Blog

  • California Agreement with Amazon

    Felicity Kohn

    California has reached an agreement designed to protect the privacy of mobile app users with Amazon.com, Apple, Google, HP, Microsoft, and a company called Research in Motion.  The agreement was sparked by the fact that smartphone apps routinely transmit users’ contacts and other personal data, including location, identity, messages, and photos, without their knowledge.  Both Apple and Google already require app developers to ask users for permission to obtain personal data.  However, users are rarely told which data is being collected or how it will be stored or used.  Moreover, some developers – even makers of very popular apps – have collected and transmitted users’ contact lists without their consent.

     

    California’s agreement requires developers of apps for mobile phones to post clearly marked privacy policies explaining what personal information they will collect and how they will use it.  According to the California attorney general’s office, only 5% of mobile apps currently have a privacy policy in place.  In addition to requiring app developers to post privacy policies, California’s agreement also requires app store providers like Apple and Google to provide ways for users to report apps that don’t comply.  In an interesting connection to our conversation about FTC enforcement powers, the California attorney general’s office said that developers who violated their own privacy policies could be prosecuted under California’s Unfair Competition Law and False Advertising Law.

     

    California’s agreement also relates to our conversation about the White House’s suggestion for multistakeholder meetings to develop enforceable codes of conduct, in that the statement by the California attorney general suggests that this agreement was born of just such a process: “[T]hese companies have to be commended for accepting the invitation to meet around our table, act on it and sign the agreement…”  Perhaps this agreement indicates the willingness of tech companies to engage in that kind of a process.

     

    Finally, it’s interesting – and perhaps telling – that California brokered the deal with these major tech companies since it is the state that was on the forefront of requiring notices to consumers regarding breaches of their data, and the casebook notes that most states then followed suit (p. 881-82).  Thus, state regulation may provide yet a third means (other than Congressional action and White House policy) of advancing the cause of consumer privacy.

     

    The link to the article is here: http://bits.blogs.nytimes.com/2012/02/22/california-attorney-general-reaches-deal-on-app-privacy/?scp=6&sq=privacy&st=cse

     

  • Rear-view cameras to be required by 2014

    Roger Ford

    Federal regulators are expected to announce this week that by 2014 all passenger cars will be required to come with rear-view cameras to help passengers see what’s behind them while they back up. While this will accelerate the trend of cameras becoming widespread in public places, the privacy implications seem minor compared with the safety gains. It’s nonetheless kind of interesting how the Times story, at least, does not mention the privacy implications.

  • Obama’s effort to enforce clear rules on privacy

    Bruna Izydorczyk

     

    President Obama took the initiative to convoke major technology companies – of course Facebook and Google are involved – to craft voluntary codes of conduct for handling consumer data based on a bill of rights for Web users. Among other reasons, this initiative represents a congressional answer to the existence of modern foreign rules on the subject – the European Directive on privacy – and also an attempt to avoid cross-border issues on privacy/data control.

     

    The development of such policies/rules will take place through meetings among the Commerce Department, companies and consumer groups. The Federal Trade Commission, which has the authority to act when companies engage in unfair and deceptive trade practices, would have the challenging mission to implement and enforce the standards approved.

     

    However, the effort to create clear policies on privacy seems to be interesting for the companies, which are interested in obtaining competitive advantages by serving their consumers well. As we all know, consumers’ trust is essential for the success of any business. Let’s hope that the future of privacy in the US relies also on the collective importance of the matter, and not only on the economic analysis of this issue.

     

    For more information, please see:

     

    http://news.businessweek.com/article.asp?documentKey=1377-a5jAQ79TwrjI-2MRQR870NSTPL8TGO31UVR346I

  • Netflix Advocates for Amendment to VPPA

    Brian Smith


     

    Netflix, the popular DVD rental and video streaming service, is currently supporting an amendment to the Video Privacy Protection Act (VPPA) (18 U.S.C. 2710).  The proposed amendment would allow video tape service providers (which includes Netflix) to disclose a consumer’s video rental history if that consumer has given written consent prior to the disclosure. Under current law, a company must seek consent “at the time the disclosure is sought.” Netflix claims that this reform is necessary before a proposed integration of Netflix and Facebook can be achieved, which will allow users to share the titles of the movies they watch with their Facebook friends.

     

    Privacy advocacy organization EPIC claims that this reform would shift the control over a user’s rental history from the consumer to the company, allowing companies like Netflix to broadcast a user’s rental and viewing history automatically after a one-time consent.  The amendment has already passed the House, and the Senate’s Privacy Subcommittee held hearings on the subject in January.

     

    By liberalizing when and how video rental services may share a user’s rental history, this proposed amendment is poised to substantially weaken the VPPA.  This legislation was originally passed in response to the disclosure of Robert Bork’s video rental history to the public, and integrating Facebook with Netflix could lead to similar inadvertent disclosures of video viewing history.  Hopefully, future Supreme Court nominees will have the foresight not to include any journalists among their Facebook “friends.”

     

    For more information, please see:

     

    Washington Post’s Post Tech Blog: http://www.washingtonpost.com/blogs/post-tech/post/netflix-discusses-video-privacy-act-along-with-earnings/2012/01/26/gIQAQFk3SQ_blog.html

     

    EPIC’s Description of the VPPA: http://epic.org/privacy/vppa/#2011%20Netflix-Backed%20Amendment

     

  • Consumer Advocacy Groups Voice Concerns Over White House Proposal

    Danny Blumberg


    http://www.sacbee.com/2012/02/23/4285987/white-house-plan-for-privacy-bill.html

    The White House’s newly released Consumer Data Privacy white paper proposes a co-regulatory process to implement the Consumer Privacy Bill of Rights.  Recent class readings describe how a multi-stakeholder process can provide benefits such as increased compliance and innovative solutions, but several consumer advocacy groups are concerned about the regulatory process which will be conducted by the Department of Commerce (and likely enforced by the FTC).  The Commerce Department’s role is to promote business interests, not consumers, and so advocacy groups are worried that large tech companies such as Google and Facebook will have too much influence during the process.  Consequently, the advocacy groups are asking that the process be public to maximize transparency and increase participation from a broad range of public interest groups.

    The multi-stakeholder proposal can be found here: http://www.worldprivacyforum.org/pdf/MultiStakeholderPrinciples2012fs.pdf.  Signatories to the baseline principles include the World Privacy Forum, American Civil Liberties Union, Center for Digital Democracy, Consumer Action, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Frontier Foundation, National Consumers League, Privacy Rights Clearinghouse and U.S. PIRG.

  • Eleventh Circuit: suspect can invoke Fifth Amendment and refuse to decrypt hard drive

    Roger Ford

    The Eleventh Circuit held Thursday, in a case with the inauspicious name of In re Grand Jury Subpoena Duces Tecum Dated March 25, 2011 (pdf link), that a suspect can invoke the Fifth Amendment and refuse to decrypt a hard drive’s contents in response to a subpoena.

    The Fifth Amendment protects one from being compelled to provide self-incriminating testimony. The government argued (and has argued in several other cases) that the Fifth Amendment does not apply to decryption orders because complying with such orders does not provide new “testimony”; it merely provides files that already exist on the hard drive. The court agreed that an order to provide preexisting files would not be an order to provide “testimony,” and so would not run afoul of the Fifth Amendment.

    The court concluded, however, that this was not enough, because the act of decrypting the files could itself provide incriminating testimony:

    Whether the drives’ contents are testimonial, however, is not the issue. What is at issue is whether the act of production may have some testimonial quality sufficient to trigger Fifth Amendment protection when the production explicitly or implicitly conveys some statement of fact. See Fisher v. United States, 425 U.S. 391, 410, 96 S. Ct. 1569, 1581, 48 L. Ed. 2d 39 (1976) (“The act of producing evidence in response to a subpoena nevertheless has communicative aspects of its own, wholly aside from the contents of the papers produced.”).

    Accordingly, the court concluded, “the decryption and production would be tantamount to testimony by Doe of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files.” Since these facts would be established through new, compelled actions, not previously existing documents, forcing him to confirm them would, for all intents and purposes, compel him to provide incriminating testimony.

  • Obama Administration Unveils Plan to Protect Privacy in the Information Age, including a “Consumer Privacy Bill of Rights”

    Jenna Levy

     


     

    On February 23, 2012, the White House revealed its plan to protect privacy in the information age, which includes a “Consumer Privacy Bill of Rights.”  The Obama Administration explains that as a world leader in the Internet marketplace, the US has a special responsibility to develop effective privacy practices that meet global standards and to protect individual privacy rights and give users more control over how their information is handled.

     

    The White House plan consists of three steps:

     

    1)     Putting in place a Consumer Privacy Bill of Rights (see below)

    2)     Achieving Privacy Policies for a Global, Open Market

    3)     Industry Action

     

    The Consumer Privacy Bill of Rights contains seven rights:

    1)     Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.

    2)     Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.

    3)     Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide data.

    4)     Security: Consumers have a right to secure and responsible handling of personal data.

    5)     Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.

    6)     Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.

    7)     Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

     

    For the official press release with the complete plan and a more in-depth explanation of the rights contained in the Consumer Privacy Bill of Rights, see http://www.whitehouse.gov/the-press-office/2012/02/23/fact-sheet-plan-protect-privacy-internet-age-adopting-consumer-privacy-b

     

    For some of the first articles about the plan, please see the following:

     

    http://www.nytimes.com/2012/02/23/business/white-house-outlines-online-privacy-guidelines.html?scp=1&sq=privacy%20bill%20of%20rights&st=cse

     

    http://online.wsj.com/article/SB10001424052970203960804577239774264364692.html?mod=business_newsreel

     

    http://www.usatoday.com/tech/news/story/2012-02-23/ftc-consumer-internet-privacy/53213162/1

     

    http://thehill.com/blogs/hillicon-valley/technology/212143-white-house-unveils-privacy-bill-of-rights

  • Symposium – No Strings Attached: US Internet Governance in an Increasingly Global World

    February 24, 2012, 9:00 AM to 5:00 PM
    Vanderbilt Hall, 40 Washington Square South

    The New York University Journal of Legislation & Public Policy and Journal of Law & Liberty invite you to attend “No Strings Attached: US Internet Governance in an Increasingly Global World.” This event will discuss how the rapid growth and necessity of the internet has presented new challenges to both legislators and regulators, and to what extent these policies are truly effective.

    In addition to a keynote address, the event features three panel discussions relating to ‘Getting Online’ and ‘Being Online’: Legislating and Regulating Internet Infrastructure, Control of Content on the Internet, and Mechanisms for Controlling Content and Providers. Each panel will consist of innovators in the field working in private industry, academia and the public sector.

    Please RSVP here.

  • Advertisers Can’t Be Trusted To Self-regulate on Data Collection, Says EFF

    Krystan Hitchcock

     


     

    The Electronic Frontier Foundation’s opinion that the digital advertising industry can regulate itself properly.  The Digital Advertising Alliance is an association of online advertisers that was created to establish guidelines to regulate matters of consumer choice, e.g., data collection, but their previous programs have been unsuccessful.  A study revealed that users found the DAA’s cookie-based opt-out tool difficult to use and to understand, and the same goes for their advertising option icon.

     

    The EFF says even if advertisers violate the newer principles, there are no repercussions and it’s unclear how the guidelines are enforced.  The EFF thinks simpler opt-out tools like the Do Not Track feature found in Safari, Internet Explorer and Firefox achieve more user benefits, but proper legislation is still the best route.

     

    http://www.pcworld.com/businesscenter/article/243884/advertisers_cant_be_trusted_to_selfregulate_on_data_collection_says_eff.html

  • Competitive Pressure as a Form of Industry Self-regulation

    Josh Goldman

    One twist on privacy self-regulation is regulation through competitive pressures.  A recent back-and-forth between Microsoft and Google has turned a spotlight on browser privacy settings and online advertising companies’ ability to work around the settings to collect data on users.

    Late last week, The Wall Street Journal reported that a Stanford graduate student had discovered a technique Google and other ad companies were using to circumvent default settings in Safari that blocked websites from installing cookies.  According to the Journal, “While Safari does block most tracking, it makes an exception for websites with which a person interacts in some way—for instance, by filling out a form. So Google added coding to some of its ads that made Safari think that a person was submitting an invisible form to Google. Safari would then let Google install a cookie on the phone or computer.”

    On Monday, Microsoft accused Google of using similar techniques to circumvent privacy settings in Internet Explorer through “a nuance in the P3P specification that has the effect of bypassing user preferences about cookies.”

    Google’s response? On the Safari workaround, Google noted, “The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.”  On the Internet Explorer issue, Google pointed to what it described as outdated Microsoft policies, countering that it is “impractical to comply with Microsoft’s request” given modern web functionality.