ILI Student Blog

Blog

  • Proposed EU Data-Privacy Rules Require Breach Disclosure within 24 Hours

     

    Josh Perles

    Proposed EU Data-Privacy Rules Require Breach Disclosure within 24 Hours

     

    Part of a comprehensive suite of data-privacy reforms, the proposed rules would require any firm with EU customers to notify affected individuals and the relevant authorities within 24 hours of detecting a breach.

     

    The draft legislation has received mixed responses.  Though designed to enhance consumers’ ability to manage personal data, critics point out that the short deadline may ultimately undermine privacy goals by interfering with law enforcement investigations, distracting from damage control, and creating confusing false alarms.

     

    Some view the proposal as a reaction to the PlayStation Network breach last spring, after which Sony failed to notify customers for over a week.  Even if the proposal never comes into effect, it sends a strong message to IT firms: step up your data-privacy game or risk strict regulation.

     

    http://www.nextgov.com/nextgov/ng_20120127_6325.php?oref=topnews

  • Privacy of Financial Data News: International Accounts, Voluntary Disclosure, and Privacy

    Caitlin Urbach

    Privacy of Financial Data News: International Accounts, Voluntary Disclosure, and Privacy

    The IRS announced on January 9, 2012 that it was instituting another voluntary disclosure program for those with foreign bank accounts.

    Taxpayers with foreign bank accounts with more than $10,000 in them are required to note the account on their income tax return and on a form entitled “Report of Foreign Bank and Financial Accounts” (FBAR), and those who fail to report these accounts are subject to significant financial penalties as well as possible criminal punishment. According to a recent Forbes article, the voluntary disclosure program that the IRS has created provides for reduced penalties in order to incentivize disclosure, and is also accompanied by the implied threat that the government will pursue offenders more diligently once the disclosure period ends. While this program provides a significant opportunity for those who have evaded detection in the past and would like to take advantage of the relative leniency of the program’s penalties, the very requirement of disclosure highlights how little financial privacy is permitted between U.S. taxpayers and the government. Even with required disclosure to the government, however, foreign bank accounts may provide some additional privacy relative to domestic accounts and so continue to have their advocates in the United States. A Business Insider contributor recently commented that the United States government monitors domestic accounts in a way that is not possible

    overseas– the Financial Crimes Enforcement Network, which is part of the U.S. Treasury, requires banks to fill out reports whenever a customer’s financial activity is deemed suspicious. While an international bank account might not be the panacea that those seeking financial privacy from the U.S. government have hoped for, some may continue to use foreign bank accounts for the increased privacy that they may offer. The IRS voluntary disclosure program provides a limited opportunity for those who want to benefit from the increased privacy abroad due to the lack of monitoring, while minimizing the legal consequences such individuals would face if they were found not to have disclosed offshore account information.

    Links to articles:

    IRS FBAR voluntary disclosure initiative:

    http://www.forbes.com/sites/irswatch/2012/01/10/deja-vu-yet-another-irs-fbar-voluntary-disclosure-initiative-2/

    Commentary on suspicious activity reports and U.S. banks:

    http://www.businessinsider.com/why-308127404-americans-are-going-to-get-hosed-2012-1

  • HOPE 9 call for speakers

    The ninth Hackers On Planet Earth conference will take place in New York on July 13-15, 2012. Organizers have issued a call for speakers on a wide variety of topics, including “cryptography, copyright, telecommunications, new technologies, research, experimentation, surveillance, countersurveillance, privacy, anonymity, censorship, hardware hacking, programming, democracy and law, education, social engineering, digital protests, [and] hacking society.”

  • Researcher’s Video Shows Secret Software on Millions of Phones Logging Everything

    “The Android developer who raised the ire of a mobile-phone monitoring company last week is on the attack again, producing a video of how the Carrier IQ software secretly installed on millions of mobile phones reports most everything a user does on a phone.”  Read more here.

  • FTC settles privacy complaint against Facebook

    Facebook has announced its long-rumored privacy settlement with Facebook. The complaint focuses on several allegedly deceptive acts by Facebook, as listed in the press release:

    • In December 2009, Facebook changed its website so certain information that users may have designated as private — such as their Friends List — was made public. They didn’t warn users that this change was coming, or get their approval in advance.
    • Facebook represented that third-party apps that users’ installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data — data the apps didn’t need.
    • Facebook told users they could restrict sharing of data to limited audiences — for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
    • Facebook had a “Verified Apps” program & claimed it certified the security of participating apps. It didn’t.
    • Facebook promised users that it would not share their personal information with advertisers. It did.
    • Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
    • Facebook claimed that it complied with the U.S.-EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.

    The proposed settlement would impose various privacy obligations on Facebook, including the quickly-becoming-standard 20 years of privacy audits.

    Edited to add: Mark Zuckerberg’s statement.

    Edit 2: My colleague Joe Hall points out Count 3 of the FTC’s complaint:

    As described in Paragraphs 19–26, by designating certain user profile information publicly available that previously had been subject to privacy settings, Facebook materially changed its promises that users could keep such information private. Facebook retroactively applied these changes to personal information that it had previously collected from users, without their informed consent, in a manner that has caused or has been likely to cause substantial injury to consumers, was not outweighed by countervailing benefits to consumers or to competition, and was not reasonably avoidable by consumers. This practice constitutes an unfair act or practice.

    This continues a recent trend of the FTC asserting its authority over “unfair” trade practices, even when they’re not “deceptive.” This also came up in the FTC’s settlement with Frostwire over unfair default settings, which prompted the FTC to warn companies to “spend some time thinking through [their] default settings” and consider questions like “Do your defaults keep users safe from making serious inadvertent errors?” and “Does your application work in ways consumers would reasonably expect?”

  • Is my Mac laptop sharing my location?

    how is this ZIP code being sent?

    Is my Mac laptop using cell tower information to calculate and transmit my location to third parties? I believe the answer is yes.

    Here is my evidence. I cleared recent history from Firefox, selected private browsing, then typed “Msn.com” into my browser. Then I looked at what was stored in my cache (using about:cache), and I found this entry (see above).

    This entry is a message from my browser to msn.com with whatever data can be passed along. Notice the “euid” field is empty. That is good, I am using private browsing. Then notice it is passing back my zip code as 07024, and my local news provider as WNBC. Is this coming from my IP address?

    The answer is no, it is coming from cell tower location information. How do I know this comes from cell tower rather than my IP address?

    The zip code transmitted is  07024 (Fort Lee, NJ). However I live right across the river is Washington Heights, upper Manhattan (below is the view of New Jersey from Washington Heights).  Often 911 calls via cell phone from my neighborhood get routed to New Jersey by mistake due to our close proximity to NJ cell towers. So my zip code is not coming from my IP address, which comes from Time Warner, hence it should be a NYC zip code, not a NJ zip code. It seems to be coming from cell tower triangulation, being collected and passed along by my Mac laptop :(

    View of New Jersey from Washington Heights

  • One person’s trash is another person’s… medical record?

    Joe Hall here.

    An intriguing story flew past my Twitter stream, that begins:

    “MINNEAPOLIS (WCCO) — Detailed medical information discovered on the back of a first-grader’s school drawing sent Minneapolis school officials scrambling.

    Jennifer Kane was tidying her dining room when she found the drawing by her daughter, Keely, who goes to Hale Elementary School. On the back of the paper was the name, birth date and detailed medical information for a 24-year-old St. Paul woman named Paula White.” –(“Recycled Medical Records Used As Scrap Paper At School”)

    Long story, short: Ms. White’s records that she voluntarily gave to a law firm representing her after a car accident were donated by a paralegal to Ms. Kane’s daughter’s elementary school.  These records, and those of presumably many others, were found by school officials after being used as scrap paper and have since been secured, probably waiting disposal (or, cynically, placed in escrow until the new team of lawyers Ms. White might hire to sue her old lawyers get a chance to look at them!).

    Ms. White expresses concerns that we see often in cases of privacy breaches, especially medical breaches: “It’s got my account number, my birth date, my job … I’m outraged. I am embarrassed. I don’t want anyone to know my personal information.”

    What recourse does she have?  Likely, the only thing she can do is hire another law firm to sue the first law firm; that is, there’s no federal health privacy issue here. Because the law firm is not a “covered entity” under the federal law and accompanying regulations known as the Health Insurance Portability and Accountability Act (HIPAA), the responsible enforcement agency, the department of Health and Human Services, can’t seek corrective action.  In fact, you may be surprised how little HIPAA and HHS can do in situations like these. Our friends at the World Privacy Forum keep a very useful FAQ about HIPAA and also point out how medical identity theft, where people use medical information about others to obtain services or make fraudulent claims, is on the rise and an increasing concern for patients.

    What can you do? Be vigilant, as always. Make sure you monitor and understand your health insurance claims information and that you let your health care providers know if you suspect funny business. Of course, if a law firm you hire screws up this bad, find a new one and teach the old one a lesson with a good old fashioned legal malpractice lawsuit.

    Updated on 11/22 to make clear that Ms. White can sue the original law firm for malpractice. –JLH

  • You have no privacy online!

    That’s quite an interesting article!

    Court makes it official: You have no privacy online

    Eleni Gessiou

  • Natural Language Versus the Fourth Amendment on Search

    (x-posted from Coffee House Talks)

    In doing the initial framing for an article on how to apply Helen Nissenbaum’s theory of Contextual Integrity to the 4th Amendment, it has become apparent that there are differences between how natural language would classify whether something is a search, a reasonable search, or an excused or unexcused reasonable search, and how the law would classify the same action. Now this is not a mind-blowing observation, as it has been understood for some time that the fact of some things being classified as “not a search” for Fourth Amendment purposes is just kind of weird. However, I believe the differing categorizations of the two areas have implications when asking what an ideal Fourth Amendment doctrine would look like, so I’ll explore that here.

    (more…)

  • Orin Kerr on United States v. Jones

    Orin Kerr ponders oral arguments in United States v. Jones (reposted from The Volokh Conspiracy):

    I was at the Supreme Court this morning for the oral argument in United States v. Jones, the GPS case. In this post, I want to blog my reactions to the argument: I’m going to update the post as I go, so general readers can get the important stuff first at the top and then general readers can get the rest down the page:

    (more…)