Category: Uncategorized

The ninth Hackers On Planet Earth conference will take place in New York on July 13-15, 2012. Organizers have issued a call for speakers on a wide variety of topics, including “cryptography, copyright, telecommunications, new technologies, research, experimentation, surveillance, countersurveillance, privacy, anonymity, censorship, hardware hacking, programming, democracy and law, education, social engineering, digital protests, [and] hacking society.”

“The Android developer who raised the ire of a mobile-phone monitoring company last week is on the attack again, producing a video of how the Carrier IQ software secretly installed on millions of mobile phones reports most everything a user does on a phone.”  Read more here.

Facebook has announced its long-rumored privacy settlement with Facebook. The complaint focuses on several allegedly deceptive acts by Facebook, as listed in the press release:

• In December 2009, Facebook changed its website so certain information that users may have designated as private — such as their Friends List — was made public. They didn’t warn users that this change was coming, or get their approval in advance.
• Facebook represented that third-party apps that users’ installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data — data the apps didn’t need.
• Facebook told users they could restrict sharing of data to limited audiences — for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
• Facebook had a “Verified Apps” program & claimed it certified the security of participating apps. It didn’t.
• Facebook promised users that it would not share their personal information with advertisers. It did.
• Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
• Facebook claimed that it complied with the U.S.-EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.

The proposed settlement would impose various privacy obligations on Facebook, including the quickly-becoming-standard 20 years of privacy audits.

Edited to add: Mark Zuckerberg’s statement.

Edit 2: My colleague Joe Hall points out Count 3 of the FTC’s complaint:

As described in Paragraphs 19–26, by designating certain user profile information publicly available that previously had been subject to privacy settings, Facebook materially changed its promises that users could keep such information private. Facebook retroactively applied these changes to personal information that it had previously collected from users, without their informed consent, in a manner that has caused or has been likely to cause substantial injury to consumers, was not outweighed by countervailing benefits to consumers or to competition, and was not reasonably avoidable by consumers. This practice constitutes an unfair act or practice.

This continues a recent trend of the FTC asserting its authority over “unfair” trade practices, even when they’re not “deceptive.” This also came up in the FTC’s settlement with Frostwire over unfair default settings, which prompted the FTC to warn companies to “spend some time thinking through [their] default settings” and consider questions like “Do your defaults keep users safe from making serious inadvertent errors?” and “Does your application work in ways consumers would reasonably expect?”

Joe Hall here.

An intriguing story flew past my Twitter stream, that begins:

“MINNEAPOLIS (WCCO) — Detailed medical information discovered on the back of a first-grader’s school drawing sent Minneapolis school officials scrambling.

Jennifer Kane was tidying her dining room when she found the drawing by her daughter, Keely, who goes to Hale Elementary School. On the back of the paper was the name, birth date and detailed medical information for a 24-year-old St. Paul woman named Paula White.” –(“Recycled Medical Records Used As Scrap Paper At School”)

Long story, short: Ms. White’s records that she voluntarily gave to a law firm representing her after a car accident were donated by a paralegal to Ms. Kane’s daughter’s elementary school.  These records, and those of presumably many others, were found by school officials after being used as scrap paper and have since been secured, probably waiting disposal (or, cynically, placed in escrow until the new team of lawyers Ms. White might hire to sue her old lawyers get a chance to look at them!).

Ms. White expresses concerns that we see often in cases of privacy breaches, especially medical breaches: “It’s got my account number, my birth date, my job … I’m outraged. I am embarrassed. I don’t want anyone to know my personal information.”

What recourse does she have?  Likely, the only thing she can do is hire another law firm to sue the first law firm; that is, there’s no federal health privacy issue here. Because the law firm is not a “covered entity” under the federal law and accompanying regulations known as the Health Insurance Portability and Accountability Act (HIPAA), the responsible enforcement agency, the department of Health and Human Services, can’t seek corrective action.  In fact, you may be surprised how little HIPAA and HHS can do in situations like these. Our friends at the World Privacy Forum keep a very useful FAQ about HIPAA and also point out how medical identity theft, where people use medical information about others to obtain services or make fraudulent claims, is on the rise and an increasing concern for patients.

What can you do? Be vigilant, as always. Make sure you monitor and understand your health insurance claims information and that you let your health care providers know if you suspect funny business. Of course, if a law firm you hire screws up this bad, find a new one and teach the old one a lesson with a good old fashioned legal malpractice lawsuit.

Updated on 11/22 to make clear that Ms. White can sue the original law firm for malpractice. –JLH

That’s quite an interesting article!

Court makes it official: You have no privacy online

Eleni Gessiou

Orin Kerr ponders oral arguments in United States v. Jones (reposted from The Volokh Conspiracy):

As a follow-up to Helen’s post about Verizon’s new privacy practices, EPIC has filed an FTC complaint alleging that the move amounts to an unlawful trade practice.

Michael Degusta has a wonderful blog post up about the history of missing software updates for Android smartphones, compared to Apple’s iPhone. A sample:

In this chart, green blocks represent periods when a phone ran the most up-to-date major version of its operating system, while yellow, orange, and red blocks represent periods where a phone could only run increasingly out-of-date major versions. See Michael’s post for the full chart and some great analysis.

Two factors combine to make the lack of updates a significant problem. First, in the United States at least, most phones are sold on two-year contracts, so a lack of updates means they will almost certainly be used well after their OS is no longer the current version. Second, since smartphones are constantly connected to the cell-phone network and the Internet, they present an attractive and vulnerable target for malware authors when security vulnerabilities are discovered. If updates can’t be applied to many of the smartphones in use, then the potential harm from a security problem expands greatly. Indeed, the many Android privacy and security problems show the potential severity of the issue.

So what is to be done? It’s understandable why, in the fast-moving and competitive market for Andoid smartphones, makers don’t want to spend money supporting devices they’re no longer selling. Yet if two-year contracts are the standard, it may not be unreasonable for users to expect makers to support a device for at least two years after they stop selling it. With the FTC’s recent reemphasis on trade practices that are “unfair” but not necessarily “deceptive” (a subject worthy of a post of its own), it will be interesting to see if the agency has anything to say about the Android orphan problem.

From TalkingPointsMemo:

“Feds To Monitor Google’s Privacy Practices For Next 20 Years

Sarah Lai Stirland October 24, 2011, 4:10 PM 942 5

The U.S. Federal Trade Commission on Monday finalized a landmark settlement with Google in which the company has agreed to be audited for its privacy practices for the next 20 years.

The commission has said that this is the first time that it has required any company to formally implement a comprehensive privacy program to protect individuals’ personal information.

The FTC commissioners voted to approve the settlement 4-0, after the period for public comment ended. The proposed settlement was announced in March.

The FTC case was prompted by the now-defunct Google Buzz social networking service. Google tried to tack Buzz onto Gmail users’ e-mail accounts, enabling them to provide status updates and to share photos and videos, but it created an uproar when it made users’ Gmail contacts public by default.

The commission charged that Google engaged in unfair and deceptive practices in 2010 when it launched Google Buzz by leading users of its Gmail system to believe that they could easily opt-out of the social network. The controls that would enable them to do that were ineffective, the FTC charged at the time.

Also the tools that Google created to enable users to limit the sharing of users’ personal information were confusing and difficult to find, the agency alleged.

In its complaint, the FTC said that Google had enrolled some Gmail users in Google Buzz even after the users had clicked on a tab to decline to use the service, and that the identities of people that Gmail account holders most frequently communicated with were made public by default. Worse, when users tried to get out of the service, they weren’t fully removed.

In a press statement on the settlement, the FTC noted, “In response to the Buzz launch, Google received thousands of complaints from consumers who were concerned about public disclosure of their email contacts which included, in some cases, ex-spouses, patients, students, employers, or competitors.”

Google made changes to respond to those complaints, but the FTC went after the company because Google had violated its own privacy policy by using its users’ personal information in a way that they had not consented to even though Google had said they would ask for permission first.

The commission had also charged that the way that Google had gone about representing the way its users’ personal information would be displayed was deceptive. Users didn’t know, for example, that their most frequently e-mailed contacts would be made public by default.

The FTC’s settlement with Google requires the company to inform and obtain its users’ consent before it shares any of their information with third parties, and subjects the company to 20 years of privacy audits every two years by an independent third party monitoring service. The audits are meant to ensure that Google is living up to its promises about what it is doing with its users’ personal information. The company is also required to implement a comprehensive “privacy program.”

Google recently killed its disasterous Google Buzz project, which had been long abandoned in favor of its Google+ social network, which has met with general praise for the way it enables users to control how they share information on a fine-grain level.

In an e-mail to TPM, Google’s Senior Manager of Global Communications Chris Gaither said that Google has completely revamped the way it approaches privacy.

Instead of being an afterthought, privacy is a concept that’s considered during the design of new products.

“We’ve strengthened many of our internal privacy and security controls over the past year,” he said. “For example, in October we appointed longtime Google engineer Alma Whitten to director of privacy across product management and engineering.”

In addition, Gaither says, “We’ve increased privacy training for all our employees. We’ve tightened our compliance controls for those who deal with sensitive data. And last fall, we added a new process to our existing privacy review system requiring every engineering project leader to maintain a Privacy Design Document for each initiative they are working on. This document records how user data is handled and is subject to regular review.”

Like other technology companies, Google had come increasing fire both here in the United States and especially in Europe over privacy issues.

Last May, Google inadvertently collected data from private WiFi networks when its Street View cars drove by. Google has since been investigated by the regulatory authorities in Europe over the incident.”