“The Android developer who raised the ire of a mobile-phone monitoring company last week is on the attack again, producing a video of how the Carrier IQ software secretly installed on millions of mobile phones reports most everything a user does on a phone.” Read more here.
Month: November 2011
-
FTC settles privacy complaint against Facebook
The FTC has announced its long-rumored privacy settlement with Facebook. The complaint focuses on several allegedly deceptive acts by Facebook, as listed in the press release:
- In December 2009, Facebook changed its website so certain information that users may have designated as private — such as their Friends List — was made public. They didn’t warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data — data the apps didn’t need.
- Facebook told users they could restrict sharing of data to limited audiences — for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a “Verified Apps” program & claimed it certified the security of participating apps. It didn’t.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.-EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.
The proposed settlement would impose various privacy obligations on Facebook, including the quickly-becoming-standard 20 years of privacy audits.
Edited to add: Mark Zuckerberg’s statement.
Edit 2: My colleague Joe Hall points out Count 3 of the FTC’s complaint:
As described in Paragraphs 19–26, by designating certain user profile information publicly available that previously had been subject to privacy settings, Facebook materially changed its promises that users could keep such information private. Facebook retroactively applied these changes to personal information that it had previously collected from users, without their informed consent, in a manner that has caused or has been likely to cause substantial injury to consumers, was not outweighed by countervailing benefits to consumers or to competition, and was not reasonably avoidable by consumers. This practice constitutes an unfair act or practice.
This continues a recent trend of the FTC asserting its authority over “unfair” trade practices, even when they’re not “deceptive.” This also came up in the FTC’s settlement with Frostwire over unfair default settings, which prompted the FTC to warn companies to “spend some time thinking through [their] default settings” and consider questions like “Do your defaults keep users safe from making serious inadvertent errors?” and “Does your application work in ways consumers would reasonably expect?”
-
Is my Mac laptop sharing my location?

How is this ZIP code being sent? Is my Mac laptop using cell tower information to calculate and transmit my location to third parties? I believe the answer is yes.
Here is my evidence. I cleared recent history from Firefox, selected private browsing, then typed “Msn.com” into my browser. Then I looked at what was stored in my cache (using about:cache), and I found this entry (see above).
This entry is a message from my browser to msn.com with whatever data can be passed along. Notice the “euid” field is empty. That is good, I am using private browsing. Then notice it is passing back my zip code as 07024, and my local news provider as WNBC. Is this coming from my IP address?
The answer is no, it is coming from cell tower location information. How do I know this comes from cell tower rather than my IP address?
The zip code transmitted is 07024 (Fort Lee, NJ). However, I live right across the river in Washington Heights, upper Manhattan (below is the view of New Jersey from Washington Heights). Often 911 calls via cell phone from my neighborhood get routed to New Jersey by mistake due to our close proximity to NJ cell towers. So my zip code is not coming from my IP address, which comes from Time Warner, hence it should be a NYC zip code, not a NJ zip code. It seems to be coming from cell tower triangulation, being collected and passed along by my Mac laptop :(

View of New Jersey from Washington Heights
-
One person’s trash is another person’s… medical record?
Joe Hall here.
An intriguing story flew past my Twitter stream, that begins:
“MINNEAPOLIS (WCCO) — Detailed medical information discovered on the back of a first-grader’s school drawing sent Minneapolis school officials scrambling.
Jennifer Kane was tidying her dining room when she found the drawing by her daughter, Keely, who goes to Hale Elementary School. On the back of the paper was the name, birth date and detailed medical information for a 24-year-old St. Paul woman named Paula White.” –(“Recycled Medical Records Used As Scrap Paper At School”)
Long story short: Ms. White’s records that she voluntarily gave to a law firm representing her after a car accident were donated by a paralegal to Ms. Kane’s daughter’s elementary school. These records, and those of presumably many others, were found by school officials after being used as scrap paper and have since been secured, probably awaiting disposal (or, cynically, placed in escrow until the new team of lawyers Ms. White might hire to sue her old lawyers get a chance to look at them!).
Ms. White expresses concerns that we see often in cases of privacy breaches, especially medical breaches: “It’s got my account number, my birth date, my job … I’m outraged. I am embarrassed. I don’t want anyone to know my personal information.”
What recourse does she have? Likely, the only thing she can do is hire another law firm to sue the first law firm; that is, there’s no federal health privacy issue here. Because the law firm is not a “covered entity” under the federal law and accompanying regulations known as the Health Insurance Portability and Accountability Act (HIPAA), the responsible enforcement agency, the Department of Health and Human Services, can’t seek corrective action. In fact, you may be surprised how little HIPAA and HHS can do in situations like these. Our friends at the World Privacy Forum keep a very useful FAQ about HIPAA and also point out how medical identity theft, where people use medical information about others to obtain services or make fraudulent claims, is on the rise and an increasing concern for patients.
What can you do? Be vigilant, as always. Make sure you monitor and understand your health insurance claims information and that you let your health care providers know if you suspect funny business. Of course, if a law firm you hire screws up this bad, find a new one and teach the old one a lesson with a good old-fashioned legal malpractice lawsuit.
Updated on 11/22 to make clear that Ms. White can sue the original law firm for malpractice. –JLH
-
You have no privacy online!
That’s quite an interesting article!
Court makes it official: You have no privacy online
Eleni Gessiou
-
Natural Language Versus the Fourth Amendment on Search
(x-posted from Coffee House Talks)
In doing the initial framing for an article on how to apply Helen Nissenbaum’s theory of Contextual Integrity to the 4th Amendment, it has become apparent that there are differences between how natural language would classify whether something is a search, a reasonable search, or an excused or unexcused reasonable search, and how the law would classify the same action. Now this is not a mind-blowing observation, as it has been understood for some time that the fact of some things being classified as “not a search” for Fourth Amendment purposes is just kind of weird. However, I believe the differing categorizations of the two areas have implications when asking what an ideal Fourth Amendment doctrine would look like, so I’ll explore that here.
-
Orin Kerr on United States v. Jones
Orin Kerr ponders oral arguments in United States v. Jones (reposted from The Volokh Conspiracy):
I was at the Supreme Court this morning for the oral argument in United States v. Jones, the GPS case. In this post, I want to blog my reactions to the argument: I’m going to update the post as I go, so general readers can get the important stuff first at the top and then general readers can get the rest down the page:
-
FTC Finally Goes After Flash Cookies
The FTC and ScanScout came to a settlement over ScanScout’s deceptive use of Flash cookies. ScanScout used Flash cookies to track users, but its privacy policy merely stated a user could “opt out of receiving a cookie by changing your browser settings to prevent the receipt of cookies.” Since Flash cookies could not actually be blocked through browser controls during the relevant time period the FTC investigated, the privacy policy statement was found to be deceptive. Read more here.
-
EPIC files FTC complaint against Verizon
As a follow-up to Helen’s post about Verizon’s new privacy practices, EPIC has filed an FTC complaint alleging that the move amounts to an unlawful trade practice.