Category: Uncategorized

• PRG’s own Albert Fox Cahn (director of the Surveillance Technology Oversight Project) has co-founded a new podcast, Surveillance and the City. Check it out here.
• On September 22 at 11am Eastern, global experts (including many PRG members) will weigh in at a town hall titled “Contextual Integrity of Contact Tracing.” Details here.
• The Surveillance Technology Oversight Project has been publishing great work lately exploring COVID-19’s effects on surveillance trends, including:
  • increasing surveillance of schoolchildren;
  • justice issues in online courts during COVID-19; and
  • contact tracing in higher education.
• Last week, Apple and Google announced a change in their mobile-phone-based contact tracing framework. Instead of providing a backbone on which government actors must create their own apps to notify people of potential exposure, the companies will now provide their own notification software.
• A few days ago, Facebook announced a new research partnership aiming to understand the impact of Facebook and Instagram on users’ political attitudes. Instead of conducting the research solely internally, Facebook has selected 17 external researchers with which it will partner. Users will be paid to stay off of their accounts throughout the election cycle, and the researchers will conduct studies to see the difference between their political attitudes and beliefs and those who continue to be users, among other research topics.

PRG 4/29 News Notes

The Israeli High Court of Justice issued a ruling that the internal service’s contact tracing must be done through means set in law by the legislature. They had not disclosed their methods previously, so the ruling strikes down their current practice. (Haaretz)

The ACLU was suing to enjoin “WAMI” program, currently a pilot program in Baltimore. The program involves surveillance planes equipped with cameras constantly flying over the city. A District Court judge denied the ACLU’s request for a temporary injunction. The ACLU is appealing the ruling. (Baltimore Magazine)

The UK is opting out of Google/Apple’s Bluetooth COVID tracing. Plans on building their own app with a private developer. (BBC)

The French government also pushed back on Apple/Google, requesting the companies disclose more info as part of API. (MacRumors.com)

The U.S. Supreme Court asked the company hiQ to respond to Linkedin’s motion to intervene in an ongoing case, which indicates that the Court is interested in/reviewing the case and may grant cert. The case concerns data scraping and could have major implications for biometrics and companies like Clearview. (MediaPost.com)

Congress put out a call for engineers to modernize governmental procedures – move to online/tech versions of systems currently done in paper, spurred by COVID-19. (Tech Congress)

The Colorado Supreme Court ruled that a search warrant requesting all contents of a cell phone was overbroad, thus violating the Fourth Amendment’s particularity doctrine. (Justia)

A large number of Americans are unable or unwilling to use Apple/Google’s COVID system. (Washington Post)

Germany changed their stance on the Apple/Google COVID initiative after resisting for a while. (DW.com)

China arrested several internet users who uploaded records of the coronavirus outbreak to Github. (QZ)

• France urged Google and Apple to ease their privacy protections because the current protocols wouldn’t permit the French contact tracing plan. (The Guardian)
• ILI Fellow Salome Viljoen wrote an op-ed with Jake Goldenfein and Ben Green about the discourse and narrative around protecting public health vs. protecting privacy, arguing that the privacy/health trade-off is a false one. (Jacobin)
• A group of privacy academics, researchers, and professionals in Europe called DP-3T has proposed a privacy-preserving contact tracing app as an alternative to PEPP-PT. The app, unlike PEPP-PT, is decentralized. (New Statesmen) (Github)
• A number of state supreme courts have adopted Facebook Live as their new way to stream proceedings and hearings. One or two have switched to YouTube. (Florida Supreme Court) (Vermont Supreme Court) (Michigan Supreme Court)
• The Microsoft policy team send out an email yesterday supporting the idea of an “open data opportunity,” trying to change their attitude toward the data they collect and how they share it with other actors. One feature that was interesting was their idea of “spectrum of open data” — trying to differentiate between non-sensitive data, commercially sensitive data, and personal data. (Youtube Explainer)

• PRG member Genevieve Fried wrote a piece with Rashida Richardson focusing on individual privacy while evaluating the merits of contact tracing ignores important qs about whether contact tracing works. It is not published yet. She has also been doing a lot of mapping work around contact tracing technology.
• Stevie Bergman posted a 5-part podcast she made at the end of last year about AI and human rights at a Princeton conference. (Soundcloud)
• Co-opting AI: A GDPR conversation featuring our own Ira Rubinstein. (Youtube)

(compiled by student fellow Tom McBrien)

On April 15, 2020, the PRG student fellows led a discussion about privacy and the ongoing coronavirus pandemic. Please see the slides here.

Zoom continues to face backlash over its privacy and security practices. In particular, concerns have been raised regarding the lack of end-to-end encryption, the prevalence of “zoombombing” (when uninvited participants join an ongoing Zoom meeting), and the fact that the company was apparently sending user information to Facebook. While many of these issues have been addressed by the company, they have also already led to at least two class actionlawsuits. In response to concerns, Zoom’s CEO has stated that the company is working on reevaluating and tweaking some features.  

HuffPost published an article highlighting the connections between Clearview AI, the facial recognition technology firm which has significant partnerships with law enforcement agencies, and the far-right movement in the United States.

A group of over 130 European scientists, technologists and experts has founded the Pan European Privacy Protecting Proximity Tracking organization. Its mission is to supply a technological solution to the COVID-19 crisis which adheres to European privacy and data protection laws and principles. The group is currently working on an app which would generate only temporary IDs and use Bluetooth technology to track interactions between individuals.

(Compiled by student fellow Stav Zeitouni)

• The CDC is collecting data on citizens’ locations and movements from cell phones, social media, and airline passenger manifests — and doing so without judicial oversight. (Daily Beast; Surveillance Technology Oversight Project)

• Zoom for Windows software has a vulnerability that allows attackers to steal users’ operating system credentials. (Ars Technica)

• Zoom uses a preinstallation script in order to install itself without the user’s final consent. Instead, a highly misleading prompt is used to gain root privileges. (Twitter)

• Cloudflare launched 1.1.1.1 for Families, a secure, fast, privacy-first DNS resolver that can block “adult” content (and malware.) However, there are concerns as to how the block-list was created and what is on this list. (Cloudflare)

• As mass surveillance proliferates in cities, some privacy activists are developing “stealth streetwear,” clothes and wearable items that help protects wearers’ anonymity.  (New Yorker)

(Compiled by Student Fellow Ginny Kozemczak)

• The Singaporean government introduced a contact-tracing app named TraceTogether that mainly uses Bluetooth to keep a 21-day log of who users have been in close contact with. Singapore placed many privacy protections in the app. For example, it does not automatically report users names or locations. Upon governmental request, however, this information must be divulged. (CNBC)
• PRG’s own Albert Fox Cahn co-wrote an op-ed in NBC Think, commenting on some of the emerging concerns around surveillance and the pandemic response. The Surveillance Technology Oversight Project (“STOP”) has seen calls for CSLI on a broad base, which would raise a lot of legal concern post-Carpenter. Also, there have been many calls for app-based data collection to enforce quarantine. New York’s Governor Cuomo announced today that he’s recruiting individuals for a technology SWAT team to be deployed over the coming 90 days, but it’s unclear what the scope of operations would be. The Senate bill has $1.5B set aside for local funding of surveillance, but it’s unclear whether that’s cabined to epidemiological surveillance or not. Overall, there seems to be the potential for a concerning pivot toward increased surveillance.  (NBC Think)
• Lawfare and Just Security have posted some helpful articles on the intersection of pandemic response and privacy.
• Quite early in its pandemic response, the Israeli government passed a new law to allow its equivalent of the FBI to apply some measures to hack into people’s phones to find out other people who were physically proximate. Those who had contact with infected individuals would get a text from the ministry of health informing them of their contact and that they need to self-quarantine. (Techcrunch; Washington Post) But the system may not be working well, as many ER technicians and doctors have been getting these messages; there seems to be no differentiation. There was a Supreme Court injunction against the practice.
• Some, including the team behind Proton Mail, have noticed that increasingly popular web meeting client Zoom is an extremely “grabby” data collector and has a suite of surveillance features that can do things such as track user attention. (Protonmail)

(Compiled by Student Fellow Tom McBrien)

In China, “[a] new system uses software to dictate [COVID-19] quarantines — and appears to send personal data to police, in a troubling precedent for automated social control.” (N.Y. Times)

The CDC is struggling to track coronavirus outbreak partially because it doesn’t have enough data from airlines. Airline companies say it’s because customers are booking through Expedia, etc., who don’t normally share info w/ airlines for business reasons. (Wash. Post)

Leaked data from a financial data broker show that large companies are purchasing millions of Americans’ credit card data and may be able to tie it to specific individuals. (Vice)

“Amazon keeps records of every motion detected by its Ring doorbells, as well as the exact time they are logged down to the millisecond.” (BBC)

Clean Master, a popular antivirus app, has a very broad privacy policy. It was kicked off of the Google Play store because it was extracting extremely detailed tracking of users’ browsing. (Forbes)

(Compiled by Student Fellow Tom McBrien)

Two school districts in South Carolina have replaced metal detectors with millimeter wave body scanners. This yet another privacy concern in the school context, after universities have begun attempting to track students using Bluetooth beacons and WiFi MAC addresses.

Smithsonian released nearly 3 million images into the public domain under the Creative Commons Zero license. Our own Michael Weinberg was involved in the effort.

Clearview AI, the controversial facial-recognition company, announced that its entire client list was stolen.

The Indiana Supreme Court ruled that removing a GPS tracking device from your car does not constitute a theft.

EA banned Kurt0411, a popular FIFA player, from its platforms due to “serious and repeated violations.” Interestingly, Kurt0411’s behavior does not appear to match the specific behaviors listed on EA’s website eligible for a ban.

Google’s research has suggested that its efforts to anonymize patient data are not foolproof.

Amazon has opened GoGrocery (the cashier-less grocery store) in Seattle.

The Privacy and Civil Liberties Oversight Board (PCLOB) released a report on the NSA call detail records program, finding the program led to only a single significant investigation between 2015 and 2019.
The USA Freedom Act is up for reauthorization this year. Expect groups to push to amend Section 215.

The Intercept received leaked reports showing EU Police planning to build a European-wide facial recognition database.

The Brave web browser, that purports to be “privacy focused” has been released.

The Markup, a new publication “investigating how technology influences our society” has begun releasing articles.

(Compiled by Student Fellow Jacob Apkon)

The European Commission published its data strategy. The proposal emphasizes the development of rules for access and re-use of industrial and commercial data, as well as building a single data market and developing EU data storage and processing infrastructure. The Commission also released an update on its proposed policies on Business-to-government data sharing, which centers around the idea of EU-wide legislation on “the use of private sector data by the public sector for the common good”.

A simultaneously released digital strategy draws out plans to build “common European data spaces,” — large aggregations of data accessible by members at both sectoral and cross-sector levels. The commission also plans to develop an act that will govern free-of-cost union-wide sharing of high value public sector data. The latest version of the EU’s AI strategy abandons the idea of a total ban on facial recognition technology, which was previously under consideration. 

New criticism of Amazon Ring highlights lack of evidence that the the technology helps reduce crime. In other news related to Amazon’s camera-equipped doorbell, a recent privacy policy update by Ring is criticized for focusing on third party partnerships while not addressing problematic practices of sharing data with law enforcement agencies.

Facebook will Settle Illinois Facial Recognition Suit. The company is said to have violated an Illinois biometric privacy law by harvesting facial data for Tag Suggestions from the photos of millions of users in the state without their permission.

ISPs sue Maine, claiming that Web-privacy law violates their First Amendment rights.

A second security breach of the Likud party app exposes personal data of individual voters. Also in Israel, ATM users are asked to take an election poll in order to withdraw money.

New York City’s council has voted to ban cashless businesses over privacy and bias concerns.

(compiled by Student Fellow Margarita Boyarskaya)