Bridging the Gap between Computer Science and Legal Approaches to Privacy

The fields of law and computer science have generated different notions of privacy risks in the context of the analysis and release of statistical data about individuals. Emerging concepts from the theoretical computer science literature provide formal mathematical models for quantifying and mitigating privacy risks. Such models take into account a notion of privacy risk that is substantially broader than the privacy risks contemplated by many privacy laws. An example of a formal privacy model is differential privacy, which provides a concrete provable guarantee of privacy against a wide range of potential attacks, including types of attacks currently unknown or unforeseen. The subject of much theoretical investigation, new privacy technologies based on formal models such as differential privacy have recently been making significant strides towards practical implementation. For these tools to be used with sensitive personal information, it is important to demonstrate that they satisfy relevant legal requirements for privacy protection. However, making such an argument is challenging due to the significant conceptual gaps between the legal and technical approaches to defining privacy. Notably, information privacy laws are generally subject to interpretation and some degree of flexibility, which creates uncertainty for the implementation of more formal approaches. This Article articulates the nature of the gaps between legal and technical approaches to privacy in the release of statistical data about individuals. It also presents an argument that the use of differential privacy is sufficient to satisfy the requirements of the Family Educational Rights and Privacy Act of 1974 (FERPA), a federal law that protects the privacy of education records in the United States. This argument illustrates what may evolve to a more general methodology for rigorously arguing that technological methods for privacy protection satisfy the requirements of a particular information privacy law. The argument detailed in this article has two main components. First, it involves the extraction of a formal mathematical requirement of privacy protection based on the standard set forth by FERPA. Second, it describes the construction of a rigorous mathematical proof for establishing that differential privacy satisfies the mathematical requirement extracted from FERPA. The argument takes a conservative “worst-case” approach in order to extract a mathematical requirement that is robust to potential ambiguities in legal interpretation. In this way, the mathematical proof demonstrates that the use of differential privacy is sufficient to satisfy a broad range of reasonable interpretations of FERPA, including interpretations that may be adopted in the future.