Year: 2020

  • PRG News Roundup 4.22.20

    • France urged Google and Apple to ease their privacy protections because the current protocols wouldn’t permit the French contact tracing plan. (The Guardian)
    • ILI Fellow Salome Viljoen wrote an op-ed with Jake Goldenfein and Ben Green about the discourse and narrative around protecting public health vs. protecting privacy, arguing that the privacy/health trade-off is a false one. (Jacobin)
    • A group of privacy academics, researchers, and professionals in Europe called DP-3T has proposed a privacy-preserving contact tracing app as an alternative to PEPP-PT. The app, unlike PEPP-PT, is decentralized. (New Statesman) (GitHub)
    • A number of state supreme courts have adopted Facebook Live as their new way to stream proceedings and hearings. One or two have switched to YouTube. (Florida Supreme Court) (Vermont Supreme Court) (Michigan Supreme Court)
    • The Microsoft policy team sent out an email yesterday supporting the idea of an “open data opportunity,” trying to change their attitude toward the data they collect and how they share it with other actors. One interesting feature was their idea of a “spectrum of open data” — trying to differentiate between non-sensitive data, commercially sensitive data, and personal data. (YouTube Explainer)

    • PRG member Genevieve Fried wrote a piece with Rashida Richardson on how focusing on individual privacy while evaluating the merits of contact tracing ignores important questions about whether contact tracing works. It is not published yet. She has also been doing a lot of mapping work around contact tracing technology.
    • Stevie Bergman posted a 5-part podcast she made at the end of last year about AI and human rights at a Princeton conference. (Soundcloud)
    • Co-opting AI: A GDPR conversation featuring our own Ira Rubinstein. (YouTube)

    (compiled by student fellow Tom McBrien)

  • Privacy and COVID-19

    On April 15, 2020, the PRG student fellows led a discussion about privacy and the ongoing coronavirus pandemic. Please see the slides here.

  • PRG News Roundup April 10, 2020

    Zoom continues to face backlash over its privacy and security practices. In particular, concerns have been raised regarding the lack of end-to-end encryption, the prevalence of “zoombombing” (when uninvited participants join an ongoing Zoom meeting), and the fact that the company was apparently sending user information to Facebook. While many of these issues have been addressed by the company, they have also already led to at least two class action lawsuits. In response to concerns, Zoom’s CEO has stated that the company is working on reevaluating and tweaking some features.

    HuffPost published an article highlighting the connections between Clearview AI, the facial recognition technology firm which has significant partnerships with law enforcement agencies, and the far-right movement in the United States.

    A group of over 130 European scientists, technologists and experts has founded the Pan European Privacy Protecting Proximity Tracking organization. Its mission is to supply a technological solution to the COVID-19 crisis which adheres to European privacy and data protection laws and principles. The group is currently working on an app which would generate only temporary IDs and use Bluetooth technology to track interactions between individuals.

    (Compiled by student fellow Stav Zeitouni)

  • PRG News Roundup 4/1/2020

    • Zoom for Windows software has a vulnerability that allows attackers to steal users’ operating system credentials. (Ars Technica)
    • Zoom uses a preinstallation script in order to install itself without the user’s final consent. Instead, a highly misleading prompt is used to gain root privileges. (Twitter)
    • Cloudflare launched 1.1.1.1 for Families, a secure, fast, privacy-first DNS resolver that can block “adult” content (and malware.) However, there are concerns as to how the block-list was created and what is on this list. (Cloudflare)
    • As mass surveillance proliferates in cities, some privacy activists are developing “stealth streetwear,” clothes and wearable items that help protect wearers’ anonymity. (New Yorker)

    (Compiled by Student Fellow Ginny Kozemczak)

  • PRG News Roundup 3.25.20

    • The Singaporean government introduced a contact-tracing app named TraceTogether that mainly uses Bluetooth to keep a 21-day log of who users have been in close contact with. Singapore placed many privacy protections in the app. For example, it does not automatically report users’ names or locations. Upon governmental request, however, this information must be divulged. (CNBC)
    • PRG’s own Albert Fox Cahn co-wrote an op-ed in NBC Think, commenting on some of the emerging concerns around surveillance and the pandemic response. The Surveillance Technology Oversight Project (“STOP”) has seen calls for CSLI on a broad base, which would raise a lot of legal concern post-Carpenter. Also, there have been many calls for app-based data collection to enforce quarantine. New York’s Governor Cuomo announced today that he’s recruiting individuals for a technology SWAT team to be deployed over the coming 90 days, but it’s unclear what the scope of operations would be. The Senate bill has $1.5B set aside for local funding of surveillance, but it’s unclear whether that’s cabined to epidemiological surveillance or not. Overall, there seems to be the potential for a concerning pivot toward increased surveillance.  (NBC Think)
    • Lawfare and Just Security have posted some helpful articles on the intersection of pandemic response and privacy.
    • Quite early in its pandemic response, the Israeli government passed a new law to allow its equivalent of the FBI to apply some measures to hack into people’s phones to identify other people who were physically proximate. Those who had contact with infected individuals would get a text from the ministry of health informing them of their contact and that they need to self-quarantine. (TechCrunch; Washington Post) But the system may not be working well, as many ER technicians and doctors have been getting these messages; there seems to be no differentiation. There was a Supreme Court injunction against the practice.
    • Some, including the team behind Proton Mail, have noticed that increasingly popular web meeting client Zoom is an extremely “grabby” data collector and has a suite of surveillance features that can do things such as track user attention. (ProtonMail)

    (Compiled by Student Fellow Tom McBrien)

  • PRG News Roundup March 4, 2020

    In China, “[a] new system uses software to dictate [COVID-19] quarantines — and appears to send personal data to police, in a troubling precedent for automated social control.” (N.Y. Times)

    The CDC is struggling to track the coronavirus outbreak partially because it doesn’t have enough data from airlines. Airline companies say it’s because customers are booking through Expedia, etc., who don’t normally share info with airlines for business reasons. (Wash. Post)

    Leaked data from a financial data broker show that large companies are purchasing millions of Americans’ credit card data and may be able to tie it to specific individuals. (Vice)

    “Amazon keeps records of every motion detected by its Ring doorbells, as well as the exact time they are logged down to the millisecond.” (BBC)

    Clean Master, a popular antivirus app, has a very broad privacy policy. It was kicked off of the Google Play store because it was collecting extremely detailed tracking data on users’ browsing. (Forbes)

    (Compiled by Student Fellow Tom McBrien)

  • PRG News Round-up Feb. 26, 2020

    Two school districts in South Carolina have replaced metal detectors with millimeter wave body scanners. This is yet another privacy concern in the school context, after universities have begun attempting to track students using Bluetooth beacons and WiFi MAC addresses.

    Smithsonian released nearly 3 million images into the public domain under the Creative Commons Zero license. Our own Michael Weinberg was involved in the effort.

    Clearview AI, the controversial facial-recognition company, announced that its entire client list was stolen.

    The Indiana Supreme Court ruled that removing a GPS tracking device from your car does not constitute a theft.

    EA banned Kurt0411, a popular FIFA player, from its platforms due to “serious and repeated violations.” Interestingly, Kurt0411’s behavior does not appear to match the specific behaviors listed on EA’s website eligible for a ban.

    Google’s research has suggested that its efforts to anonymize patient data are not foolproof.

    Amazon has opened GoGrocery (the cashier-less grocery store) in Seattle.

    The Privacy and Civil Liberties Oversight Board (PCLOB) released a report on the NSA call detail records program, finding the program led to only a single significant investigation between 2015 and 2019.
    The USA Freedom Act is up for reauthorization this year. Expect groups to push to amend Section 215.

    The Intercept received leaked reports showing EU Police planning to build a European-wide facial recognition database.

    The Brave web browser, which purports to be “privacy focused,” has been released.

    The Markup, a new publication “investigating how technology influences our society,” has begun releasing articles.

    (Compiled by Student Fellow Jacob Apkon)

  • PRG News Round-Up Feb. 3, 2020

    The European Commission published its data strategy. The proposal emphasizes the development of rules for access and re-use of industrial and commercial data, as well as building a single data market and developing EU data storage and processing infrastructure. The Commission also released an update on its proposed policies on Business-to-government data sharing, which centers around the idea of EU-wide legislation on “the use of private sector data by the public sector for the common good”.


    A simultaneously released digital strategy draws out plans to build “common European data spaces” — large aggregations of data accessible by members at both sectoral and cross-sector levels. The Commission also plans to develop an act that will govern free-of-cost union-wide sharing of high value public sector data. The latest version of the EU’s AI strategy abandons the idea of a total ban on facial recognition technology, which was previously under consideration.


    New criticism of Amazon Ring highlights the lack of evidence that the technology helps reduce crime. In other news related to Amazon’s camera-equipped doorbell, a recent privacy policy update by Ring is criticized for focusing on third party partnerships while not addressing problematic practices of sharing data with law enforcement agencies.


    Facebook will settle an Illinois facial recognition suit. The company is said to have violated an Illinois biometric privacy law by harvesting facial data for Tag Suggestions from the photos of millions of users in the state without their permission.


    ISPs sue Maine, claiming that Web-privacy law violates their First Amendment rights.


    A second security breach of the Likud party app exposes personal data of individual voters. Also in Israel, ATM users are asked to take an election poll in order to withdraw money.


    New York City’s council has voted to ban cashless businesses over privacy and bias concerns.

    (compiled by Student Fellow Margarita Boyarskaya)

  • PRG News Round-Up — Feb. 12, 2020

    The Department of Justice unsealed indictments against four officers of China’s People’s Liberation Army (PLA), charging them with carrying out the 2017 hack against consumer credit bureau Equifax. The indictments allege that the officers, who were members of the PLA’s 54th Research Institute, “conspired with each other to hack into Equifax’s computer networks, maintain unauthorized access to those computers, and steal sensitive, personally identifiable information of approximately 145 million American victims.”


    Kashmir Hill, a technology reporter for the New York Times, conducted an interview with Hoan Ton-That, the founder of Clearview AI, a technology company providing law enforcement agencies with facial recognition software. Ton-That discussed the company’s policy regarding selling the software, claiming that “[Clearview AI’s] philosophy is basically, if it’s a U.S. based — or like a democracy or an ally of the U.S. — we will consider it. But like, no China, no Russia or anything that wouldn’t be good. So if it’s a country where it’s just governed terribly or whatever, I don’t know if we’d feel comfortable selling to certain countries.” Additionally, he claimed that at this stage Clearview AI is not looking to offer the software on the consumer market. Relatedly, CNN tested Clearview AI software in a piece featuring PRG member Jake Goldenfein.

    Researchers affiliated with Roboflow discovered widespread problems with the labeling (and mislabeling) of cars, pedestrians and cyclists in a popular dataset used to build autonomous cars.

    The Washington Post reported that Crypto AG, an encryption company based in Switzerland, has been owned and controlled for decades by the CIA and German intelligence.


    US government officials have reportedly told the Wall Street Journal that Huawei built backdoors into mobile phone networks it maintains and sells. These new disclosures come after Britain approved a plan allowing Huawei to build the country’s 5G network, despite urging by the US to the contrary.
    The New York Times reported on the many organizational problems which plagued the Iowa Democratic caucuses beyond the Shadow Inc. reporting app.


    The Federal Trade Commission ordered five major tech companies (Alphabet, Amazon, Apple, Facebook and Microsoft) to provide information about their acquisitions in the past 10 years which were not previously reported to antitrust agencies.


    The British government introduced a plan which would give Ofcom, the country’s media regulator, new powers to regulate internet content. Although the details of the proposal have not been released, the aim appears to be to combat “harmful content such as violence, terrorism, cyber-bullying and child abuse.” (BBC/NYT)

    The Scottish Parliament’s Justice Sub-Committee on Policing released a report concluding that “current live facial recognition technology is not fit for use by Police Scotland.” Among other things, the report cites biases against women and ethnic minorities as causes for concern. (BBC)

    Israel’s Ministry of Justice has begun to investigate the massive leak of voters’ data via an election campaign app used by the Likud party. The data includes the names, ID numbers and addresses of all Israeli voters. (JP/Haaretz/NYT)

    Compiled by Student Fellow Stav Zeitouni.

  • PRG News Round-Up — Feb. 5, 2020