ILI Student Blog

Author: Nicole Arzt

  • Differences between the American and European systems of privacy laws

    Post by: Diana [Isabel] Ajuria

    http://www.nytimes.com/2013/02/03/technology/consumer-data-protection-laws-an-ocean-apart.html?_r=0

    This article, Consumer Data Protection Laws, an Ocean Apart, posted February 2, 2013 in the New York Times is focused on the differences between the American and European systems of privacy laws and speaks to several issues that have been addressed in class. First, the American system is described as very piecemeal, with a greater focus on certain industries, including medical records and credit reports, for example. This is in no doubt partially due to how privacy law in the United States was developed, emerging in  the Warren & Brandeis article and implemented through the Prosser torts.  The European system has grown out of a more blanket regulatory approach that guarantees certain rights. Now, Europe is looking to update their laws and some American tech companies are worried about how this will impact their business in Europe. For example, the article specifically mentions app companies, which we discussed in class this week, which in the United State are for the most part unregulated but would fall under protection in Europe.

    Although they take different underlying approaches, common ground can be found in the idea that both the current system in the United States and in Europe seem to be inadequate to meet current privacy needs of an advanced technological age. How one feels about the expansion of the American system, such as seen in the Zimmerman article, might vary. As regarding Europe, the vice president of the European Commission mentions in the article that the “main problem is that [the] rules predate the digital age and it became increasingly clear in recent years that they needed an update.” It will be interesting to see how both countries address privacy concerns over the next decade and if one ultimately convinces the other to adopt their regulatory approach.

  • FTC is getting serious about regulating mobile privacy

    Post by: Abigail Augus

    Regulating the collection and use of personal information though tort or contract is problematic for a host of reasons and may not provide companies with sufficient incentives to act in line with societal values and expectations. FTC enforcement, coupled with publicity and best practice guidelines, could provide those lacking incentives.

    As recently discussed in the New York Times, the FTC is getting serious about regulating mobile privacy. http://www.nytimes.com/2013/02/02/technology/ftc-suggests-do-not-track-feature-for-mobile-software-and-apps.html?hp&_r=1&. Last week, the FTC made two big moves in the mobile arena: first, the FTC released a staff report detailing recommendations for the mobile industry to safeguard personal information (http://www.ftc.gov/opa/2013/02/mobileprivacy.shtm); and second, almost simultaneously, the FTC entered into a settlement agreement with Path through which it fined the social networking company $800,000 and required it to create a comprehensive privacy program along with independent monitoring for the next 20 years (http://www.ftc.gov/opa/2013/02/path.shtm). Similar to the FTC settlement over the launch of Google Buzz, this settlement went far beyond an order to simply desist deceptive practices. Such agreements send powerful messages to other companies. As the NY Times notes, for big companies such as Google and Amazon, “the suggestions essentially carry the weight of policy.”

    Though some worry about unintended consequences of these settlements, such as companies eliminating privacy policies altogether to avoid FTC action, it seems likely that the publicity of violations may incite an increasingly savvy public to demand certain protections, which, if ignored, could destroy a business. This may be exactly what caused Instagram to lose almost half its users, as discussed in the January 30th blog post, “Continuing saga of Instagram.” Given that these companies’ ability to profit is entirely dependent on users and user data, reputational threats should be incentive enough for companies both small and large to heed the recommendations of the FTC, as well as those of other organizations setting influential guidelines (see, for example, the ACLU’s guide to privacy and free speech (https://www.aclunc.org/docs/technology/privacy_and_free_speech_it’s_good_for_business,_2nd_edition.pdf) and the California Government’s recommendations for mobile privacy (http://oag.ca.gov/sites/all/files/pdfs/privacy/privacy_on_the_go.pdf)).

  • Every Move You Make

    Every Move You Make

    By Jesse C. Glickenhaus

    February 7, 2013

    Artist Pierre Derks’ installation in the Hague showing rotating live streaming images—a baby in a crib, a security feed from a laundromat, a woman eating breakfast on a couch in a bathrobe—from over 800 web cameras may feel uncomfortable to watch, but does it invade people’s privacy?[1] The images are both deeply intimate and largely anonymous. Derks did not hack any computers, but rather assembled collections of unsecured webcams that are connected to the Internet and filtered and streamed them into a gallery. If one defines privacy by the public/private physical space conception, then images of “public” places such as stores or public streets would not be an intrusion. There would be no reasonable expectation of privacy in these places, and few people would be surprised to know that stores and streets have security cameras that may be viewed by other people. Helen Nissenbaum would probably agree that the context of these environments—populated by with strangers, in public spaces—privacy is not expected, and therefore images of those places might not be a prima facie violation of privacy. However, the images from inside people’s “private” spaces might violate privacy. Warren and Brandeis would be horrified at the idea of “instantaneous photography” showing live video images from inside person’s home. Such streamed images seem to violate Processor’s “intrusion upon seclusion” tort. Diane Zimmerman might argue that the benefits of the disclosures, including increased public awareness of the issue of unsecured webcams, could outweigh any potential privacy concerns. Whether or not one views Derks’ project as an invasion of privacy depends on how one views connecting a webcam to the Internet. Is this an act of self-disclosure or assumption of the risk, analogous to leaving one’s digital window curtains open, or is it closer to writing in a journal or taking a private photograph at home? Will there be a point when no reasonable person could expect his or her unsecured webcam to remain private? Until then, secure your webcams, or know that someone might be watching you.

    [1] Amar Toor, Privacy invasion or webcam art? ‘Screening Reality’ walks a fine line, The Verge (Feb. 6, 2013, 12:00 PM), http://www.theverge.com/2013/2/6/3949860/pierre-derks-screening-reality-amsterdam-exhibit-IP-cameras.

  • Path Settles With FTC Over Privacy Row-Will Pay $800K And Establish New Privacy Program Including Outside Audits

    Privacy Blog Post- Kenneth Villa

    Path Settles With FTC Over Privacy Row-Will Pay $800K And Establish New Privacy Program Including Outside Audits

    Tech Crunch

    http://techcrunch.com/2013/02/01/path-settles-with-ftc-over-privacy-row-will-pay-800k-and-establish-new-privacy-program-including-outside-audits/

    Business Week

    http://www.businessweek.com/printer/articles/420272?type=bloomberg

    Path, a social networking mobile app that allows users to share various types of social media content between one another, agreed to pay an $800,000 fee for violating the Children’s Online Privacy Protection Act and for misleading users with its “Add Friends” feature.

    Bearing some similarities to the Google Buzz settlement, the FTC alleged that Path misled consumers, and failed to provide users with a meaningful choice regarding the collection of their personal feature.  Path had an “Add Friends” feature that allowed users to add new connections to their networks through three options: “Find friends from your contacts,” “Find friends from Facebook,” or “Invite friends to join Path by email or SMS.” However, even if users chose not to select the first option, Path automatically collected and stored personal information from the iOS address book whenever the user first launched the app and each time the user signed back into the account. Path automatically recorded the names, addresses, phone numbers, email addresses, birth dates, and Facebook and Twitter usernames of each contact. Therefore, the FTC alleged that Path’s privacy policy deceived consumers by claiming that it only automatically collected the following information about their users: IP address, operating system, browser type, address of referring site, and site activity information.

    Additionally, the FTC alleged that Path had violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information of around 3,000 children who were under the age of 13, without requiring parental sign-off. Children comprised a portion of Path’s users, since it enabled children to create personal journals and upload, store and share photos, written “thoughts,” their location, and songs they were listening to.

    As part of its settlement, Path agreed to pay an $800,000 fee for its violation. In addition to the fine, Path will be creating a “comprehensive privacy program,” which requires a privacy assessment from external disinterested third-party sources every other year. The assumptions made in class, that startups enjoy more flexibility with its data privacy and receive less scrutiny from the FTC, are debunked by this settlement. Despite raising $40 million in venture capital, Path is a still a small startup without a firm revenue model in place. This settlement sends a clear and strong message to young companies that data privacy must be an important consideration at the early stages of its product development cycle. Although this might initially cause companies to delay product launches, the trade-off seems to be well worth it since it will presumably lead to better protections for user data.

    Another reason to justify the stiff fine is because Path violated COPPA by acquiring children’s personal information without parental consent.  Based on my previous experiences in the industry, children are typically a vulnerable age group—susceptible to stalkers, pedophiles, and child pornographists. Therefore, it is likely that this was an important consideration in establishing a settlement figure.

    In conjunction with this settlement, the FTC also took the time to release a new set of guidelines for mobile developers, since mobile apps are proliferating at a fast rate and developers are increasingly obtaining large amounts of private data from its users. Some of the guidelines urge developers not to store passwords in plaintext on their servers and to designate at least one member on the team to be responsible for considering security at every state of the app’s development.

    Lastly, this article signals the FTC’s increasing scrutiny and regulation of the mobile technology industry. Previously, the Federal Communications Commission (FCC) and the U.S. Food and Drug Administration (FDA) were the two primary governmental agencies that regulated the cell phone industry, the latter in charge of regulating health-related concerns with cell phone use and the former certifying wireless devices and ensuring that they comply with FCC regulations. All that is beginning to change with the increasing capabilities of mobile phones. It is likely that mobile app makers and the mobile phone industry will get increasing scrutiny from other governmental agencies in the future, most notably from the FTC.