Global Affairs Expert Webinar: Surveillance and Privacy in the Digital Era
Neil Richards, the Koch distinguished professor in law and director of the Washington University School of Law’s Cordell Institute, leads the conversation on surveillance and privacy in the digital era. Carla Anne Robbins, senior fellow at CFR, moderates the discussion.
These webinars provide an opportunity for college and university educators and students to discuss global issues with CFR fellows, Foreign Affairs authors, and other leading experts. To register for future invitations, please complete this form or email [email protected] with your name, title, and academic affiliation.
Speaker
Neil Richards
Koch Distinguished Professor in Law; Director, Cordell Institute
Washington University in St. Louis
Presider
Carla Anne Robbins
Senior Fellow
Council on Foreign Relations
Transcript
ROBBINS: Thank you, Hannah, so much. And hello, everybody. Welcome to today’s session of the Winter/Spring 2026 Global Affairs Expert Webinar series. Phew. That’s a long sentence. I’m Carla Anne Robbins. I’m a senior fellow at the Council on Foreign Relations. I’m director of the master of international affairs program at Baruch College’s Marxe School. And in a previous life, I covered national security for the Wall Street Journal and New York Times. And I just want to thank everyone for joining us today.
This discussion is on the record, and the video and transcript will be posted on education.CFR.org. So if you’d like to share this with your colleagues or classmates, we urge you to do that. And, as always, CFR takes no institutional positions on matters of policy.
And we are truly delighted to have Neil Richards with us to discuss surveillance and privacy in the digital era. Professor Richards is the Koch distinguished professor of law at Washington University School of Law, and codirector of the Cordell Institute for Policy and Medicine Law, where he teaches courses on privacy, technology, free speech, and constitutional law. He’s a member of the American Law Institute, serves on the board of the Future of Privacy Forum, and is an affiliate scholar with the Stanford Center for Internet and Society and the Yale Information Society Project. Professor Richards is the author of Why Privacy Matters and Intellectual Privacy: Rethinking Civil Liberties in the Digital Age, and his writings have appeared in leading law reviews and outlets such as the Guardian, Wired, and Slate.
And just one word on format. Professor Richards and I are going to chat for about ten to fifteen minutes, probably around twelve, and then open things up to your questions. And welcome Neil—the professor has given me permission to call him Neil—(laughs)—and thank you so much for speaking with us today. So I want to start with a really basic question. Which is, what do we mean by surveillance? And who is watching whom? Are we talking about data miners? Are we talking about government? Are we talking about foreign governments? And with this, and how much have new technologies like AI and facial recognition expanded these surveillance capabilities?
RICHARDS: Hi, Carla. Let me just say at the outset, it is great to be here in conversation with you and the other participants in the webinar. This is a really important topic and I’m really glad to have the opportunity to have a, hopefully, informative and entertaining chat for our participants about it.
I think surveillance is one of those big words that gets banded around. I’ve written quite a lot about it. I have a paper in the Harvard Law Review called “The Dangers of Surveillance.” But I think when we talk about surveillance, the basic definition is people are watching. And it can be the government, in the sense of, you know, Orwellian Big Brother. It can also be data miners. I think the literature in surveillance studies has been really helpful in helping us figure out what surveillance is. And I think there’s a couple of characteristics to it that I think are really important.
One of them is surveillance is intentional. It is just—there’s a decision to do it. It’s focused. It usually also serves a particular purpose, that governments or marketers or employers or exam proctors are engaging in the watching of other humans with some goal. They either want to learn something about them, but most likely it’s—most often it’s so they can influence their behavior, whether it’s to not commit a crime, whether it is to deter them from cheating, or whether it is to persuade them to buy that pair of shoes that a marketer has paid them a lot of money to try and talk people into.
And I think the most important thing for surveillance in the digital age is that we have to get away from the sort of Orwellian sense that there’s a totalitarian state that is watching and trying to dominate us. That perhaps is—perhaps, you know, more plausible these days than it was a few years ago, but I think the more important point is that surveillance is often by the state with its purposes, it is often by private actors with its purposes, but the lines between the government and private actors are slippery. And that information that the government collects gets used by private marketers, and information that private sector entities collect gets collected by the government.
Perhaps two examples from recent days in the news, right? So the ICE agents on the streets of Minneapolis are using handheld facial recognition tools that were developed by private actors. They’re also wearing masks, which is its own privacy issue which we can talk about as well. The other one is that in in the Super Bowl, there was an ad for lost pets. And Amazon’s Ring advertised, you know, are you sad that doggies get lost? Use your Ring doorbell and we find one dog every year—every day. What they’re not telling you is that Ring is also sharing its network of surveillance cameras with law enforcement, with immigration agents, and there’s very little control that people have over what that is used for. So here, you know, the happy puppy—and, you know, I like dogs. I think, you know, dogs that get lost should be found. There are ways to find dogs besides a massive public-private surveillance system, but they’re sort of the smiling canine face of something that is not only quite sinister, but also shows the ways in which surveillance crosses this line between the private sector and the public sector, in ways that we’re only just beginning to appreciate.
ROBBINS: So, what sort of legal rights to privacy do we have as American citizens? And because it just seems like we’re voluntarily signing away a lot of them every time we sign up for a loyalty card, or we check one of those boxes with our software updates which no one, of course, reads. There’s that, which is the sort of passive—like, we’re not paying attention to it. And at the same time, it seems like the government is encroaching in a very Orwellian way. I was—as a reporter, was really disturbed by this raid of the home of a Washington Post reporter. They seized her computers, they seized her phone, they seized her smartwatch. And she covers the federal workforce, so you can imagine the impact on all the other sources whom she had promised anonymity. So, how much of this is passive? And how much of it is that the government is becoming more and more intrusive, and it has more tools than it had, say in the 1950s, during the Red Scare?
RICHARDS: Yeah. So that’s a great question. I would say let me give you a short answer, and then a slightly longer answer. The short answer is, what laws do we have? Not enough. And not nearly updated enough. And this is not because of the tired, and to my mind false, trope that the law can’t just keep up with technology. That’s nonsense. And maybe we can talk about that later on, or in the Q&A. The reason that we don’t have enough laws is that big tech spends literally millions of dollars a year on lobbying to make sure that any time the federal government or the states get close to passing an actually protective privacy law, it dies in committee and it never sees the light of day, much less getting passed.
That said, we do have quite a lot of privacy laws that protect us. But I think it’s a testament to the fact that both big tech and also the sort of intelligence community and police are good at forestalling protections that the two most important privacy laws we have in the United States, one against the state one against private actors, were passed in 1789 and 1938, respectively. The one from 1789, of course, is the Fourth Amendment that protects us against unreasonable searches and seizures. That is backed up by federal wiretapping law from the 1960s. And the Supreme Court, for all that has received a lot of criticism in recent years, has actually been quite good at making sure that the standard of protection against unreasonable searches and seizures is updated for the digital age. There was a case about ten years ago called Carpenter v. United States, in which an opinion by Chief Justice John Roberts held that if the police want to get your cell-site location data they have to get a warrant, even though that data is held by a third party.
With respect to the private sector, there’s a law from—it’s a 1914 law called the Federal Trade Commission (FTC) Act that was amended in 1938 to give the Federal Trade Commission the power to prevent unfair and deceptive trade practices. And so that’s why, when tech companies lie or mislead in their privacy policies, or where they cause unreasonable harm through their data practices, the federal government is able to investigate and to try to hold them to account. State governments, having their own versions of the FTC Act, are able to enforce. And private litigants in state versions are able to bring lawsuits. The most famous example of the—of the FTC’s unfairness and deception authority, of course, was the Cambridge Analytica scandal, which led to a $5 billion settlement against Facebook and Meta in the years sort of after the 2016 presidential election. To many people that was not nearly enough, but those are the two most important laws. There’s lots of laws that we could and should pass. And we can talk about those too.
ROBBINS: So—and I do want to ask that—but just can you give people the one‑and‑a‑half‑sentence reminder of what the Cambridge Analytica?
RICHARDS: Oh my gosh, yeah. So the problem with Cambridge Analytica is everybody knows that it’s bad, but it actually takes about half an hour to explain exactly what they did. But the one‑and‑a‑half‑sentence version, let me try my best, is this was a British psychological warfare company that was involved in both the 2016 presidential election and the British Brexit referendum. And they used data scraping to create detailed psychological profiles of people, and to target messages of fear to people who were neurotic, of change to people who are not particularly open. But to tailor essentially political propaganda to them to—either to get them to vote the way they wanted, this is the whole point about surveillance having a goal, or to put them off from voting by discrediting the candidate. In this case, it was Hillary Clinton, but it doesn’t really matter. Well, if we care about the integrity of our elections, we shouldn’t want anybody of either party or any party engaged in this kind of data-based electoral manipulation. But that’s the short version.
ROBBINS: So, before I turn it over, you did say that there were some potentially good legislation, that legislation can actually keep up with technology, but that every time we’ve come close to passing it lobbyists, either for the government or for big tech, managed to squash it.
RICHARDS: Yeah.
ROBBINS: Can you just describe one law? Tell us, you know, the potential law that’s out there that they’ve managed to squash? And is it something like what the Europeans have been doing with data privacy rules? Or do we—is there something out there we should be calling our congressman saying, why aren’t you passing this?
RICHARDS: Yeah, let me offer three, but I’ll be brief. So one that nearly passed—there was nearly a federal law that passed about two or three years ago that would have imposed data minimization on tech companies. Which is the idea they only collect the information they need to provide the service. That nearly passed. Actually, that was killed by the Democrats. The sort of—my understanding is—I don’t have any inside information. My understanding was, the congressional Democrats from California were concerned it was going to interfere with California’s own privacy law, which is also pretty good.
The second one is in Vermont a couple of years ago, they nearly—the legislature passed, and went to the governor for signature, a law that would have imposed data minimization on tech companies with a private right of action for consumers, so that if their rights were violated, they could sue. This got—the governor vetoed it. It went back to the legislature. And they’ve tried to override the veto, and the lobbyists literally descended in sort of unprecedented ways. And it passed the House and came very close to passing the Senate and overriding the veto. But that law was killed by lobbyists.
And the third law, one that I and my colleagues at the Cordell Institute here at Wash U have written about quite a lot, is a requirement of data loyalty. And this is the basic idea, you know, that when you go to the doctor, you can share information because you know the doctor is not going to betray you. The doctor is going to act in your best interests. When you go to a lawyer, the same thing applies. And it applies these ancient fiduciary or fiduciary-like rules, duties of care, duties of confidentiality, and duties of loyalty, to make sure that when we share information we aren’t betrayed. And I think that’s really the future. That’s where we should be thinking about, particularly for tech companies, protection.
I mean, they say, you know, we’re going to give you AI and cloud storage and search and all these other products. And many of them are great. But I think in order really to have the benefits of these things shared, I think it’s important that companies commit, or be required to commit by law, to act in our best interest, and not to betray us, and not to have us be exposed. And when they do that in the long term, that’s good for business. Because, you know, we share information freely with people we trust. And I think one of the great problems of privacy in the contemporary era is we’re all very uncertain about what we’re agreeing to and what we’re exposing, and how the technology works, and how the business model—we don’t need to know that. All we need to know is we’re not going to be betrayed. But we are too often being betrayed.
ROBBINS: So can you give us—and then I’m going to turn over—can you describe this data minimization, which is—I suppose would search be a good way to explain it? What are they taking that they don’t need—that they don’t need to take, to give me what I’m asking for?
RICHARDS: Yeah. Let me give it a slightly smaller example, and then we’ll talk about search. So one example would be there was a flashlight app in the app store a few years ago. And it was free. You downloaded it. And it would—iPhones, of course, already had apps, but there was a slightly better flashlight. And what it would give you was a slightly better flashlight. What it would take was all of your location data. And there’s no reason that a flashlight needs location data in order to provide a service. Now, I drove from Washington Dulles Airport to the College of William and Mary last night. I needed to share my location data with Google Maps in order for them to tell me where I was going. But the flashlight doesn’t need it. And that’s data minimization. Data minimization is you only need the data you need—you only collect and use the data you need to provide the service. A flashlight doesn’t need location data, but a GPS mapping service does.
And so when it comes to search, there’s a lot of information that is being exposed about people to advertisers that is unnecessary. There’s a wonderful study by the Irish Council on Civil Liberties called something like The Greatest Data Breach [The Biggest Data Breach]. And it’s about this system of real-time auctions that happens every time we use search, but also every time we use websites. That our attention is auctioned off. But what the companies are doing is they’re providing these—creating these profiles. And they’re auctioning off our attention. But there’s no safeguards—or no reasonable safeguards, or insufficient safeguards, in place. That the participants in the auction can just collect all the data about us. And there’s—members of Congress, members of the Senate have been quite concerned that foreign intelligence agencies—this goes back to the theme about the public-private divide—that foreign intelligence agencies just create listening nodes on all these auctions, and they’re just getting all of this data which is being shipped for free.
I think we don’t need to have surveillance-based advertising in order to have search. We didn’t used to have it. There’s ways to provide ads. Newspapers have provided ads without watching people for a long time. And I think if we were to either outlaw or place meaningful constraints upon surveillance-based advertising, that would be another form of data minimization. But right now, because the law is—it’s something of a gray area, and it’s debatable whether it—whether it prohibits it, the companies are able to do this. And because they can sell surveillance-based ads for slightly more money, the market incentives on publicly traded companies are that everybody really has no choice. That’s the kind of place where law can intervene and make a difference, and protect us from dangerous business practices.
ROBBINS: Well, thank you. I have so many more questions but I’ve gone way beyond my twelve-minutes, which I promised. So, I want to turn it over to the group.
(Gives queuing instructions.)
And I turn it over to the wonderful people at CFR to manage all this.
OPERATOR: We will take the first question from David Brown from the University of Minnesota.
Q: Are our votes accessible to the FBI or other government agencies?
RICHARDS: Our what? Sorry.
ROBBINS: Votes.
Q: Votes.
RICHARDS: So in theory, no, right? Voting is another one of those areas that we have traditionally decided with secret ballot, that voting should be purely private. Of course, we have to—we have to count votes. I realize, right, in Minnesota, this is an issue that is tremendously important right now. Voter records, I think, can be kept. But in terms of who voted which way, I don’t believe that information is kept. And I don’t believe this information should be kept.
Incidentally, at the University of Minnesota my dear friend, Bill McGeveran, is the dean of Minnesota. And he is an eminent privacy scholar who literally has written the book that I use in my classrooms to teach privacy to my grad students.
OPERATOR: Our next question is from Catherine Odari, assistant professor at Spelman College, who asks: For years China has been considered the most surveilled society and the worst offender of privacy rights. In your experience, how does the U.S. level of surveillance compare at this moment with China?
RICHARDS: Wow. Nothing like an easy question. You know, I think it’s interesting, right? I mean, I think—and I’m an expert in U.S. law. I’ve studied Chinese privacy a little bit, but I’m certainly not as knowledgeable as I am—so it’s difficult to make those kinds of comparisons. I think in China they talk a lot about government surveillance of people and a lack of protections of legal process. There’s also the Chinese social credit system in which information about—there was a Black Mirror episode, I think it was called “Nosedive,” that dealt with a variant of this. But this is the idea that everything you do gets rated and scored, and if your score gets too low you can’t fly, or you can’t send your children to whatever university you want to send them to. And so this has been a highly criticized system. I am certainly no fan of Chinese state surveillance. And I’m no fan of Chinese social credit. I think we should resist efforts to impose similar or analogous things in the United States.
Without comparing it directly to China, I would say the United States is becoming, you know, one of the most surveilled societies in the world. I think information is being collected by tech companies. I mentioned ICE agents using facial recognition scanners on members of the public in Minneapolis, I believe also in Maine and in other places. Access to tech company platforms. They’re subpoenaing the Google accounts of their critics. They’re getting automatic license plate reader and other camera data from carpools at schools. That’s really a problem. And I think it’s important to have a conversation about the rule of law and about restrictions on the right of—or the ability of government agents to act in ways that are unconstrained by protections. And a very important part of those protections is privacy as one of our most precious and fundamental civil liberties, alongside the freedom of expression.
With respect to companies, I think if—and I’m just old enough to have remembered the beginning of the internet when I was a—when I was a college student. If you’d asked people in 1997-1998, we’ll give you the internet but we’re going to allow widespread government surveillance of your communications and we’re going to allow vast private sector scrutiny of everything you read and everything you do and everywhere you go, and there’s going to be a hidden market in all of this, I think we would have rejected that deal. I think it would have been technologically impossible in 1998, but it also would have been politically nonviable in 1998. But, by a series of, you know, distractions of sparkly digital devices, and the creeping lucrative trade in data, I think we’ve reached a point where we need to have meaningful protections put in place to regulate the data trade so it is in the interests of ordinary people in our society and in the economy, rather than a few large technology companies.
And the final thing that I will add is the scraping of data about people to feed and train frontier models and AI platforms is another one of these areas that I think companies are asking for forgiveness rather than permission to do so. And they’re operating in a very dangerous legal gray area, and gambling, well, we’re going to make billions. If we have to pay out a few million that’s just good for business. And I think that shows a real disrespect for law and a real disrespect for privacy. Even platforms like the one that we’re using, Zoom, turned on without any public conversation two features. One, the automatic transcript feature. And the idea that—presumably that that every human conversation deserves to be written down and copied to the clipboard. And, second, AI Companion, the idea that every human conversation, at least that takes place in a video conference, deserves to be assessed and summarized by AI, and then used to train further AI models, is sort of a shocking and unprecedented and arrogant data grab that there really has been no public conversation about.
So I think, you know, it’s—I won’t choose the U.S. over China. I think that different things are going on in different countries and I think it’s dangerous to compare them. But I would say that that what is happening with surveillance and privacy in the United States, both by the government, regardless of which party is in power, and in the private sector, is something that should alarm and concern us all.
OPERATOR: We will take the next raised hand from the students at Stockton University.
Q: Hi.
So I just had a question about the web browsing. So I was wondering if users were to use, like, a browser, like DuckDuckGo, like, that deletes, like, browsing history, like, as, like, they can choose, like, would that be any safer than using a browser like Google Chrome?
RICHARDS: So, yes. So the short answer is, yes. The longer answer is, no. (Laughs.) So let me unpack that a little bit. So when you’re using a web browser, right, there’s a couple of different layers that are happening. One of them is whether your browser remembers the sites that you have visited. And so that’s what things like Incognito Mode on Chrome, and every browser has its analog. It’s referred to by engineers as porn mode, presumably because people didn’t want to have records of all the sites they’d been to in places where shared computer could find it. Now that said, Chrome had to settle a lawsuit, Google Chrome, a few years ago, that it said there was incognito mode but it actually turned out they could see what you were doing, and they were keeping records of it. And so they settled for multimillions of dollars in that case. So I think, you know, Google’s business model is monetizing your data. And so I think for that reason Google products are inherently less trustworthy, because they have what economists would call a moral hazard to always push the envelope on what they can collect.
Browsers like DuckDuckGo are less amenable to what Shoshana Zuboff calls surveillance capitalism. They tend to have extensions in them that block particular kinds of trackers. And I think that’s a—that’s a more secure route to go. But websites—and assume we’re just on the web. Apps are a different story. But websites can also place trackers and other sorts of devices that can circumvent these protections. And so it’s also good to get a virtual private network, if you’re going to do that. Now, here’s the problem, right? So you use it—you use a browser, you choose a different browser, you turn on incognito mode, you turn on a virtual private network, sometimes that breaks the functionality. Like, you can’t use, I think, Hulu using a VPN. A number of websites will get rejected. But notice here—and I think those are all good things that one should do, and use two-factor, and change your password regularly, and eat a lot of fiber, and get some sleep, right?
That we place all of this work upon consumers, right? And you use the word—the questioner used the word “user,” which is the correct term that tech companies use. The only other industry that calls its customers users is the illegal drug industry, right? In the English language we have a whole host of words that are not “user,” that show that there are other—that there are two parts of your relationship and mutual duties are owed to them. Passenger. Client. Patient. Customer. Guest. You know, one could go on and on with them. And I think language has also played a role here. I tell my students that words matter, particularly for lawyers. But words matter for all of us as we make sense of this new and evolving world. And I think we need to stop as a society, and our regulators and lawmakers, need to stop placing all of these burdens on individual consumers to protect themselves.
We should have a digital set of protections and rights that mean—purely with respect to companies, for the moment—that we are protected no matter what we choose. Just as when we go into the supermarket we cannot choose to buy maggoty meat because it’s $1 off a pound. Or vegetables that have been, you know, doused in dangerous pesticides. But—well there’s a little bit of that. But, you know, dangerous foods—that that’s the commitment, that the food that you buy is healthy. Now you can—you can buy a steak and bacon and peanut oil and deep fry the bacon, right? You can make those kinds of choices. But I think the idea that we have clean water, and safe food, and safe consumer products, like, toys and chairs, and cars, we need to extend those sorts of protections to our digital products and our digital life. Because it’s an unreasonable burden for consumers to always take the role of protecting themselves.
As Carla mentioned, no one reads the terms of service because you can’t. There was a study a couple of years ago—actually, ten years ago—that said if you if you read all of the privacy policies of all the websites that you encounter in a year, it would take you seventy-six working days, reading fast, just to get through all the words. And companies know this. And they set up their policies in such a way to get us to have the illusion that we’ve consented to these practices, when in fact our consent is nothing of the sort. But the short answer to the question is, yes, use DuckDuckGo.
OPERATOR: Our next raised hand is from Sophia Rivera, undergraduate student at the University of North Florida.
Q: Hi. Thank you for the opportunity to ask a question.
I’m really glad that you mentioned the Ring commercial from the Super Bowl. And you made an interview for The Markup. And you said that conceptions of privacy can be shaped by these powerful entities. And my question is, how much consent can we really give in this situation? Because even if I block the permissions, if my neighbor still has the monitor, is unaware of that feature, they still have a lot of access to my neighborhood. So what can we do about it? And how can we protect our privacy in that sense?
RICHARDS: Yeah. That’s such a great question, Sophia. I think part of the problem is these products are being sold as one thing, but there’s a—you know, it’s really convenient, and you can see who’s at the door and, you know, you really don’t want someone stealing your Amazon packages. And those may be useful things. In fact, those are useful things. But there’s a whole backend surveillance network that is being added to this that is not being meaningfully disclosed to consumers. And when it is disclosed to consumers, it’s masked in this sort of happy face of, you know, these really happy puppies who’ve been—you know, had missed their—do we say fur parents instead of fur babies? I don’t know. But they miss their—they miss their loving owners, to use an older term that we used to use.
And I think this—Sophia’s question is a great one because it brings up this broader question of consent. We’ve placed so much burden not just on consumers, but on consumers to consent. And consent being the mechanism that we use. If every search engine sells your data or offers your data to participants in real-time bidding, you can’t consent to an alternative because there’s no choice. There’s no reasonable alternative to that. And similarly, with things like Ring, I mean, I suppose consumers could become aware, and organize, and boycott Ring, and choose not to use Ring. But that’s difficult, practically speaking. And there’s a thousand other products that are maybe just as bad as the Ring camera is. So I think the solution is—it’s sort of like the DuckDuckGo question, right? The short-term solution is don’t use Chrome. Use DuckDuckGo. Don’t use Ring. Buy a different camera that doesn’t have sort of backend leakage to law enforcement and isn’t building a sort of Orwellian private sector camera network on the back of happy puppies.
I think the solution is to have rules that protect this. And things like data minimization would protect us, if we had a federal data minimization requirement. And certainly, things like data loyalty would be helpful. And maybe a requirement that police had to get a warrant before they used or accessed Ring camera data. Or maybe Ring had to get separate, explicit, informed consent from a consumer before they share with law enforcement, or before they assemble their data into the surveillance network.
OPERATOR: Our next question is a written question from Andrea Walther-Puri, postdoctoral fellow at Tufts University: What does privacy realistically mean in 2026, both in the U.S. and in countries where state capacity is low but digital monitoring is expanding rapidly?
RICHARDS: That’s a great question. I think the problem with this question is it asked me to sort of reiterate the thesis of my book, right? Ultimately why does privacy matter? Privacy matters because information is power, and information about people gives us power over other people. And that’s true whether we are a federal agent on the streets of Minnesota—the streets of Minneapolis, or we are a marketer trying to get people to buy one brand of shoe over a different brand of shoe. Because information is power, I think we need—and because people are feeling increasingly powerless—we need better privacy rules to help us to sort of regird ourselves and to restore our power against marketers, against corporations, against employers—who also we haven’t talked about very much, but who also have access to data that can be used to our detriment—and against the state.
And I think the most important thing is to realize that privacy isn’t dead, because privacy is power. Privacy is always and constantly up for grabs. But if we don’t fight for it, if we don’t demand it, if we don’t resist the logics of government surveillance and the logics of corporate data collection, data processing, and say, well, actually there’s people here with rights who have interests that are not being taken sufficiently into account, and who are being exposed, and betrayed, and protected, and in some cases manipulated and abused—I think we need to stand up and advocate for those. And to not treat privacy as a sort of outdated, bourgeois, 1940s value, but really one that is vital and fundamental. Particularly as we live in an information society. Our rights and protection surrounding our information are paramount, and are fundamental and central to what it means to be free.
OPERATOR: We have another written question with two upvotes from students at the Honors College at Adelphi University: Is there a middle ground between leaving social media platforms unregulated, which can distort democratic discourse, and regulating them, which can run the risk of politicizing speech?
RICHARDS: That’s a great question. So I think this is—so let me try and explain where I think this question is coming from. And if I’m wrong, write back in and correct me. So I think this is a discussion of content moderation and age verification before we use sites. So I think it’s important to separate that issue out from information collection and sort of the algorithms and the engagement models, though it can be difficult, as we’re going to see. I do think there are very important First Amendment issues associated with digital expression, because digital platforms, for better or for worse—I think perhaps on the whole, for worse—but undeniably digital platforms, for better or for worse, are how many people encounter the world, learn about the world, express themselves. So these platforms are imbued with important First Amendment values. I think, though, it’s really important to talk about whose First Amendment values and whose First Amendment rights. And I think those are the rights of people, not the rights of corporations.
So companies will say, well, we have a First Amendment right to craft our algorithm in such a way that we’re going to show people whatever we think they want, or whatever we want them to see. And I think that’s a very dangerous and bold move. The Supreme Court, of course, had a couple of cases a couple of years ago involving Florida and, I think, Texas laws that purported to regulate the algorithms. And the Supreme Court struck those laws down because those laws did seem to be motivated by a desire to nudge the totality of public debate towards one direction or another. Now these were also laws passed by sort of Republican-dominated legislatures that were concerned about the amount of perceived liberal bias through platforms. I don’t think it matters whether these were conservative legislatures concerned about them being silenced, or progressive legislatures concerned about their viewpoints being silenced. I think those cases involved what was a pretty transparent effort by lawmakers to push public debate in a particular way. And that’s deeply offensive to the First Amendment.
But the Supreme Court was also very, very careful. There’s an important opinion by Justice Amy Coney Barrett that said, we’re only talking about this particular law. If we were talking about, say, child protection, that would be an entirely different issue. So I think it’s important to move slowly and to move carefully. Sometimes these laws do raise very important First Amendment issues, but companies, you know, they’ve got a lot of money. And they can hire a lot of expensive lawyers and lobbyists. And they can hire a lot of expensive marketing people. And they can hire a lot of expensive lawyers to litigate these cases and to argue that, you know, we’re just like the New York Times. Well, Facebook’s not just like the New York Times, right? The New York Times is in the business of providing the news. And Facebook is in the business of selling data. And those are two fundamentally different business models. And I think we need to realize both that there are very important democracy-facing and fundamental civil liberties issues associated with any regulation of digital platforms, but also we need to be careful not to just, like, every—to like every First Amendment argument that we see, and to try and craft—that we need to try and craft the law in ways that makes sense.
Ultimately, our society is moving from a sort of mass media democratic ecosystem to a phone-based, platformized, hopefully remaining democratic ecosystem. The challenge is to make sure that our hard-won rights, values, responsibilities survive the transition to a digital environment. And judging by the evidence that we see, we are not doing a very good job about that right now. And I think there’s a real—there’s very strong evidence not just that digital platforms and their voracious engagement models are causing a mental health epidemic among young people in particular, but also the recommendation engines that give you more of what you’re going to click on, more of what outrages you, more of what makes you annoyed, more of what reinforces your worldview, that these models are dangerous to democracy, and that they’re literally ripping us apart.
And I think if you look at the coarsening—and, again, regardless of party—if you look at the coarsening of our democratic discourse over the last ten or so years, over the last fifteen years, I think it’s undeniable that digital delivery of news and opinion is not healthy for what we should hope to be a sort of thoughtful, compassionate, evidence-based set of policymaking in a democracy, that tries to make our society better rather than try and score cheap points by annoying people we don’t like.
OPERATOR: We will take the next raised hand from Inken von Borzyskowski, professor of international relations at the University of Oxford.
Q: Hi. Thanks so much, Neil.
I had a question about the international dimension. So you talked about the U.S. I was just wondering if you could say something about the state of international regulation on surveillance. I seem to remember a few years ago the European Union was trying to push back against U.S. tech companies sharing European citizens’ personal data. I think it has softened last year with, like, delaying the AI laws. I was just wondering, do you think international regulation is a positive step forward? Do you think there’s strong restrictions as a silver lining or false hope? What’s your take?
RICHARDS: Wow. How long do we have? We have seventeen minutes, but I think much—but Carla is not going to give me seventeen minutes to answer your excellent question. So I was actually an expert witness in that case. The case was called Schrems. And it argued that—the plaintiff argued that Facebook taking data about Europeans and sharing it with the NSA violated fundamental rights of Europeans. More generally, I think international regulation, international conversations, are really important when it comes to dealing with these questions. These are questions that every—not even every democracy, but every society in the world is having to confront, right, whether we’re talking about Cambridge Analytica or the exacerbation of genocide in Myanmar, or the EU’s AI Act.
And I think we can learn from each other. We have to talk to each other. I think things like some statements from the current administration that European law is all about censorship, I think really—don’t really contribute to this conversation that I think we need to have. European laws like the General Data Protection Regulation, or the GDPR, have influenced U.S. law. The California law that I mentioned earlier was modeled on the GDPR. It’s something of, like, a GDPR-light. But it does remain a very important protection for consumers in the United States, even outside California. One of the challenges, I think, for the international conversation is many of the leading platforms are U.S. companies. And I think there’s a sort of national interest part to this that colors a lot of the perspectives, certainly that Congress and both Democratic and Republican administrations have taken over the past twenty years.
But I think—on the whole, I think European regulation of privacy is well meaning. It operates in the public interest. I think it makes society better in Europe. I was born in England. And I spend a lot of—I spend a lot of time talking to British and European colleagues and family members about these issues. I also think that the U.S. can learn from Europe, and Europe can learn from the U.S. And so I have been delighted that our field has become increasingly international over the past couple of decades, because these are things that we—that we all have to work on as democratic societies. And we can learn from the successes, and from the mistakes, and from the things in the messy middle that other societies engage in. And I wish there were a more concrete answer, but this sort of—that’s the sort of the—my version of the of the one and a half sentence answer to that question.
OPERATOR: Our next written question is from the students at the Georgia Institute of Technology: Which current regulatory and privacy technology standards would you say are the most desirable for society today? Are there specific countries or regions that lead?
RICHARDS: That’s a great question. I think on the whole, and I’ve written about this quite a bit in my scholarship, I think that—and picking up from the last question—I think Europe is currently doing a better job than the United States. Not just in terms of passing laws, but realizing that these are unprecedented challenges and we need to try and grapple with them. The GDPR is not perfect. The Digital Services Act, sort of the European platform regulation, is not perfect. The EU AI Act is certainly not perfect. But at least they’re trying. And at least they’re trying to regulate platforms in ways that minimize the excesses of these tools, while allowing, hopefully, the benefits of these tools to be realized.
I was asked to testify before Congress in, I think, September of last year. One of the things that Silicon Valley would love would be a moratorium on state regulation of artificial intelligence, and, by extension, that would include state regulation of privacy, because AI tends to use personal data and scrapes it in order to train the models. As I told the members of the House, and this was well received, actually, by members of both parties, this would be a terrible idea. If you think about just privacy regulation over the past twenty years, Congress has been really, really good at doing absolutely nothing with respect to protecting our privacy. And the real leaders of privacy law have been the states. California’s law, Colorado’s law. If you think about data breach notification, that was a law that California passed in, like, 2003. They used—there were laws—there was concerns maybe fifteen years ago about companies requiring or demanding your social media profile before they would hire you, or before they would keep you hired.
So these tools are going to create problems. Even though they’re wonderful, they’re going to create problems. They’re going to create issues. Congress has proven singularly incapable of acting. The states need to keep acting. And I think it’s important to keep experimenting and learning. But I think on the whole, to return to the question, Europe is doing that in a much more serious way than either the federal government in the United States, or, even though I love a lot of things that they’ve done, the state governments too.
OPERATOR: We have a raised hand from Alan Raul, lecturer on law at Harvard University.
Q: Hi. Great conversation and nice to see you, Professor Richards.
RICHARDS: Great to see you, Alan.
Q: With regard to a comment that was made from a different questioner on, you know, voter information, one of the key areas of really quite extensive litigation right now, vis-à-vis the administration, is demands by the Department of Justice and the Department of Homeland Security for voter roll information. So not the actual votes, but voter rolls, for the specific purpose of putting it in an aggregated, massive federal database of all of this state voter roll information. Presumably for the purpose of comparing it against not—you know, known noncitizens or believed to be suspected noncitizens who might be voting. There’s also the issue that’s arisen with regard to the Internal Revenue Service sharing taxpayer data with ICE and Department of Homeland Security. That litigation is pretty intense right now. There have been some rulings adverse to the Department of Justice so far. And it’s occurring largely under the Federal Privacy Act of 1974. Internal Revenue Code as well would be a factor in some of them.
So that was a comment. The question is you mentioned the EU AI Act, Neil. And you mentioned the various federal legislative proposals on privacy that have been shot down because the situation is, you know, complex, and there are powerful competing interests on it. So to add to that complexity on AI and data minimization in particular, what do you think you—what would you like to see, and what do you think we will see, with regard to any, you know, federal or state legislation on data minimization requirements and standards for use of personal data and training and otherwise for AI. And any other interesting comments you have on the intersection of privacy, data protection. and artificial intelligence. Thank you.
RICHARDS: Thank you, Alan. I guess I can’t see you, but it’s great to hear your voice. Alan is an enormously—is a friend, and an enormously distinguished privacy scholar, and now also academic. And I would—I would agree with everything he said about the—about the voter rolls and the IRS litigation. I think that’s—that was expertly stated, as I would have expected.
With respect to the question about AI, I think—I have mixed feelings about the EU AI Act, because on the one hand I like the impulse that they should do something. On the other, it’s sort of this big, sprawling, messy thing that actually delegates a lot of stuff that it should be worrying about to private actors. So with respect to U.S. AI regulation, what I would like to see, more than anything, is a mindset by federal and state regulators and lawmakers that AI promises tremendous potential, but we know that it’s going to cause problems. And a willingness to experiment and a willingness to put some baseline protections in place. I think some of those could happen at the level of scraping. I think the idea that, you know, all of human experience is there to be scraped and used to train models is problematic.
And I think if we’d had a reasonable privacy law that has things like data minimization in place, that wouldn’t have been possible. Just as Clearview AI would not have been able to scrape the web to create a massive facial recognition database that basically includes everybody with a webpage that has a photograph and their name associated with it. So I’m sure—I’m sure I’m in it. I’m sure, Carla, you’re in it. I’m sure Alan is in it, as are many, if not most, of the people on this—on this call. That’s what I’d like to see. I’d like to see some courage. I’d like to see some intellectual modesty. I’d like to see some curiosity. And I’d like to see some experimentation. I certainly don’t want there to be a federal AI policy where they can do whatever they want, and then a moratorium on states prohibiting states from regulating in good faith to protect their citizens.
What I think we’re going to see, at least for the next two to three years, is no action on the federal front. I think the administration has made clear that it views artificial intelligence as a national security priority. And that, I believe the word they use is “U.S. dominance” in artificial intelligence is essential. And with respect to states, there have been, I think, three attempts to create an AI moratorium. One in the so-called Big, Beautiful Bill. One in the fall as part of the appropriations process, which was where I was called in to testify. And the most recently, the president’s executive order, which he doesn’t have the power to bind states, by declaring state laws to be invalid.
There is a piece of the executive order that I think is going to be very significant, which is the creation—which the president does have the authority to do—the creation of a unit within the Department of Justice to sue states and to try and have their laws invalidated when they are seen as infringing with these national priorities. I think that is—that is likely to happen. And it’s going to be left to the courts. And we’ll see what the what the courts do on that. So but I would like to see things like, you know, the United States is the only country in the—only advanced country in the world, only sort of matured economy, that doesn’t have a comprehensive privacy law that has baseline protections. And I would like to see data minimization. I would like to see a weak duty of loyalty to protect consumers. I would like to see consumers have some modest private rights of action to enforce those rights. And more than anything, I think a mindset—not one of innovation is magical and we should just let the tech companies build the society that they want.
But instead, a mindset that, just as we had eventually with the Industrial Revolution, that it created many good things but it created some fairly bad problems we had to address—like workplace safety, and environmental law, and discrimination, and product liability, and product safety—I think we should realize that the Information Revolution, whether we call the AI Revolution or not—the Information Revolution creates many of the same wonderful opportunities to make our society better, but it also creates the specter of real problems, and ones that we should be able to address through ordinary legislative processes, and to resolve, so that we can have the benefits of these new technologies while, at the same time, minimizing and mitigating their undeniable costs.
ROBBINS: Thank you. What a fantastic way to end, although I tell you there are many, many, many more questions. So if you got many more hours we could sit here, but that would be wrong. (Laughs.) So I know you have to—you have to get back to being at William and Mary. I want to thank you so much for this wonderful conversation. I want to thank everyone here for great questions and comments.
The next Global Affairs Expert Webinar will take place on Wednesday, March 4, at 1:00 p.m. Eastern Time. Frank O. Mora, professor of politics and international relations at Florida International University, FIU, for those of us who are Miamians, will lead a conversation on democratic backsliding in Latin America and the Caribbean.
In the meantime, I encourage you to learn about CFR paid internships for students and fellowships for professors at CFR.org/careers, and visit CFR.org. ForeignAffairs.com, and ThinkGlobalHealth.org for research and analysis on global issues, and education.CFR.org for free, expert-informed teaching and learning resources. Thank you again for joining us today. Thank you so much, Neil Richards, for being here. We look forward to your participation in our next webinar on March 4. Thanks so much, everybody.
RICHARDS: Thank you.
(END)