Peter Swire is Professor of Law and Ethics at the Georgia Tech Scheller College of Business, and Associate Director for Policy of the Georgia Tech Institute for Information Security and Privacy. He has appointments by courtesy with the College of Computing and School of Public Policy. He is Senior Counsel with Alston & Bird, LLP.
In 2019, the Future of Privacy Forum awarded Swire the inaugural Outstanding Academic Scholarship Award. In 2018, Swire was named an Andrew Carnegie Fellow for research on "Protecting Human Rights and National Security in the New Era of Data Nationalism." In 2015, the International Association of Privacy Professionals awarded him its Privacy Leadership Award. In 2013, he served as one of five members of President Obama's Review Group on Intelligence and Communications Technology. Prior to that, he was co-chair of the global Do Not Track process for the World Wide Web Consortium. He is a member of the National Academies' Forum on Cyber-Resiliency.
Swire is author of six books and numerous scholarly papers. He has testified often before the Congress, and been quoted regularly in the press.
Swire graduated from Princeton University, summa cum laude, and the Yale Law School, where he was an editor of the Yale Law Journal.
Areas of Expertise (2)
Privacy and Cybersecurity
Law of Cyberspace
Selected Accomplishments (7)
Privacy Leadership Award of the International Association of Privacy Professionals
Annual award of the IAPP, a group with over 20,000 members, 2015
American Library Association 2014 James Madison Award
To the Review Group on Intelligence and Communications Technology, for “the public’s right to know at the national level”, 2014
Named John Glenn Scholar in Public Policy Research
By the John Glenn Institute for Public Policy & Public Service, for “What Should Still be Secret? Lessons on Anti-terrorism, Cybersecurity, and Privacy”, 2003
Distinguished Privacy Leadership Award
Presented by Privacy & American Business, 2000
Future of Privacy Forum, 10th Anniversary Celebration, 2019
Annual award of the IAPP, a group with over 20,000 members, 2015
Outstanding Academic Achievement Award (professional)
In recognition of his thought leadership and contribution to privacy scholarship, and is the first academic to be honored by Future of Privacy Forum (FPF).
Yale Law School: J.D., Doctor of Law 1985
Program of Doctor of Civil Laws (Political Theory) (all but dissertation)
Princeton University: B.A., Economics & Public Affairs 1980
Summa Cum Laude; Phi Beta Kappa
- Alston & Bird LLP: Senior Counsel
- The Future of Privacy Forum: Senior Fellow
- Center for Democracy and Technology: Policy Fellow
- Center for American Progress: Senior Fellow
- W3C: Co-Chair, Tracking Protection Working Group
- Ohio State University: C. William O'Neill Professor of Law
- White House, National Economic Council: Special Assistant to the President for Economic Policy
- Obama-Biden Presidential Transition Team: Member
- Morrison & Foerster LLP: Consultant
- White House, Office of Management & Budget: Chief Counselor for Privacy
Selected Media Appearances (6)
Scheller College Professor Peter Swire Discusses Hartsfield-Jackson Airport Biometrics with WABE
WABE, Closer Look with Rose Scott radio
Peter Swire was interviewed by WABE’s Closer Look with Rose Scott to discuss the launch of Hartsfield-Jackson International Airport’s facial recognition check-in technology.
Facial scan technology makes debut in airports
He cited a report from the Georgetown Law Center on Privacy & Technology, which found that biometrics software does not respond well during a data breach. But the use of biometrics raises privacy and security concerns, according to Peter Swire, associate director for policy of the Georgia Tech Institute for Information Security and Privacy.
The report also referenced tests by the National Institutes of Standards and Technology, a government agency, which found that more than 35 facial recognition algorithms showed accuracy rates varied depending on the race and gender of the person being scanned. Customs and Border Protection said its facial technology has a more than 97 percent accuracy rate.
Swire said one question he has around privacy is how the government could use its facial scan technology software in the future.
“They could change the rules and start using these pictures for a much broader range of things,” he said.
The Cybersecurity 202: Trump team isn't doing enough to deter Russian cyberattacks, according to our panel of security experts
“Deterrence depends on a credible promise to take stern action. The Helsinki summit makes it impossible for the world to believe that this president will take stern action against Putin,” said Peter Swire, former chief counselor for privacy at the Office of Management and Budget and a member of President Barack Obama’s Review Group on Intelligence and Communications Technology.
Peter Swire Named Andrew Carnegie Fellow
Georgia Tech News
“This award brings recognition to the crucial issues of how to govern cross-border flows of personal information,” said Swire, the Elizabeth and Tommy Holder Chair of Law and Ethics in the Scheller College of Business. “I am humbled by the opportunity to try to help solve these global challenges before they turn into severe global problems.”
Swire said the conflicts arising from data nationalism pose large risks to privacy and human rights. It also endangers the effectiveness of legitimate law enforcement and intelligence activities, he said.
Privacy Concerns in Amazon and Aetna-CVS Health Deals: Q&A With a Cyberlaw Expert
The National Law Journal
How is HIPAA implicated in the proposed deal between CVS and Aetna?
Swire: Both [CVS and Aetna] are covered under HIPAA, but historically they were in two different categories of entities. So with the merger, the general rule is that the pharmacy data can be merged in the company’s databases with the insurance data subject to minimal rules. HIPAA says you should only collect and share the minimum necessary data that’s needed for the patient, but the rules there tend to be pretty flexible.
HIPAA also has rules about role-based access, because the janitors shouldn’t see the psychiatric records. The role of someone for health insurance might require different data than the role that’s needed for a health care provider. The merger doesn’t give every health insurance employee the right to see all of the medical records from the pharmacy.
Business Privacy experts alarmed as Amazon moves into the health care industry
The Washington Post
“The law covers traditional health insurance and provider health care, but it doesn’t cover many of the other sources of health-related data that today’s technology generates,” said Peter Swire, a professor of law at Georgia Tech University and White House coordinator for HIPAA under President Clinton. “It doesn’t cover, for example, the books you buy about health care or the many fitness and health-care apps you may have on your phone.”
He and others added that even if companies aren’t collecting — or sharing — medical records, there are a number of other ways a patient’s habits and history could be used to glean important information about their health. (There are also signs that Amazon is considering possible privacy concerns: It recently posted a job opening on its site for a HIPAA expert who can “own and operate the security and compliance elements of a new initiative.”)
Selected Articles (11)
On July 9, the Court of Justice for the European Union (CJEU) held eight hours of oral argument in hearing case C-311/18, on whether US surveillance practices violate the fundamental rights of EU citizens. This case could potentially rupture the mechanisms that allow personal data to flow across the Atlantic. Should the Court so decide, it would soon be illegal for companies and services we use every day to transfer personal data from the EU to the US. Such a determination, however, may result in an absurdity; EU citizens’ data could not travel to the US for fear of intrusive surveillance, but could flow unimpeded to China, a nation with surveillance practices ripped from the pages of a dystopian science fiction novel.
In this session, Professor Peter Swire will present two current research topics in cybersecurity. The first addresses the non-code aspects of cybersecurity. Computer scientists are familiar with the seven layers of the OSI model, from physical to application layer. Swire is developing a 10-layer model for cybersecurity, adding the “natural language” layers. Layer 8 applies to private-sector organizations, and is dominated by firm management decisions and contracts. Layer 9 is the government, which sets laws. Layer 10 is international, where diplomacy operates. Significant vulnerabilities exist at each of these layers, and can undermine cybersecurity efforts at the traditional seven layers if organizations, governments, and international relations are not handled effectively. The second topic is the globalization of criminal evidence. Today, a typical crime in France, for instance, often generates evidence from webmail and social networks, with the latter often stored in the United States. Even routine criminal investigations thus take on a new, international dimension. The Georgia Tech Research Project on Cross-Border Requests for Data has been a global leader in analyzing these emerging problems and proposing solutions. If these requests are not handled effectively by law, then governments will have stronger incentives to weaken encryption, develop lawful hacking, and require localization of data in the country, with negative results for the open and secure Internet.
Peter Swire, Jesse Woo
This Article examines privacy and cybersecurity issues for the topic of this symposium, police body-worn cameras (" BWCs"). BWCs already generate, and will increasingly generate, a great amount of video footage and related content. In our era of increasingly effective facial recognition, this video footage generates a vast amount of personally identifiable information, with consequent privacy issues. Over time, the volume of video footage will increase enormously, creating challenging cybersecurity issues for the data that is stored, often in the cloud. Cities and police departments will face substantial challenges in managing these privacy and cybersecurity issues. To develop good privacy and cybersecurity practices for BWCs, this Article proposes drawing on the already substantial experience with the Internet of Things (" loT"). Definitions of loT abound,'but key aspects of the technology are (1) a sensor connected to the Internet that (2) stores and/or processes data remotely …
This testimony of 300 pages explains US surveillance law to a non-US audience. The testimony was provided to the Irish High Court in litigation brought by Max Schrems against Facebook, challenging the use of standard contract clauses for transfers of personal data to the US Under Irish rules, the author was selected by Facebook and required to provide his independent expert opinion to the court on US law. The comprehensively footnoted testimony makes conclusions in four areas:
Peter Swire, Justin Hemmings
These reply comments to the Federal Communications Commission (FCC) provide additional facts about limits on the ability of Internet Service Providers (ISPs) to have “comprehensive” and “unique” visibility into the Internet activities of individual users.
Peter Swire, Jennifer M Urban, et al.
Letter from various civil society organizations, companies, trade associations, and academics to Senators Description: Letter from various civil society organizations, companies, trade associations, and academics to Senators opposing a provision of the Intelligence Authorization Act for fiscal year 2017 (Act, S. 3017) that would bar the US Privacy and Civil Liberties Oversight Board (PCLOB) from considering the privacy and civil liberties interests of anyone but citizens and lawful permanent residents of the US (US persons)
Peter Swire, DeBrae Kennedy-Mayo
Law enforcement access to personal data presents a paradox at the heart of debates between the European Union (EU) and the United States about privacy protections. On the one hand, the comprehensive privacy regime in the EU contains many requirements that do not apply in the United States-the EU is" stricter" than the United States in applying requirements that do not exist in the latter. On the other hand, the United States also sets requirements that do not exist in the EU, such as the Fourth Amendment requirement that a warrant be signed by a judge upon a finding of probable cause. Thus, both are stricter in important ways when setting standards for law enforcement access to personal data. The fact that both sides are stricter in significant respects is important to two distinct topics: how to reform the system of Mutual Legal Assistance (MLA), and whether the United States provides" adequate" protection for personal data under EU law, and thus is an appropriate destination for …
Peter Swire, Justin D Hemmings, Suzanne Vergnollie
This article provides a case study involving France and the United States for a topic of growing importance-how to reform the outdated system of" Mutual Legal Assistance"(MLA). Mutual Legal Assistance occurs when one country, such as France, requests evidence held in another country, such as the United States, for criminal prosecution, frequently pursuant to a Mutual Legal Assistance Treaty (MLAT). As discussed in Part I, this article is part of a broader research project on MLA reform, a topic that has reached a new level of prominence driven by two technological developments. First, globalized communication through the Internet means that emails and other evidence for criminal investigations are often held in a different country, such as when Europeans use popular US-based email and social network services. Second, the drastic increase in use of encrypted communications has made many local wiretaps ineffective,'pressing law enforcement to seek evidence through judicial orders on …
Kimberly Kiefer Peretti, Peter Swire, Jason M Waite, Jason R Wool
n a proposed rule published in the Federal Register recently, the Department of Commerce's Bureau of Industry Security has indicated its intent to implement a license requirement for the export, reexport, or in-country transfer of certain intrusion and surveillance items (collectively, cybersecurity items). As industry and technical experts consider the potential scope of the rule, there is uncertainty about the impact of the rule on cybersecurity software developers and device manufacturers and their customers. Because the proposed rule may reach certain software and hardware solutions that are not apparently intended to be the target, slow down global deployment of these solutions, and raise corporate compliance costs, companies should analyze the full impact of the proposal on their products and services and closely follow the proposed rule as it is finalized. The comment period for the proposed rule closed on Jul 20, 2015.
Aaron K Massey, Richard L Rutledge, Annie I Antón, Justin D Hemmings, Peter P Swire
Ambiguities in legal texts can make the difference between regulatory compliance and non-compliance in software systems. Ambiguities are prevalent in laws and regulations. Policy analysts who write laws and regulations and software engineers who build software systems that must comply with laws and regulations approach ambiguity differently. In our prior work, we surfaced differences between the approach taken by policy analysts and technologists in identifying and classifying ambiguities in legal texts. Understanding the rationale behind the identification and classification of legal ambiguities is essential to disambiguating them for requirements engineering. Herein, we discuss a case study in which we seek to understand the rationale used to make determinations about ambiguities in legal texts. Our 48 case study participants identified 373 ambiguities, 99.1% of which were classified using our ambiguity taxonomy. The results of our qualitative analysis suggest participants are consistently able to identify words and phrases they believe to be ambiguous, but are unable to express and agree on a consistent rationale defending their classification. This result supports a strategy for addressing ambiguity in regulatory requirements—software engineers are likely to be successful at identifying components of legal texts that then require supplemental expertise to resolve.
Peter Swire, Justin D Hemmings
In our era of globalized communications, criminal enforcement increasingly encounters communications stored in other countries, yet law enforcement officials often lack the ability to use their national laws to obtain that evidence.'Mutual Legal Assistance Treaties (MLATs), long an obscure specialty topic for international lawyers, have been the principal mechanism for responding to these cross-border data requests. 2 This Article contends that MLATs today are emerging as a key component of multiple legal...