ethics, religion and cultural practices.

Three final points are needed to help us make the transition from a discussion of the physical environment and its protection to the protection of the informational environment. First, stewardship property regimes for environmental protection are intimately linked to the concept of knowledge and information. One reason for the failure of traditional government-led preservation efforts was lack of local knowledge and lack of understanding of the systems that the law tried to regulate. The stewardship system, by contrast, tries to develop strategies to maximize the use of traditional, local knowledge and information about the environment for its protection. Indigenous land property rights and intellectual property rights become essentially intertwined [32,33]. Indeed, it could be argued that in some indigenous societies, certain types of knowledge are constitutive for land property rights—the group that holds the knowledge of certain ceremonies and rituals also controls access to the land [34]; destruction and oppression of these knowledge structures also destroy the economic and political control over the land [35]. Conversely, destruction of the land can, in these belief systems, also equate to a destruction of knowledge—flooding of burial grounds, e.g. is deemed in some communities to destroy the knowledge of those buried there [36].

Second, integrating local communities into the environmental protection effort, requires the free, prior informed consent of indigenous peoples (Durban Recommendation 5.24):

  • — ‘Free’ means the consent has not been imposed or manufactured and is the result of voluntary consultations and negotiations.

  • — ‘Prior’ means the consultation and information process is sufficiently in advance to leave time for the indigenous communities to deliberate and decide.

  • — ‘Informed’ requires full disclosure of information in a form accessible and understandable to indigenous communities.

  • — ‘Consent’ requires full indigenous participation in all major phases through their own freely chosen representatives, including the right to access relevant technical/legal support [37].

Consent plays, of course, also a significant role in data protection law, and the environmental conception of consent is if anything more elaborate and substantive than even the (by international standards) substantive conception of consent in the upcoming European General Data Protection Regulation. Consent in the environmental model is a process that extends through time, and is linked to a deliberative process of institutionalized information sharing.

Third, data are, in (at least) one significant sense, different from physical goods. Exploitation of data can be non-rivalrous. While only one person at a time can eat a specific piece of fruit (Locke's example of property acquisition through labour + digestion) or ride a specific bike, indefinitely many people can use ‘the same’ piece of data simultaneously. This does not harm the analogy that is presented here; on the contrary, it removes potential sources of conflict within the community, and should simplify the governance structure.

We can now make explicit the analogy on which this paper is built. State-led environmental regulation, typical for the early stage of environmental protection, focused on non-negotiable access restrictions to protected vulnerable biotopes and landscapes. Market-based and technocratic solutions were promoted to address perceived failures and inefficiencies of this approach, by focusing on giving individuals control (and in this sense empowerment) through property rights. However, this put considerable burdens on under-resourced (in terms of money, time, skills and knowledge) individuals vis-à-vis powerful commercial interests. Finally, indigenous communities became more closely involved in the conservation efforts, through a recognition of non-Western, ‘stewardship’ models of ownership. As property-based solutions, they still emphasize the aspect of control, but do not locate property any longer in a libertarian understanding of rational, self-interested individuals maximizing their personal gain, but instead are based on ‘thick’ notions of communal solidarity. Furthermore, the environment itself can become something that is owed a duty to, and not just merely a subject of exploitation and control.

In the field of data protection law, we can find a similar pattern. We find state-centric approaches that create (more or less) non-negotiable access restrictions and access control, mitigated by informed consent, an approach particularly strong in the EU. In competition and contrast with this state-centric approach, we also find a US-led market-centric approach that invites us to think of personal data as a form of property of the data subject, similar to copyright. In this approach too, the aim is to ‘empower’ users by giving them property rights and (market transfer) control over their data (e.g. [38]). More recently, Rubinstein proposed ‘Personal Data Services’ as a new business model to bring about a shift towards a ‘user-centric’ concept of data protection, which seeks to ‘integrate diverse types of personal data while putting end users at the centre of data collection of use, subject to a set of global data principles that include transparency, trust, control and value creation’ [39]. However, just as with their environmental counterpart, these market-based, private property solutions struggle to achieve adequate protection for two reasons. First, they ignore the very significant difference in bargaining power, resources and technological knowhow between users and the companies that control their data. The economic value of the data of any individual Facebook user is negligible, putting them into a very weak bargaining position, with few incentives to invest the time and resources to maximize the benefits from this new property and therefore ‘to look after it’ carefully. Only collectively would they be able to engage with large data controllers as equals—pointing towards a collective conception of data property rather than an individualist one. This is an idea that was first proposed by Edwards [40]. The proposal here is in many ways similar to Edwards’. The main difference is the stronger element of control that the community has over its stewards (who will typically be elected office holders and directly responsible to their constituency) than the control and degree of active involvement that a beneficiary of a common law trust has vis-à-vis the trustees. But with this control also come duties—in this case, duties of active participation. A better analogy than trusts might be the pooling of resources in a union or a credit cooperative. While there will be members that chose to be more passive than others, they all elect collectively their leadership and office holders from among their ranks, and exercise control over them. This is important for the overall thrust of this paper that argues that we must not only rethink how we allocate communication rights and duties (and a ‘recall’ or ‘vote of no confidence’ is a communication for our purposes), but move away as far as possible from the focus on isolated individuals to democratic communities.

Following on from this, both the state-centric access control model and the market-centric property model see privacy primarily as an individual good. In both approaches, this incentivizes the right holder to maximize benefits in the short term, rather than looking for sustainable long-term solutions. But this individualistic understanding of privacy misunderstands the importance of privacy as a political and societal good, which enables other democratic values and processes. Privacy empowers individuals to criticize and resist acts of government that are of an undemocratic nature. Bloustein [41, p. 1003] argued that

[t]he man who is compelled to live every minute of his life among others and whose every need, thought, desire, fancy or gratification is subject to public scrutiny, has been deprived of his individuality and human dignity. Such an individual merges with the mass. His opinions, being public, tend never to be different; his aspirations, being known, tend always to be conventionally accepted ones; his feelings, being openly exhibited, tend to lose their quality of unique personal warmth and to become the feelings of every man.

And indeed, the experience in many totalitarian regimes has shown that an absence of privacy has the potential for creating a ‘society of followers’.

This interdependency between the protection of privacy and the protection of other essential features of a democratic society is also highlighted by Raab [42, p. 130], who argues that values like personal autonomy and self-determination

are important not primarily because individuals may wish to live in isolation (for they do not, mostly), but so that they can participate in social and political relationships at various levels of scale, and so that they can undertake projects and pursue their own goals.

Just as a private property approach to environmental protection can lead to individuals cashing in on short-term advantages for themselves, while leaving the collective interest in a clean and diversified environment harmed, privacy theories that emphasize the notion of free alienation of privacy in market places, risk lasting harm to the common good. As Regan [43, p. 233] argues, there is a risk that

[i]f one individual or a group of individuals waives privacy rights, the level of privacy for all individuals decreases because the value of privacy [in the collective view of society] decreases.

In the privacy discussion, this has led many European commentators to be deeply sceptical of the very concept of a property/copyright approach to personal data (e.g. [44]). They fear, not unreasonably, that once we think of private data as property at all, this will lead to even more ruthless ‘trading’ of data, where data subjects are paid a pittance. It is here though that we can learn most from the comparison with environmental protection.

Structurally identical problems in environmental protection led, as we saw, to the inclusion of collective, communal stewardship conceptions of ‘property in the environment’ to the regulatory toolset. If we now take Rubinstein's notion of Personal Data Services as an ‘ecosystem’ serious, then we can see the space for a communal notion of data—ownership that preserves the advantages of her property-centric approach, but without the inherent disadvantage of fragmentation and exploitation by economically stronger Data Barons. Facebook users, collectively, would then own the property in their data, administered through an independent, fiduciary structure (in the way indigenous land rights are typically protected through some form of elected political entity), crucially though not just for the benefit of the current group of members, but with a view on preserving a ‘clean’ data environment also for future user groups and wider society. This will then have to be balanced against the expressed collective interest of the current owners who exercise a degree of control over the stewards. (In the same way, one could say in which politicians balance the need to plan for future generations against the short-term goals of their electorate). While Zittrain asked privacy lawyers to learn from copyright lawyers, both may be able to profit from non-Western conceptions of property that have been leveraged in environmental law.

It goes beyond the scope of this paper to develop such a ‘stewardship theory of data ownership’ in any detail. As noted above though, the notion of ‘stewardship’ means that, in addition to use and exploitation rights, these new property titles also come with sets of new duties and obligations. As a first indicative example, we can see the emergence of such a stewardship model in the ‘replicable computation’ movement. ‘Replicable’ or ‘reproducible’ computing concerns themselves with the way research results are communicated to scientific peers and wider public. It is driven by the recognition that the traditional publication and peer review process is failing as a means to ensure the quality, reliability and robustness of results. The more people are put in a position to test and replicate research, the more false or premature results will be identified and weeded out. Staying with our analogy, we can think of any such misleading study as a pollutant of the informational environment, and the collective activity of testing and replicating as a clean-up. Copyright, if understood mainly as a traditional, individual right that prevents others from reproducing material, and hence an access barrier, seems prima facie inimical to this endeavour. However, Victoria Stodden, among others, has shown how a bundle of creative commons licenses for academic papers, software and datasets together can facilitate replicability [45]. This approach to copyright is intimately linked to a notion of community and its values—here the creative commons community and also the scientific community—and uses property rights to protect the openness of the data in perpetuity, secure from ‘land grabs’ by, say, commercial publishers. Intellectual property, thus, changes from an access barrier to an enabler of sustainable information sharing. The communal values of the scientific community—in particular, the specific type of rationality that comes with the concept of criticism and testing—then ensure that the shared research is subject to a much more rigorous post publication peer review than otherwise possible, thus leading to a collectively assured ‘clean’ information environment. Transparency becomes intimately tied to the quest for a ‘clean’ information environment. Laws, such as copyright law, can enable this type of transparency, by creating a right to share [46]. Other laws, by contrast, create a duty for information sharing, and these we will look at in the next section.

Many questions remain unanswered here. What is attempted is, however, to provide a conceptual framework that allows these questions to be asked. We can ask for instance if, in such a model, we should have the duty to only provide accurate data about ourselves (as the opposite could be seen as ‘data littering’ the info-environment). Such a duty would be a problem for obfuscation based methods of privacy protection.

3. Spilling the beans on data spills

Having discussed what we can learn from environmental law for private law-based approaches to data protection, we now look at regulatory tools that use fines and similar punishments to prevent abusive behaviour—regulatory crimes in environmental and data law. This section begins by an account of two significant data spills and the regulatory lessons that can be learned from them. Oil spills can trigger a duty to inform regulators about the spill, even if this means potential sanctions and fines. Similarly, many jurisdictions introduced a duty to inform regulators, customers or the general public of data spills: data breach notification duties. At a first approximation, data breach notification duty laws fall into a group of regulatory tools that Cass Sunstein called ‘regulation through disclosure’ [47]. Regulation through disclosure has two effects. It gives incentives to the party who owes the duty to minimize the number of triggering events and avoid public embarrassment through safer procedures. Secondly, it enables affected third parties and the wider community to make prudent choices, take protective actions and bring market pressures to bear on repeat offenders. DBNLs perform both tasks, making them therefore also part of the ‘choice architecture’ [48]. Schwartz & Janger [49] thus compare them with the duty of factories to disclose information about toxic releases of one's factory.

In early 2005, the data broker ChoicePoint became aware of a potential security breach. The pattern of activity indicated that the data had been used for the purpose of ID fraud. The personal data of 163 000 customers had potentially been compromised [50]. Ten years later, in August 2015, Ashley Madison (AM), the extramarital-affair brokerage website, became the victim of a successful hacking attack by a group calling itself the ‘Impact Team’. Potentially up to 32 million user profiles were affected, though this may exaggerate the number of victims, as one of the stated objectives of the hack was to expose ‘fake’ profiles, which, according to hackers, were plentiful. The AM data contained names, email addresses, physical addresses, login information and partial credit card payment information. The consequences for many of them were devastating, driving some customers into suicide [51].

While in both scenarios, customers of online service providers were put at risk when their personal identifiable data were leaked after an attack on their OSP, the legal protection offered to the affected groups of customers differed in one significant aspect. ChoicePoint, being a US company, initially informed the police of the suspected data breach, and soon after in compliance with the Californian data breach notification laws (DBNLs) also its 35 000 Californian customers. This limited release of information resulted in a public outcry, and the company soon afterwards approached all US customers whose records had been improperly accessed. While ChoicePoint accepted a duty to tell the truth about the danger it had created for its clients, it tried to avoid telling the whole truth as long as it could.

AM customers were even less lucky. Being headquartered in Canada, AM was not subject to a similar legal obligation. When the ‘Impact Team’ hackers initially approached AM, threatening the release of the data unless its parent company shut down. AM kept the breach secret, hoping undoubtedly that the hackers would not act on their threat. They miscalculated, and it was through a statement released on the Internet by the hackers that AM customers learned about the risk of exposure that they were now facing. This prevented many AM customers from taking timely mitigating action—from coming clean to their spouse to changing their credit card.

The two cases raise interesting philosophical issues. In both of them, we find appeal to ‘truth telling duties’, both moral and legal. DBNLs had imposed on ChoicePoint a duty to tell the truth about data breaches to their customers, even though this was likely going to be a statement against the company's own interest. ChoicePoint complied, hesitantly, telling the truth, but never quite the whole truth. AM, at the danger of sounding puritan, was in the business of facilitating lies, enabling its customers to cheat on their partners. But it was not this that attracted the ire of hackers, but the suspicion that in doing so, they also lied to their own customers, or at least facilitated and benefited from a lie: using inflated numbers of (female) profiles to attract new (male) subscribers, even though they knew, or should have known, that many of the profiles were fake. Finally, AM lied by omission, keeping its customers unaware of the risk they were facing, and encouraging as a result continuous use of AM's services, disclosure of which could later harm them. If translated back into the language of environmental damage, AM allowed degraded substances to accumulate (false profiles) and also allowed toxic information to leak into the environment. On all three counts, AM were bad data shepherds who failed in their stewardship duties towards the data ecosystem that they had created.

Data DBNLs aim two things: mitigating the danger after a spill, but equally important, incentivizing data holders to prevent spills form happening in the first place. In 2002, California became the first country to enact a DBNL, S.B. 1386, which took effect in July 2003. The law requires

a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

As of February 2016, 47 states, including the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted DBNLs (see [52,53]). However, the absence of a general tort of privacy intrusion and the difficulty for individuals to use the court system and prove they suffered individual harm means that this approach suffers enforcement issues [54, p. 1134]:

Attempts to establish a right to damages following receipt of a security breach notice through class action lawsuits have generally only succeeded in clarifying the degree to which no such right exists, although many businesses suffering breaches have chosen on a voluntary basis to provide their customers with credit monitoring services to reduce the risk of harm from identity theft.

As in our discussion above, collective, not individual conceptions of privacy are needed to address this deficit. In the European context, the situation is different. Here, in particular, the upcoming General Data Protection Regulation will not only reaffirm the general right to information privacy, but also provide an enforcement mechanism. Europe's attitude to DBNLs is a typical example of a ‘society centric’ approach to mandatory breach disclosure that goes beyond remedies for any individual customer who suffered harm. Directive 2009/136/EC created a two-tier framework for the reporting of data breaches. It imposes duties to inform both regulatory authorities and affected individuals.

The proposed Amendment to the draft General Data Protection Regulation that will further strengthen this approach phrases the required content of the notification in an interesting way (our emphasis) in its Art 32:

The communication to the data subject referred to in paragraph 1 shall be comprehensive and use clear and plain language. It shall describe the nature of the personal data breach and contain at least the information and the recommendations provided for in points (b), (c) and (d) of Article 31(3) and information about the rights of the data subject, including redress.

All breaches have to be notified to the authorities, but only those that involver personal data require notification of the person affected. Unlike the US laws, this requirement does not only affect subscribers or customers of the service provider, but also affected third parties can benefit from this duty. Notifying affected non-customers can be particularly difficult. As the regulation notes

While providers should have contact details of their subscribers, given their direct contractual relationship, such information may not exist for other individuals adversely affected by the personal data breach. In such a case, the provider should be permitted to notify those individuals initially through advertisements in major national or regional media, such as newspapers, to be followed as soon as possible by an individual notification as provided for in this Regulation.

(Commission Regulation (EU) No 611/2013 at (14))

Importantly for our discussion, the duty of the service provider is not just an expression of a contractual bond between the provider and the affected data subject, duties between individual right owners. Rather, the duty is (also) owed to the wider public, protecting the collective interest in privacy as a common good.

Importantly, as we saw the Directive also entails an active duty by the provider to establish ‘the whole truth’ of the breach. The hacked service providers are not just passive reporters of information that they have obtained. This establishes a rather unusual form of legal duty—a duty of a victim of a crime not only to report the event, but also, to a degree, to investigate it. We will return to this issue below.

Finally, the Directive adds a number of reporting obligations for providers, who will have to maintain an inventory of data breaches. This inventory has to note all the relevant facts that the provider was able to establish, the effects of the breach and any remedial action that was taken. Regulators will use the information gained from these registers to evaluate the efficiency of existing legislation and guidelines, and to develop best practice. We noted above that the European approach extends the scope of notification duties beyond customers to third parties whose data were held. Here, we see this idea extended further—the beneficiaries of this aspect of the notification duty are not just those individuals who suffered harm, but through improved efficiency of the legal system, everybody.

We can now extend our environmental analogy. As we saw above, in stewardship models of land ownership a collective responsibility arises to ‘be concerned about’ and ‘look after’ the environment, something that can best be done if information about problems is spread widely. A duty to report oil spills, e.g., will give an incentive to companies to invest in security equipment, as reporting a spill harms, at the very least, the reputation of the company, at worst exposes it to litigation. At the same time, it allows agencies and citizens to take appropriate action to mitigate the consequences of the spill, be it by direct involvement in the clean-up, or by reinforcing the deterrent aspect of notification duties through a boycott call or similar use of market tools. Just as spill notification duties protect the natural environment, the biosphere, so do DBNLs protect the information environment—or as Floridi terms it, the infosphere [55]. In Floridi's conception, the infosphere has an intrinsic value, which means, in particular, that we may have duties towards its constituent parts, the ‘inforgs’. Inforgs, the ‘inhabitants’ of the infosphere, are entities made up of processing and transmitting information. Individual humans are one example, but the collective of communication tools of a family also qualifies, as do indeed non-human and non-biological information creating entities; of particular importance if we consider it quantitatively, now most information is already generated through machine-to-machine interaction. Not only then do we have ‘information as environmental regulation’ [56], in Floridi's framework we can now also draw the inverse connection, and think of DBNLs as ‘environmental protection regulation of information’, regulation that forces us to create a ‘clean’, i.e. truthful and transparent information environment.

4. Protecting the data environment—a duty for all Inforgs?

DBNLs carve an exemption into the right against self-incrimination, but, as we saw, in this they are but part of a general trend of regulation through disclosure. In this sense, they are indeed very similar to duties to report oil spills or other failures by companies to ensure a safe and clean environment. However, they also go beyond this duty in a crucial sense. AM did not only act carelessly with its customer data. They also were victim of a crime themselves, the hacking of their system, which ultimately will cost them customers, trust and business.

Imposing duties on the victim of a crime, potentially against his/her own interests and under the threat of criminal law sanctions, makes DBNLs conceptually unusual. Normally, we think of the victim as the passive party, wronged by the criminal, with a duty by the state to right this wrong. But when do victims have a moral duty to enable the prosecution of the crimes against them, and under which conditions is it appropriate, for a democratic republic under the rule of law, to turn this moral or civic aspiration into a legal duty, with criminal law sanctions in the case of non-compliance? To answer these questions, we need a general theory of the relation between citizens and the criminal law, a theory that asks what actions are the appropriate subject of criminal sanctions, and what duties and obligations can the criminal law rightfully impose on the citizenry. With other words, the question needs to be answered within a general theory of (criminal) law, a theory that outlines the totality of rules and obligations that the criminal law creates.

Grand legal theory in the tradition of Austin, Kelsen or Hart struggles to provide us with an appropriate analytical framework for this task. Their gaze is primarily on the ‘officials’, the legislator as the source of law, the judiciary as its interpreter, and possibly other officials, such as police, for its enforcement. The citizen is, in these systems, a largely passive recipient of commands, his/her duties merely to obey the sovereign, or, in Hart's version, obey those officials that they recognize as legitimate. Recast in the language of information, the information flow in these systems is (largely) uni-directional, from the top of the pyramid to its base. The criminal law is something external to the citizen, a body of rules laid down by others for them to obey [57, p. 300].

The shortcomings of this conceptual approach have been recognized, among others, by Duff and Marshall in a series of papers on the role of the criminal law, the criminal trial and criminal punishment [58,59]. The traditional model, so they argue, cannot account for all those characteristics of the criminal trial that do not fall into the neat divide between officials and citizens. A broad range of phenomena, from the duty of citizens to serve as jurors, to the specific duties of witnesses as ‘truth speakers’, or the role of criminals in their own rehabilitation, thus remain unaccounted for. It, therefore, gives at best a partial account of what it means to be a ‘system of criminal law’. Duff and Marshall propose an alternative approach centred around distinct roles, connections that people can have relative to a crime, its investigation and, ultimately, its punishment. In particular, they suggest that we can distinguish the following roles a citizen may play in the practical process that is a crime investigation and prosecution [60, pp. 3–4]:

  • (1) official and professional roles, where the citizen ‘in uniform’ is employed by the polity and in this role given special powers, responsibilities and privileges. These include
    • — police officers
    • — judges
    • — prosecutors
    • — civil servants involved in legislative drafting
  • (2) official roles filled by lay participants. Here too, the polity endows the citizen with special rights and duties, but they serve not as employed professionals. These include among others
    • — jurors (the paradigmatic example)
    • — lay judges, justices of the peace, etc.
    • — special constables
  • (3) the final type of roles are those that a citizen acquires by his/her connection to a particular crime. These, so Duff and Marshal suggest, include among others
    • — victim
    • — witness
    • — offender
    • — suspect/defendant
    • — ‘ex-offender’.

This framework then allows us to ask if our vision of the criminal law is compatible with recognizing any of these roles in law—should we use, e.g., lay people as police officers? It also allows us to ask precisely under what conditions we should or at least legitimately can turn a civic duty into a legal obligation. And finally, it allows us to ask how we can resolve conflicts between these roles while staying true to our vision of the criminal law in a democratic society.

As we saw above, being able to talk about specific roles also enabled us to place DBNLs into a conceptual framework. DBNLs call upon online service providers in their role as professional businesses with special expertise, on their role as witnesses of a crime, and on their role as a victim of a crime. In attaching specific legal duties to these roles, we also saw how they are asked to take on functions that have previously been reserved to certain officials, in particular, the investigative duties they incur to be able to inform their customers about the ‘whole truth’ of the breach. Here, we see the problematic aspect of their involvement: as experts, they are tasked to investigate, as witnesses, to testify truthfully, while as victims and as enablers, they may be entitled to considerations that limit these duties.

Duff and Marshal integrate their role-based scheme within a wider communitarian theory of criminal law in a democratic society, which aligns their approach with communitarian conceptions of ownership that we saw, in the first part, for non-Western property conceptions. They also link it to a specific conception of the trial as ‘public holding to account’ [61]. As noted above, we do not normally in law require active participation of victims of crime in the prosecution of their aggressors. There are, however, a number of more or less isolated exceptions to this rules that can be explained in this combination of communitarian and communicative conceptions of the trial. One such example is prosecutions against victims of domestic violence who withdraw their allegations during the court proceedings. Marshall shows how we can make sense of this within a communication-centric, communitarian model of the criminal law. Victims are not just witnesses; they are a specific type of witness, one that is irreplaceable even when there are other sources to ensure a conviction. In the witness, the harm done to the community is personified, his/her testimony, therefore necessary to communicate the wrongness of the action to judge, public and indeed also the perpetrator [62]. Marshall [63, p. 299] writes:

A trial thus calls a defendant to answer not just to an alleged individual victim, though it does indeed do that, but also to the whole polity for the wrong that he allegedly committed; and it constitutes, in part, an expression, articulation, and application of what are purported to be the shared, ‘public’ values of the polity.

The communication acts that are performed as part of a trial are therefore identity-creating and constitutive. Again Marshall [63, p. 298] writes:

To understand the nature of law we have to understand its role as partly constitutive of a political community and therefore as an object for identification, as playing an important role in a people's sense of who they are. […] Citizens are responsible both to the state (insofar as they are responsible to one another in their roles as citizens) and for the state.

This communicative conception of the trial enables us to connect their account to the information ethics of Floridi. Floridi's conception of the ‘infosphere’ is that it extends beyond cyberspace, as a general theory of information, and can thus accommodate pre-Internet institutions, processes and practices. Its sensitivity to the way ITCs ‘re-ontologize’ the world, in turn, matches the constitutive aspects of information practices during the trial that Marshal emphasizes. If the infosphere, then, as totality of all informational entities, their properties, interactions, processes and mutual relations is the whole of Being [64, pp. 8–10], then we can say that the ‘whole of the law’ becomes the totality of information duties that exist between informational agents. Victims are one type of informational agents, inforgs that hold information of a specific quality.

5. All the facts, ma'am

The paper will finish with a summary of what was achieved, and an outlook for future research.

In the past, legal systems have used, with mixed success, private law solutions (including data as property) and (regulatory) criminal law/public law to protect data subjects.

Protection of the environment too uses both approaches, but in each case with a significant difference: it replaces the focus on largely passive individuals who use rights as a protective shield to more complex communities where parties play active roles and have certain communication duties towards others, in addition to rights.

In the property law case, this is the duty to participate in the communal decision-making process that establishes collective consent. In the criminal law case, it is the duty of victims to participate in the communal communication process that is the trial.

The paper, so far, has argued that the ethical treatment of big data can be informed by experience made with the regulation of environmental hazards. In both cases, institutionalizing the right type of communication duties is essential. We looked at two legal instruments, in particular, the institution of private property, and breach notification duties in administrative law, as complementary strategies. Property laws, if recast as communal, stewardship models of property, can enable the right type of communication and data sharing, while giving incentives to ‘look after’ the environment in perpetuity. Breach notification duties create duties to communicate. Together, they give us part of a regulatory framework where the granting of property rights comes with new, and admittedly burdensome, duties. In both cases, our approach relied on a substantial concept of community and community values. In the case of ownership, we argued for collective control over the assets; in the case of DBNLs, we argued for a duty to inform the whole community of a breach. Appropriate regulation of big data, just as appropriate regulation of the environment, works best within a framework that goes beyond individuals and their interest.

As an avenue for fruitful future research, capturing the precise nature of ‘truth telling duties’ emerged as a key theme. In our analysis, we have also seen that on various levels, appeals to ‘the whole truth’ were made. On the most basic level, we find appeals to the whole truth in the legal doctrine. Just as a witness in court, the victim of a data breach has the duty to report ‘the whole truth’ of the breach. On a more abstract level, we saw how the trial itself can be seen as a communicative exercise, which involves state officials and citizens in a multi-directional exchange of information. Citizens owe to each other various communication duties, depending on their connection to the specific crime, as do legal officials. Victims owe subtly different communication duties to themselves, to the legal officials, to the jurors and indeed to the perpetrator to give a truthful and complete account of what happened. Similarly, judges have communication duties, in particular, the duty to give reasons, that hold towards victim, accused/convict and the wider public, but can vary in intensity, required communication mode or explicitness between these.

We contrasted this model with a more traditional jurisprudential approach to the criminal law, where communication between officials and citizens is uni-directional only, and based on simple commands by the sovereign to the citizenry. This latter view then captures only part of what constitutes a legal system, as opposed to ‘the whole’ of law as the totality of communication rights and duties that citizens and officials owe each other. Finally, we indicated how this normative totality could be extended further still, by substitution ‘inforgs’ for ‘citizen’ and ‘officials’. The resulting model of the infosphere, as suggested by Floridi, provides then the ontological underpinning of our attempt to combine concerns for the natural environment with concerns for the informational environment. The resulting totality encapsulates the whole of ‘Being’, and with that both aspects simultaneously.

From a philosophical perspective, this raises a further question. How are we to make sense of the term ‘the whole truth’ and, what, if anything, does it add to truth simpliciter? To give a precise formal account is interesting not only for practical considerations, e.g. the development of software compliance tools that assist data holders to fulfil their duties under the DBNLs, but also for a more abstract philosophical analysis of what it means to have captured the totality of an issue. It is a natural thought that a description is complete, or is the whole truth, just in case it entails every truth. But this entailment account leads to a dilemma concerning the appropriateness of assertions of the form ‘it is the whole truth that p’. Either p entails that it is the whole truth that p, or it does not. If it does, nothing is added to the bare assertion of ‘it is true that p’ or even p, and the longer utterance violates Grice's maxim of manner. If p does not entail that it is the whole truth that p, however, then ‘it is the whole truth that p’ is false. For if it were true, then there would be a truth—that it is the whole truth that p—that is not entailed by p. Failing to entail all truths, p would not be the whole truth after all, and the assertion would be false. On either horn- of the dilemma, asserting ‘it is the whole truth that p’ comes out as inappropriate. But that result is puzzling: clearly, as our analysis above has shown, there are scenarios where such an assertion seems neither false nor unduly prolix. The prefix ‘it is the whole truth that’ does not seem to be redundant in the way that ‘it is true’ has been taken to be.

In Tractatus 1.1.1, Wittgenstein writes: “The world is determined by the facts, and by their being all the facts. In recent years, philosophers have aimed to give a more precise meaning to this ‘quantifier over everything’. This has involved efforts in metaphysics [65,66] and also crucially for us, ethics and the law [67,68]. Our discussion here indicates that these superficially very different appeals to totalities are indeed interrelated. Introducing a duty to ‘tell the whole truth’ to a witness or victim calls upon both the metaphysical conception of ‘whole truth’ (as a determinant of the precise content of the duties that the witness owes) and the ethical-legal concept (as a determinant of the form of that duty within an account of a complete legal system). Put differently, a more precise and ideally formally representable totality operator T* — ‘It is the whole truth that’ would enable us to describe what the witness has to say, and at the same time allow us to better understand how this type of duty fits into the totality of communication obligations that actors (or inforgs) in a legal system have. The parallel reading of regulation that pertains to the natural environment and regulation that pertain to the informational environment showed how the concept of a duty to tell ‘the whole truth’ connected them both, and can thus also be seen as a first stepping stone for the development of a theory of a totality operator that spans law and metaphysics.

Acknowledgements

Stefan Leuenberger (University of Glasgow) and Martin Smith (University of Edinburgh) contributed substantially to the ideas that gave rise to this paper as part of a joint project on ‘the whole truth’. Section 5, in particular, benefited from the insights and ideas of Leuenberger. My thinking regarding ‘collective’ administration of personal data was strongly influenced by discussions with Lilian Edwards, whose 2004 paper was the first to propose a similar solution.

Competing interests

I declare I have no competing interests.

Funding

This work was supported by the Arts and Humanities Research Council (grant no. AH/M009610/1).

References

  • 1.Hirsch DD. 2013. The glass house effect: Big Data, the new oil, and the power of analogy. Maine Law Rev. 66, 373–396. [Google Scholar]
  • 2.Toonders J. 2014. Data is the new oil of the digital economy. Wired. https://www.wired.com/insights/2014/07/data-new-oil-digital-economy/ (accessed 19 October 2016). [Google Scholar]
  • 3.Ko JY, Day JW. 2004. A review of ecological impacts of oil and gas development on coastal ecosystems in the Mississippi Delta. Ocean Coast. Manage. 47, 597–623. ( 10.1016/j.ocecoaman.2004.12.004) [DOI] [Google Scholar]
  • 4.Gerlach A. 2003. Indians, oil, and politics: a recent history of Ecuador. Lanham, MD: Rowman & Littlefield. [Google Scholar]
  • 5.Lloyd HD. 1894. Wealth against commonwealth. New York, NY: Harper and Brothers. [Google Scholar]
  • 6.Fjelde H. 2009. Buying peace? Oil wealth, corruption and civil war, 1985–99.” J. Peace R. 46, 199–218. [Google Scholar]
  • 7.Le Billon P, El Khatib F. 2004. From free oil to ‘freedom oil’: terrorism, war and US geopolitics in the Persian Gulf. Geopolitics 9, 109–137. ( 10.1080/14650040412331307852) [DOI] [Google Scholar]
  • 8.Brown I, Marsden CT. 2013. Regulating code: good governance and better regulation in the information age. Boston, MA: MIT Press. [Google Scholar]
  • 9.Guadamuz A. 2013. Networks, complexity and internet regulation scale-free law. London, UK: Elgar. [Google Scholar]
  • 10.Brown I, Clark DD, Trossen D. 2010. Should specific values be embedded in the Internet architecture? In Proc. of the Re-Architecting the Internet workshop. New York, NY: ACM; ( 10.1145/1921233.1921246) [DOI] [Google Scholar]
  • 11.Ruhl JB. 1997. Thinking of environmental law as a complex adaptive system: how to clean up the environment by making a mess of environmental law. Houst. Law Rev. 34, 933–1002. [Google Scholar]
  • 12.Wiethölter R. 1986. Materialization and proceduralization in modern law. In Dilemmas of law in the welfare state (ed. Teubner G.), pp. 221–249. Berlin, Germany: Walter de Gruyter. [Google Scholar]
  • 13.Ackerman BA, Stewart B. 1985. Reforming environmental law. Stanford Law Rev. 37, 1333–1365. ( 10.2307/1228633) [DOI] [Google Scholar]
  • 14.Adam R. 2010. Missing the 2010 biodiversity target: a wake-up call for the convention on biodiversity. Colo. J. Int. Environ. Law Policy 21, 123–166. [Google Scholar]
  • 15.Rittich K, 2002. Enchantments of reason/coercions of law. U. Miami L. Rev. 57, 727–742. [Google Scholar]
  • 16.Kennedy D, 1973. Legal formality. J. Legal Stud. 2, 351–398. ( 10.1086/467502) [DOI] [Google Scholar]
  • 17.Pasquini L, Fitzsimons JA, Cowell S, Brandon S, Wescott G. 2011. The establishment of large private nature reserves by conservation NGOs: key factors for successful implementation. Oryx 45, 373–380. ( 10.1017/S0030605310000876) [DOI] [Google Scholar]
  • 18.Kiesecker JM, et al. 2007. Conservation easements in context: a quantitative analysis of their use by The Nature Conservancy. Front. Ecol. Environ. 5, 125–130. ( 10.1890/1540-9295(2007)5%5B125:CEICAQ%5D2.0.CO;2) [DOI] [Google Scholar]
  • 19.LoBue C, Udelhoven J. 2013. Private ownership of underwater lands in Great South Bay, New York: a case study in degradation, restoration and protection. Mar. Policy 41, 103–109. ( 10.1016/j.marpol.2012.12.021) [DOI] [Google Scholar]
  • 20.Cabral RB, Aliño PM. 2011. Transition from common to private coasts: consequences of privatization of the coastal commons. Ocean Coast. Manage. 54, 66–74. ( 10.1016/j.ocecoaman.2010.10.023) [DOI] [Google Scholar]
  • 21.Langholz JA, Krug W. 2004. New forms of biodiversity governance: non-state actors and the private protected area action plan. J. Int. Wildl. Law Policy 7, 9–29. ( 10.1080/13880290490480112) [DOI] [Google Scholar]
  • 22.Alcorn JB. 1993. Indigenous peoples and conservation. Conserv. Biol. 7, 424–426. ( 10.1046/j.1523-1739.1993.07020424.x) [DOI] [Google Scholar]
  • 23.Brechin SR, Wilshusen PR, Fortwangler CL, West PC. 2002. Beyond the square wheel: toward a more comprehensive understanding of biodiversity conservation as social and political process. Soc. Nat. Resour. 15, 41–64. ( 10.1080/089419202317174011) [DOI] [Google Scholar]
  • 24.Ross A. 2011. Indigenous peoples and the collaborative stewardship of nature: knowledge binds and institutional conflicts. Vancouver, Canada: Left Coast Press. [Google Scholar]
  • 25.Alvard MS. 1993. Testing the ‘ecologically noble savage’ hypothesis: interspecific prey choice by Piro hunters of Amazonian Peru. Hum. Ecol. 21, 355–387. ( 10.1007/BF00891140) [DOI] [Google Scholar]
  • 26.Fennel DA. 2008. Ecotourism and the myth of indigenous stewardship. J. Sustainable Tourism 16, 129–149. ( 10.2167/jost736.0) [DOI] [Google Scholar]
  • 27.Berkes F. (ed.). 1989. Common property resources: ecology and community based sustainable development. London, UK: Belhaven Press. [Google Scholar]
  • 28.Arnold JEM. 1990. Social forestry and communal management in India. Social Forestry Network Paper 11b London, UK: Overseas Development Institute. [Google Scholar]
  • 29.Agrawal A, Gibson CC. 1999. Enchantment and disenchantment: the role of community in natural resource conservation. World Dev. 27, 629–649. ( 10.1016/S0305-750X(98)00161-2) [DOI] [Google Scholar]
  • 30.Dudley N. (). 2008. Guidelines for applying protected area management categories. Gland, Switzerland: IUCN. [Google Scholar]
  • 31.Bille Larsen P, Oviedo G. 2006. Reconciling indigenous peoples and protected areas: rights, governance and equitable cost and benefit sharing. IUCN Discussion Paper. See https://cmsdata.iucn.org/downloads/iucn_reconciling_ip_and_pa.pdf.
  • 32.Gadgil M, Berkes F, Folke C. 1993. Indigenous knowledge for biodiversity conservation. Ambio 22, 151–156. [DOI] [PMC free article] [PubMed] [Google Scholar]
  • 33.Coombe RJ. 2005. Protecting traditional environmental knowledge and new social movements in the Americas: intellectual property, human right or claims to an alternative form of sustainable development? Fla J. Environ. Law. 17, 115–135. [Google Scholar]
  • 34.Rigsby B. 1999. Aboriginal people, spirituality and the traditional ownership of land. Int. J. Social Econom. 26, 963–976. [Google Scholar]
  • 35.Pettipas K. 1994. Severing the ties that bind: government repression of indigenous religious ceremonies on the prairies. Winnipeg, MB: University of Manitoba Press. [Google Scholar]
  • 36.Whitt, Roberts, Norman, Grieves. 2001.
  • 37.Motoc A-I. 2004. Preliminary working paper on the principle of free, prior and informed consent of indigenous peoples in relation to development affecting their lands and natural resources that would serve as a framework for the drafting of a legal commentary by the Working Group on this concept. E/CN.4/Sub.2/AC.4/2004/4 UN Doc E/C.19/2005/3.
  • 38.Zittrain J. 2000. What the publisher can teach the patient: intellectual property and privacy in an era of trusted privication. Stanford Law Rev. 52, 1201–1250. ( 10.2307/1229513) [DOI] [PubMed] [Google Scholar]
  • 39.Rubinstein IS. 2013. Big data: the end of privacy or a new beginning? Int. Data Priv. Law 3, 74–87. ( 10.1093/idpl/ips036) [DOI] [Google Scholar]
  • 40.Edwards L. 2004. The problem with privacy. Int. Rev. Law Comput. Technol. 18, 263–294. ( 10.1080/1360086042000276762) [DOI] [Google Scholar]
  • 41.Bloustein EJ. 1964. Privacy as an aspect of human dignity: an answer to Dean Prosser. NYUL Rev. 39, 962–1007. [Google Scholar]
  • 42.Raab C. 2012. Privacy, social values and the public interest. Polit. Vierteljahresschr. 46, 129–152. ( 10.5771/9783845238340-133) [DOI] [Google Scholar]
  • 43.Regan PM. 1994. Legislating privacy: technology, social values and public policy. Chapel Hill, NC: The University of North Carolina Press. [Google Scholar]
  • 44.Purtova N. 2010. Private law solutions in European data protection: relationship to privacy, and waiver of data protection rights? Neth. Q. Hum. Rights 28, 179–198. [Google Scholar]
  • 45.Stodden V. 2009. The legal framework for reproducible scientific research: licensing and copyright. Comput. Sci. Eng. 11, 35–40. ( 10.1109/MCSE.2009.19) [DOI] [Google Scholar]
  • 46.Lyon L. 2016. Transparency: the emerging third dimension of Open Science and Open Data. LIBER Q. 25, 153–171. ( 10.18352/lq.10113) [DOI] [Google Scholar]
  • 47.Sunstein CR. 1999. Informational regulation and informational standing: Akins and beyond. Univ. PA Law Rev. 147, 613–675. ( 10.2307/3312719) [DOI] [Google Scholar]
  • 48.Leonard TC, Thaler RH, Sunstein CR. 2008. Nudge: improving decisions about health, wealth, and happiness. Constit. Polit. Econ. 19, 356–360. ( 10.1007/s10602-008-9056-2) [DOI] [Google Scholar]
  • 49.Schwartz PM, Janger EJ. 2007. Notification of data security breaches. Mich. Law Rev. 105, 913–984. [Google Scholar]
  • 50.Otto PN, Antón AI, Baumer DL. 2007. The choicepoint dilemma: how data brokers should handle the privacy of personal information. IEEE Secur. Priv. 5, 15–23. ( 10.1109/MSP.2007.126) [DOI] [Google Scholar]
  • 51.Segall L. 2015. Pastor outed on Ashley Madison commits suicide. CNNMoney, September 8 2015.
  • 52.Needless SA. 2009. The data game: learning to love the state-based approach to data breach notification law. NCL Rev. 88, 267–310. [Google Scholar]
  • 53.Lee S. 2006. Breach notification laws: Notification requirements and data safeguarding now apply to everyone, including entrepreneurs. Entrepreneurial Bus. Law J. 1, 125–153. [Google Scholar]
  • 54.Winn JK. 2009. Are “better” security breach notification laws possible? Berkeley Technol. Law J. 24, 1133–1165. [Google Scholar]
  • 55.Floridi L. 2002. On the intrinsic value of information objects and the infosphere. Ethics Inf. Technol. 4, 287–304. ( 10.1023/A:1021342422699) [DOI] [Google Scholar]
  • 56.Esty DC. 2004. Environmental protection in the information age. NYUL Rev. 79, 115–212. [Google Scholar]
  • 57.Duff RA. 2010. A criminal law for citizens. Theor. Criminol. 14, 293–309. ( 10.1177/1362480610369784) [DOI] [Google Scholar]
  • 58.Duff RA. 2010. The boundaries of the criminal law. Oxford, UK: Oxford University Press. [Google Scholar]
  • 59.Duff RA, et al. 2015. Criminalization: the political morality of the criminal law. Oxford, UK: Oxford University Press. [Google Scholar]
  • 60.Duff RA. 2015. Legal reasoning, good citizens, and the criminal law. Minnesota Legal Studies Research Paper 15-18 SSRN Electron. J. ( 10.2139/ssrn.2618684) [DOI] [Google Scholar]
  • 61.Duff RA. 2001. Punishment, communication, and community. Oxford, UK: Oxford University Press. [Google Scholar]
  • 62.Marshall SE. 2004. Victims of crime: their station and its duties. Crit. Rev. Int. Soc. Polit. Philos. 7, 104–117. ( 10.1080/1369823042000266549) [DOI] [Google Scholar]
  • 63.Marshall S. 2015. It isn't just about you. Victims of crime, their associated duties, and public wrongs. In Criminalization: the political morality of the criminal law (eds Duff A et al.), pp. 291–306. Oxford, UK: Oxford University Press. [Google Scholar]
  • 64.Floridi L. (ed.). 2010. The Cambridge handbook of information and computer ethics. Cambridge, UK: Cambridge University Press. [Google Scholar]
  • 65.Armstrong D. 1989. A combinatorial theory of possibility. Cambridge, UK: Cambridge University Press. [Google Scholar]
  • 66.Chalmers D. 2010. The two-dimensional argument against materialism. In The character of consciousness. Oxford, UK: Oxford University Press. [Google Scholar]
  • 67.Holton R. 2010. The exception proves the rule. J. Polit. Philos. 18, 369–388. ( 10.1111/j.1467-9760.2009.00358.x) [DOI] [Google Scholar]
  • 68.Holton R. 2011. Modelling legal rules. In Philosophical foundations of language in the law (eds Marmor A, Soames S), pp. 165–183. Oxford, UK: Oxford University Press. [Google Scholar]

Articles from Philosophical transactions. Series A, Mathematical, physical, and engineering sciences are provided here courtesy of The Royal Society

RESOURCES