  • PRG News Roundup, October 26, 2022

    News

    Uber is rolling out a new advertising branch, which will show riders live ads during their ride using data that Uber collects from their phones.

    A father and son shot at a woman sitting in her car after their Ring camera notified them of someone at their front door. The person at their front door was their neighbor, dropping off a package sent to the wrong address.  

    Apple rolled out new app store ads, allowing advertisements for apps on the store pages for other apps, but they paused gambling app ads after outcries from other developers. 

    Events

    On November 2nd, NYU Law will host a panel called “FemTech and Privacy: Striking the Balance in a Post-Dobbs Reality.” The event will take place in the Greenberg Auditorium at 5:00 pm, and will be moderated by Professor Melissa Murray. The registration link is here, and the event description is as follows:

    In the aftermath of the leaked Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization, warnings to period tracking app users went viral. The message? Ditch them immediately. Weeks later, a New York Times headline countered, “Deleting Your Period Tracker Won’t Protect You.” Join us for a panel discussion with academic, innovation, and advocacy experts who will explore how exactly such data is already or could be used – and misused. What privacy laws or legislation can be leveraged to protect FemTech users? And why does menstrual literacy – with or without tech tools – matter more than ever in our post-Dobbs reality?

    (Compiled by Student Fellow Batya Kemper)

  • PRG News Roundup, October 19, 2022

    Events

    On November 2nd, NYU Law will host a panel called “FemTech and Privacy: Striking the Balance in a Post-Dobbs Reality.” The event will take place in the Greenberg Auditorium at 5:00 pm, and will be moderated by Professor Melissa Murray. The registration link is here, and the event description is as follows:

    In the aftermath of the leaked Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization, warnings to period tracking app users went viral. The message? Ditch them immediately. Weeks later, a New York Times headline countered, “Deleting Your Period Tracker Won’t Protect You.” Join us for a panel discussion with academic, innovation, and advocacy experts who will explore how exactly such data is already or could be used – and misused. What privacy laws or legislation can be leveraged to protect FemTech users? And why does menstrual literacy – with or without tech tools – matter more than ever in our post-Dobbs reality?

    News

    The Biden Administration plans to start a labelling system for rating the cybersecurity of Internet of Things (IoT) devices. This labelling system is meant to help American consumers identify and purchase more secure tech.

    In the aftermath of the Optus privacy breach, Digital Rights Watch Australia has advocated for reforms to Australia’s Privacy Act, which has an exemption for voter information kept by political parties. They argue that a breach of this voter data could have dangerous social and political implications. For more on the issue, see this link.

    A new investigative report reveals that the company Equifax surveilled 1000 of its remote workers to assess their productivity. The company then fired 24 employees who were found to have been juggling two jobs. 

    In the UK, the Competition and Markets Authority (CMA) ordered Facebook’s parent company Meta to sell GIPHY, one of its recent acquisitions. The CMA believed that Meta’s acquisition would give the company even more market power.

    (Compiled by Student Fellow Kiana Boroumand)

  • PRG News Roundup, October 12, 2022

    On September 28, the EU Commission published a Proposal for an Artificial Intelligence Liability Directive (AILD, or AI Liability Directive). The purpose of the Directive is to “improve the functioning of the internal market by laying down uniform rules for certain aspects of non-contractual civil liability for damage caused with the involvement of AI systems.” 

    On October 4, the EU Parliament voted to approve EU legislation that would standardize mobile chargers to be USB Type-C starting in 2024. The legislation (which now only needs final approval by the EU Council) is intended to reduce e-waste, but also has significant implications for interoperability, especially for companies like Apple that make their own separate Lightning chargers. Similar legislation for computer chargers may be forthcoming.

    Also on October 4, the White House Office of Science and Technology Policy (OSTP) released a “Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People” describing five principles to “guide the design, use, and deployment of automated systems.” The OSTP has described the Blueprint as a non-binding “white paper” instead of official guidance. The Blueprint was also accompanied by a companion document, “From Principles to Practice: A Technical Companion to the Blueprint for an AI Bill of Rights.” 

    In Canada, the Edmonton police service has begun using DNA phenotyping to create computer-generated images of suspects. On October 4, Edmonton detectives utilized the Snapshot DNA Phenotyping Service from Parabon NanoLabs, a US-based DNA technology company. However, two days later, pushback led them to retract the computer-generated suspect image they had released.

    On October 5, Joseph Sullivan, former chief security officer of Uber, was convicted of obstruction of proceedings and misprision of a felony regarding an attempted cover-up of a 2016 hack of Uber. He now faces a maximum of five years in prison for obstruction and three years for misprision. This is one of the first instances of criminal charges in response to a data breach. The case is U.S. v. Sullivan (9th Cir. 2022). 

    On October 7, President Biden signed an executive order directing the steps the US will take to institute the pending EU-US Data Privacy Framework. While some US parties seem optimistic about the draft, other EU parties like data privacy activist Max Schrems are less so. 

    Pending Cases

    The Supreme Court is scheduled to hear Gonzalez v. Google LLC (9th Cir. 2021) in its current term, a case about whether Section 230(c)(1) of the Communications Decency Act “immunizes interactive computer services when they make targeted recommendations of information provided by another information content provider, or only limits the liability of interactive computer services when they engage in traditional editorial functions (such as deciding whether to display or withdraw) with regard to such information.” The case was accepted by SCOTUS even though there is not a clear circuit split indicating a particular point of view. 

    Gonzalez v. Google comes on the heels of two appellate court decisions about content moderation that have not been granted certiorari by SCOTUS, but which some think might in the future. They are NetChoice, LLC v. Attorney General, State of Florida (11th Cir. 2022), which struck down a Florida law restricting social media platforms’ ability to moderate content, and NetChoice v. Paxton (5th Cir. 2022), which conversely upheld a similar law in Texas.

    There is a pending data protection case before the Court of Justice of the EU (CJEU) regarding the scope of damages for GDPR violations: UI v. Österreichische Post AG. An Advocate-General Opinion was issued on October 6, before the CJEU issues a final judgment; an analysis of the opinion by Max Schrems’ group noyb can be found here.

    US “crypto policy advocacy group” Coin Center is suing the Department of Treasury’s Office of Foreign Assets Control (OFAC) over its sanctions of cryptocurrency mixer Tornado Cash. Complaint linked here; Ori Freiman’s take here.

    Upcoming Events

    On November 2 at 5 pm EST, the Engelberg Center will host “FemTech and Privacy: Striking the Balance in a Post-Dobbs Reality,” a conversation exploring how FemTech data can be used, and the privacy laws and legislation that can be leveraged to protect users. The event will be in-person in Greenberg Lounge, Vanderbilt Hall. RSVP and more information here.

    (Compiled by Student Fellow Toni Xu)

  • PRG News Roundup, October 5, 2022

    Yesterday, the White House Office of Science and Technology Policy released its Blueprint for an AI Bill of Rights, which aims to embed protections throughout the AI design pipeline. The blueprint is centered on five principles, namely, rights to safe and effective systems; algorithmic discrimination protection; data privacy; notice and explanation; and human alternatives, consideration, and fallback.

    Recently, concerns have been raised that corporations are outsourcing the work of data collection and training of machine learning models to academic non-commercial entities to avoid legal liability and accountability. These algorithms, such as Stable Diffusion and Google’s Imagen, may then be re-licensed for commercial use. 

    After a months-long dispute, Elon Musk has agreed to go forward with a $44 billion buyout of Twitter for $54.20 per share, far above its market price, in order to preempt a trial connected to Musk’s attempt to walk away from the original deal. Twitter has yet to respond to the offer.

    The Council of the European Union approved the Digital Services Act, which aims to regulate large digital providers and protect fundamental rights. It requires platforms and search engines to be more transparent, to design recommender systems not based on profiling, and to be accountable for their role in the dissemination of harmful content online. 

    A provision of the Obama-era Cures Act intended to provide patients with direct access to their medical records has led some hospitals to send medical data and test results to patients before their doctors can consult with them. As a result, some are being confronted with stressful, traumatizing information and are left to process it alone.

    The United Kingdom government has again paused its draft legislation for a data reform bill, which is meant to replace the EU’s GDPR. New Prime Minister Truss’s cabinet claims that this new legislation will eliminate bureaucratic red tape, though details of how exactly it will do so have yet to emerge.

    The New York City Department of Consumer and Worker Protection has given notice of a public hearing and opportunity to comment on proposed rules governing the use of automated tools in employment decisions. The hearing will take place on Monday, October 24th, 2022.

    Erick Adame, a Spectrum News NY1 meteorologist, was fired after someone sent pictures of him nude on an adult webcam site to his employer and mother. Adame’s firing has sparked outcry, as he was the victim of revenge porn, and so-called ‘morality clauses’ in contracts are disproportionately wielded against LGBTQ people like him.

    (Compiled by Student Fellow Nicholas Tilmes)

  • PRG News Roundup, September 28, 2022

    Yesterday, the European Commission introduced a proposal for a new AI liability standard. This proposal consolidates the fragmented liability standards in effect in EU member countries. It has specific provisions for “lay[ing] down uniform rules for access to information and alleviation of the burden of proof in relation to damages caused by AI systems”. Existing EU-level legislation left out considerations for end-users, an omission which this proposal addresses.

    Australia’s second largest telecommunications provider was breached this week. The hacker posted the information of 10,200 customers before apologizing and taking it down. A class action lawsuit may follow from this breach.

    A new California law bars in-state companies and law enforcement from sharing abortion information requested by out-of-state warrants. It raises new legal questions for companies and sets up future legal battles, but furthers California’s goal of becoming a sanctuary for abortion-seekers.

    The US Treasury Department issued guidance this week aimed at increasing internet service access for protestors in Iran. This update included new internet-related exceptions to Iranian sanctions, specifically expanding VPN, video-conferencing, and social media access.

    The Journalism Competition and Preservation Act advanced out of the Senate Judiciary Committee on Thursday. It would provide an antitrust exemption for news outlets to collectively bargain with tech platforms over pricing, terms, and conditions.

    A modification to California’s Age-Appropriate Design Code Act was introduced in the New York state senate this week. This legislation would outlaw advertising and data mining targeting minors and would require a hotline for parents to report content-related emergencies to tech platforms. It faces staunch opposition from tech lobbyists, as it is even stricter than its California equivalent.

    A recent TikTok about Turo hosts mocking a customer’s driving habits set off conversations about privacy when renting through the car sharing platform.

    (Compiled by Student Fellow Jacob Leiken)

  • PRG News Roundup, September 21, 2022

    Yesterday, after more than a year of deliberation, Indonesia passed a sweeping data privacy law. Following a string of data breaches and leaks at government organizations, lawmakers greatly welcomed the bill.  Violating this new law can result in corporate fines (up to 2% of annual revenue) and even prison time. 

    The Berkeley Consumer Laws Scholars Conference (March 2-3, 2023), from Berkeley’s Center for Consumer Law & Economic Justice, has extended its call for abstracts to this Friday, September 23. To submit an abstract, please fill out this form.

    California governor Gavin Newsom has just signed a huge bill (called the California Age-Appropriate Design Code Act) protecting children’s online safety. The bill, strongly opposed by the tech industry, includes sweeping safeguards for users under 18 across a variety of online services: social media, games, connected toys, voice assistants, digital learning tools, and more. The law will take effect in 2024. 

    The Federal Court in Canada has ruled in favor of two Somali women who were stripped of their refugee status after officials at the Canadian Border Services Agency used facial recognition technology to allege that they were actually Kenyan. The Agency used Clearview AI, a facial recognition surveillance technology company (which also has federal contracts with the U.S. government). 

    The Court of Justice of the European Union (CJEU) ruled yesterday that antitrust authorities, as part of their antitrust investigations, are allowed to assess whether companies are compliant with EU data protection rules (GDPR), dealing a blow to Meta. This case came to the CJEU from Germany, where Meta challenged a finding that it had taken advantage of its market power when it collected data without permission, which brought forth the question of whether antitrust investigations can cover data privacy issues. The CJEU answered yes, stating that potential violations of privacy laws are relevant to violations of antitrust laws.  

    The CJEU also ruled that Germany’s data retention law is unlawful. In the opinion, the CJEU made clear that the blanket data collection law was to be applied very narrowly—only in situations involving serious national security threats—and was otherwise illegal. Member states had been banking on the vast data collection for the purposes of protecting national security and fighting crime.  

    Spawning AI has just launched a tool, Have I Been Trained?, which allows you to see if your image has been used to train popular AI art models. The tool will search across a set of 5.8 billion images.

    Ontario is investing nearly $1.8 million in new video surveillance systems. This funding will go towards updated CCTV cameras, software, and installation.

    (Compiled by Student Fellow Eunice Park)

  • PRG News Roundup, September 14, 2022

    Google must face most of Texas AG’s antitrust lawsuit, which alleges, among other things, that the company illegally monopolized the advertising technology market. Google won its motion to dismiss an allegation that it entered into an anticompetitive agreement in 2018 with Meta’s Facebook—codenamed Jedi Blue—with respect to advertising auctions. Despite Google having to face all but the one claim in the suit, the company is considering the dismissal a win, asserting that the dismissal highlights the flawed nature of the AG’s case.

    Google lost a challenge against an EU antitrust decision, resulting in a record fine of €4.1 billion for the company. Europe’s General Court broadly upheld the Commission’s decision concluding that Google imposed unlawful restrictions on Android mobile device manufacturers and network operators in order to support the dominance of its search engine. 

    The Privacy and Civil Liberties Oversight Board (PCLOB) is seeking public comments related to its oversight project examining Section 702 of the Foreign Intelligence Surveillance Act. Section 702 is a key FISA provision permitting the government to conduct targeted surveillance of foreign persons located outside the United States, with the compelled assistance of electronic communication service providers, to acquire intelligence information.

    At a “listening session” about tech platform accountability, the White House has renewed a call to remove the shield allowing platforms to disseminate content without liability. President Biden previously called for the revocation of the liability shield, also known as Section 230 of the Communications Decency Act, on the campaign trail in 2020. Biden will need Congressional action for the change, but there is limited bipartisan consensus on how to fix the law. 

    Apple added multiple new privacy and security features in its newly released iOS 16. One of the privacy features is called Safety Check and allows people to quickly reset data and location access sharing. According to Apple, the feature is aimed at those in domestic or intimate partner violence situations. For non-emergency situations, Apple has rolled out a Manage and Sharing Access walkthrough that allows individuals to review sharing permissions and data access.

    Apple, which for years has been a vocal critic of data-intensive online advertising models, is now making a push to become a bigger seller of ads. Apple will likely face criticism that it is acting hypocritically, given that many features across its devices, operating system, and its Safari browser have been designed to block tracking technologies and limit the sharing of person- or device-level information. In order to be successful with its advertising efforts, the company must integrate its advertising initiatives into its ecosystem without detrimentally impacting its renowned user experience.

    Google and Meta were hit with whopping fines totaling ~$71.8M (100 billion KRW) by South Korean authorities due to a finding that the companies violated the country’s privacy law. According to South Korea’s Personal Information Protection Commission (PIPC), Google and Meta failed to receive legitimate consent in the process of collecting information from users. These penalties are the largest to date in South Korea for violation of the personal information protection laws.

    The FTC published an advance notice of proposed rulemaking to request public comment on the prevalence of commercial surveillance and data security practices that harm consumers. The Commission is specifically inviting comment on whether it should implement new trade rules or other regulatory alternatives concerning the ways in which “companies collect, aggregate, protect, use, analyze, and retain consumer data, as well as transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive.” Comments must be received on or before October 21, 2022.

    Upcoming NYC events:

    (Compiled by Student Fellow Tanner Co)

  • PRG News Roundup, April 20, 2022

    The Ninth Circuit Court of Appeals held this week that web scraping of publicly accessible data is legal. The case initially arose when LinkedIn sued a company, hiQ Labs, for scraping data off its site in order to evaluate employee attrition.

    The Dutch tax authority was recently fined €3.7 million for GDPR violations stemming from the ‘child care benefits scandal’ first uncovered in 2019. The authority had utilized an algorithm that mistakenly flagged tens of thousands of people (many belonging to low-income or dual-citizen households) as high-risk for potentially engaging in child care benefits fraud. Mistakenly flagged individuals were denied certain services as a result of their high-risk profile, including payment arrangements and debt restructuring.

    The 10th annual Freedom of Expression Scholars Conference will take place on Saturday, April 30 and Sunday, May 1st. It will be preceded by a Symposium organized by the Journal of Free Speech Law on Friday, April 29th at 5pm EST. As in previous years, the conference will be a mix of plenary sessions (one panel discussing multiple papers) and breakout sessions (simultaneous panels, each discussing one paper). All sessions will take place on Zoom. Papers can be found here.

    (Compiled by Student Fellow Addison Yang)

  • PRG News Roundup, April 13, 2022

    Recently, the Cybersecurity and Infrastructure Security Agency issued a “shields up” message to U.S. organizations, warning of potential cyberattacks relating to the Russian invasion of Ukraine. While no definite threats have been confirmed or issued, the agency has provided guidance on vulnerabilities and common tactics and has cataloged known vulnerabilities. 

    The Center for Social Media and Politics hosted a symposium on the future of social media. The panels at that symposium discussed how to cover, research, and regulate social media in the wake of the Facebook Papers.

    (Compiled by Student Fellow Justin Jin)

  • PRG News Roundup, April 6, 2022

    The ACLU put out an op-ed on the privacy implications of digital currencies, highlighting that the technology may pose more threats to privacy than previously anticipated.

    The Court of Justice of the European Union (CJEU) ruled once again that EU law continues to preclude the general and indiscriminate retention of traffic and location data relating to electronic communications for the purposes of combating serious crime.

    The NYU Center for Social Media and Politics (CSMAP) is holding a virtual symposium on April 13, 2022: The Future of Social Media: Covering, Researching, and Regulating Platforms.

    (Compiled by Student Fellow Margarita Boyarskaya)