Category: Uncategorized

Johnston Chen

http://www.nytimes.com/2013/01/26/technology/eu-privacy-proposal-lays-bare-differences-with-us.html?_r=0

In January, the United States government and Silicon Valley lobbied against European efforts to increase consumer information privacy law in the European Union.  At that time, several proposed laws were working their way through the European Parliament.  These proposed laws are designed to give 500 million consumers the ability to block or limit many forms of online web tracking and targeted advertising.  While seen as a major boon in consumer privacy, all major American tech companies have lobbied the European headquarters in Brussels arguing that Europe weaken or remove these limits.

Ben Wizner of the American Civil Liberties Union highlights that, unlike Europe, the United States has no general data protection law.  As a result, he states that online companies in the United States may conduct “unfettered” data mining.  Under the European proposals, however, Web businesses would be unable to collect and profile individual users without their explicit consent.  Businesses would also have to permanently remove information upon a user’s request.

Adoption of the bill is expected in early 2014, and is critical for both European and American consumers because the outcome of these information privacy laws could critically affect United States technology companies.  Although based in the United States, many Silicon Valley companies typically generate a third or more of their sales in the European Union.  The profitability and continued success of companies such as eBay, Amazon, Microsoft, Google, and Texas Instruments, among other companies, could depend in large part on how the European Parliament decides to format their information privacy laws.  While these laws are designed to protect the privacy of the consumers, many corporations fear that their loss of data could turn into a loss of sales, hurting both the consumers and the corporation. As a result, the tension between consumer privacy and profitability is highlighted in Brussels’ current struggle over increased European privacy laws.

Catalina Carmona

For quite some time now, both industry and privacy advocates have pointed out the need of reforming the Electronic Communications Privacy Act (ECPA). The main argument is that the act, which was passed in 1986, cannot adequately respond to new technologies, and leaves important loopholes for privacy to be disrupted.

For example, ECPA only requests law enforcement authorities to have a warrant when searching through email that has not been opened, and is less than 180 days old. For older emails, no warrant is required. In times in which people no longer store their emails in their hard drives, but on the cloud or a server, this poses serious threats to privacy.

In November 2012, the Senate Judiciary Committee approved a reform to ECPA, which would now require law enforcement authorities to obtain a warrant in all cases when searching through email.

http://www.nytimes.com/2012/11/30/technology/senate-committee-approves-stricter-privacy-for-e-mail.html?_r=0

The Committee approved this bill despite strong opposition from enforcement agencies. In fact, just a few days before this proposal was approved, Patrick Leahy, the Democratic chairman of the Senate Judiciary Committee, who also took part in the drafting of the original version of ECPA, was ready to go through with a version that would allow several agencies –including the Securities and Exchange Commission and the Federal Communications Commission– to access email without a warrant. The FBI and Homeland Security would have even greater powers under the Act, as they could even fully access online accounts without a judge authorization, or notification to the owner of the account.

http://news.cnet.com/8301-13578_3-57552225-38/senate-bill-rewrite-lets-feds-read-your-e-mail-without-warrants/?part=rss&subj=news

The online community has enthusiastically received the reforms to ECPA, and now awaits the final vote on the Senate, which is expected to happen some time this year.

(See, for example: https://www.cdt.org/pr_statement/senate-committee-takes-historic-step-privacy and https://www.netnanny.com/blog/the-ecpa-and-your-online-privacy/ )

But the bill will still need to overcome the resistance from more conservative groups, who believe that public safety should have a stronger stance when analyzing online privacy.

Zachary King

This past Sunday 60 Minutes aired a report about the enormous amount of mistakes made by credit reporting agencies.  (http://www.cbsnews.com/8301-18560_162-57567957/40-million-mistakes-is-your-credit-report-accurate/).

In the report Steve Kroft cites to a newly released 8-year long study conducted by the FTC into the big 3 credit reporting agencies (Experian, TransUnion, and Equifax) saying that 40 million Americans have an error on their credit reports and 20 million have a mistake significant enough to lower their credit score. This translates to one in every five adults with an error, which the Ohio attorney general has called “unconscionable.”

The segment explains the harms faced by individuals with mistakes on their credit records. The show concentrates on one woman who had a six year battle with the big three companies. She was denied credit and couldn’t refinance her mortgage or undersign a loan for her children. When she ordered her credit reports there was nothing alarming. She only found out what the problem was by peaking at her file at a bank when nobody was looking. She learned that the credit reports that banks get are different from what the consumer can get. In her case the large debts of a woman with the same first name, but a completely different last name from a different state somehow got added to her file. While it seems like this would be easy to fix, it turns out that it was impossible. The companies refuse to undergo the reasonable investigations required by the FCRA. 60 Minutes interviewed former employees of Experian who said that they did not have the power to do even the most basic investigation and were instructed to always take the word of the creditor to be true. The only way that she was able to finally prevail was by filing a lawsuit. The show says that the credit reporting companies are not interested in improving their policies. They reason that it is cheaper to every so often pay $ 1 million in punitive damages than it would be to implement a system that is in line with the basic fair information practice principles.

60 Minutes explained this story as “a horror story worthy of Hitchcock or Kafka.” While these analogies aren’t bad, what is more apt is the movie Brazil, where a fly gets jammed in a typewriter causing a slight change in a name printed on a government document, which sets into place a very unfortunate series of events. Rather than give spoilers, you should watch the movie (http://www.imdb.com/title/tt0088846/). In any event, now that there is some press about the practices of the credit reporting agencies, perhaps changes will be made and we can avoid the path that is currently set towards Terry Gilliam’s dystopian bureaucratic vision captured in Brazil.

Jessica Heimler

http://www.nytimes.com/2013/02/07/technology/personaltech/protecting-your-privacy-on-the-new-facebook.html?smid=tw-nytimes

With Facebook consistently rolling out new features and subsequent privacy settings, many people may be unaware as to how to best protect their online information. This article, which appeared on February 6, 2013 in the New York Times. The article suggests four questions to ask yourself so as to best be able to format your privacy settings. First is “How You Would Like To Be Found.” It gives tips on how to disable search engines from linking to your facebook timeline and how to determine what the privacy settings are for something posted by a friend. The next question is “what do you want the world to know about you?” It urges readers to reconsider including seemingly harmless pieces of information, such as gender and birthday, which can be exploited by hackers. The article also identifies online tools which can identify pieces of information, such as profanity, and gives you the option of deleting it from your profile. Third asks “do you mind being tracked by advertisers?” and explains how to remove targeted advertising from your homepage. Finally, the article asks “Whom do you want to befriend?” and asks readers to carefully consider who they create connections with over Facebook. It identifies two more pieces of software that can prevent a Facebook friend’s actions from displaying pieces of your own information publicly.

This article is an important read even for those who think they have a good handle on Facebook’s privacy settings. The new version of Facebook, released this past December, will allow all users–including strangers–to search for pieces of information such as what you do and where you go. It is imperative that users know how to protect this information in the best way possible.

Akiva Miller

The approaches to privacy regulation taken by Europe and the United States are often seen as being at odds with one another. The European regulatory scheme is characterized as overarching, comprehensive, principled, centrally-controlled, and more protective of citizen’s rights, whereas the US regulatory system is characterized as a patchwork of sector-specific laws and regulations, lacking in unitary concepts, driven by a combination of FTC action and self-regulation by the industries, and less-protective of citizens’ rights. (See, for example: http://www.nytimes.com/2013/02/03/technology/consumer-data-protection-laws-an-ocean-apart.html?_r=1& ,  which was featured in last week’s PRG blog post).

However, this impression may need to be revisited following closer scrutiny of the drafting process of the EU’s new Data Protection Regulation.  As technology news site GigaOm reports, a recent examination of the proposed amendments to the draft Data Protection Regulation conducted by Max Schmers, and Austrian Law student and vocal critic of Facebook, casts light on the extent to which US commercial interests are influencing the drafting process.  Schmers’s examination shows how language coming from from lobbyists for US-based commercial giants Amazon and eBay, as well as the American Chamber of Commerce, have been copy-and-pasted directly into the opinion submitted by the European Parliament’s Committee on the Internal Market and Consumer Protection to amend the proposed General Data Protection Regulation. According to the report, these suggested changes water-down the original protections of European citizens’ rights in favor of American business.

http://gigaom.com/2013/02/11/amazon-ebay-privacy-lobbying-sparks-cut-and-paste-crowdsourcing-drive/

So perhaps the guiding hands behind privacy regulation in the US and Europe are not so vastly different after all? If true, this information is a vivid reminder that Europe’s principled approach to privacy does not necessarily translate into tougher privacy safeguards for citizens. It should also serve as a food for thought for advocates of comprehensive privacy legislation in the United States and elsewhere around the world.

Information on the proposed General Data Protection Regulation can be found at: http://ec.europa.eu/justice/newsroom/data-protection/news/130206_en.htm

The proposed amendments by the Committee on the Internal Market and Consumer Protection  can be found at: http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2f%2fEP%2f%2fNONSGML%2bCOMPARL%2bPE-496.497%2b02%2bDOC%2bPDF%2bV0%2f%2fEN

Peter Kauffman

http://www.nytimes.com/2012/06/13/technology/ftc-levies-first-fine-over-internet-data.html

Last June, the Federal Trade Commission assessed an $800,000 penalty on Spokeo, a data collection agency, for distributing personal information as a way for potential employers to screen job applicants. According to the above New York Times article, this was “the F.T.C.’s first case addressing the sale of Internet and social media data for use in employment screening.” Like the Google buzz case and the Path settlement discussed in the “FTC is getting serious about regulating mobile privacy” blog post, this indicates the FTC’s willingness to aggressively curb social media sites’ abilities to disseminate their users’ private information. Unlike those two cases, the FTC assessed the fine against Spokeo under the Fair Credit Reporting Act.

Based on this case, institutions can be considered consumer reporting agencies despite their best attempts to not fall under that label. In 2010, Spokeo changed its terms of service to state that it “was not a ‘consumer reporting agency’ and that consumers could not use its profiles for purposes that were covered by the Fair Credit Reporting Act.” Similar to the Google Buzz case, the FTC faulted the company for insufficient notice to subscribers about such a change in its practice. The FTC then argued that the “coherent people profiles” Spokeo made available—which included an individual’s marital status, hobbies, ethnicity, religion, and photos—constituted a “consumer report” under the definition in 15 U.S.C. § 1681b(d). This case highlighted an interesting strategy the FTC can employ in its quest to protect dissemination of social media users’ private information.

Post by: Diana [Isabel] Ajuria

http://www.nytimes.com/2013/02/03/technology/consumer-data-protection-laws-an-ocean-apart.html?_r=0

This article, Consumer Data Protection Laws, an Ocean Apart, posted February 2, 2013 in the New York Times is focused on the differences between the American and European systems of privacy laws and speaks to several issues that have been addressed in class. First, the American system is described as very piecemeal, with a greater focus on certain industries, including medical records and credit reports, for example. This is in no doubt partially due to how privacy law in the United States was developed, emerging in  the Warren & Brandeis article and implemented through the Prosser torts.  The European system has grown out of a more blanket regulatory approach that guarantees certain rights. Now, Europe is looking to update their laws and some American tech companies are worried about how this will impact their business in Europe. For example, the article specifically mentions app companies, which we discussed in class this week, which in the United State are for the most part unregulated but would fall under protection in Europe.

Although they take different underlying approaches, common ground can be found in the idea that both the current system in the United States and in Europe seem to be inadequate to meet current privacy needs of an advanced technological age. How one feels about the expansion of the American system, such as seen in the Zimmerman article, might vary. As regarding Europe, the vice president of the European Commission mentions in the article that the “main problem is that [the] rules predate the digital age and it became increasingly clear in recent years that they needed an update.” It will be interesting to see how both countries address privacy concerns over the next decade and if one ultimately convinces the other to adopt their regulatory approach.

Post by: Abigail Augus

Regulating the collection and use of personal information though tort or contract is problematic for a host of reasons and may not provide companies with sufficient incentives to act in line with societal values and expectations. FTC enforcement, coupled with publicity and best practice guidelines, could provide those lacking incentives.

As recently discussed in the New York Times, the FTC is getting serious about regulating mobile privacy. http://www.nytimes.com/2013/02/02/technology/ftc-suggests-do-not-track-feature-for-mobile-software-and-apps.html?hp&_r=1&. Last week, the FTC made two big moves in the mobile arena: first, the FTC released a staff report detailing recommendations for the mobile industry to safeguard personal information (http://www.ftc.gov/opa/2013/02/mobileprivacy.shtm); and second, almost simultaneously, the FTC entered into a settlement agreement with Path through which it fined the social networking company $800,000 and required it to create a comprehensive privacy program along with independent monitoring for the next 20 years (http://www.ftc.gov/opa/2013/02/path.shtm). Similar to the FTC settlement over the launch of Google Buzz, this settlement went far beyond an order to simply desist deceptive practices. Such agreements send powerful messages to other companies. As the NY Times notes, for big companies such as Google and Amazon, “the suggestions essentially carry the weight of policy.”

Though some worry about unintended consequences of these settlements, such as companies eliminating privacy policies altogether to avoid FTC action, it seems likely that the publicity of violations may incite an increasingly savvy public to demand certain protections, which, if ignored, could destroy a business. This may be exactly what caused Instagram to lose almost half its users, as discussed in the January 30th blog post, “Continuing saga of Instagram.” Given that these companies’ ability to profit is entirely dependent on users and user data, reputational threats should be incentive enough for companies both small and large to heed the recommendations of the FTC, as well as those of other organizations setting influential guidelines (see, for example, the ACLU’s guide to privacy and free speech (https://www.aclunc.org/docs/technology/privacy_and_free_speech_it’s_good_for_business,_2nd_edition.pdf) and the California Government’s recommendations for mobile privacy (http://oag.ca.gov/sites/all/files/pdfs/privacy/privacy_on_the_go.pdf)).

Every Move You Make

By Jesse C. Glickenhaus

February 7, 2013

Artist Pierre Derks’ installation in the Hague showing rotating live streaming images—a baby in a crib, a security feed from a laundromat, a woman eating breakfast on a couch in a bathrobe—from over 800 web cameras may feel uncomfortable to watch, but does it invade people’s privacy?[1] The images are both deeply intimate and largely anonymous. Derks did not hack any computers, but rather assembled collections of unsecured webcams that are connected to the Internet and filtered and streamed them into a gallery. If one defines privacy by the public/private physical space conception, then images of “public” places such as stores or public streets would not be an intrusion. There would be no reasonable expectation of privacy in these places, and few people would be surprised to know that stores and streets have security cameras that may be viewed by other people. Helen Nissenbaum would probably agree that the context of these environments—populated by with strangers, in public spaces—privacy is not expected, and therefore images of those places might not be a prima facie violation of privacy. However, the images from inside people’s “private” spaces might violate privacy. Warren and Brandeis would be horrified at the idea of “instantaneous photography” showing live video images from inside person’s home. Such streamed images seem to violate Processor’s “intrusion upon seclusion” tort. Diane Zimmerman might argue that the benefits of the disclosures, including increased public awareness of the issue of unsecured webcams, could outweigh any potential privacy concerns. Whether or not one views Derks’ project as an invasion of privacy depends on how one views connecting a webcam to the Internet. Is this an act of self-disclosure or assumption of the risk, analogous to leaving one’s digital window curtains open, or is it closer to writing in a journal or taking a private photograph at home? Will there be a point when no reasonable person could expect his or her unsecured webcam to remain private? Until then, secure your webcams, or know that someone might be watching you.