Category: Uncategorized

Donald Trump’s new social network, Truth Social, has been reported to be a thinly disguised variant of the Mastodon social network codebase.  Mastodon is free software that anyone can use as long as they comply with Mastodon’s license terms, which Truth Social may be in violation of.

Donald Trumps social media company will be funded by a special purpose acquisition corporation (SPAC).  Michael Ohlrogge here at NYU has recently released a paper on the subject.

YouTube, Snap, and TikTok executives testified before the Senate Commerce Committee.  The senators were particularly concerned with the platforms’ impact on young people, reflecting concerns that have percolated around Facebook in recent days. 

Senators Gary Peters (D-MI) and Rob Portman (R-OH), the Chair and Ranking Member of the Homeland Security and Governmental Affairs Committee (HSGAC), introduced legislation to secure and protect information handled by federal contractors using AI technology.  The bill would require OMB to establish and consult the Artificial Intelligence Hygiene Working Group to ensure that government contractors are securing data like biometrics that preserve privacy rights and national security.

Senator Ron Wyden (D-OR) penned an op-ed in Just Security calling for the end of secret laws, given the evolution of government surveillance and markets for private information.

The Journal of Online Trust and Safety is launching its inaugural issue this week. ILI Fellow Aniket Kesari will be featured!

According to Microsoft, a victim of the SolarWinds hack, the group behind the attack, Nobelium, is targeting technology companies that sell and provide cloud services. 

A cyberattack disrupted the sale of heavily subsidised gasoline in Iran on Tuesday, state media reported, causing long queues at gas stations across the country weeks before the anniversary of 2019 street protests that followed fuel price hikes.

Parents or individuals under eighteen years old will be able to request that images of their children or themselves be removed from Google search results unless there is “compelling public interest or newsworthiness.”

Digital rights advocate Elliot Harmon, who was the Director of Communications at the Electronic Frontier Foundation, passed away Saturday.

Baltimore school-issued laptops include monitoring software that helps track when their student users begin to exhibit mental health issues. 

The Center for Democracy and Technology also has some writing on school issued devices. One of the big findings it that poor students are far more likely to be monitored than wealthy ones.  In addition, CDT raises concerns that this software can be unduly intrusive and may discourage students from expressing themselves. 

Sam Altman, a former president of the Y Combinator tech startup accelerator, has developed a cryptocurrency that would be equally distributed across the world population via a retina scan.  The project has faced backlash from the privacy community. 

PRG member Alexandre de Streel will join the Guarini Colloquium on Monday to discuss the EU’s proposals for a digital markets act and a digital services act.  If you are interested in attending, please email guariniglobal@nyu.edu (NYU Law community members can attend in person).

North Carolina prisons have prohibited physical mail including cards, photos, and correspondence in favor of digital scans of mail for inmates. 

(Prepared by Student Fellow Coordinator Justin Lee)

The Guarini Center will host a colloquium on the global data economy.  They will seek legal solutions to deal with data as a new type of asset in order to foster innovation and growth and to reduce obstacles for all stakeholders in the data economy. In a session of the colloquium, Michael Veale will discuss the EU proposal, the AI Act.  (link)

A UK court has fined a man for violating the Data Protection Act 2018 and the UK General Data Protection Regulation for using their Amazon Ring cameras to surveil their neighbor, including capturing distant conversations of the neighbor. (link)

Mark Zuckerberg has been added to a consumer protection lawsuit brought by the attorney general for the District of Columbia.  Based on ongoing investigations, Attorney General Karl Racine claims that Zuckerberg played a much more active role than previously thought.  The District can claim up to $5,000 for any of the District’s 3,000 residents who may have ben affected by the Cambridge Analytica breach, meaning that this suit may be one of the first of many in which Zuckerberg may be personally liable for substantial damages. (link)

Facebook intends to change the company’s name to focus on the ‘metaverse’, the future virtual conceptions of the internet. However, this rebranding also comes as Facebook faces intense scrutiny in the US after the whistleblower Frances Haugen revealed the company’s business practices involving manipulation of its platform and users for profit. (link)

A traffic camera in the United Kingdom fined a British motorist for driving in a bus lane despite the motorist living and commuting a 100 miles from the camera’s location in Bath. The camera had confused a shirt reading “KNITTER” for the motorist’s license plate “KN19TER” and registered a violation to the motorist’s vehicle. (link)

(Prepared by Student Fellow Maxwell Votey)

The Brazilian National Data Protection Authority (ANPD) and the Spanish Data Protection Agency (AEPD) – the administrative authorities responsible for data protection in Brazil and Spain, respectively – signed a Memorandum of Intellectual Cooperation for the protection of personal data, both at a national and transnational level. (link)

The Israeli Communications Ministry is assembling a team that will examine whether Facebook is legally responsible for its content, according to an N12 report. Based on the report, the team’s mandate will also includes assessing transparency requirements for contest takedown, and user blocking policies. (link)

Andy Parker, the father of journalist Alison Parker that was shot and killed in 2015, filed with Georgetown Law clinic a complaint to the F.T.C. against Facebook, for failing to take down violent videos of the killing from the platform. The complaint alleged that Facebook and its subsidiary Instagram unlawfully deceive consumers by allowing violent murder videos to spread and persist on its platforms, in clear violation of their Terms of Service. (link)

Former “Google Fiber” employee shares her experiences and claims that Google’s monopoly in the search and online ad business allowed it to compete against the big internet service providers. The piece later discusses the problems with monopolies in a more general way. (link)

The CIA appears to have invested $1.6 million in Wickr, an encrypted messaging app, recently purchased by Amazon. According to Vice, the investment highlights Wickr’s continuing position as an end-to-end encrypted messaging app for government agencies. (link)

(Prepared by Student Fellow Danya Amir)

Russia is seeking a fine from Facebook totaling 5-10% of its annual turnover in the country. In 2020 Russia passed legislation that allows regulators to fine internet providers if they repeatedly fail to delete content when requested. While Russia said Facebook had complied with demands to delete some of the requested content, it announced it would seek the fine because Facebook had not taken down all of the content it had requested. It is estimated that the fine could be between 12 and 39 billion roubles, equal roughly to $165 million to $538 million. (Link)

The European Parliament’s Committee on Legal Affairs adopted the committee’s recommendations on the Digital Services Act. While these are recommendations and not binding on the final outcome, the committee called for limiting liability exemptions for internet companies that perform basic functions of content moderation and content curation, the right to use and pay for digital services anonymously, a ban on behavioral tracking and advertising and a stricter time limit of 72 hours for deciding on reported content. The Digital Services Act regulates online internet intermediaries and digital platforms with the goal of better protecting consumers and establishing greater transparency. If adopted by the Internal Market Committee, the recommendations would be a notable change in the liability exception for internet platforms. The Internal Market Committee will meet on November 8^th to vote on the recommendations. (Link) (Link)

In “Vaccine – Educated Decision Assoc.” v. City Kinds Inc., a case recently decided in Israel, an anti-vaccination group alleged that the requirement to show proof of vaccination at a kindergarten was an infringement of privacy. The lower court in Israel rejected their claims and held asking for proof of vaccination is not illegal. (Link)

A lower court has asked the Court of Justice of the EU (CJEU) to rule on whether the collection and retention of publicly available data by a credit agency violates the General Data Protection Regulation’s (GDPR) sections on lawfulness and storage limitation principles. The case comes as part of an increase of cases posed by national courts to the CJEU regarding how the GDPR should be interpreted and applied in practice. (Link)

Facebook Whistleblower Frances Haugen filed eight complaints with the Securities and Exchange Commission. She accused the company of making material misstatements and omissions in statements to investor and prospective investors through past filings, testimony to Congress, online statements and media stories. She also accused Facebook of misrepresenting the scale and its awareness of problems with its products. (Link) (Link)

(Compiled by Student Fellow Caolinn Mejza)

The “Facebook Files,” a series of articles about internal Facebook research reports that were revealed recently to the Wall Street Journal, has provided a window into Facebook’s understanding of many of the flaws on its platform. Notable revelations include that Facebook is aware of Instagram use being harmful to a “sizable percentage” of teenage girls (a finding which led Facebook to delay the introduction of Instagram for Kids), that tweaks to the News Feed algorithm made in 2018 resulted in more engagement but also led to more hate speech and increased anger, and that Mark Zuckerberg’s personally directed efforts to curb vaccination misinformation on the platform were largely a failure. Facebook faces a difficult “Snowden revelation” scenario in responding to the leaks, where it needs to decide whether to release more information about these issues (to show the WSJ’s data is incomplete) or to refuse to (leading to accusations of hypocrisy). (Link, Podcast, Facebook rebuttal)

The Senate Commerce Committee held a hearing about consumer privacy. The main decision points appear to be whether to handle privacy by expanding FTC authority over the field (including by possibly creating a new bureau within the FTC and/or increasing its funding), and/or whether to enact a federal privacy law along the lines of California’s or Colorado’s. (Link, Source)

Amazon released a surveillance robot that is capable of moving autonomously around a house taking pictures and video from a security camera. The robot is designed to look friendly, but privacy advocates have been quick to point out troubling implications for anyone who can afford the $999 sticker price. (Link, Link)

YouTube has updated its internal policies regarding misinformation, specifically becoming more stringent on medical and vaccine misinformation. They will be more proactive on removing content that “falsely alleges that approved vaccines are dangerous and cause chronic health effects, claims that vaccines do not reduce transmission or contraction of disease, or contains misinformation on the substances contained in vaccines.” (Link)

The UK is considering removing or amending Article 22 of the GDPR, which protects people from automated processing by providing a right of human review for automated decisions. This comes after some mixed empirical evidence about the success of human review within the GDPR framework. (Link)

An article highlighted the use of refugees and displaced people to train machine learning datasets, often by labeling videos, transcribing audio, or similar “clickwork.” Major firms, like Microsoft, Facebook, Amazon, and Tesla, rely substantially on this labor. This appears to be an important and concrete instance where machine learning is causing real-world harm. (Link)

ICE recently signed a $3.9 million contract for a “rapid” AI-powered facial recognition tool for use at migrant detention facilities. So far, the agency has released the bare minimum of details on how this will be used, with the contract suggesting only that it will be deployed for “rapid alternatives to detention enrollments through facial confirmation application.” (Link, Link)

(compiled by Student Fellow Andrew Mather)

Upcoming Events

Guarini Colloquium: Regulating Global Digital Corporations – Monday September 27, 2021, 17:20 – 18:20 In this NYU Law School colloquium, participants will read and discuss a recent paper by Elettra Bietti on digital platform regulation. (link)

News Items 

China passed the Personal Information Privacy Law (PIPL) at the end of August 2021. The PIPL covers all businesses, including those doing business outside of China, that interact with, store, share, collect, or otherwise use personal information from people within China. The PIPL regulates the ways in which “personal information handlers” can handle personal data and includes data transfer restrictions. Violation of the PIPL can result in fines, notice on China’s social credit system, or being prohibited from future business in China. It will go into effect on November 1, 2021. (link, link)

The Cyberspace Administration of China passed the The Regulation on Management of Automobile Data Security (Trial), which will impact many sectors, including automakers, software suppliers, distributors, maintenance organizations, and ride hailing platforms. Through this, “important data” such as geographic information, video and images, and personal data, will need to be stored within China. Any data transfers outside of China will need to undergo a security assessment. (link)

China’s Data Security Law went into effect on September 1. The Data Security Law outlines how companies active in China should classify and manage data. (link)

Apple released iOS 15 on September 20. While Apple had previously announced a plan to introduce technology to scan user devices for images of child sex abuse material (CSAM), that plan has been delayed after criticism from privacy, policy, and rights groups, as well as thousands of individuals. (link) Additionally, new privacy controls are available in iOS 15, but will not be available in all countries or may require a subscription fee. (link)

Zoom made a $14.7 billion proposal to acquire Five9. The deal is currently being reviewed by the Committee for the Assessment of Foreign Participation in the United States Telecommunications Service Sector for national security concerns, due to Five9 having operations in Russia. Zoom already has research and development staff located in China. (link)

Facebook is making changes to its news feed, adding “junk code” to HTML features used for accessibility, In addition to impacting technology like screen readers, which blind and visually impaired people may implement to help use a computer, these changed affect ad blockers and prevent automated data collection, impacting Facebook users and researchers using automated data collection. (link)

As voting begins in Russia, Facebook and Google removed a smartphone app that tells users what opposition candidates are likely to defeat candidates backed by Russian authorities. (link)

The Illinois Appellate Court issued an opinion on how the statute of limitations applied to the state’s Biometric Information Privacy Act (BIPA). The court suggested a one year limit on claims about “unlawful profit or disclosure” and a five year limit on claims of “data retention policy disclosure, informed consent, and safeguarding.” (link)

(compiled by Student Fellow Molly de Blanc)

President Biden nominated Alvaro Bedoya for a seat on the Federal Trade Commission.  Bedoya, a professor at Georgetown University Law Center, is a well-known privacy advocate.  He has a research background in privacy lapses on online platforms, the consequences of facial recognition technology, and oversight on electronic and biometric tracking. (link)

Ireland’s Data Protection Commission has opened two inquiries into TikTok on the processing of children’s personal data and the transfer of personal data to China.  The Data Protection Commission, which is considered a leading EU regulator, is allowed to impose fines of up to 4% of global revenue. (link)

Facebook’s Oversight Board affirmed Facebook’s decision to restore a news post about a threat of violence from the Izz al-Din al-Qassam Brigades, the military wing of the Palestinian group Hamas.  Facebook originally removed the content under the Dangerous Individuals and Organizations Community Standard and restored it after the Board selected this case for review. The Board concluded that removing the content did not reduce offline harm and restricted freedom of expression on an issue of public interest. (link)

Facebook has built a system—known as XCheck—in which high-profile users, including politicians and celebrities, are exempted from some or all of its rules.  This is contrary to the platform’s public position, which is that its three billion users may all speak on equal footing.  (link)

The Wall Street Journal acquired internal documents from Facebook showing that the company knew that Instagram was causing profound harm to teen girls’ mental health.  According to internal company studies, the social media platform fosters body-image concerns, eating disorders, among other effects.  The company also downplayed these negative effects and has not made its internal research public.  (link)

China has forbidden under-18-year-olds from playing video games for more than three hours a week.  Gaming companies will be barred form providing services to minors in any form outside of 8:00pm to 9:00pm on Fridays, Saturdays, and Sundays.  (link)

(compiled by Student Fellow Coordinator Justin Lee)

The Israeli government attempted to transfer information to local authorities that would enable them to track the identity of people who have not received a COVID-19 vaccine. These health data transfers from the Health Ministry to local governments were approved by the Knesset last month, but last Tuesday, the High Court of Justice ruled them unconstitutional. The court held that the data transfer laws harmed constitutional right to privacy and issued a temporary injunction barring further data transfers. (link)

Google announced that will roll out Federated Learning of Cohorts as an replacement to 3rd party cookies. The announcement has generated a lot of Github arguments about how the new online activity tracking system may look like, and how it should look like. (link, link, link)

New York is expanding the use of its vaccine passport, the Excelsior Pass. Art venues will be able to use the pass to monitor whether visitors have been vaccinated and get authorization to open at increased capacity. STOP has reached out to the NY government regarding the Excelsior Pass’s privacy policy but has not received a response yet.

Verkada, a security camera startup, has been reported to possess a super admin view of their private customer cameras. The super admin view allows them to watch live footage from any of their tens of thousands of cameras. The news caused a security camera scandal. (link)

(compiled by student fellow Kevin Kuate Fodouop)

Treasury Secretary Janet Yellen dropped a Trump Administration proposal to reform global digital tax rules to include a “safe harbor” provision that would have allowed tech companies to opt out of a global tax regime. Even if a global deal is not reached, there may be a European-wide one.

Israel’s parliament passed new legislation that allows the Israeli Health Ministry to share personal information of those who declined the COVID vaccine with local and national authorities.
Mason Marks: Facebook is considering adding facial recognition to its augmented reality glasses. Also, Mason is moderating a March 17 panel on “Privatizing Public Health” at the Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics at Harvard Law School.

A US Treasury Department watchdog report says that the IRS might violate the Fourth Amendment when it uses cellphone location data without a warrant. Also, S.T.O.P. and the Yale Privacy Lab are hosting a March 6 symposium on how remote proctoring software promotes bias, undermines privacy, and creates barriers to accessibility.

Federal District Judge Lucy Koh, who is presiding over the Google private browsing class action, said she was “deeply disturbed” that Google tracks visitors to the Northern District of California’s court website.

In Italy, Facebook was again fined for failing to comply with an earlier order related to its failure to inform users about the commercial use it makes of their data.

On March 30, TransUnion LLC v. Ramirez will be argued at the Supreme Court. It raises the question of whether F.R.C.P. Rule 23 permits a damages class action even when the majority of the class has suffered no actual injury. While the case is about the Fair Credit Reporting Act, it will likely have broad ramifications going forward.

(compiled by student fellow Jacob Apkon)

The International Network of Civil Liberties Organisations released a report on facial recognition technologies across the world. It uses stories from 13 member organizations to highlight discrimination and the impact on rights.

The UK Supreme Court ruled that Uber drivers must be treated as workers. Uber had argued that they were self-employed contractors instead.

Under legislation proposed by the Australian Competition and Consumer Commission, tech giants would need to pay for news content on their sites.

China is developing its Digital Currency/Electronic Payment system through the People’s Bank of China. It is the digital version of the yuan.

The Swedish Police Authority has used Clearview AI facial recognition to identify individuals, and the way it processed personal data violated the Swedish Criminal Data Act. After an investigation by the Swedish Authority for Privacy Protection, the Police Authority was fined SEK 2,500,000, which is about 300,000 USD.

Twitter’s Birdwatch is a tool that allows users to identify potentially misleading information in tweets and add notes with context. However, the newsletter Factually recently reported that more than 10% of Birdwatch’s notes are generated by the five most active Birdwatchers.

Virginia is likely to become the second state with a comprehensive consumer privacy bill, after both houses of the Virginia General Assembly passed the Consumer Data Protection Act.

The New York City Police Department released the Cryptocurrency Analysis Tools: Impact & Use Policy for public comment. 

(compiled by student fellow Emmett Weiss)