Month: February 2022

On February 23d, the Privacy Research Group discussed the following current events:

The European Commission has put forth a proposal this week on industrial data regulation. The proposal, called the Data Act, is especially notable in its push for greater data-sharing and the right to data portability.

The PRG also discussed the National Institute of Standards and Technology’s plans to revise its Cybersecurity Framework. One particular aim of the revision is to improve cybersecurity guidance for supply chain risk management.

In media-related news, the New York Times has recently bought Wordle. The media company’s use of ad-trackers in the popular word game has led to privacy concerns and internet backlash.

On the other side of the pond, another news company has lost a landmark case on privacy. The UK Supreme Court has ruled against Bloomberg for publishing the private information of an individual facing criminal investigation. The court decision has prompted concerns over the future of journalism and the free press. 

(Compiled by Student Fellow Kiana Boroumand)

During the third PRG meeting of the Spring 2022 semester, the following topics were discussed:

This week the UN convened an international committee of government experts to conduct preliminary negotiations on a new treaty regulating cybercrime. However, there are substantial divides over what types of actions could be regulated and over the definition of “cybercrime.” A number of nations have pushed to exclude broader issues of national security, cybersecurity, and cyberwar, warning against using preventing cybercrime as a tool to impose broader controls on the internet. Another major divide is over the inclusion of both content-based crimes and technology-facilitated crimes. Human rights groups have noted the importance of public interest safeguards, and the initial proposals of many states have reflected those concerns, calling for adherence to current standards and an awareness of possible adverse consequences.

French and Belgian data protection watchdogs followed the Austrian’s data protection watchdog ruling that the use of Google Analytics violated GDPR with their own rulings. The French watchdog held that the data transfer built into Google Analytics violated Article 44, while the Belgian Data Protection Authority held that IAB Europe’s Transparency and Consent Framework infringed on GDPR as a result of IAB Europe’s negligence. Such rulings are likely to continue until US and EU negotiators come to an agreement to replace the recently struck down Privacy shield agreement.

California lawmakers are introducing a new bill, similar to the UK’s recent children’s code, tightening regulation on tech companies’ collection and usage of children’s data.  Lawmakers noted that several platforms introduced changes to make their platforms less addictive and more safe for children prior to the passage of UK regulation, and are undoubtedly hoping for similar effects.

Following a $650 million settlement in a similar lawsuit from the Illinois Attorney General, the Texas Attorney General has sued Meta, alleging that it unlawfully collected biometric data and stored such identifiers as vioceprints, retina or iris scans, and hand and face geometry. It is possible that similar lawsuits will continue, particularly if the Texas case results in a court victory or another large settlement.

Android announced a multi-year Privacy Sandbox initiative, aiming to create tools to improve users’ control over their own data. This builds on their Advertising ID system, which aimed to help users exercise more control over their data. It promises to limit third-party data sharing, not rely on cross-app identifiers, and stop cover data collection.

Second sight, a company producing implants to help restore vision to blind patients, stopped servicing and maintaining its ocular implants as it shifted its attention to a neural rather than ocular interface. This raises interesting questions the obligations companies have to maintain equipment others depend on, even as they go through bankruptcy or reorganization.

Meta has warned that upcoming privacy legislation in India may impact their operations. The bill seeks local storage and processing of data.

India has also banned 54 apps over security and espionage concerns. This follows the banning of 59 other apps, including TikTok, in June 2020, and another 118 apps in September 2020. This seems to both be part of a broader pushback against China as well as against apps which collect and transmit data abroad.

The CIA has been collecting and analyzing information on Americans in bulk and without a warrant, according to a declassified letter from two senators. These activities took place under Executive Order 12333, or intelligence activities that Congress left unregulated by its ban on bulk communications under the Patriot Act and FISA.

(Compiled by Student Fellow Justin Jin)

During the third PRG meeting of the Spring 2022 semester, the following topic were discussed.

This week, the Algorithmic Accountability Act of 2022 has been introduced. It’s a bill requiring new transparency and accountability for automated decision systems. Requirements include conducting impact assessments for bias, effectiveness, and other factors. It also creates, for the first time, a public repository at the Federal Trade Commission of these systems and adds 75 staff to the commission to enforce the law.

The Senate confirmed the nominations of two new members for the Privacy and Civil Liberties Oversight Board (PCLOB), a federal privacy watchdog tasked with ensuring the federal government’s counterterrorism efforts don’t trample on privacy and civil liberties. The agency, having been ineffective for quite some time due to vacancies, can now fully function again.

Seton Hall University School of Law’s Gibbons Institute of Law, Science & Technology and Institute for Privacy Protection are co-hosting a virtual conference on Big Tech and Antitrust to explore these issues from U.S., EU, and international perspectives with leading academics, practitioners, and former regulators.

In its efforts to collect information on the use of “standard technical measures” to address copyright infringement, the U.S. Copyright Office is meaning to hold a plenary hearing on automated filters on February 22^nd.

On February 3^rd, the Illinois Supreme Court filed an opinion holding that people can sue their employers for damages under the State’s privacy law, the Biometric Information Privacy Act (BIPA). The decision means that employers do not have a powerful weapon at their disposal when it comes to defending privacy claims.

The IRS has announced that it will “transition away” from using third-party facial recognition services for the verification of taxpayers’ identities, effectively ending a contract with facial recognition company ID.me that had received widespread criticism.

Duke Law Journal is organizing an event about automating the administrative state.

Israeli police has been using a spy software (Pegasus) to spy on its own citizens, including political activists involved in the Black Flag and Balfour demonstrations that took place against former Prime Minister Netanyahu last year.

A lawsuit challenges facial recognition as unconstitutional and illegal in Indian state Telangana, the most surveilled state in the world, according to Amnesty International.

For the first time, a German lower Court granted a data subject compensation under Article 82 GDPR for non-material damages suffered because of an unauthorized third-party access to the subject’s personal data. Furthermore, the Court found that the defendant company is obligated to compensate all material future damages resulting from the breach. 

A Human Rights Coalition is urging the Senate to drop the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act (EARN IT, S.3538). According to the Coalition, EARN IT will in fact make it harder for law enforcement to protect children and result in online censorship disproportionately impacting marginalized communities.

As Meta disclosed regulatory risks to its investors, the media spun that into a withdrawal from Europe threat. Meta issued a press release clarifying that they are not threatening to leave Europe but disclosed that continuing uncertainty over EU-US data transfer mechanisms poses a threat to their ability to serve European consumers.

(Compiled by Student Fellow Ge’ez Engidashet)

During the second PRG meeting of the Spring 2022 semester, the following topics were discussed.

In Germany, Twitter is challenging a provision in an anti-hate speech regulation. The regulation mandates social media firms to report serious criminal offences to German authorities. In reporting to the authorities, Twitter must transfer user data even though no crime has yet been committed. Twitter is arguing that this law impinges upon German citizens’ individual liberties and transforms social media firms into informal criminal prosecutors.

The Israeli Privacy Protection Authority issued its final paper regarding privacy protection officers.

Crisis Text Line, a non-profit messaging service is under fire for making use of anonymous data drawn from the conversations of its users to build a for-profit machine learning system. This platform’s mission is to help users in the context of mental health crises.

Distributed Denial-of-Service (DDoS) activities increased at record rates in 2021. The gaming industry has been one of the main victims of these attacks. Microsoft played an important role in curtailing many of these cyberattacks.

Bank Indonesia was also targeted by a ransomware attack at the beginning of 2022. The cybercriminals acquired non-essential data which belonged to the employees of the Bank. The Conti ransomware group claimed responsibility over the attack. As of the end of the month of January, the Conti group was still threatening to leak the data it had stolen.

Video game corporations may increasingly resort to facial recognition technologies. For instance, Tencent announced last year that it would use facial recognition systems in order to comply with China’s gaming regulations which aim to decrease the amount of time that minors spend on these devices.

Unity Technologies is attempting to create “digital twins” of people. These twins are essentially clones of real-life objects or persons. They exist and interact in a virtual sphere. The creators of these technologies are trying to simulate human behaviour and action through these digital twins. Ultimately, by using large amounts of data, Unity’s objective is to generate a “digital twin of the world”.

State lawmakers in Massachusetts are trying to pass a new privacy bill, the Massachusetts Information Privacy and Security Act.

In San Francisco, the mayor is suggesting a new ballot measure for the upcoming June election which would empower the police department to make use of live surveillance without prior approval in certain circumstances to prevent crime or harm. For example, police would have the authority to deploy real-time surveillance in certain neighborhoods.

In India, the Modi government is planning to reduce carbon emissions by promoting the use and sale of electric vehicles. The government is attempting to reach this goal through a “battery swapping” policy. This policy would allow drivers of electric vehicles to replace their batteries for already charged batteries at “swap stations”.

New Chinese draft provisions and propositions regarding the “deep synthesis” of Internet content have been issued.

In Tel Aviv, researchers have developed a novel method for lie detection by resorting to software, electrodes and algorithmic techniques.

Anduril Industries recently announced its new contract with the U.S Special Operations Command (SOCOM). Anduril will be supporting SOCOM’s “unmanned systems” and help counter military threats. 

Lastly, the Belgian Data Protection Agency decided that the Transparency and Consent Framework (a framework which manages user preferences for targeted advertising) is non-compliant with the GDPR. The Interactive Advertising Bureau Europe (IAB) has been fined in light of these violations.

(Compiled by Student Fellow Natasha Petrof)

Welcome to the Spring 2022 from the Privacy Research Group student fellows! The first PRG meeting was January 26 and we covered the following news items:

On the legal front, more than the privacy one, Justice Stephen Breyer announced his retirement. Breyer has served on the court for 27 years.

The United States Federal Reserve Board released a discussion paper on central bank digital currency. This report was published on January 20.

At the end of 2021 the European Commission presented a proposal of new laws on political advertising and microtargeting, a tool that allows candidates and parties to tailor communications to small groups of people through the use of datamining techniques.

The Austrian Data Protection Authority decided that the use of Google Analytics violates GDPR.

The creator of Bulli Bai, an app that puts Indian Muslim women up for “online auction,” was arrested in Delhi.

Two years ago, an employee of the Bharatiya Janata Party’s Information Technology Cell Tweeted about the existence of a a secret app called Tek Fog, that made it possible to do things like “hijack” the trending section of Twitter and Facebook; phish inactive WhatsApp accounts; and harass private citizens. An investigation by Ayushman Kaul and Devesh Kumar has been published by The Wire.

The United States Internal Revenue Service plans to require a “video selfie” with ID.me registration. (Update: The IRS is exploring “alternatives”.)

Google will be blocking targeted advertising for people under 18.

Google has been talking about replacing tracking cookies with “FloC.” They recently changed directions and are now replacing tracking cookies with “Topics API.”

Two ex-aides of former Israeli Prime Minister Benjamin Netantyahu had their phones illegally searched by police. The two ex-aides had been accused of trying to intimidate a witness for a trial against Netanyahu. The Supreme Court of Israel said that this search was “unacceptable,” but decided to approve the search regardless.

Microsoft is buying Activision Blizzard. This may bring up exciting antitrust scrutiny in the future.

A bill proposed in New York State to ban geofence and keyword search warrants was reintroduced to the New York State Assembly and Senate.

Police in Mainz (Germany) gained access to data from Luca, an app used for COVID-tracing, and used it to locate possible witnesses.

(Compiled by Student Fellow Molly de Blanc)